book

Web Security Testing Cookbook

by Paco Hope, Ben Walther

October 2008

Intermediate to advanced

312 pages

8h 57m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who This Book Is ForLeveraging Free ToolsAbout the CoverOrganizationConventions Used in This BookUsing Code ExamplesSafari® Books OnlineComments and QuestionsAcknowledgments
What Is Security Testing?What Are Web Applications?Web Application FundamentalsWeb App Security TestingIt’s About the How
2.1. Installing Firefox2.2. Installing Firefox Extensions2.3. Installing Firebug2.4. Installing OWASP’s WebScarab2.5. Installing Perl and Packages on Windows2.6. Installing Perl and Using CPAN on Linux, Unix, or OS X2.7. Installing CAL90002.8. Installing the ViewState Decoder2.9. Installing cURL2.10. Installing Pornzilla2.11. Installing Cygwin2.12. Installing Nikto 22.13. Installing Burp Suite2.14. Installing Apache HTTP Server
3.1. Viewing a Page’s HTML Source3.2. Viewing the Source, Advanced3.3. Observing Live Request Headers with Firebug3.4. Observing Live Post Data with WebScarab3.5. Seeing Hidden Form Fields3.6. Observing Live Response Headers with TamperData3.7. Highlighting JavaScript and Comments3.8. Detecting JavaScript Events3.9. Modifying Specific Element Attributes3.10. Track Element Attributes Dynamically3.11. Conclusion
4.1. Recognizing Binary Data Representations4.2. Working with Base 644.3. Converting Base-36 Numbers in a Web Page4.4. Working with Base 36 in Perl4.5. Working with URL-Encoded Data4.6. Working with HTML Entity Data4.7. Calculating Hashes4.8. Recognizing Time Formats4.9. Encoding Time Values Programmatically4.10. Decoding ASP.NET’s ViewState4.11. Decoding Multiple Encodings
5.1. Intercepting and Modifying POST Requests5.2. Bypassing Input Limits5.3. Tampering with the URL5.4. Automating URL Tampering5.5. Testing URL-Length Handling5.6. Editing Cookies5.7. Falsifying Browser Header Information5.8. Uploading Files with Malicious Names5.9. Uploading Large Files5.10. Uploading Malicious XML Entity Files5.11. Uploading Malicious XML Structure5.12. Uploading Malicious ZIP Files5.13. Uploading Sample Virus Files5.14. Bypassing User-Interface Restrictions
6.1. Spidering a Website with WebScarab6.2. Turning Spider Results into an Inventory6.3. Reducing the URLs to Test6.4. Using a Spreadsheet to Pare Down the List6.5. Mirroring a Website with LWP6.6. Mirroring a Website with wget6.7. Mirroring a Specific Inventory with wget6.8. Scanning a Website with Nikto6.9. Interpretting Nikto’s Results6.10. Scan an HTTPS Site with Nikto6.11. Using Nikto with Authentication6.12. Start Nikto at a Specific Starting Point6.13. Using a Specific Session Cookie with Nikto6.14. Testing Web Services with WSFuzzer6.15. Interpreting WSFuzzer’s Results
7.1. Fetching a Page with cURL7.2. Fetching Many Variations on a URL7.3. Following Redirects Automatically7.4. Checking for Cross-Site Scripting with cURL7.5. Checking for Directory Traversal with cURL7.6. Impersonating a Specific Kind of Web Browser or Device7.7. Interactively Impersonating Another DeviceImitating a Search Engine with cURL7.8. Faking Workflow by Forging Referer Headers7.9. Fetching Only the HTTP Headers7.10. POSTing with cURL7.11. Maintaining Session State7.12. Manipulating Cookies7.13. Uploading a File with cURL7.14. Building a Multistage Test Case7.15. Conclusion
8.1. Writing a Basic Perl Script to Fetch a Page8.2. Programmatically Changing Parameters8.3. Simulating Form Input with POST8.4. Capturing and Storing Cookies8.5. Checking Session Expiration8.6. Testing Session Fixation8.7. Sending Malicious Cookie Values8.8. Uploading Malicious File Contents8.9. Uploading Files with Malicious Names8.10. Uploading Viruses to Applications8.11. Parsing for a Received Value with Perl8.12. Editing a Page Programmatically8.13. Using Threading for Performance

9.1. Bypassing Required Navigation9.2. Attempting Privileged Operations9.3. Abusing Password Recovery9.4. Abusing Predictable Identifiers9.5. Predicting Credentials9.6. Finding Random Numbers in Your ApplicationTesting Random Numbers9.7. Abusing Repeatability9.8. Abusing High-Load Actions9.9. Abusing Restrictive Functionality9.10. Abusing Race Conditions
10.1. Observing Live AJAX Requests10.2. Identifying JavaScript in Applications10.3. Tracing AJAX Activity Back to Its Source10.4. Intercepting and Modifying AJAX Requests10.5. Intercepting and Modifying Server Responses10.6. Subverting AJAX with Injected Data10.7. Subverting AJAX with Injected XML10.8. Subverting AJAX with Injected JSON10.9. Disrupting Client State10.10. Checking for Cross-Domain Access10.11. Reading Private Data via JSON Hijacking
11.1. Finding Session Identifiers in Cookies11.2. Finding Session Identifiers in Requests11.3. Finding Authorization Headers11.4. Analyzing Session ID Expiration11.5. Analyzing Session Identifiers with Burp11.6. Analyzing Session Randomness with WebScarab11.7. Changing Sessions to Evade Restrictions11.8. Impersonating Another User11.9. Fixing Sessions11.10. Testing for Cross-Site Request Forgery
12.1. Stealing Cookies Using XSS12.2. Creating Overlays Using XSS12.3. Making HTTP Requests Using XSS12.4. Attempting DOM-Based XSS Interactively12.5. Bypassing Field Length Restrictions (XSS)12.6. Attempting Cross-Site Tracing Interactively12.7. Modifying Host Headers12.8. Brute-Force Guessing Usernames and Passwords12.9. Attempting PHP Include File Injection Interactively12.10. Creating Decompression Bombs12.11. Attempting Command Injection Interactively12.12. Attempting Command Injection Systematically12.13. Attempting XPath Injection Interactively12.14. Attempting Server-Side Includes (SSI) Injection Interactively12.15. Attempting Server-Side Includes (SSI) Injection Systematically12.16. Attempting LDAP Injection Interactively12.17. Attempting Log Injection Interactively

Content preview from Web Security Testing Cookbook

Chapter 1. Introduction

For, usually and fitly, the presence of an introduction is held to imply that there is something of consequence and importance to be introduced.

—Arthur Machen

Many of us test web applications on either a daily or regular basis. We may be following a script of interactions (“click here, type XYZ, click Submit, check for OK message…”) or we might be writing frameworks that invoke batteries of automated tests against our web applications. Most of us are somewhere in between. Regardless of how we test, we need to get security testing into what we’re doing. These days, testing web applications must include some consideration of how the application performs in the face of active misuse or abuse.

This chapter sets the stage for our activities and how we are laying out tools and techniques for you to use. Before we talk about testing web applications for security, we want to define a few terms. What applications are we talking about when we say “web applications”? What do they have in common and why can we write a book like this? What do we mean when we say “security”? How different are security tests from our regular tests, anyway?

What Is Security Testing?

It’s often straightforward to test our application’s functionality—we follow the paths through it that normal users should follow. When we aren’t sure what the expected behavior is, there’s usually some way to figure that out—ask someone, read a requirement, use our intuition. Negative testing follows somewhat naturally ...