The Web Application Hacker's Handbook - GBV

Transcription

Contents

Introduction xxiii

Chapter 1 Web Application (In)security 1
  The Evolution of Web Applications 2
  Common Web Application Functions 4
  Benefits of Web Applications 5
  Web Application Security 6
  "This Site Is Secure" 7
  The Core Security Problem: Users Can Submit Arbitrary Input 9
  Key Problem Factors 10
  The New Security Perimeter 12
  The Future of Web Application Security 14
  Summary 15

Chapter 2 Core Defense Mechanisms 17
  Handling User Access 18
  Authentication 18
  Session Management 19
  Access Control 20
  Handling User Input 21
  Varieties of Input 21
  Approaches to Input Handling 23
  Boundary Validation 25
  Multistep Validation and Canonicalization 28
  Handling Attackers 30
  Handling Errors 30
  Maintaining Audit Logs 31
  Alerting Administrators 33
  Reacting to Attacks 34

  Managing the Application 35
  Summary 36
  Questions 36

Chapter 3 Web Application Technologies 39
  The HTTP Protocol
  HTTP Methods
  HTTP Headers 45
  Cookies 47
  Status Codes 48
  HTTPS 49
  HTTP Authentication
  ... Functionality 51
  Server-Side ...
  State and Sessions 66
  Encoding Schemes
  URL Encoding
  Unicode Encoding
  HTML Encoding
  Base64 Encoding
  Hex Encoding
  Remoting and ... 70
  Questions

Chapter 4 Mapping the Application
  Enumerating Content and Functionality
  Web Spidering
  User-Directed Spidering
  Discovering Hidden Content
  Application Pages Versus Functional Paths
  Discovering Hidden Parameters
  Analyzing the Application
  Identifying Entry Points for User Input
  Identifying Server-Side Technologies
  Identifying Server-Side Functionality
  Mapping the Attack Surface
  Questions 114

Chapter 5 Bypassing Client-Side Controls 117
  Transmitting Data Via the Client 118
  Hidden Form Fields 118
  HTTP Cookies 121
  URL Parameters 121
  The Referer Header 122
  Opaque Data 123
  The ASP.NET ViewState
  Capturing User Data: HTML Forms
  Length Limits 128
  Script-Based Validation 129
  Disabled Elements 131
  Capturing User Data: Browser Extensions 133
  Common Browser Extension Technologies 134
  Approaches to Browser Extensions 135
  Intercepting Traffic from Browser Extensions 135
  Decompiling Browser Extensions
  Attaching a Debugger
  Native Client Components
  Handling Client-Side Data Securely
  Transmitting Data Via the Client
  Validating Client-Generated Data
  Logging and Alerting 156
  Summary 156
  Questions 157

Chapter 6 Attacking Authentication 159
  Authentication Technologies 160
  Design Flaws in Authentication 161
  Bad Passwords 161
  Brute-Forcible Login 162
  Verbose Failure Messages 166
  Vulnerable Transmission of Credentials 169
  Password Change Functionality 171
  Forgotten Password Functionality 173
  "Remember Me" Functionality 176
  User Impersonation Functionality 178
  Incomplete Validation of Credentials 180
  Nonunique Usernames 181
  Predictable Usernames 182
  Predictable Initial Passwords 183
  Insecure Distribution of Credentials 184
  Implementation Flaws in Authentication 185
  Fail-Open Login Mechanisms 185
  Defects in Multistage Login Mechanisms 186
  Insecure Storage of Credentials 190

  Securing Authentication 191
  Use Strong Credentials 192
  Handle Credentials Secretively 192
  Validate Credentials Properly 193
  Prevent Information Leakage 195
  Prevent Brute-Force Attacks 196
  Prevent Misuse of the Password Change Function 199
  Prevent Misuse of the Account Recovery Function 199
  Log, Monitor, and Notify 201
  Summary 201
  Questions 202

Chapter 7 Attacking Session Management 205
  The Need for State 206
  Alternatives to Sessions 208
  Weaknesses in Token Generation 210
  Meaningful Tokens 210
  Predictable Tokens 213
  Encrypted Tokens 223
  Weaknesses in Session Token Handling 233
  Disclosure of Tokens on the Network 234
  Disclosure of Tokens in Logs 237
  Vulnerable Mapping of Tokens to Sessions 240
  Vulnerable Session Termination 241
  Client Exposure to Token Hijacking 243
  Liberal Cookie Scope 244
  Securing Session Management 248
  Generate Strong Tokens 248
  Protect Tokens Throughout Their Life Cycle 250
  Log, Monitor, and Alert 253
  Summary 254
  Questions 255

Chapter 8 Attacking Access Controls 257
  Common Vulnerabilities 258
  Completely Unprotected Functionality 259
  Identifier-Based Functions 261
  Multistage Functions 262
  Static Files 263
  Platform Misconfiguration 264
  Insecure Access Control Methods 265
  Attacking Access Controls 266
  Testing with Different User Accounts 267
  Testing Multistage Processes 271
  Testing with Limited Access 273
  Testing Direct Access to Methods 276
  Testing Controls Over Static Resources 277

  Testing Restrictions on HTTP Methods 278
  Securing Access Controls 278
  A Multilayered Privilege Model 280
  Summary 284
  Questions 284

Chapter 9 Attacking Data Stores 287
  Injecting into Interpreted Contexts 288
  Bypassing a Login 288
  Injecting into SQL 291
  Exploiting a Basic Vulnerability 292
  Injecting into Different Statement Types 294
  Finding SQL Injection Bugs 298
  Fingerprinting the Database 303
  The UNION Operator 304
  Extracting Useful Data 308
  Extracting Data with UNION 308
  Bypassing Filters 311
  Second-Order SQL Injection 313
  Advanced Exploitation 314
  Beyond SQL Injection: Escalating the Database Attack 325
  Using SQL Exploitation Tools 328
  SQL Syntax and Error Reference 332
  Preventing SQL Injection 338
  Injecting into NoSQL 342
  Injecting into MongoDB 343
  Injecting into XPath 344
  Subverting Application Logic 345
  Informed XPath Injection
  Blind XPath Injection
  Finding XPath Injection Flaws
  Preventing XPath Injection
  Injecting into LDAP
  Exploiting LDAP Injection
  Finding LDAP Injection Flaws
  Preventing LDAP Injection
  Summary
  Questions 354

Chapter 10 Attacking Back-End Components
  Injecting OS Commands
  Example 1: Injecting Via Perl
  Example 2: Injecting Via ASP 360
  Injecting Through Dynamic Execution 362
  Finding OS Command Injection Flaws 363
  Finding Dynamic Execution ... 366

  Preventing OS Command Injection
  Preventing Script Injection Vulnerabilities 368
  Manipulating File Paths 368
  Path Traversal Vulnerabilities
  File Inclusion Vulnerabilities 381
  Injecting XML External ...
  Injecting into SOAP ...
  Preventing ... 390
  Injecting into Back-end HTTP Requests 390
  Server-side HTTP Redirection 390
  HTTP Parameter Injection 393
  Injecting into Mail Services 397
  E-mail Header Manipulation 398
  SMTP Command Injection 399
  Finding SMTP ... 400
  Preventing SMTP ... 402
  Summary 402
  Questions 403

Chapter 11 Attacking Application Logic 405
  The Nature of Logic Flaws
  Real-World Logic Flaws
  Example 1: Asking the Oracle
  Example 2: Fooling a Password Change Function
  Example 3: Proceeding to Checkout
  Example 4: Rolling Your Own Insurance
  Example 5: Breaking the Bank
  Example 6: Beating a Business Limit
  Example 7: Cheating on Bulk Discounts
  Example 8: Escaping from Escaping
  Example 9: Invalidating Input Validation
  Example 10: Abusing a Search Function
  Example 11: Snarfing Debug Messages 424
  Example 12: Racing Against the Login 426
  Avoiding Logic Flaws 428
  Summary 429
  Questions 430

Chapter 12 Attacking Users: Cross-Site Scripting 431
  Varieties of XSS 433
  Reflected XSS Vulnerabilities 434
  Stored XSS Vulnerabilities 438
  DOM-Based XSS Vulnerabilities 440
  XSS Attacks in Action 442
  Real-World XSS Attacks 442

  Payloads for XSS Attacks 443
  Delivery Mechanisms for XSS Attacks
  Finding and Exploiting XSS Vulnerabilities
  Finding and Exploiting Reflected XSS Vulnerabilities
  Finding and Exploiting Stored XSS Vulnerabilities
  Finding and Exploiting DOM-Based XSS Vulnerabilities
  Preventing XSS Attacks
  Preventing Reflected and Stored XSS
  Preventing DOM-Based XSS

Chapter 13 Attacking Users: Other Techniques 501
  Inducing User Actions 501
  Request Forgery 502
  UI Redress 511
  Capturing Data Cross-Domain
  Capturing Data by Injecting HTML
  Capturing Data by Injecting CSS
  JavaScript Hijacking
  The Same-Origin Policy Revisited
  The Same-Origin Policy and Browser Extensions
  The Same-Origin Policy and HTML5
  Crossing Domains with Proxy Service Applications
  Other Client-Side Injection Attacks
  HTTP Header Injection
  Cookie Injection
  Open Redirection Vulnerabilities
  Client-Side SQL Injection
  Client-Side HTTP Parameter Pollution
  Local Privacy ...
  Persistent Cookies 550
  Cached Web Content 551
  Browsing History 552
  Autocomplete 552
  Flash Local ...
  Internet Explorer userData 554
  HTML5 Local Storage ... 554
  Attacking ActiveX Controls 556
  Finding ActiveX Vulnerabilities 558
  Preventing ActiveX Vulnerabilities 559
  Attacking the Browser 560
  Logging Keystrokes 560
  Stealing Browser History and Search Queries 560

  Enumerating Currently Used Applications 561
  Port Scanning 561
  Attacking Other Network Hosts 562
  Exploiting Non-HTTP ...
  Exploiting Browser Bugs
  DNS Rebinding
  Browser Exploitation Frameworks
  Man-in-the-Middle Attacks 566

Chapter 14 Automating Customized Attacks 571
  Uses for Customized Automation 572
  Enumerating Valid Identifiers 573
  The Basic Approach 574
  Detecting Hits 574
  Scripting the Attack 576
  JAttack 577
  Harvesting Useful Data 583
  Fuzzing for Common Vulnerabilities
  Putting It All Together: Burp Intruder
  Barriers to ...
  ... Mechanisms
  CAPTCHA ...

Chapter 15 ...
  Exploiting Error Messages 616
  Stack Traces 617
  Informative Debug Messages 618
  Server and Database Messages 619
  Using Public Information 623
  Engineering Informative Error Messages 624
  Gathering Published Information 625
  Using Inference 626
  Preventing Information Leakage 627
  Use Generic Error Messages 628
  Protect Sensitive ... 628
  Minimize Client-Side Information

Chapter 16 Attacking Native Compiled Applications 633
  Buffer Overflow Vulnerabilities 634
  Stack Overflows 634
  Heap Overflows 635

  "Off-by-One" Vulnerabilities 636
  Detecting Buffer Overflow Vulnerabilities 639
  Integer Vulnerabilities 640
  Integer Overflows 640
  Signedness Errors 641
  Detecting Integer ...
  Format String Vulnerabilities
  Detecting Format String Vulnerabilities 644

Chapter 17 Attacking Application Architecture 647
  Tiered Architectures 647
  Attacking Tiered Architectures
  Securing Tiered Architectures
  Shared Hosting and Application Service Providers
  Virtual Hosting
  Shared Application Services
  Attacking Shared Environments
  Securing Shared Environments
  Summary

Chapter 18 Attacking the Application Server 669
  Vulnerable Server Configuration 670
  Default Credentials 670
  Default Content 671
  Directory Listings 677
  WebDAV Methods 679
  The Application ... 682
  Securing Web Server Configuration 684
  Vulnerable Server Software 684
  Application Framework Flaws
  Memory Management Vulnerabilities
  Encoding and Canonicalization
  Finding Web Server Flaws
  Securing Web Server Software
  Web ...

Chapter 19 Finding Vulnerabilities in Source Code 701
  Approaches to Code Review 702
  Black-Box Versus White-Box Testing 702
  Code Review Methodology 703
  Signatures of Common Vulnerabilities 704
  Cross-Site Scripting 704

  SQL Injection 705
  Path Traversal 706
  Arbitrary Redirection
  OS Command Injection 707
  Backdoor Passwords 708
  Native Software Bugs 708
  Source Code Comments 709
  The Java Platform 710
  Identifying User-Supplied Data 711
  Session Interaction 711
  Potentially Dangerous APIs 712
  Configuring the Java Environment 713
  ASP.NET 718
  Identifying User-Supplied Data
  Session Interaction 719
  Potentially Dangerous APIs 720
  Configuring the ASP.NET Environment 723
  PHP 724
  Identifying User-Supplied Data 724
  Session Interaction 727
  Potentially Dangerous APIs 727
  Configuring the PHP Environment 732
  Perl 735
  Identifying User-Supplied Data 735
  Session Interaction 736
  Potentially Dangerous APIs 736
  Configuring the Perl Environment
  JavaScript
  Database Code Components 741
  SQL Injection 742
  Calls to Dangerous ...
  Tools for Code ... 743
  Summary 744
  Questions 744

Chapter 20 A Web Application Hacker's Toolkit
  Web ...
  Integrated Testing Suites 751
  How the Tools Work 751
  Testing Work Flow 769
  Alternatives to the Intercepting Proxy 771
  Standalone Vulnerability Scanners 773
  Vulnerabilities Detected by Scanners 774
  Inherent Limitations of Scanners 776

  Technical Challenges Faced by Scanners 778
  Current Products 781
  Using a Vulnerability Scanner 783
  Other Tools 785
  Wikto/Nikto 785
  Firebug 785
  Hydra 785
  Custom Scripts 786
  Summary 789

Chapter 21 A Web Application Hacker's Methodology 791
  General Guidelines 793
  1 Map the Application's Content 795
  1.1 Explore Visible Content 795
  1.2 Consult Public Resources 796
  1.3 Discover Hidden Content 796
  1.4 Discover Default Content 797
  1.5 Enumerate Identifier-Specified Functions 797
  1.6 Test for Debug Parameters 798
  2 ... Application 798
  2.1 Identify Functionality 798
  2.2 Identify Data Entry Points 799
  2.3 Identify the Technologies Used 799
  2.4 Map the Attack Surface 800
  3 Test Client-Side Controls 800
  3.1 Test Transmission of Data Via the Client 801
  3.2 Test Client-Side Controls Over User Input 801
  3.3 Test Browser Extension Components 802
  4 Test the Authentication Mechanism 805
  4.1 Understand the Mechanism 805
  4.2 Test Password Quality 806
  4.3 Test for Username Enumeration 806
  4.4 Test Resilience to Password Guessing 807
  4.5 Test Any Account Recovery Function 807
  4.6 Test Any Remember Me Function 808
  4.7 Test Any Impersonation Function 808
  4.8 Test Username Uniqueness 809
  4.9 Test Predictability of Autogenerated Credentials 809
  4.10 Check for Unsafe Transmission of Credentials 810
  4.11 Check for Unsafe Distribution of Credentials 810
  4.12 Test for Insecure Storage 811
  4.13 Test for Logic Flaws 811
  4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access 813
  5 Test the Session Management Mechanism 814
  5.1 Understand the Mechanism 814
  5.2 Test Tokens for Meaning 815
  5.3 Test Tokens for Predictability 816

  5.4 Check for Insecure Transmission of Tokens 817
  5.5 Check for Disclosure of Tokens in Logs 817
  5.6 Check Mapping of Tokens to Sessions 818
  5.7 Test Session Termination 818
  5.8 Check for Session Fixation 819
  5.9 Check for CSRF 820
  5.10 Check Cookie Scope 820
  6 Test Access Controls 821
  6.1 Understand the Access Control Requirements 821
  6.2 Test with Multiple Accounts 822
  6.3 Test with Limited Access 822
  6.4 Test for Insecure Access Control Methods 823
  7 Test for Input-Based Vulnerabilities 824
  7.1 Fuzz All Request Parameters 824
  7.2 Test for SQL Injection 827
  7.3 Test for XSS and Other Response Injection 829
  7.4 Test for OS Command Injection 832
  7.5 Test for Path Traversal 833
  7.6 Test for Script Injection 835
  7.7 Test for File Inclusion 835
  8 Test for Function-Specific Input Vulnerabilities 836
  8.1 Test for SMTP Injection 836
  8.2 Test for Native Software Vulnerabilities 837
  8.3 Test for SOAP Injection 839
  8.4 Test for LDAP Injection 839
  8.5 Test for XPath Injection 840
  8.6 Test for Back-End Request Injection 841
  8.7 Test for XXE Injection 841
  9 Test for Logic Flaws 842
  9.1 Identify the Key Attack Surface 842
  9.2 Test Multistage Processes 842
  9.3 Test Handling of Incomplete Input 843
  9.4 Test Trust Boundaries 844
  9.5 Test Transaction Logic 844
  10 Test for Shared Hosting Vulnerabilities 845
  10.1 Test Segregation in Shared Infrastructures 845
  10.2 Test Segregation Between ASP-Hosted Applications 845
  11 Test for Application Server Vulnerabilities 846
  11.1 Test for Default Credentials 846
  11.2 Test for Default Content 847
  11.3 Test for Dangerous HTTP Methods 847
  11.4 Test for Proxy Functionality 847
  11.5 Test for Virtual Hosting Misconfiguration 847
  11.6 Test for Web Server Software Bugs 848
  11.7 Test for Web Application Firewalling 848

  12 Miscellaneous Checks 849
  12.1 Check for DOM-Based Attacks 849
  12.2 Check for Local Privacy Vulnerabilities 850
  12.3 Check for Weak SSL Ciphers 851
  12.4 Check Same-Origin Policy Configuration 851
  13 Follow Up Any Information Leakage 852

Index 853
