Book description
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.
The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking one means applying general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.
The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hacking tools.
Table of contents
- Copyright
- About the Authors
- Credits
- Acknowledgments
- Introduction
- 1. Web Application (In)Security
- 2. Core Defense Mechanisms
- 3. Web Application Technologies
- 4. Mapping the Application
  - 4.1. Enumerating Content and Functionality
  - 4.2. Analyzing the Application
  - 4.3. Chapter Summary
  - 4.4. Questions
- 5. Bypassing Client-Side Controls
- 6. Attacking Authentication
  - 6.1. Authentication Technologies
  - 6.1. Design Flaws in Authentication Mechanisms
    - 6.1.1. Bad Passwords
    - 6.1.2. Brute-Forcible Login
    - 6.1.3. Verbose Failure Messages
    - 6.1.4. Vulnerable Transmission of Credentials
    - 6.1.5. Password Change Functionality
    - 6.1.6. Forgotten Password Functionality
    - 6.1.7. "Remember Me" Functionality
    - 6.1.8. User Impersonation Functionality
    - 6.1.9. Incomplete Validation of Credentials
    - 6.1.10. Non-Unique Usernames
    - 6.1.11. Predictable Usernames
    - 6.1.12. Predictable Initial Passwords
    - 6.1.13. Insecure Distribution of Credentials
  - 6.2. Implementation Flaws in Authentication
  - 6.3. Securing Authentication
    - 6.3.1. Use Strong Credentials
    - 6.3.2. Handle Credentials Secretively
    - 6.3.3. Validate Credentials Properly
    - 6.3.4. Prevent Information Leakage
    - 6.3.5. Prevent Brute-Force Attacks
    - 6.3.6. Prevent Misuse of the Password Change Function
    - 6.3.7. Prevent Misuse of the Account Recovery Function
    - 6.3.8. Log, Monitor, and Notify
  - 6.4. Chapter Summary
  - 6.5. Questions
- 7. Attacking Session Management
  - 7.1. The Need for State
  - 7.2. Weaknesses in Session Token Generation
  - 7.3. Weaknesses in Session Token Handling
  - 7.4. Securing Session Management
  - 7.5. Chapter Summary
  - 7.6. Questions
- 8. Attacking Access Controls
- 9. Injecting Code
  - 9.1. Injecting into Interpreted Languages
  - 9.1. Injecting into SQL
    - 9.1.1. Exploiting a Basic Vulnerability
    - 9.1.2. Bypassing a Login
    - 9.1.3. Finding SQL Injection Bugs
    - 9.1.4. Injecting into Different Statement Types
    - 9.1.5. The UNION Operator
    - 9.1.6. Fingerprinting the Database
    - 9.1.7. Extracting Useful Data
    - 9.1.8. Exploiting ODBC Error Messages (MS-SQL Only)
    - 9.1.9. Bypassing Filters
    - 9.1.10. Second-Order SQL Injection
    - 9.1.11. Advanced Exploitation
    - 9.1.12. Beyond SQL Injection: Escalating the Database Attack
    - 9.1.13. SQL Syntax and Error Reference
    - 9.1.14. Preventing SQL Injection
  - 9.2. Injecting OS Commands
  - 9.3. Injecting into Web Scripting Languages
  - 9.4. Injecting into SOAP
  - 9.5. Injecting into XPath
  - 9.6. Injecting into SMTP
  - 9.7. Injecting into LDAP
  - 9.8. Chapter Summary
  - 9.9. Questions
- 10. Exploiting Path Traversal
- 11. Attacking Application Logic
  - 11.1. The Nature of Logic Flaws
  - 11.1. Real-World Logic Flaws
    - 11.1.1. Example 1: Fooling a Password Change Function
    - 11.1.2. Example 2: Proceeding to Checkout
    - 11.1.3. Example 3: Rolling Your Own Insurance
    - 11.1.4. Example 4: Breaking the Bank
    - 11.1.5. Example 5: Erasing an Audit Trail
    - 11.1.6. Example 6: Beating a Business Limit
    - 11.1.7. Example 7: Cheating on Bulk Discounts
    - 11.1.8. Example 8: Escaping from Escaping
    - 11.1.9. Example 9: Abusing a Search Function
    - 11.1.10. Example 10: Snarfing Debug Messages
    - 11.1.11. Example 11: Racing against the Login
  - 11.2. Avoiding Logic Flaws
  - 11.3. Chapter Summary
  - 11.4. Questions
- 12. Attacking Other Users
  - 12.1. Cross-Site Scripting
    - 12.1. Reflected XSS Vulnerabilities
    - 12.2. Stored XSS Vulnerabilities
    - 12.3. DOM-Based XSS Vulnerabilities
    - 12.4. Real-World XSS Attacks
    - 12.5. Chaining XSS and Other Attacks
    - 12.6. Payloads for XSS Attacks
    - 12.7. Delivery Mechanisms for XSS Attacks
    - 12.8. Finding and Exploiting XSS Vulnerabilities
      - 12.8.1. Finding and Exploiting Reflected XSS Vulnerabilities
        - 12.8.1.1. Example 1
        - 12.8.1.2. Example 2
        - 12.8.1.3. Example 3
        - 12.8.1.4. Other Entry Points for JavaScript
        - 12.8.1.5. Beating Signature-Based Filters
        - 12.8.1.6. Beating Sanitization
        - 12.8.1.7. Beating Length Limits
        - 12.8.1.8. Modifying the Request Method
        - 12.8.1.9. Using Nonstandard Content Encoding
        - 12.8.1.10. UTF-7
        - 12.8.1.11. US-ASCII
        - 12.8.1.12. UTF-16
      - 12.8.2. Finding and Exploiting Stored XSS Vulnerabilities
      - 12.8.3. Finding and Exploiting DOM-Based XSS Vulnerabilities
    - 12.9. HttpOnly Cookies and Cross-Site Tracing
    - 12.10. Preventing XSS Attacks
  - 12.2. Redirection Attacks
  - 12.3. HTTP Header Injection
  - 12.4. Frame Injection
  - 12.5. Request Forgery
  - 12.6. JSON Hijacking
  - 12.7. Session Fixation
  - 12.8. Attacking ActiveX Controls
  - 12.9. Local Privacy Attacks
  - 12.10. Advanced Exploitation Techniques
  - 12.11. Chapter Summary
  - 12.12. Questions
- 13. Automating Bespoke Attacks
- 14. Exploiting Information Disclosure
- 15. Attacking Compiled Applications
- 16. Attacking Application Architecture
- 17. Attacking the Web Server
  - 17.1. Vulnerable Web Server Configuration
  - 17.2. Vulnerable Web Server Software
  - 17.3. Chapter Summary
  - 17.4. Questions
- 18. Finding Vulnerabilities in Source Code
  - 18.1. Approaches to Code Review
  - 18.2. Signatures of Common Vulnerabilities
  - 18.3. The Java Platform
  - 18.4. ASP.NET
  - 18.5. PHP
  - 18.6. Perl
  - 18.7. JavaScript
  - 18.8. Database Code Components
  - 18.9. Tools for Code Browsing
  - 18.10. Chapter Summary
  - 18.11. Questions
- 19. A Web Application Hacker's Toolkit
  - 19.1. Web Browsers
  - 19.2. Integrated Testing Suites
  - 19.3. Vulnerability Scanners
  - 19.4. Other Tools
  - 19.5. Chapter Summary
- 20. A Web Application Hacker's Methodology
  - 20.1. Map the Application's Content
  - 20.2. Analyze the Application
  - 20.3. Test Client-Side Controls
  - 20.4. Test the Authentication Mechanism
    - 20.4.1. Understand the Mechanism
    - 20.4.2. Test Password Quality
    - 20.4.3. Test for Username Enumeration
    - 20.4.4. Test Resilience to Password Guessing
    - 20.4.5. Test Any Account Recovery Function
    - 20.4.6. Test Any Remember Me Function
    - 20.4.7. Test Any Impersonation Function
    - 20.4.8. Test Username Uniqueness
    - 20.4.9. Test Predictability of Auto-Generated Credentials
    - 20.4.10. Check for Unsafe Transmission of Credentials
    - 20.4.11. Check for Unsafe Distribution of Credentials
    - 20.4.12. Test for Logic Flaws
    - 20.4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access
  - 20.5. Test the Session Management Mechanism
    - 20.5.1. Understand the Mechanism
    - 20.5.2. Test Tokens for Meaning
    - 20.5.3. Test Tokens for Predictability
    - 20.5.4. Check for Insecure Transmission of Tokens
    - 20.5.5. Check for Disclosure of Tokens in Logs
    - 20.5.6. Check Mapping of Tokens to Sessions
    - 20.5.7. Test Session Termination
    - 20.5.8. Check for Session Fixation
    - 20.5.9. Check for XSRF
    - 20.5.10. Check Cookie Scope
  - 20.6. Test Access Controls
  - 20.7. Test for Input-Based Vulnerabilities
  - 20.8. Test for Function-Specific Input Vulnerabilities
  - 20.9. Test for Logic Flaws
  - 20.10. Test for Shared Hosting Vulnerabilities
  - 20.11. Test for Web Server Vulnerabilities
  - 20.12. Miscellaneous Checks
Product information
- Title: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
- Author(s):
- Release date: October 2007
- Publisher(s): Wiley
- ISBN: 9780470170779