O'Reilly logo

Network Security Assessment, 2nd Edition by Chris McNab

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Chapter 7. Assessing Web Applications

This chapter details assessment of web applications found running on web servers. A number of technologies and platforms are used by organizations to run and support web applications, including Microsoft ASP.NET, Sun JSP, and PHP. Upon performing web server assessment and crawling to identify web application components and variables, we can perform deep manual web application testing to compromise backend server components through command injection and other attacks.

Web Application Technologies Overview

Web applications are built and delivered using technologies and protocols across three layers:

  • Presentation tier

  • Application tier

  • Data tier

Figure 7-1 (as prepared by the OWASP team) shows these layers and associated web browser, web server, application server, and database technologies, along with the protocols that allow data to be exchanged between tiers.

Web application tiers, technologies, and protocols
Figure 7-1. Web application tiers, technologies, and protocols

Vulnerabilities can exist in any of these tiers, so it is important to ensure that even small exposures can’t be combined to result in a compromise. From a secure design and development perspective, you must filter and control data flow between the three tiers.

Fingerprinting and assessment of web servers is covered in Chapter 6. In this chapter we detail fingerprinting of application server and backend database components, and assessment ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required