Hacking Exposed: Web Applications

About the Book

All you need to know about HTTP, HTTPS, the Web, SSL, authentication, authorization, encoding, firewalls, APIs, HTML, SQL injection, XSS, CSRF, URIs, directory traversal, IIS vulnerabilities, sessions, authentication bypass, privilege escalation, hijacking, script attacks, data store attacks, client-side validation, SSH, Telnet, dot-dot-slash, file include, remote code execution, WebDAV, FTP, cookie hijacking, and web client hacking.

About the Author

Joel Scambray

Joel Scambray is co-author of Hacking Exposed (http://www.hackingexposed.com), the international best-selling Internet security book that reached its third edition in October 2001. He is also lead author of Hacking Exposed Windows 2000, the definitive insider’s analysis of Microsoft product security, released in September 2001 and now in its second foreign language translation. Joel’s past publications have included his co-founding role as InfoWorld’s Security Watch columnist, InfoWorld Test Center Analyst, and inaugural author of Microsoft’s TechNet Ask Us About...Security forum.

Joel’s writing draws primarily on his years of experience as an IT security consultant for clients ranging from members of the Fortune 50 to newly minted startups, where he has gained extensive, field-tested knowledge of numerous security technologies, and has designed and analyzed security architectures for a variety of applications and products. Joel’s consulting experiences have also provided him a strong business and management background, as he has personally managed several multiyear, multinational projects; developed new lines of business accounting for substantial annual revenues; and sustained numerous information security enterprises of various sizes over the last five years. He also maintains his own test laboratory, where he continues to research the frontiers of information system security.

Joel speaks widely on information system security for organizations including The Computer Security Institute, ISSA, ISACA, private companies, and government agencies. He is currently Managing Principal with Foundstone Inc. (http://www.foundstone.com), and previously held positions at Ernst & Young, InfoWorld, and as Director of IT for a major commercial real estate firm. Joel’s academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).

—Joel Scambray can be reached at joel@webhackingexposed.com. 

Table of Contents

Chapter 1: Introduction to Web Applications and Security
    The Web Application Architecture
    A Brief Word about HTML
    Transport: HTTP
    The Web Client
    The Web Server
    The Web Application
    The Database
    Complications and Intermediaries
    The New Model: Web Services
    Potential Weak Spots
    The Methodology of Web Hacking
    Profile the Infrastructure
    Attack Web Servers
    Survey the Application
    Attack the Authentication Mechanism
    Attack the Authorization Schemes
    Perform a Functional Analysis
    Exploit the Data Connectivity
    Attack the Management Interfaces
    Attack the Client
    Launch a Denial-of-Service Attack
    Summary
    References and Further Reading

Chapter 2: Profiling (p. 25)
    Server Discovery
    Intuition
    Internet Footprinting
    DNS Interrogation
    Ping
    Discovery Using Port Scanning
    Dealing with Virtual Servers
    Service Discovery
    Server Identification
    Dealing with SSL
    Summary
    References and Further Reading

Chapter 3: Hacking Web Servers (p. 41)
    Common Vulnerabilities by Platform
    Apache
    Microsoft Internet Information Server (IIS)
    Attacks Against IIS Components
    Attacks Against IIS
    Escalating Privileges on IIS
    Netscape Enterprise Server
    Other Web Server Vulnerabilities
    Miscellaneous Web Server Hacking Techniques
    Automated Vulnerability Scanning Software
    Whisker
    Nikto
    twwwscan/arirang
    Stealth HTTP Scanner
    Typhon
    WebInspect
    AppScan
    FoundScan Web Module
    Denial of Service Against Web Servers
    Summary
    References and Further Reading

Chapter 4: Surveying the Application (p. 99)
    Documenting Application Structure
    Manually Inspecting the Application
    Statically and Dynamically Generated Pages
    Directory Structure
    Helper Files
    Java Classes and Applets
    HTML Comments and Content
    Forms
    Query Strings
    Back-End Connectivity
    Tools to Automate the Survey
    lynx
    Wget
    Teleport Pro
    Black Widow
    WebSleuth
    Common Countermeasures
    A Cautionary Note
    Protecting Directories
    Protecting Include Files
    Miscellaneous Tips
    Summary
    References and Further Reading

The Attack

Chapter 5: Authentication (p. 131)
    Authentication Mechanisms
    HTTP Authentication: Basic and Digest
    Forms-Based Authentication
    Microsoft Passport
    Attacking Web Authentication
    Password Guessing
    Session ID Prediction and Brute Forcing
    Subverting Cookies
    Bypassing SQL-Backed Login Forms
    Bypassing Authentication
    Summary
    References and Further Reading

Chapter 6: Authorization (p. 161)
    The Attacks
    Role Matrix
    The Methodology
    Query String
    POST Data
    Hidden Tags
    URI
    HTTP Headers
    Cookies
    Final Notes
    Case Study: Using Curl to Map Permissions
    Apache Authorization
    IIS Authorization
    Summary
    References and Further Reading

Chapter 7: Attacking Session State Management (p. 177)
    Client-Side Techniques
    Hidden Fields
    The URL
    HTTP Headers and Cookies
    Server-Side Techniques
    Server-Generated Session IDs
    Session Database
    SessionID Analysis
    Content Analysis
    Time Windows
    Summary
    References and Further Reading

Chapter 8: Input Validation Attacks (p. 201)
    Expecting the Unexpected
    Input Validation EndGame
    Where to Find Potential Targets
    Bypassing Client-Side Validation Routines
    Common Input Validation Attacks
    Buffer Overflow
    Canonicalization (dot-dot-slash)
    Script Attacks
    Boundary Checking
    Manipulating the Application
    SQL Injection and Datastore Attacks
    Command Execution
    Common Side Effects
    Common Countermeasures
    Summary
    References and Further Reading

Chapter 9: Attacking Web Datastores (p. 225)
    A SQL Primer
    SQL Injection
    Common Countermeasures
    Summary
    References and Further Reading

Chapter 10: Attacking Web Services (p. 243)
    What Is a Web Service?
    Transport: SOAP over HTTP(S)
    WSDL
    Directory Services: UDDI and DISCO
    Sample Web Services Hacks
    Basics of Web Service Security
    Similarities to Web Application Security
    Web Services Security Measures
    Summary
    References and Further Reading

Chapter 11: Hacking Web Application Management (p. 261)
    Web Server Administration
    Telnet
    SSH
    Proprietary Management Ports
    Other Administration Services
    Web Content Management
    FTP
    SSH/scp
    FrontPage
    WebDAV
    Web-Based Network and System Management
    Other Web-Based Management Products
    Summary
    References and Further Reading

Chapter 12: Web Client Hacking (p. 277)
    The Problem of Client-Side Security
    Attack Methodologies
    Active Content Attacks
    Java and JavaScript
    ActiveX
    Cross-Site Scripting
    Cookie Hijacking
    Summary
    References and Further Reading

Chapter 13: Case Studies (p. 299)
    Case Study #1: From the URL to the Command Line and Back
    Case Study #2: XOR Does Not Equal Security
    Case Study #3: The Cross-Site Scripting Calendar
    Summary
    References and Further Reading

Appendixes

Appendix A: Web Site Security Checklist (p. 311)

Appendix B: Web Hacking Tools and Techniques Cribsheet (p. 317)

Appendix C: Using Libwhisker (p. 333)
    Inside Libwhisker
    http_do_request Function
    crawl Function
    utils_randstr Function
    Building a Script with Libwhisker
    Sinjection.pl

Appendix D: UrlScan Installation and Configuration (p. 345)
    Overview of UrlScan
    Obtaining UrlScan
    Updating UrlScan
    Updating Windows Family Products
    hfnetchk
    Third-Party Tools
    Basic UrlScan Deployment
    Rolling Back IISLockdown
    Unattended IISLockdown Installation
    Advanced UrlScan Deployment
    Extracting UrlScan.dll
    Configuring UrlScan.ini
    Installing the UrlScan ISAPI Filter in IIS
    Removing UrlScan
    UrlScan.ini Command Reference
    Options Section
    AllowVerbs Section
    DenyVerbs Section
    DenyHeaders Section
    AllowExtensions Section
    DenyExtensions Section
    Summary
    References and Further Reading

Appendix E: About the Companion Web Site (p. 371)

Index (p. 373)
