book

Web Security Testing Cookbook

by Paco Hope, Ben Walther

October 2008

Intermediate to advanced

312 pages

8h 57m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who This Book Is ForLeveraging Free ToolsAbout the CoverOrganizationConventions Used in This BookUsing Code ExamplesSafari® Books OnlineComments and QuestionsAcknowledgments
What Is Security Testing?What Are Web Applications?Web Application FundamentalsWeb App Security TestingIt’s About the How
2.1. Installing Firefox2.2. Installing Firefox Extensions2.3. Installing Firebug2.4. Installing OWASP’s WebScarab2.5. Installing Perl and Packages on Windows2.6. Installing Perl and Using CPAN on Linux, Unix, or OS X2.7. Installing CAL90002.8. Installing the ViewState Decoder2.9. Installing cURL2.10. Installing Pornzilla2.11. Installing Cygwin2.12. Installing Nikto 22.13. Installing Burp Suite2.14. Installing Apache HTTP Server
3.1. Viewing a Page’s HTML Source3.2. Viewing the Source, Advanced3.3. Observing Live Request Headers with Firebug3.4. Observing Live Post Data with WebScarab3.5. Seeing Hidden Form Fields3.6. Observing Live Response Headers with TamperData3.7. Highlighting JavaScript and Comments3.8. Detecting JavaScript Events3.9. Modifying Specific Element Attributes3.10. Track Element Attributes Dynamically3.11. Conclusion
4.1. Recognizing Binary Data Representations4.2. Working with Base 644.3. Converting Base-36 Numbers in a Web Page4.4. Working with Base 36 in Perl4.5. Working with URL-Encoded Data4.6. Working with HTML Entity Data4.7. Calculating Hashes4.8. Recognizing Time Formats4.9. Encoding Time Values Programmatically4.10. Decoding ASP.NET’s ViewState4.11. Decoding Multiple Encodings
5.1. Intercepting and Modifying POST Requests5.2. Bypassing Input Limits5.3. Tampering with the URL5.4. Automating URL Tampering5.5. Testing URL-Length Handling5.6. Editing Cookies5.7. Falsifying Browser Header Information5.8. Uploading Files with Malicious Names5.9. Uploading Large Files5.10. Uploading Malicious XML Entity Files5.11. Uploading Malicious XML Structure5.12. Uploading Malicious ZIP Files5.13. Uploading Sample Virus Files5.14. Bypassing User-Interface Restrictions
6.1. Spidering a Website with WebScarab6.2. Turning Spider Results into an Inventory6.3. Reducing the URLs to Test6.4. Using a Spreadsheet to Pare Down the List6.5. Mirroring a Website with LWP6.6. Mirroring a Website with wget6.7. Mirroring a Specific Inventory with wget6.8. Scanning a Website with Nikto6.9. Interpretting Nikto’s Results6.10. Scan an HTTPS Site with Nikto6.11. Using Nikto with Authentication6.12. Start Nikto at a Specific Starting Point6.13. Using a Specific Session Cookie with Nikto6.14. Testing Web Services with WSFuzzer6.15. Interpreting WSFuzzer’s Results
7.1. Fetching a Page with cURL7.2. Fetching Many Variations on a URL7.3. Following Redirects Automatically7.4. Checking for Cross-Site Scripting with cURL7.5. Checking for Directory Traversal with cURL7.6. Impersonating a Specific Kind of Web Browser or Device7.7. Interactively Impersonating Another DeviceImitating a Search Engine with cURL7.8. Faking Workflow by Forging Referer Headers7.9. Fetching Only the HTTP Headers7.10. POSTing with cURL7.11. Maintaining Session State7.12. Manipulating Cookies7.13. Uploading a File with cURL7.14. Building a Multistage Test Case7.15. Conclusion
8.1. Writing a Basic Perl Script to Fetch a Page8.2. Programmatically Changing Parameters8.3. Simulating Form Input with POST8.4. Capturing and Storing Cookies8.5. Checking Session Expiration8.6. Testing Session Fixation8.7. Sending Malicious Cookie Values8.8. Uploading Malicious File Contents8.9. Uploading Files with Malicious Names8.10. Uploading Viruses to Applications8.11. Parsing for a Received Value with Perl8.12. Editing a Page Programmatically8.13. Using Threading for Performance

9.1. Bypassing Required Navigation9.2. Attempting Privileged Operations9.3. Abusing Password Recovery9.4. Abusing Predictable Identifiers9.5. Predicting Credentials9.6. Finding Random Numbers in Your ApplicationTesting Random Numbers9.7. Abusing Repeatability9.8. Abusing High-Load Actions9.9. Abusing Restrictive Functionality9.10. Abusing Race Conditions
10.1. Observing Live AJAX Requests10.2. Identifying JavaScript in Applications10.3. Tracing AJAX Activity Back to Its Source10.4. Intercepting and Modifying AJAX Requests10.5. Intercepting and Modifying Server Responses10.6. Subverting AJAX with Injected Data10.7. Subverting AJAX with Injected XML10.8. Subverting AJAX with Injected JSON10.9. Disrupting Client State10.10. Checking for Cross-Domain Access10.11. Reading Private Data via JSON Hijacking
11.1. Finding Session Identifiers in Cookies11.2. Finding Session Identifiers in Requests11.3. Finding Authorization Headers11.4. Analyzing Session ID Expiration11.5. Analyzing Session Identifiers with Burp11.6. Analyzing Session Randomness with WebScarab11.7. Changing Sessions to Evade Restrictions11.8. Impersonating Another User11.9. Fixing Sessions11.10. Testing for Cross-Site Request Forgery
12.1. Stealing Cookies Using XSS12.2. Creating Overlays Using XSS12.3. Making HTTP Requests Using XSS12.4. Attempting DOM-Based XSS Interactively12.5. Bypassing Field Length Restrictions (XSS)12.6. Attempting Cross-Site Tracing Interactively12.7. Modifying Host Headers12.8. Brute-Force Guessing Usernames and Passwords12.9. Attempting PHP Include File Injection Interactively12.10. Creating Decompression Bombs12.11. Attempting Command Injection Interactively12.12. Attempting Command Injection Systematically12.13. Attempting XPath Injection Interactively12.14. Attempting Server-Side Includes (SSI) Injection Interactively12.15. Attempting Server-Side Includes (SSI) Injection Systematically12.16. Attempting LDAP Injection Interactively12.17. Attempting Log Injection Interactively

Content preview from Web Security Testing Cookbook

Chapter 12. Multifaceted Tests

This chapter contributed by Amit Sethi

There are two ways of constructing a software design: one way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

—C.A.R. Hoare

By now we have shown you many different techniques for testing web applications and their logic. The tests have ranged in difficulty, but we have tried to keep each one focused on a specific part of the web application. We may have targeted input handling, session management, or data encoding, but each test tried to isolate one behavior. In this chapter, we try to put more than one technique together to simulate sophisticated attacks. We still try to be specific and pinpoint faulty logic in the application, but we’re using several techniques at the same time. The recipes in this chapter borrow heavily from prior chapters and assume that you’ve understood and executed the prerequisite recipes before you try these.

12.1. Stealing Cookies Using XSS

Problem

Several recipes in this book discuss how to search for XSS issues. However, XSS may seem like a mysterious attack when given the standard detection mechanism of inserting an alert box into a web page. When you find XSS in an application, you may be called upon to demonstrate why it is really a problem. After all, simply showing that you can type <script>alert("XSS!")</script> into a search box and have ...