The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
Description:
The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications.
You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.
- Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
- Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
- Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks
Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.
Other
- Authors: Dafydd Stuttard, Marcus Pinto
- Edition: 2
- Publication date: 2011-09-12
- Printing allowed: 2 pages
- Copying allowed: 10 pages
- Format: ePub
- ISBN 13: 9781118784297
- Print ISBN: 9781118026472
- ISBN 10: 1118784294
Table of Contents
- Front Matter
- About the Authors
- About the Technical Editor
- MDSec: The Authors' Company
- Credits
- Acknowledgments
- Introduction
- Overview of This Book
- Who Should Read This Book
- How This Book Is Organized
- What's New in This Edition
- Tools You Will Need
- What's on the Website
- Bring It On
- The Evolution of Web Applications
- Figure 1-1: A traditional website containing static information
- Figure 1-2: A typical web application
- Common Web Application Functions
- Benefits of Web Applications
- Web Application Security
- “This Site Is Secure”
- Figure 1-3: The incidence of some common web application vulnerabilities in applications recently tested by the authors (based on a sample of more than 100)
- The Core Security Problem: Users Can Submit Arbitrary Input
- Key Problem Factors
- Underdeveloped Security Awareness
- Custom Development
- Deceptive Simplicity
- Rapidly Evolving Threat Profile
- Resource and Time Constraints
- Overextended Technologies
- Increasing Demands on Functionality
- The New Security Perimeter
- NOTE
- The Future of Web Application Security
- Summary
- Handling User Access
- Authentication
- Figure 2-1: A typical login function
- Session Management
- Figure 2-2: An application enforcing session timeout
- Access Control
- Figure 2-3: An application enforcing access control
- Varieties of Input
- Figure 2-4: An application performing input validation
- Approaches to Input Handling
- “Reject Known Bad”
- NOTE
- “Accept Known Good”
- Sanitization
- Safe Data Handling
- Semantic Checks
- Boundary Validation
- Figure 2-5: An application function using boundary validation at multiple stages of processing
- Multistep Validation and Canonicalization
- Handling Errors
- Figure 2-6: An unhandled error
- Maintaining Audit Logs
- Figure 2-7: Poorly protected application logs containing sensitive information submitted by other users
- Alerting Administrators
- Reacting to Attacks
- Figure 2-8: An administrative interface within a web application
- The HTTP Protocol
- HTTP Requests
- HTTP Responses
- HTTP Methods
- Figure 3-1: Browsers do not automatically reissue POST requests made by users, because these might cause an action to be performed more than once
- URLs
- NOTE
- REST
- HTTP Headers
- General Headers
- Request Headers
- Response Headers
- Cookies
- Status Codes
- HTTPS
- NOTE
- HTTP Proxies
- HTTP Authentication
- Common Myth
- Server-Side Functionality
- Common Myth
- The Java Platform
- ASP.NET
- PHP
- Ruby on Rails
- SQL
- XML
- Web Services
- Client-Side Functionality
- HTML
- Hyperlinks
- Forms
- CSS
- JavaScript
- VBScript
- Document Object Model
- Ajax
- JSON
- Same-Origin Policy
- HTML5
- “Web 2.0”
- Browser Extension Technologies
- State and Sessions
- URL Encoding
- NOTE
- Unicode Encoding
- HTML Encoding
- Base64 Encoding
- Hex Encoding
- Remoting and Serialization Frameworks
- Enumerating Content and Functionality
- Web Spidering
- TIP
- TIP
- Figure 4-1: Mapping part of an application using Burp Spider
- WARNING
- User-Directed Spidering
- Figure 4-2: Burp's site map after user-guided spidering has been performed
- TIP
- Figure 4-3: IEWatch performing HTTP and HTML analysis from within the browser
- Hack Steps
- Discovering Hidden Content
- Brute-Force Techniques
- Figure 4-4: Burp Intruder being configured to probe for common directories
- Figure 4-5: Burp Intruder showing the results of a directory brute-force attack
- Figure 4-6: Burp Intruder showing the results of a file brute-force attack
- NOTE
- Hack Steps
- Inference from Published Content
- TIP
- Figure 4-7: Burp Intruder being used to perform a customized brute-force attack on part of a filename
- Hack Steps
- NOTE
- Figure 4-8: A content discovery session in progress against the EIS application
- TIP
- TIP
- Use of Public Information
- Hack Steps
- Hack Steps
- Leveraging the Web Server
- Figure 4-9: Wikto being used to discover content and some known vulnerabilities
- WARNING
- Hack Steps
- Application Pages Versus Functional Paths
- Figure 4-10: A mapping of the functional paths within a web application
- Hack Steps
- Discovering Hidden Parameters
- Hack Steps
- Identifying Entry Points for User Input
- URL File Paths
- Request Parameters
- HTTP Headers
- TIP
- Out-of-Band Channels
- Identifying Server-Side Technologies
- Banner Grabbing
- HTTP Fingerprinting
- Figure 4-11: Httprecon fingerprinting the EIS application
- File Extensions
- Figure 4-12: A customized error page indicating that the ASP.NET platform is present on the server
- Figure 4-13: A generic error message created when an unrecognized file extension is requested
- Figure 4-14: File extension mappings in IIS 5.0
- Directory Names
- Session Tokens
- Third-Party Code Components
- Hack Steps
- Dissecting Requests
- TIP
- Hack Steps
- Extrapolating Application Behavior
- Hack Steps
- Isolating Unique Application Behavior
- Hack Steps
- Mapping the Extreme Internet Shopping Application
- Figure 4-15: The attack surface exposed by the EIS application
- Hack Steps
- Transmitting Data Via the Client
- Hidden Form Fields
- Figure 5-1: A typical HTML form
- Try It!
- Figure 5-2: Modifying the values of hidden form fields using an intercepting proxy
- TIP
- HTTP Cookies
- Try It!
- URL Parameters
- The Referer Header
- Try It!
- Common Myth
- Hack Steps
- Opaque Data
- Try it!
- NOTE
- Hack Steps
- The ASP.NET ViewState
- TIP
- Figure 5-3: Burp Proxy can decode and render the ViewState, allowing you to review its contents and edit these if the EnableViewStateMac option is not set
- Try It!
- Hack Steps
- Length Limits
- Intercepting Responses
- Hack Steps
- Script-Based Validation
- Try It!
- Hack Steps
- NOTE
- Disabled Elements
- Figure 5-4: A form containing a disabled input field
- Try It!
- Hack Steps
- Common Browser Extension Technologies
- Java
- Flash
- Silverlight
- Approaches to Browser Extensions
- Intercepting Traffic from Browser Extensions
- Handling Serialized Data
- Java Serialization
- Flash Serialization
- Figure 5-5: Burp Suite supports AMF format and lets you view and edit the deserialized data
- Silverlight Serialization
- Obstacles to Intercepting Traffic from Browser Extensions
- Hack Steps
- Downloading the Bytecode
- TIP
- Decompiling the Bytecode
- Java Tools
- Flash Tools
- Silverlight Tools
- Working on the Source Code
- Recompiling and Executing Within the Browser
- Recompiling and Executing Outside the Browser
- Manipulating the Original Component Using JavaScript
- Hack Steps
- Hack Steps
- TIP
- Try It!
- Figure 5-6: JavaSnoop can hook directly into an applet running in the browser
- NOTE
- Figure 5-7: Once a suitable method has been identified, JavaSnoop can be used to tamper with the return value from the method
- Validating Client-Generated Data
- Common Myth
- Logging and Alerting
- NOTE
- Authentication Technologies
- Design Flaws in Authentication Mechanisms
- Bad Passwords
- Figure 6-1: An application that enforces weak password quality rules
- Hack Steps
- NOTE
- Try It!
- Brute-Forcible Login
- NOTE
- Figure 6-2: A successful password-guessing attack
- Hack Steps
- Try It!
- Verbose Failure Messages
- Figure 6-3: Verbose login failure messages indicating when a valid username has been guessed
- NOTE
- NOTE
- Figure 6-4: Identifying subtle differences in application responses using Burp Comparer
- Hack Steps
- TIP
- Try It!
- Vulnerable Transmission of Credentials
- NOTE
- Hack Steps
- Try It!
- Password Change Functionality
- Hack Steps
- TIP
- Try It!
- Forgotten Password Functionality
- Figure 6-5: A secondary challenge used in an account recovery function
- TIP
- Hack Steps
- Try It!
- “Remember Me” Functionality
- Figure 6-6: A vulnerable “remember me” function, which automatically logs in a user based solely on a username stored in a cookie
- Hack Steps
- Try It!
- User Impersonation Functionality
- Figure 6-7: A vulnerable user impersonation function
- Hack Steps
- Try It!
- Figure 6-8: A password-guessing attack with two “hits,” indicating the presence of a backdoor password
- Incomplete Validation of Credentials
- Hack Steps
- Try It!
- Nonunique Usernames
- Hack Steps
- Predictable Usernames
- Hack Steps
- Try It!
- Predictable Initial Passwords
- Hack Steps
- Try It!
- Insecure Distribution of Credentials
- Hack Steps
- Fail-Open Login Mechanisms
- Hack Steps
- Try It!
- Defects in Multistage Login Mechanisms
- Common Myth
- Hack Steps
- Try It!
- NOTE
- Hack Steps
- Try It!
- NOTE
- Insecure Storage of Credentials
- TIP
- Hack Steps
- Use Strong Credentials
- Handle Credentials Secretively
- Validate Credentials Properly
- NOTE
- Prevent Information Leakage
- Prevent Brute-Force Attacks
- Figure 6-9: A CAPTCHA control designed to hinder automated attacks
- TIP
- Prevent Misuse of the Password Change Function
- Prevent Misuse of the Account Recovery Function
- Log, Monitor, and Notify
- Common Myth
- The Need for State
- Hack Steps
- Alternatives to Sessions
- Hack Steps
- NOTE
- Meaningful Tokens
- NOTE
- Hack Steps
- Try It!
- Predictable Tokens
- Concealed Sequences
- Figure 7-1: An attack to discover valid sessions where the session token is predictable
- Time Dependency
- Try It!
- Weak Random Number Generation
- NOTE
- NOTE
- Testing the Quality of Randomness
- Figure 7-2: Configuring Burp Sequencer to test the randomness of a session token
- Figure 7-3: Analyzing the Burp Sequencer results to understand the properties of the tokens that were tested
- NOTE
- Hack Steps
- Try It!
- ECB Ciphers
- Figure 7-4: Patterns within plaintext that is encrypted using an ECB cipher may be visible within the resulting ciphertext.
- Try It!
- CBC Ciphers
- Figure 7-5: In a CBC cipher, each block of plaintext is XORed against the preceding block of ciphertext before being encrypted.
- Figure 7-6: Configuring Burp Intruder to modify an encrypted session token
- Figure 7-7: Configuring Burp Intruder to flip each bit in the encrypted token
- Figure 7-8: A successful bit flipping attack against an encrypted token
- Try It!
- NOTE
- NOTE
- Hack Steps
- Common Myth
- Common Myth
- Disclosure of Tokens on the Network
- Figure 7-9: Browsers present a warning when a page accessed over HTTPS contains items accessed over HTTP.
- Hack Steps
- Figure 7-10: Walking through an application to identify locations where new session tokens are received.
- Try It!
- Disclosure of Tokens in Logs
- Figure 7-11: When session tokens appear in URLs, these are transmitted in the Referer header when users follow an off-site link or their browser loads an off-site resource.
- NOTE
- Hack Steps
- Try It!
- Vulnerable Mapping of Tokens to Sessions
- Hack Steps
- Try It!
- Vulnerable Session Termination
- Hack Steps
- Try It!
- Client Exposure to Token Hijacking
- Hack Steps
- Liberal Cookie Scope
- Cookie Domain Restrictions
- NOTE
- NOTE
- Hack Steps
- Cookie Path Restrictions
- Generate Strong Tokens
- NOTE
- TIP
- Protect Tokens Throughout Their Life Cycle
- Per-Page Tokens
- Figure 7-12: Per-page tokens used in a banking application
- Reactive Session Termination
- Hack Steps
- Common Vulnerabilities
- Completely Unprotected Functionality
- Common Myth
- Direct Access to Methods
- Identifier-Based Functions
- TIP
- TIP
- NOTE
- Multistage Functions
- Static Files
- Platform Misconfiguration
- Insecure Access Control Methods
- Parameter-Based Access Control
- Referer-Based Access Control
- Location-Based Access Control
- Hack Steps
- Testing with Different User Accounts
- Hack Steps
- Hack Steps
- Figure 8-1: A site map comparison showing the differences between content that was accessed in different user contexts
- Figure 8-2: The low-privileged user is denied access to the top-level admin page
- Figure 8-3: The low-privileged user can access the administrative function to list application users
- Try It!
- Testing Multistage Processes
- Try It!
- Hack Steps
- Figure 8-4: Using Burp to request a given item within the current browser session
- TIP
- Testing with Limited Access
- Hack Steps
- Try It!
- Hack Steps
- Figure 8-5: A successful attack to harvest usernames and passwords via an access control vulnerability
- Try It!
- TIP
- Testing Direct Access to Methods
- Hack Steps
- Testing Controls Over Static Resources
- Hack Steps
- Testing Restrictions on HTTP Methods
- Hack Steps
- A Multilayered Privilege Model
- Figure 8-6: A privilege matrix for a complex application
- Hack Steps
- Injecting into Interpreted Contexts
- Bypassing a Login
- Try It!
- NOTE
- Hack Steps
- TIP
- Exploiting a Basic Vulnerability
- TIP
- Injecting into Different Statement Types
- SELECT Statements
- Try It!
- INSERT Statements
- TIP
- Try It!
- UPDATE Statements
- NOTE
- Try It!
- DELETE Statements
- Finding SQL Injection Bugs
- NOTE
- TIP
- Injecting into String Data
- Hack Steps
- TIP
- TIP
- Injecting into Numeric Data
- Hack Steps
- TIP
- Injecting into the Query Structure
- TIP
- NOTE
- Hack Steps
- NOTE
- NOTE
- NOTE
- NOTE
- Hack Steps
- NOTE
- Try It!
- TIP
- TIP
- Avoiding Blocked Characters
- Try It!
- Circumventing Simple Validation
- Try It!
- Using SQL Comments
- Exploiting Defective Filters
- Try It!
- Try It!
- NOTE
- Retrieving Data as Numbers
- TIP
- Using an Out-of-Band Channel
- MS-SQL
- Oracle
- NOTE
- MySQL
- Leveraging the Operating System
- Using Inference: Conditional Responses
- Inducing Conditional Errors
- Using Time Delays
- TIP
- Try It!
- Common Myth
- MS-SQL
- Dealing with Default Lockdown
- Oracle
- MySQL
- NOTE
- Hack Steps
- SQL Syntax
- SQL Error Messages
- Partially Effective Measures
- Parameterized Queries
- NOTE
- Defense in Depth
- Injecting into MongoDB
- NOTE
- Subverting Application Logic
- NOTE
- Informed XPath Injection
- Try It!
- Blind XPath Injection
- TIP
- Try It!
- Finding XPath Injection Flaws
- Hack Steps
- Preventing XPath Injection
- Exploiting LDAP Injection
- Disjunctive Queries
- Try It!
- Conjunctive Queries
- Try It!
- NOTE
- Try It!
- Hack Steps
- Injecting OS Commands
- Example 1: Injecting Via Perl
- Figure 10-1: A simple application function for listing a directory's contents
- Figure 10-2: A successful command injection attack
- Example 2: Injecting Via ASP
- Figure 10-3: A function to list the contents of a directory
- Figure 10-4: A successful command injection attack
- Try It!
- Injecting Through Dynamic Execution
- NOTE
- Finding OS Command Injection Flaws
- Hack Steps
- Try It!
- Hack Steps
- TIP
- Finding Dynamic Execution Vulnerabilities
- Hack Steps
- Preventing OS Command Injection
- Preventing Script Injection Vulnerabilities
- Manipulating File Paths
- Path Traversal Vulnerabilities
- NOTE
- Try It!
- Finding and Exploiting Path Traversal Vulnerabilities
- Locating Targets for Attack
- Hack Steps
- TIP
- Hack Steps
- Detecting Path Traversal Vulnerabilities
- Hack Steps
- Hack Steps
- Figure 10-5: A successful path traversal attack
- NOTE
- Circumventing Obstacles to Traversal Attacks
- Hack Steps
- Try It!
- Hack Steps
- Coping with Custom Encoding
- NOTE
- Exploiting Traversal Vulnerabilities
- Hack Steps
- Preventing Path Traversal Vulnerabilities
- File Inclusion Vulnerabilities
- Remote File Inclusion
- Local File Inclusion
- Finding File Inclusion Vulnerabilities
- Hack Steps
- Injecting XML External Entities
- Try It!
- Injecting into SOAP Services
- Try It!
- Finding and Exploiting SOAP Injection
- Hack Steps
- Preventing SOAP Injection
- Server-side HTTP Redirection
- Hack Steps
- NOTE
- Try It!
- HTTP Parameter Injection
- Try It!
- NOTE
- HTTP Parameter Pollution
- Try It!
- Attacks Against URL Translation
- Hack Steps
- E-mail Header Manipulation
- Figure 10-6: A typical site feedback form
- Figure 10-7: An e-mail header injection attack
- SMTP Command Injection
- NOTE
- Finding SMTP Injection Flaws
- Hack Steps
- TIP
- Preventing SMTP Injection
- The Nature of Logic Flaws
- Real-World Logic Flaws
- Example 1: Asking the Oracle
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- Example 2: Fooling a Password Change Function
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- NOTE
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- NOTE
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- NOTE
- The Functionality
- The Assumption
- The Attack
- TIP
- Hack Steps
- NOTE
- The Functionality
- The Assumption
- The Attack
- TIP
- TIP
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- The Functionality
- The Assumption
- The Attack
- Hack Steps
- Common Myth
- Common Myth
- Varieties of XSS
- Reflected XSS Vulnerabilities
- Figure 12-1: A dynamically generated error message
- Figure 12-2: A proof-of-concept XSS exploit
- Try It!
- NOTE
- Exploiting the Vulnerability
- Figure 12-3: The steps involved in a reflected XSS attack
- NOTE
- Stored XSS Vulnerabilities
- Figure 12-4: The steps involved in a stored XSS attack
- Try It!
- DOM-Based XSS Vulnerabilities
- Try It!
- Figure 12-5: The steps involved in a DOM-based XSS attack
- Real-World XSS Attacks
- Payloads for XSS Attacks
- Virtual Defacement
- Figure 12-6: A virtual defacement attack exploiting an XSS flaw
- Injecting Trojan Functionality
- Figure 12-7: A reflected XSS attack injecting Trojan functionality
- Inducing User Actions
- Exploiting Any Trust Relationships
- Common Myth
- Escalating the Client-Side Attack
- Delivery Mechanisms for XSS Attacks
- Delivering Reflected and DOM-Based XSS Attacks
- Delivering Stored XSS Attacks
- Chaining XSS and Other Attacks
- Common Myth
- Try It!
- Finding and Exploiting Reflected XSS Vulnerabilities
- Identifying Reflections of User Input
- Hack Steps
- Testing Reflections to Introduce Script
- Example 1: A Tag Attribute Value
- Example 2: A JavaScript String
- Example 3: An Attribute Containing a URL
- TIP
- Hack Steps
- Probing Defensive Filters
- Beating Signature-Based Filters
- Figure 12-8: An error message generated by ASP.NET's anti-XSS filters
- Ways of Introducing Script Code
- NOTE
- Script Tags
- Event Handlers
- Script Pseudo-Protocols
- Dynamically Evaluated Styles
- Bypassing Filters: HTML
- The Tag Name
- TIP
- Space Following the Tag Name
- Attribute Names
- Attribute Delimiters
- Try It!
- Attribute Values
- Tag Brackets
- TIP
- Character Sets
- Bypassing Filters: Script Code
- Using JavaScript Escaping
- Dynamically Constructing Strings
- Alternatives to eval
- Alternatives to Dots
- Combining Multiple Techniques
- Using VBScript
- Combining VBScript and JavaScript
- Using Encoded Scripts
- Try It!
- TIP
- TIP
- TIP
- Escalating an Attack to Other Application Pages
- Common Myth
- Modifying the Request Method
- Common Myth
- Exploiting XSS Via Cookies
- Exploiting XSS in the Referer Header
- Exploiting XSS in Nonstandard Request and Response Content
- Sending XML Requests Cross-Domain
- TIP
- TIP
- Executing JavaScript from Within XML Responses
- Attacking Browser XSS Filters
- Try It!
- Hack Steps
- TIP
- Testing for XSS in Web Mail Applications
- Testing for XSS in Uploaded Files
- Hybrid File Attacks
- XSS in Files Loaded Via Ajax
- TIP
- Hack Steps
- Try It!
- Try It!
- Try It!
- Common Myth
- Try It!
- Common Myth
- Preventing Reflected and Stored XSS
- Validate Input
- Validate Output
- Eliminate Dangerous Insertion Points
- Allowing Limited HTML
- Preventing DOM-Based XSS
- Validate Input
- Validate Output
- Inducing User Actions
- Request Forgery
- On-Site Request Forgery
- Try It!
- Hack Steps
- Cross-Site Request Forgery
- Try It!
- NOTE
- Exploiting CSRF Flaws
- Hack Steps
- TIP
- Authentication and CSRF
- Preventing CSRF Flaws
- NOTE
- Try It!
- WARNING
- Try It!
- Defeating Anti-CSRF Defenses Via XSS
- UI Redress
- Figure 13-1: A basic UI redress attack
- Try It!
- Framebusting Defenses
- Try It!
- Preventing UI Redress
- TIP
- Capturing Data by Injecting HTML
- Capturing Data by Injecting CSS
- JavaScript Hijacking
- Function Callbacks
- Try It!
- JSON
- Try It!
- Variable Assignment
- E4X
- Preventing JavaScript Hijacking
- The Same-Origin Policy and Browser Extensions
- The Same-Origin Policy and Flash
- Hack Steps
- The Same-Origin Policy and Silverlight
- The Same-Origin Policy and Java
- The Same-Origin Policy and HTML5
- Hack Steps
- Crossing Domains with Proxy Service Applications
- Figure 13-2: Google Translate can be used to request an external URL, and return its contents, with text in the response translated into a specified language
- HTTP Header Injection
- Exploiting Header Injection Vulnerabilities
- Hack Steps
- WARNING
- Try It!
- Injecting Cookies
- Delivering Other Attacks
- HTTP Response Splitting
- Figure 13-3: The steps involved in an HTTP response splitting attack that poisons a proxy server cache
- Preventing Header Injection Vulnerabilities
- Session Fixation
- Figure 13-4: The steps involved in a session fixation attack
- Finding and Exploiting Session Fixation Vulnerabilities
- Hack Steps
- Hack Steps
- Preventing Session Fixation Vulnerabilities
- Figure 13-5: The result of a rickrolling attack
- Finding and Exploiting Open Redirection Vulnerabilities
- Hack Steps
- Hack Steps
- Try It!
- NOTE
- Blocking of Absolute URLs
- Try It!
- Addition of an Absolute Prefix
- Try It!
- Try It!
- NOTE
- Persistent Cookies
- Hack Steps
- Try It!
- Cached Web Content
- Hack Steps
- Try It!
- Browsing History
- Hack Steps
- Try It!
- Autocomplete
- Hack Steps
- Try It!
- Flash Local Shared Objects
- Hack Steps
- Try It!
- Silverlight Isolated Storage
- Hack Steps
- Try It!
- Internet Explorer userData
- Hack Steps
- Try It!
- HTML5 Local Storage Mechanisms
- Preventing Local Privacy Attacks
- Finding ActiveX Vulnerabilities
- Figure 13-6: A control registered as safe for scripting
- Hack Steps
- Figure 13-7: COMRaider showing the methods of an ActiveX control
- Preventing ActiveX Vulnerabilities
- Logging Keystrokes
- Stealing Browser History and Search Queries
- Enumerating Currently Used Applications
- Port Scanning
- Attacking Other Network Hosts
- Exploiting Non-HTTP Services
- Exploiting Browser Bugs
- DNS Rebinding
- Browser Exploitation Frameworks
- NOTE
- Figure 13-8: Data captured from a compromised user by BeEF
- Figure 13-9: BeEF performing a port scan of a compromised user's computer
- Man-in-the-Middle Attacks
- Uses for Customized Automation
- Enumerating Valid Identifiers
- The Basic Approach
- Detecting Hits
- HTTP Status Code
- Response Length
- Response Body
- Location Header
- Set-Cookie Header
- Time Delays
- TIP
- Scripting the Attack
- TIP
- JAttack
- NOTE
- Try It!
- Try It!
- TIP
- NOTE
- TIP
- Try It!
- Positioning Payloads
- Figure 14-1: Positioning payloads
- Choosing Payloads
- Configuring Response Analysis
- Attack 1: Enumerating Identifiers
- Figure 14-2: Setting a custom payload position
- Figure 14-3: Configuring numeric payloads
- Figure 14-4: Sorting attack results to quickly identify hits
- Try It!
- TIP
- Attack 2: Harvesting Information
- Try It!
- Figure 14-5: Positioning the payload
- Figure 14-6: Configuring Extract Grep
- Figure 14-7: Cycling through function index values and extracting the title of each resulting page
- Attack 3: Application Fuzzing
- Figure 14-8: Configuring Burp Intruder to fuzz a login request
- Figure 14-9: Results from fuzzing a single request
- Try It!
- TIP
- Session-Handling Mechanisms
- Session-Handling Support in Burp Suite
- Cookie Jar
- Figure 14-10: The Burp Suite cookie jar
- Request Macros
- Figure 14-11: Recording a request macro in Burp Suite
- Figure 14-12: Configuring cookie and parameter handling for a macro item
- Session-Handling Rules
- Figure 14-13: Configuring the scope of a session-handling rule
- Figure 14-14: Configuring actions for a session-handling rule
- Figure 14-15: A set of session-handling rules to handle session termination and anti-CSRF tokens used by an application
- Figure 14-16: Burp's session handling tracer, which lets you monitor and debug your session handling rules
- Figure 14-17: A CAPTCHA puzzle
- Attacking CAPTCHA Implementations
- Try It!
- Try It!
- NOTE
- Automatically Solving CAPTCHA Puzzles
- Try It!
- Using Human Solvers
- Exploiting Error Messages
- Script Error Messages
- Stack Traces
- Informative Debug Messages
- Server and Database Messages
- Using Information Disclosure to Advance an Attack
- Cross-Site Scripting Attacks Within Error Messages
- Decryption Oracles in Information Disclosure
- Hack Steps
- TIP
- Using Public Information
- Hack Steps
- Engineering Informative Error Messages
- Try It
- Hack Steps
- Hack Steps
- Use Generic Error Messages
- Protect Sensitive Information
- Minimize Client-Side Information Leakage
- NOTE
- Buffer Overflow Vulnerabilities
- Stack Overflows
- Heap Overflows
- NOTE
- “Off-by-One” Vulnerabilities
- Detecting Buffer Overflow Vulnerabilities
- Hack Steps
- Integer Overflows
- Signedness Errors
- Detecting Integer Vulnerabilities
- Hack Steps
- Detecting Format String Vulnerabilities
- Hack Steps
- Tiered Architectures
- Attacking Tiered Architectures
- Exploiting Trust Relationships Between Tiers
- Subverting Other Tiers
- Accessing Decryption Algorithms
- NOTE
- Using File Read Access to Extract MySQL Data
- Figure 17-1: An application containing a function to view a selected file
- Figure 17-2: An attack that undercuts the database tier to retrieve arbitrary data
- TIP
- Using Local File Inclusion to Execute Commands
- Figure 17-3: Configuring a nickname containing server-executable script code
- Figure 17-4: Executing the session file containing the malicious nickname via the local file inclusion function
- Hack Steps
- Minimize Trust Relationships
- Segregate Different Components
- Apply Defense in Depth
- Virtual Hosting
- Shared Application Services
- Figure 17-5: The organization of a typical application service provider
- Attacking Shared Environments
- Attacks Against Access Mechanisms
- Attacks Between Applications
- Deliberate Backdoors
- TIP
- Attacks Between Vulnerable Applications
- Attacks Between ASP Application Components
- Hack Steps
- Attacking the Cloud
- Cloud Security from a Web Application Perspective
- NOTE
- Cloned Systems
- Migration of Management Tools to the Cloud
- Feature-First Approach
- Token-Based Access
- Web Storage
- Secure Customer Access
- Segregate Customer Functionality
- NOTE
- TIP
- Segregate Components in a Shared Application
- Vulnerable Server Configuration
- Default Credentials
- Table 18.1: Default Credentials on Some Common Administrative Interfaces
- Hack Steps
- Default Content
- Debug Functionality
- Figure 18-1: The default page phpinfo.php
- Sample Functionality
- Figure 18-2: The default Sessions Example script shipped with Apache Tomcat
- Powerful Functions
- Figure 18-3: Using Metasploit to compromise a vulnerable Tomcat server
- JMX
- Figure 18-4: The JMX console contains functionality allowing arbitrary WAR files to be deployed
- Figure 18-5: A successful attack using the JMX console to deploy a backdoor WAR file onto a JBoss server
- NOTE
- Oracle Applications
- Hack Steps
- Directory Listings
- Figure 18-6: A directory listing
- Hack Steps
- NOTE
- WebDAV Methods
- Try It!
- TIP
- Hack Steps
- The Application Server as a Proxy
- Hack Steps
- Misconfigured Virtual Hosting
- Hack Steps
- Securing Web Server Configuration
- Application Framework Flaws
- The .NET Padding Oracle
- The Padding Oracle
- NOTE
- WARNING
- Try It!
- Apache mod_isapi Dangling Pointer
- Microsoft IIS ISAPI Extensions
- Seven Years Later
- Apache Chunked Encoding Overflow
- Eight Years Later
- WebDAV Overflows
- Seven Years Later
- Apple iDisk Server Path Traversal
- Ruby WEBrick Web Server
- Java Web Server Directory Traversal
- Allaire JRun Directory Listing Vulnerability
- Eight Years Later
- Microsoft IIS Unicode Path Traversal Vulnerabilities
- Nine Years Later
- Oracle PL/SQL Exclusion List Bypasses
- Seven Years Later
- Choose Software with a Good Track Record
- Apply Vendor Patches
- Perform Security Hardening
- Monitor for New Vulnerabilities
- Use Defense-in-Depth
- Hack Steps
- Approaches to Code Review
- Black-Box Versus White-Box Testing
- Code Review Methodology
- NOTE
- Cross-Site Scripting
- SQL Injection
- Path Traversal
- Arbitrary Redirection
- OS Command Injection
- Backdoor Passwords
- Native Software Bugs
- Buffer Overflow Vulnerabilities
- Integer Vulnerabilities
- Format String Vulnerabilities
- Source Code Comments
- Identifying User-Supplied Data
- Table 19.1: APIs Used to Acquire User-Supplied Data on the Java Platform
- Session Interaction
- Table 19.2: APIs Used to Interact with the User's Session on the Java Platform
- Potentially Dangerous APIs
- File Access
- Database Access
- Dynamic Code Execution
- OS Command Execution
- URL Redirection
- Sockets
- Configuring the Java Environment
- Table 19.3: Security-Relevant Configuration Settings for the Java Environment
- Identifying User-Supplied Data
- Table 19.4: APIs Used to Acquire User-Supplied Data on the ASP.NET Platform
- Session Interaction
- Table 19.5: APIs Used to Interact with the User's Session on the ASP.NET Platform
- Potentially Dangerous APIs
- File Access
- Database Access
- Dynamic Code Execution
- OS Command Execution
- URL Redirection
- Sockets
- Configuring the ASP.NET Environment
- Table 19.6: Security-Relevant Configuration Settings for the ASP.NET Environment
- Identifying User-Supplied Data
- Table 19.7: Variables Used to Acquire User-Supplied Data on the PHP Platform
- Session Interaction
- Potentially Dangerous APIs
- File Access
- Table 19.8: Network Protocols That Can Be Used to Retrieve a Remote File
- Table 19.9: Methods That May Allow Access to Remote Files Even If allow_url_fopen Is Set to 0
- NOTE
- Database Access
- Dynamic Code Execution
- OS Command Execution
- URL Redirection
- Sockets
- File Access
- Configuring the PHP Environment
- Register Globals
- NOTE
- Safe Mode
- NOTE
- Magic Quotes
- NOTE
- Miscellaneous
- Table 19.10: Miscellaneous PHP Configuration Options
- Register Globals
- Identifying User-Supplied Data
- Table 19.11: CGI Query Members Used to Acquire User-Supplied Data
- Session Interaction
- Potentially Dangerous APIs
- File Access
- Database Access
- Dynamic Code Execution
- OS Command Execution
- URL Redirection
- Sockets
- Configuring the Perl Environment
- Table 19.12: JavaScript APIs That Read from DOM-Based Data
- SQL Injection
- NOTE
- Calls to Dangerous Functions
- Figure 19-1: Source Insight being used to search and browse the source code for a web application
- Web Browsers
- Internet Explorer
- NOTE
- Figure 20-1: HttpWatch analyzes the HTTP requests issued by Internet Explorer
- Firefox
- Chrome
- Internet Explorer
- Integrated Testing Suites
- How the Tools Work
- Intercepting Proxies
- Configuring Your Browser
- Figure 20-2: Editing an HTTP request on-the-fly using an intercepting proxy
- Working with Non-Proxy-Aware Clients
- Intercepting Proxies and HTTPS
- Figure 20-3: An intercepting proxy lets you view and modify HTTPS communications
- Figure 20-4: Using an intercepting proxy with HTTPS communications generates a warning in the attacker's browser
- Common Features of Intercepting Proxies
- Figure 20-5: Burp proxy supports configuration of fine-grained rules for intercepting requests and responses
- Figure 20-6: The proxy history, allowing you to view, filter, search, and annotate requests and responses made via the proxy
- Configuring Your Browser
- Intercepting Proxies
- Web Application Spiders
- Figure 20-7: The results of passive application spidering, where items in gray have been identified passively but not yet requested
- Figure 20-8: Burp Spider prompting for user guidance when submitting forms
- Web Application Fuzzers
- Figure 20-9: The results of a fuzzing exercise using Burp Intruder
- Web Vulnerability Scanners
- Figure 20-10: The results of live scanning as you browse with Burp Scanner
- Manual Request Tools
- Figure 20-11: A request being reissued manually using Burp Repeater
- Session Token Analyzers
- Figure 20-12: Using Burp Sequencer to test the randomness properties of an application's session token
- Shared Functions and Utilities
- Figure 20-13: Requests and responses can be analyzed into their HTTP structure and parameters
- How the Tools Work
- Figure 20-14: A typical work flow for using an integrated testing suite
- Tamper Data
- Figure 20-15: Tamper Data lets you modify HTTP request details within Firefox
- TamperIE
- Figure 20-16: TamperIE lets you modify HTTP request details within Internet Explorer
- Vulnerabilities Detected by Scanners
- Inherent Limitations of Scanners
- Every Web Application Is Different
- Scanners Operate on Syntax
- Scanners Do Not Improvise
- Scanners Are Not Intuitive
- Technical Challenges Faced by Scanners
- Authentication and Session Handling
- Dangerous Effects
- Individuating Functionality
- Other Challenges to Automation
- Current Products
- Table 20.1: Vulnerability Detection Performance and Prices of Different Scanners According to the UCSB Study
- Using a Vulnerability Scanner
- Fully Automated Versus User-Directed Scanning
- Wikto/Nikto
- Firebug
- Hydra
- Custom Scripts
- Try It!
- Wget
- Curl
- Try It!
- Netcat
- Stunnel
- Figure 21-1: The main areas of work involved in the methodology
- General Guidelines
- 1 Map the Application's Content
- Figure 21-2: Mapping the application's content
- 1.1 Explore Visible Content
- 1.2 Consult Public Resources
- 1.3 Discover Hidden Content
- 1.4 Discover Default Content
- 1.5 Enumerate Identifier-Specified Functions
- 1.6 Test for Debug Parameters
- 2 Analyze the Application
- Figure 21-3: Analyzing the application
- 2.1 Identify Functionality
- 2.2 Identify Data Entry Points
- 2.3 Identify the Technologies Used
- 2.4 Map the Attack Surface
- 3 Test Client-Side Controls
- Figure 21-4: Testing client-side controls
- 3.1 Test Transmission of Data Via the Client
- 3.2 Test Client-Side Controls Over User Input
- 3.3 Test Browser Extension Components
- 3.3.1 Understand the Client Application's Operation
- 3.3.2 Decompile the Client
- 3.3.3 Attach a Debugger
- 3.3.4 Test ActiveX Controls
- Figure 21-5: Testing the authentication mechanism
- 4.1 Understand the Mechanism
- 4.2 Test Password Quality
- 4.3 Test for Username Enumeration
- 4.4 Test Resilience to Password Guessing
- 4.5 Test Any Account Recovery Function
- 4.6 Test Any Remember Me Function
- 4.7 Test Any Impersonation Function
- 4.8 Test Username Uniqueness
- 4.9 Test Predictability of Autogenerated Credentials
- 4.10 Check for Unsafe Transmission of Credentials
- 4.11 Check for Unsafe Distribution of Credentials
- 4.12 Test for Insecure Storage
- 4.13 Test for Logic Flaws
- 4.13.1 Test for Fail-Open Conditions
- 4.13.2 Test Any Multistage Mechanisms
- 4.14 Exploit Any Vulnerabilities to Gain Unauthorized Access
- Figure 21-6: Testing the session management mechanism
- 5.1 Understand the Mechanism
- 5.2 Test Tokens for Meaning
- 5.3 Test Tokens for Predictability
- 5.4 Check for Insecure Transmission of Tokens
- 5.5 Check for Disclosure of Tokens in Logs
- 5.6 Check Mapping of Tokens to Sessions
- 5.7 Test Session Termination
- 5.8 Check for Session Fixation
- 5.9 Check for CSRF
- 5.10 Check Cookie Scope
- Figure 21-7: Testing access controls
- 6.1 Understand the Access Control Requirements
- 6.2 Test with Multiple Accounts
- 6.3 Test with Limited Access
- 6.4 Test for Insecure Access Control Methods
- Figure 21-8: Testing for input-based vulnerabilities
- 7.1 Fuzz All Request Parameters
- 7.2 Test for SQL Injection
- 7.3 Test for XSS and Other Response Injection
- 7.3.1 Identify Reflected Request Parameters
- 7.3.2 Test for Reflected XSS
- 7.3.3 Test for HTTP Header Injection
- 7.3.4 Test for Open Redirection
- 7.3.5 Test for Stored Attacks
- 7.4 Test for OS Command Injection
- 7.5 Test for Path Traversal
- 7.6 Test for Script Injection
- 7.7 Test for File Inclusion
- Figure 21-9: Testing for functionality-specific input vulnerabilities
- 8.1 Test for SMTP Injection
- 8.2 Test for Native Software Vulnerabilities
- 8.2.1 Test for Buffer Overflows
- 8.2.2 Test for Integer Vulnerabilities
- 8.2.3 Test for Format String Vulnerabilities
- 8.3 Test for SOAP Injection
- 8.4 Test for LDAP Injection
- 8.5 Test for XPath Injection
- 8.6 Test for Back-End Request Injection
- 8.7 Test for XXE Injection
- Figure 21-10: Testing for logic flaws
- 9.1 Identify the Key Attack Surface
- 9.2 Test Multistage Processes
- 9.3 Test Handling of Incomplete Input
- 9.4 Test Trust Boundaries
- 9.5 Test Transaction Logic
- Figure 21-11: Testing for shared hosting vulnerabilities
- 10.1 Test Segregation in Shared Infrastructures
- 10.2 Test Segregation Between ASP-Hosted Applications
- Figure 21-12: Testing for web server vulnerabilities
- 11.1 Test for Default Credentials
- 11.2 Test for Default Content
- 11.3 Test for Dangerous HTTP Methods
- 11.4 Test for Proxy Functionality
- 11.5 Test for Virtual Hosting Misconfiguration
- 11.6 Test for Web Server Software Bugs
- 11.7 Test for Web Application Firewalling
- Figure 21-13: Miscellaneous checks
- 12.1 Check for DOM-Based Attacks
- 12.2 Check for Local Privacy Vulnerabilities
- 12.3 Check for Weak SSL Ciphers
- 12.4 Check Same-Origin Policy Configuration
- Index