book

Web Security Testing Cookbook

by Paco Hope, Ben Walther

October 2008

Intermediate to advanced

312 pages

8h 57m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who This Book Is ForLeveraging Free ToolsAbout the CoverOrganizationConventions Used in This BookUsing Code ExamplesSafari® Books OnlineComments and QuestionsAcknowledgments
What Is Security Testing?What Are Web Applications?Web Application FundamentalsWeb App Security TestingIt’s About the How
2.1. Installing Firefox2.2. Installing Firefox Extensions2.3. Installing Firebug2.4. Installing OWASP’s WebScarab2.5. Installing Perl and Packages on Windows2.6. Installing Perl and Using CPAN on Linux, Unix, or OS X2.7. Installing CAL90002.8. Installing the ViewState Decoder2.9. Installing cURL2.10. Installing Pornzilla2.11. Installing Cygwin2.12. Installing Nikto 22.13. Installing Burp Suite2.14. Installing Apache HTTP Server
3.1. Viewing a Page’s HTML Source3.2. Viewing the Source, Advanced3.3. Observing Live Request Headers with Firebug3.4. Observing Live Post Data with WebScarab3.5. Seeing Hidden Form Fields3.6. Observing Live Response Headers with TamperData3.7. Highlighting JavaScript and Comments3.8. Detecting JavaScript Events3.9. Modifying Specific Element Attributes3.10. Track Element Attributes Dynamically3.11. Conclusion
4.1. Recognizing Binary Data Representations4.2. Working with Base 644.3. Converting Base-36 Numbers in a Web Page4.4. Working with Base 36 in Perl4.5. Working with URL-Encoded Data4.6. Working with HTML Entity Data4.7. Calculating Hashes4.8. Recognizing Time Formats4.9. Encoding Time Values Programmatically4.10. Decoding ASP.NET’s ViewState4.11. Decoding Multiple Encodings
5.1. Intercepting and Modifying POST Requests5.2. Bypassing Input Limits5.3. Tampering with the URL5.4. Automating URL Tampering5.5. Testing URL-Length Handling5.6. Editing Cookies5.7. Falsifying Browser Header Information5.8. Uploading Files with Malicious Names5.9. Uploading Large Files5.10. Uploading Malicious XML Entity Files5.11. Uploading Malicious XML Structure5.12. Uploading Malicious ZIP Files5.13. Uploading Sample Virus Files5.14. Bypassing User-Interface Restrictions
6.1. Spidering a Website with WebScarab6.2. Turning Spider Results into an Inventory6.3. Reducing the URLs to Test6.4. Using a Spreadsheet to Pare Down the List6.5. Mirroring a Website with LWP6.6. Mirroring a Website with wget6.7. Mirroring a Specific Inventory with wget6.8. Scanning a Website with Nikto6.9. Interpretting Nikto’s Results6.10. Scan an HTTPS Site with Nikto6.11. Using Nikto with Authentication6.12. Start Nikto at a Specific Starting Point6.13. Using a Specific Session Cookie with Nikto6.14. Testing Web Services with WSFuzzer6.15. Interpreting WSFuzzer’s Results
7.1. Fetching a Page with cURL7.2. Fetching Many Variations on a URL7.3. Following Redirects Automatically7.4. Checking for Cross-Site Scripting with cURL7.5. Checking for Directory Traversal with cURL7.6. Impersonating a Specific Kind of Web Browser or Device7.7. Interactively Impersonating Another DeviceImitating a Search Engine with cURL7.8. Faking Workflow by Forging Referer Headers7.9. Fetching Only the HTTP Headers7.10. POSTing with cURL7.11. Maintaining Session State7.12. Manipulating Cookies7.13. Uploading a File with cURL7.14. Building a Multistage Test Case7.15. Conclusion
8.1. Writing a Basic Perl Script to Fetch a Page8.2. Programmatically Changing Parameters8.3. Simulating Form Input with POST8.4. Capturing and Storing Cookies8.5. Checking Session Expiration8.6. Testing Session Fixation8.7. Sending Malicious Cookie Values8.8. Uploading Malicious File Contents8.9. Uploading Files with Malicious Names8.10. Uploading Viruses to Applications8.11. Parsing for a Received Value with Perl8.12. Editing a Page Programmatically8.13. Using Threading for Performance

9.1. Bypassing Required Navigation9.2. Attempting Privileged Operations9.3. Abusing Password Recovery9.4. Abusing Predictable Identifiers9.5. Predicting Credentials9.6. Finding Random Numbers in Your ApplicationTesting Random Numbers9.7. Abusing Repeatability9.8. Abusing High-Load Actions9.9. Abusing Restrictive Functionality9.10. Abusing Race Conditions
10.1. Observing Live AJAX Requests10.2. Identifying JavaScript in Applications10.3. Tracing AJAX Activity Back to Its Source10.4. Intercepting and Modifying AJAX Requests10.5. Intercepting and Modifying Server Responses10.6. Subverting AJAX with Injected Data10.7. Subverting AJAX with Injected XML10.8. Subverting AJAX with Injected JSON10.9. Disrupting Client State10.10. Checking for Cross-Domain Access10.11. Reading Private Data via JSON Hijacking
11.1. Finding Session Identifiers in Cookies11.2. Finding Session Identifiers in Requests11.3. Finding Authorization Headers11.4. Analyzing Session ID Expiration11.5. Analyzing Session Identifiers with Burp11.6. Analyzing Session Randomness with WebScarab11.7. Changing Sessions to Evade Restrictions11.8. Impersonating Another User11.9. Fixing Sessions11.10. Testing for Cross-Site Request Forgery
12.1. Stealing Cookies Using XSS12.2. Creating Overlays Using XSS12.3. Making HTTP Requests Using XSS12.4. Attempting DOM-Based XSS Interactively12.5. Bypassing Field Length Restrictions (XSS)12.6. Attempting Cross-Site Tracing Interactively12.7. Modifying Host Headers12.8. Brute-Force Guessing Usernames and Passwords12.9. Attempting PHP Include File Injection Interactively12.10. Creating Decompression Bombs12.11. Attempting Command Injection Interactively12.12. Attempting Command Injection Systematically12.13. Attempting XPath Injection Interactively12.14. Attempting Server-Side Includes (SSI) Injection Interactively12.15. Attempting Server-Side Includes (SSI) Injection Systematically12.16. Attempting LDAP Injection Interactively12.17. Attempting Log Injection Interactively

Content preview from Web Security Testing Cookbook

Chapter 3. Basic Observation

Tommy Webber: Go for the mouth, then, the throat, his vulnerable spots!

Jason Nesmith: It’s a rock! It doesn’t have any vulnerable spots!

—Galaxy Quest

One of the more difficult aspects of testing system-level attributes such as security is the sheer inability to exhaustively complete the task. In the case of security, we provide evidence about the lack of vulnerabilities. Just as you cannot prove the non-existence of bugs, exhaustive security testing is both theoretically and practically impossible.

One advantage you have over an attacker is that you don’t have to fully exploit a defect in order to demonstrate its existence and fix it. Often just observing a potential vulnerability is enough to prompt a fix. Spotting the warning signs is the first step towards securing an application. If your tests do not reveal signs of trouble, you are that much more confident in your software’s security. So while many of these recipes may seem simplistic, they form a basis for noticing warning signs, if not actual vulnerabilities.

Fixing the application’s behavior is more effective than simply preventing pre-canned attacks. For instance, many penetration testers will cause a standard alert box to show up on a web page and declare a job well done—the website can be hacked! This causes confusion among developers and product managers. They ask: who cares about a stupid pop-up alert box? The answer is that the alert box is just a hint—a warning sign that a website is vulnerable ...