book

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

Name: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
ISBN: 9780470170779

by Dafydd Stuttard, Marcus Pinto

October 2007

Intermediate to advanced

768 pages

19h 19m

English

Wiley

Read now

Unlock full access

Copyright
About the Authors
Credits
Acknowledgments
Introduction
Overview of This BookWho Should Read This BookHow This Book Is OrganizedTools You Will NeedWhat's on the Web SiteBring It On
1. Web Application (In)Security
1.1. The Evolution of Web Applications1.1.1. Common Web Application Functions1.1.2. Benefits of Web Applications1.2. Web Application Security1.2.1. "This Site Is Secure"1.2.2. The Core Security Problem: Users Can Submit Arbitrary Input1.2.3. Key Problem Factors1.2.3.1. Immature Security Awareness1.2.3.2. In-House Development1.2.3.3. Deceptive Simplicity1.2.3.4. Rapidly Evolving Threat Profile1.2.3.5. Resource and Time Constraints1.2.3.6. Overextended Technologies1.2.4. The New Security Perimeter1.2.5. The Future of Web Application Security1.3. Chapter Summary
2. Core Defense Mechanisms
2.1. Handling User Access2.1. Authentication2.1.1. Session Management2.1.2. Access Control2.2. Handling User Input2.2.1. Varieties of Input2.2.2. Approaches to Input Handling2.2.2.1. "Reject Known Bad"2.2.2.2. "Accept Known Good"2.2.2.3. Sanitization2.2.2.4. Safe Data Handling2.2.2.5. Semantic Checks2.2.3. Boundary Validation2.2.4. Multistep Validation and Canonicalization2.3. Handling Attackers2.3.1. Handling Errors2.3.2. Maintaining Audit Logs2.3.3. Alerting Administrators2.3.4. Reacting to Attacks2.4. Managing the Application2.5. Chapter Summary2.6. Questions
3. Web Application Technologies
3.1. The HTTP Protocol3.1. HTTP Requests3.1.1. HTTP Responses3.1.2. HTTP Methods3.1.3. URLs3.1.4. HTTP Headers3.1.4.1. General Headers3.1.4.2. Request Headers3.1.4.3. Response Headers3.1.5. Cookies3.1.6. Status Codes3.1.7. HTTPS3.1.8. HTTP Proxies3.1.9. HTTP Authentication3.2. Web Functionality3.2.1. Server-Side Functionality3.2.1.1. The Java Platform3.2.1.2. ASP.NET3.2.1.3. PHP3.2.2. Client-Side Functionality3.2.2.1. HTML3.2.2.2. Hyperlinks3.2.2.3. Forms3.2.2.4. JavaScript3.2.2.5. Thick Client Components3.2.3. State and Sessions3.3. Encoding Schemes3.3.1. URL Encoding3.3.2. Unicode Encoding3.3.3. HTML Encoding3.3.4. Base64 Encoding3.3.5. Hex Encoding3.4. Next Steps3.5. Questions
4. Mapping the Application
4.1. Enumerating Content and Functionality4.1. Web Spidering4.1.1. User-Directed Spidering4.1.2. Discovering Hidden Content4.1.2.1. Brute-Force Techniques4.1.2.2. Inference from Published Content4.1.2.3. Use of Public Information4.1.2.4. Leveraging the Web Server4.1.3. Application Pages vs. Functional Paths4.1.4. Discovering Hidden Parameters4.2. Analyzing the Application4.2.1. Identifying Entry Points for User Input4.2.2. Identifying Server-Side Technologies4.2.2.1. Banner Grabbing4.2.2.2. HTTP Fingerprinting4.2.2.3. File Extensions4.2.2.4. Directory Names4.2.2.5. Session Tokens4.2.2.6. Third-Party Code Components4.2.3. Identifying Server-Side Functionality4.2.3.1. Dissecting Requests4.2.3.2. Extrapolating Application Behavior4.2.4. Mapping the Attack Surface4.3. Chapter Summary4.4. Questions
5. Bypassing Client-Side Controls
5.1. Transmitting Data via the Client5.1. Hidden Form Fields5.1.1. HTTP Cookies5.1.2. URL Parameters5.1.3. The Referer Header5.1.4. Opaque Data5.1.5. The ASP.NET ViewState5.2. Capturing User Data: HTML Forms5.2.1. Length Limits5.2.2. Script-Based Validation5.2.3. Disabled Elements5.3. Capturing User Data: Thick-Client Components5.3.1. Java Applets5.3.1.1. Decompiling Java Bytecode5.3.1.2. Coping with Bytecode Obfuscation5.3.2. ActiveX Controls5.3.2.1. Reverse Engineering5.3.2.2. Manipulating Exported Functions5.3.2.3. Fixing Inputs Processed by Controls5.3.2.4. Decompiling Managed Code5.3.3. Shockwave Flash Objects5.4. Handling Client-Side Data Securely5.4.1. Transmitting Data via the Client5.4.2. Validating Client-Generated Data5.4.3. Logging and Alerting5.5. Chapter Summary5.6. Questions

6. Attacking Authentication
6.1. Authentication Technologies6.1. Design Flaws in Authentication Mechanisms6.1.1. Bad Passwords6.1.2. Brute-Forcible Login6.1.3. Verbose Failure Messages6.1.4. Vulnerable Transmission of Credentials6.1.5. Password Change Functionality6.1.6. Forgotten Password Functionality6.1.7. "Remember Me" Functionality6.1.8. User Impersonation Functionality6.1.9. Incomplete Validation of Credentials6.1.10. Non-Unique Usernames6.1.11. Predictable Usernames6.1.12. Predictable Initial Passwords6.1.13. Insecure Distribution of Credentials6.2. Implementation Flaws in Authentication6.2.1. Fail-Open Login Mechanisms6.2.2. Defects in Multistage Login Mechanisms6.2.3. Insecure Storage of Credentials6.3. Securing Authentication6.3.1. Use Strong Credentials6.3.2. Handle Credentials Secretively6.3.3. Validate Credentials Properly6.3.4. Prevent Information Leakage6.3.5. Prevent Brute-Force Attacks6.3.6. Prevent Misuse of the Password Change Function6.3.7. Prevent Misuse of the Account Recovery Function6.3.8. Log, Monitor, and Notify6.4. Chapter Summary6.5. Questions
7. Attacking Session Management
7.1. The Need for State7.1. Alternatives to Sessions7.2. Weaknesses in Session Token Generation7.2.1. Meaningful Tokens7.2.2. Predictable Tokens7.2.2.1. Concealed Sequences7.2.2.2. Time Dependency7.2.2.3. Weak Random Number Generation7.2.2.3.1. Full-Blown Tests for Randomness7.3. Weaknesses in Session Token Handling7.3.1. Disclosure of Tokens on the Network7.3.2. Disclosure of Tokens in Logs7.3.3. Vulnerable Mapping of Tokens to Sessions7.3.4. Vulnerable Session Termination7.3.5. Client Exposure to Token Hijacking7.3.6. Liberal Cookie Scope7.3.6.1. Cookie Domain Restrictions7.3.6.2. Cookie Path Restrictions7.4. Securing Session Management7.4.1. Generate Strong Tokens7.4.2. Protect Tokens throughout Their Lifecycle7.4.2.1. Per-Page Tokens7.4.3. Log, Monitor, and Alert7.4.3.1. Reactive Session Termination7.5. Chapter Summary7.6. Questions
8. Attacking Access Controls
8.1. Common Vulnerabilities8.1. Completely Unprotected Functionality8.1.1. Identifier-Based Functions8.1.2. Multistage Functions8.1.3. Static Files8.1.4. Insecure Access Control Methods8.2. Attacking Access Controls8.3. Securing Access Controls8.3.1. A Multi-Layered Privilege Model8.4. Chapter Summary8.5. Questions
9. Injecting Code
9.1. Injecting into Interpreted Languages9.1. Injecting into SQL9.1.1. Exploiting a Basic Vulnerability9.1.2. Bypassing a Login9.1.3. Finding SQL Injection Bugs9.1.3.1.9.1.3.1.1. String Data9.1.3.1.2. Numeric Data9.1.4. Injecting into Different Statement Types9.1.4.1.9.1.4.1.1. SELECT Statements9.1.4.1.2. INSERT Statements9.1.4.1.3. UPDATE Statements9.1.4.1.4. DELETE Statements9.1.5. The UNION Operator9.1.6. Fingerprinting the Database9.1.7. Extracting Useful Data9.1.7.1. An Oracle Hack9.1.7.2. An MS-SQL Hack9.1.8. Exploiting ODBC Error Messages (MS-SQL Only)9.1.8.1. Enumerating Table and Column Names9.1.8.2. Extracting Arbitrary Data9.1.8.3. Using Recursion9.1.9. Bypassing Filters9.1.9.1.9.1.9.1.1. Avoiding Blocked Characters9.1.9.1.2. Circumventing Simple Validation9.1.9.1.3. Using SQL Comments9.1.9.1.4. Manipulating Blocked Strings9.1.9.1.5. Using Dynamic Execution9.1.9.1.6. Exploiting Defective Filters9.1.10. Second-Order SQL Injection9.1.11. Advanced Exploitation9.1.11.1. Retrieving Data as Numbers9.1.11.2. Using an Out-of-Band Channel9.1.11.2.1. MS-SQL9.1.11.2.2. Oracle9.1.11.2.3. MySQL9.1.11.2.4. Leveraging the Operating System9.1.11.3. Using Inference: Conditional Responses9.1.11.3.1. Absinthe9.1.11.3.2. Inducing Conditional Errors9.1.11.3.3. Using Time Delays9.1.12. Beyond SQL Injection: Escalating the Database Attack9.1.12.1. MS-SQL9.1.12.2. Oracle9.1.12.3. MySQL9.1.13. SQL Syntax and Error Reference9.1.13.1. SQL Syntax9.1.13.2. SQL Error Messages9.1.14. Preventing SQL Injection9.1.14.1. Partially Effective Measures9.1.14.2. Parameterized Queries9.1.14.3. Defense in Depth9.2. Injecting OS Commands9.2.1. Example 1: Injecting via Perl9.2.2. Example 2: Injecting via ASP9.2.3. Finding OS Command Injection Flaws9.2.4. Preventing OS Command Injection9.3. Injecting into Web Scripting Languages9.3.1. Dynamic Execution Vulnerabilities9.3.1.1. Dynamic Execution in PHP9.3.1.2. Dynamic Execution in ASP9.3.1.3. Finding Dynamic Execution Vulnerabilities9.3.2. File Inclusion Vulnerabilities9.3.2.1. Remote File Inclusion9.3.2.2. Local File Inclusion9.3.2.3. Finding File Inclusion Vulnerabilities9.3.3. Preventing Script Injection Vulnerabilities9.4. Injecting into SOAP9.4.1. Finding and Exploiting SOAP Injection9.4.2. Preventing SOAP Injection9.5. Injecting into XPath9.5.1. Subverting Application Logic9.5.2. Informed XPath Injection9.5.3. Blind XPath Injection9.5.4. Finding XPath Injection Flaws9.5.5. Preventing XPath Injection9.6. Injecting into SMTP9.6.1. Email Header Manipulation9.6.2. SMTP Command Injection9.6.3. Finding SMTP Injection Flaws9.6.4. Preventing SMTP Injection9.7. Injecting into LDAP9.7.1. Injecting Query Attributes9.7.2. Modifying the Search Filter9.7.3. Finding LDAP Injection Flaws9.7.4. Preventing LDAP Injection9.8. Chapter Summary9.9. Questions
10. Exploiting Path Traversal
10.1. Common Vulnerabilities10.1. Finding and Exploiting Path Traversal Vulnerabilities10.1.1. Locating Targets for Attack10.1.2. Detecting Path Traversal Vulnerabilities10.1.3. Circumventing Obstacles to Traversal Attacks10.1.3.1. Coping with Custom Encoding10.1.4. Exploiting Traversal Vulnerabilities10.2. Preventing Path Traversal Vulnerabilities10.3. Chapter Summary10.4. Questions
11. Attacking Application Logic
11.1. The Nature of Logic Flaws11.1. Real-World Logic Flaws11.1.1. Example 1: Fooling a Password Change Function11.1.1.1. The Functionality11.1.1.2. The Assumption11.1.1.3. The Attack11.1.2. Example 2: Proceeding to Checkout11.1.2.1. The Functionality11.1.2.2. The Assumption11.1.2.3. The Attack11.1.3. Example 3: Rolling Your Own Insurance11.1.3.1. The Functionality11.1.3.2. The Assumption11.1.3.3. The Attack11.1.4. Example 4: Breaking the Bank11.1.4.1. The Functionality11.1.4.2. The Assumption11.1.4.3. The Attack11.1.5. Example 5: Erasing an Audit Trail11.1.5.1. The Functionality11.1.5.2. The Assumption11.1.5.3. The Attack11.1.6. Example 6: Beating a Business Limit11.1.6.1. The Functionality11.1.6.2. The Assumption11.1.6.3. The Attack11.1.7. Example 7: Cheating on Bulk Discounts11.1.7.1. The Functionality11.1.7.2. The Assumption11.1.7.3. The Attack11.1.8. Example 8: Escaping from Escaping11.1.8.1. The Functionality11.1.8.2. The Assumption11.1.8.3. The Attack11.1.9. Example 9: Abusing a Search Function11.1.9.1. The Functionality11.1.9.2. The Assumption11.1.9.3. The Attack11.1.10. Example 10: Snarfing Debug Messages11.1.10.1. The Functionality11.1.10.2. The Assumption11.1.10.3. The Attack11.1.11. Example 11: Racing against the Login11.1.11.1. The Functionality11.1.11.2. The Assumption11.1.11.3. The Attack11.2. Avoiding Logic Flaws11.3. Chapter Summary11.4. Questions
12. Attacking Other Users
12.1. Cross-Site Scripting12.1. Reflected XSS Vulnerabilities12.1.1. Exploiting the Vulnerability12.2. Stored XSS Vulnerabilities12.2.1. Storing XSS in Uploaded Files12.3. DOM-Based XSS Vulnerabilities12.4. Real-World XSS Attacks12.5. Chaining XSS and Other Attacks12.6. Payloads for XSS Attacks12.6.1. Virtual Defacement12.6.2. Injecting Trojan Functionality12.6.3. Inducing User Actions12.6.4. Exploiting Any Trust Relationships12.6.5. Escalating the Client-Side Attack12.6.5.1. Log Keystrokes12.6.5.2. Capture Clipboard Contents12.6.5.3. Steal History and Search Queries12.6.5.4. Enumerate Currently Used Applications12.6.5.5. Port Scan the Local Network12.6.5.6. Attack Other Network Hosts12.6.5.7. Exploit Browser Vulnerabilities12.7. Delivery Mechanisms for XSS Attacks12.7.1. Delivering Reflected and DOM-Based XSS Attacks12.7.2. Delivering Stored XSS Attacks12.8. Finding and Exploiting XSS Vulnerabilities12.8.1. Finding and Exploiting Reflected XSS Vulnerabilities12.8.1.1. Example 112.8.1.2. Example 212.8.1.3. Example 312.8.1.4. Other Entry Points for JavaScript12.8.1.5. Beating Signature-Based Filters12.8.1.6. Beating Sanitization12.8.1.7. Beating Length Limits12.8.1.8. Modifying the Request Method12.8.1.9. Using Nonstandard Content Encoding12.8.1.10. UTF-7:12.8.1.11. US-ASCII:12.8.1.12. UTF-16:12.8.2. Finding and Exploiting Stored XSS Vulnerabilities12.8.3. Finding and Exploiting DOM-Based XSS Vulnerabilities12.9. HttpOnly Cookies and Cross-Site Tracing12.10. Preventing XSS Attacks12.10.1. Preventing Reflected and Stored XSS12.10.1.1. Validate Input12.10.1.2. Validate Output12.10.1.3. Eliminate Dangerous Insertion Points12.10.2. Preventing DOM-Based XSS12.10.2.1. Validate Input12.10.2.2. Validate Output12.10.3. Preventing XST12.2. Redirection Attacks12.2.1. Finding and Exploiting Redirection Vulnerabilities12.2.1.1. Circumventing Obstacles to Attack12.2.1.1.1. Blocking of Absolute URLs12.2.1.1.2. Addition of an Absolute Prefix12.2.2. Preventing Redirection Vulnerabilities12.3. HTTP Header Injection12.3.1. Exploiting Header Injection Vulnerabilities12.3.1.1. Injecting Cookies12.3.1.2. Delivering Other Attacks12.3.1.3. HTTP Response Splitting12.3.2. Preventing Header Injection Vulnerabilities12.4. Frame Injection12.4.1. Exploiting Frame Injection12.4.1.1. Preventing Frame Injection12.5. Request Forgery12.5.1. On-Site Request Forgery12.5.2. Cross-Site Request Forgery12.5.2.1. Exploiting XSRF Flaws12.5.2.2. Preventing XSRF Flaws12.5.2.2.1. Defeating Anti-XSRF Defenses via XSS12.6. JSON Hijacking12.6.1. JSON12.6.2. Attacks against JSON12.6.2.1. Overriding the Array Constructor12.6.2.2. Implementing a Callback Function12.6.3. Finding JSON Hijacking Vulnerabilities12.6.4. Preventing JSON Hijacking12.7. Session Fixation12.7.1. Finding and Exploiting Session Fixation Vulnerabilities12.7.2. Preventing Session Fixation Vulnerabilities12.8. Attacking ActiveX Controls12.8.1. Finding ActiveX Vulnerabilities12.8.2. Preventing ActiveX Vulnerabilities12.9. Local Privacy Attacks12.9.1. Persistent Cookies12.9.2. Cached Web Content12.9.3. Browsing History12.9.4. Autocomplete12.9.5. Preventing Local Privacy Attacks12.10. Advanced Exploitation Techniques12.10.1. Leveraging Ajax12.10.1.1. Making Asynchronous Off-Site Requests12.10.2. Anti-DNS Pinning12.10.2.1. A Hypothetical Attack12.10.2.2. DNS Pinning12.10.2.3. Attacks against DNS Pinning12.10.3. Browser Exploitation Frameworks12.11. Chapter Summary12.12. Questions
13. Automating Bespoke Attacks
13.1. Uses for Bespoke Automation13.1. Enumerating Valid Identifiers13.1.1. The Basic Approach13.1.2. Detecting Hits13.1.2.1. HTTP Status Code13.1.2.2. Response Length13.1.2.3. Response Body13.1.2.4. Location Header13.1.2.5. Set-Cookie Header13.1.2.6. Time Delays13.1.3. Scripting the Attack13.1.4. JAttack13.2. Harvesting Useful Data13.3. Fuzzing for Common Vulnerabilities13.4. Putting It All Together: Burp Intruder13.4.1. Positioning Payloads13.4.1.1. Choosing Payloads13.4.1.2. Configuring Response Analysis13.4.1.3. Attack 1: Enumerating Identifiers13.4.1.4. Attack 2: Harvesting Information13.4.1.5. Attack 3: Application Fuzzing13.5. Chapter Summary13.6. Questions
14. Exploiting Information Disclosure
14.1. Exploiting Error Messages14.1. Script Error Messages14.1.1. Stack Traces14.1.2. Informative Debug Messages14.1.3. Server and Database Messages14.1.4. Using Public Information14.1.5. Engineering Informative Error Messages14.2. Gathering Published Information14.3. Using Inference14.4. Preventing Information Leakage14.4.1. Use Generic Error Messages14.4.2. Protect Sensitive Information14.4.3. Minimize Client-Side Information Leakage14.5. Chapter Summary14.6. Questions
15. Attacking Compiled Applications
15.1. Buffer Overflow Vulnerabilities15.1. Stack Overflows15.1.1. Heap Overflows15.1.2. "Off-by-One" Vulnerabilities15.1.3. Detecting Buffer Overflow Vulnerabilities15.2. Integer Vulnerabilities15.2.1. Integer Overflows15.2.2. Signedness Errors15.2.3. Detecting Integer Vulnerabilities15.3. Format String Vulnerabilities15.3.1. Detecting Format String Vulnerabilities15.4. Chapter Summary15.5. Questions
16. Attacking Application Architecture
16.1. Tiered Architectures16.1. Attacking Tiered Architectures16.1.1. Exploiting Trust Relationships between Tiers16.1.1. Subverting Other Tiers16.1.2. Attacking Other Tiers16.2. Securing Tiered Architectures16.2.1. Minimize Trust Relationships16.2.2. Segregate Different Components16.2.3. Apply Defense in Depth16.2. Shared Hosting and Application Service Providers16.2.1. Virtual Hosting16.2.2. Shared Application Services16.2.3. Attacking Shared Environments16.2.3.1. Attacks against Access Mechanisms16.2.3.2. Attacks between Applications16.2.3.2.1. Deliberate Backdoors16.2.3.2.2. Attacks between Vulnerable Applications16.2.3.2.3. Attacks between ASP Application Components16.2.4. Securing Shared Environments16.2.4.1. Secure Customer Access16.2.4.2. Segregate Customer Functionality16.2.4.3. Segregate Components in a Shared Application16.3. Chapter Summary16.4. Questions
17. Attacking the Web Server
17.1. Vulnerable Web Server Configuration17.1. Default Credentials17.1.1. Default Content17.1.1.1. Debug Functionality17.1.1.2. Sample Functionality17.1.1.3. Powerful Functions17.1.2. Directory Listings17.1.3. Dangerous HTTP Methods17.1.4. The Web Server as a Proxy17.1.5. Misconfigured Virtual Hosting17.1.6. Securing Web Server Configuration17.2. Vulnerable Web Server Software17.2.1. Buffer Overflow Vulnerabilities17.2.1.1. Microsoft IIS ISAPI Extensions17.2.1.2. Apache Chunked Encoding Overflow17.2.1.3. Microsoft IIS WebDav Overflow17.2.1.4. iPlanet Search Overflow17.2.2. Path Traversal Vulnerabilities17.2.2.1. Accipiter DirectServer17.2.2.2. Alibaba17.2.2.3. Cisco ACS Acme.server17.2.2.4. McAfee EPolicy Orcestrator17.2.3. Encoding and Canonicalization Vulnerabilities17.2.3.1. Allaire JRun Directory Listing Vulnerability17.2.3.2. Microsoft IIS Unicode Path Traversal Vulnerabilities17.2.3.3. Oracle PL/SQL Exclusion List Bypasses17.2.4. Finding Web Server Flaws17.2.5. Securing Web Server Software17.2.5.1. Choose Software with a Good Track Record17.2.5.2. Apply Vendor Patches17.2.5.3. Perform Security Hardening17.2.5.4. Monitor for New Vulnerabilities17.2.5.5. Use Defense-in-Depth17.3. Chapter Summary17.4. Questions
18. Finding Vulnerabilities in Source Code
18.1. Approaches to Code Review18.1. Black-Box vs. White-Box Testing18.1.1. Code Review Methodology18.2. Signatures of Common Vulnerabilities18.2.1. Cross-Site Scripting18.2.2. SQL Injection18.2.3. Path Traversal18.2.4. Arbitrary Redirection18.2.5. OS Command Injection18.2.6. Backdoor Passwords18.2.7. Native Software Bugs18.2.7.1. Buffer Overflow Vulnerabilities18.2.7.2. Integer Vulnerabilities18.2.7.3. Format String Vulnerabilities18.2.8. Source Code Comments18.3. The Java Platform18.3.1. Identifying User-Supplied Data18.3.2. Session Interaction18.3.3. Potentially Dangerous APIs18.3.3.1. File Access18.3.3.2. Database Access18.3.3.3. Dynamic Code Execution18.3.3.4. OS Command Execution18.3.3.5. URL Redirection18.3.3.6. Sockets18.3.4. Configuring the Java Environment18.4. ASP.NET18.4.1. Identifying User-Supplied Data18.4.2. Session Interaction18.4.3. Potentially Dangerous APIs18.4.3.1. File Access18.4.3.2. Database Access18.4.3.3. Dynamic Code Execution18.4.3.4. OS Command Execution18.4.3.5. URL Redirection18.4.3.6. Sockets18.4.4. Configuring the ASP.NET Environment18.5. PHP18.5.1. Identifying User-Supplied Data18.5.2. Session Interaction18.5.3. Potentially Dangerous APIs18.5.3.1. File Access18.5.3.2. Database Access18.5.3.3. Dynamic Code Execution18.5.3.4. OS Command Execution18.5.3.5. URL Redirection18.5.3.6. Sockets18.5.4. Configuring the PHP Environment18.5.4.1. Register Globals18.5.4.2. Safe Mode18.5.4.3. Magic Quotes18.5.4.4. Miscellaneous18.6. Perl18.6.1. Identifying User-Supplied Data18.6.2. Session Interaction18.6.3. Potentially Dangerous APIs18.6.3.1. File Access18.6.3.2. Database Access18.6.3.3. Dynamic Code Execution18.6.3.4. OS Command Execution18.6.3.5. URL Redirection18.6.3.6. Sockets18.6.4. Configuring the Perl Environment18.7. JavaScript18.8. Database Code Components18.8.1. SQL Injection18.8.2. Calls to Dangerous Functions18.9. Tools for Code Browsing18.10. Chapter Summary18.11. Questions
19. A Web Application Hacker's Toolkit
19.1. Web Browsers19.1. Internet Explorer19.1.1. Firefox19.1.2. Opera19.2. Integrated Testing Suites19.2.1. How the Tools Work19.2.1.1. Intercepting Proxies19.2.1.1.1. Configuring Your Browser19.2.1.1.2. Intercepting Proxies and HTTPS19.2.1.1.3. Common Features19.2.1.2. Web Application Spiders19.2.1.3. Application Fuzzers and Scanners19.2.1.4. Manual Request Tools19.2.1.4.1. Shared Functions and Utilities19.2.2. Feature Comparison19.2.2.1. Burp Suite19.2.2.2. Paros19.2.2.3. WebScarab19.2.3. Alternatives to the Intercepting Proxy19.2.3.1. Tamper Data19.2.3.2. TamperIE19.3. Vulnerability Scanners19.3.1. Vulnerabilities Detected by Scanners19.3.2. Inherent Limitations of Scanners19.3.2.1. Every Web Application Is Different19.3.2.2. Scanners Operate on Syntax19.3.2.3. Scanners Do Not Improvise19.3.2.4. Scanners Are Not Intuitive19.3.3. Technical Challenges Faced by Scanners19.3.3.1. Authentication and Session Handling19.3.3.2. Dangerous Effects19.3.3.3. Individuating Functionality19.3.3.4. Other Challenges to Automation19.3.4. Current Products19.3.5. Using a Vulnerability Scanner19.4. Other Tools19.4.1. Nikto19.4.2. Hydra19.4.3. Custom Scripts19.4.3.1. Wget19.4.3.2. Curl19.4.3.3. Netcat19.4.3.4. Stunnel19.5. Chapter Summary
20. A Web Application Hacker's Methodology
20.1. Map the Application's Content20.1.1. Explore Visible Content20.1.2. Consult Public Resources20.1.3. Discover Hidden Content20.1.4. Discover Default Content20.1.5. Enumerate Identifier-Specified Functions20.1.6. Test for Debug Parameters20.2. Analyze the Application20.2.1. Identify Functionality20.2.2. Identify Data Entry Points20.2.3. Identify the Technologies Used20.2.4. Map the Attack Surface20.3. Test Client-Side Controls20.3.1. Test Transmission of Data via the Client20.3.2. Test Client-Side Controls over User Input20.3.3. Test Thick-Client Components20.3.3.1. Test Java Applets20.3.3.2. Test ActiveX controls20.3.3.3. Test Shockwave Flash objects20.4. Test the Authentication Mechanism20.4.1. Understand the Mechanism20.4.2. Test Password Quality20.4.3. Test for Username Enumeration20.4.4. Test Resilience to Password Guessing20.4.5. Test Any Account Recovery Function20.4.6. Test Any Remember Me Function20.4.7. Test Any Impersonation Function20.4.8. Test Username Uniqueness20.4.9. Test Predictability of Auto-Generated Credentials20.4.10. Check for Unsafe Transmission of Credentials20.4.11. Check for Unsafe Distribution of Credentials20.4.12. Test for Logic Flaws20.4.12.1. Test for Fail-Open Conditions20.4.12.2. Test Any Multistage Mechanisms20.4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access20.5. Test the Session Management Mechanism20.5.1. Understand the Mechanism20.5.2. Test Tokens for Meaning20.5.3. Test Tokens for Predictability20.5.4. Check for Insecure Transmission of Tokens20.5.5. Check for Disclosure of Tokens in Logs20.5.6. Check Mapping of Tokens to Sessions20.5.7. Test Session Termination20.5.8. Check for Session Fixation20.5.9. Check for XSRF20.5.10. Check Cookie Scope6.. Test Access Controls20.6.1. Understand the Access Control Requirements20.6.2. Testing with Multiple Accounts20.6.3. Testing with Limited Access20.6.4. Test for Insecure Access Control Methods7.. Test for Input-Based Vulnerabilities20.7.1. Fuzz All Request Parameters20.7.2. Test for SQL Injection20.7.3. Test for XSS and Other Response Injection7.3.1.. Identify Reflected Request Parameters7.3.2.. Test for Reflected XSS7.3.3.. Test for HTTP Header Injection7.3.4.. Test for Arbitrary Redirection7.3.5.. Test for Stored Attacks20.7.4. Test for OS Command Injection20.7.5. Test for Path Traversal20.7.6. Test for Script Injection20.7.7. Test for File Inclusion8.. Test for Function-Specific Input Vulnerabilities20.8.1. Test for SMTP Injection20.8.2. Test for Native Software Vulnerabilities8.2.1.. Test for Buffer Overflows8.2.2.. Test for Integer Vulnerabilities8.2.3.. Test for Format String Vulnerabilities20.8.3. Test for SOAP Injection20.8.4. Test for LDAP Injection20.8.5. Test for XPath Injection9.. Test for Logic Flaws20.9.1. Identify the Key Attack Surface20.9.2. Test Multistage Processes20.9.3. Test Handling of Incomplete Input20.9.4. Test Trust Boundaries20.9.5. Test Transaction Logic10.. Test for Shared Hosting Vulnerabilities20.10.1. Test Segregation in Shared Infrastructures20.10.2. Test Segregation between ASP-Hosted Applications11.. Test for Web Server Vulnerabilities20.11.1. Test for Default Credentials20.11.2. Test for Default Content20.11.3. Test for Dangerous HTTP Methods20.11.4. Test for Proxy Functionality20.11.5. Test for Virtual Hosting Misconfiguration20.11.6. Test for Web Server Software Bugs12.. Miscellaneous Checks20.12.1. Check for DOM-Based Attacks20.12.2. Check for Frame Injection20.12.3. Check for Local Privacy Vulnerabilities20.12.4. Follow Up Any Information Leakage20.12.5. Check for Weak SSL Ciphers

Content preview from The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

About the Authors

Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years' experience in security consulting and specializes in the penetration testing of web applications and compiled software.

Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing.

Dafydd has developed and presented training courses at the Black Hat security conferences around the world. Under the alias "PortSwigger," Dafydd created the popular Burp Suite of web application hacking tools. Dafydd holds master's and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has lead the development of NGS' primary training courses. He has eight years' experience in security consulting and specializes in penetration testing of web applications and supporting architectures.

Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780470170779Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

by Dafydd Stuttard, Marcus Pinto

About the Authors

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.