Praise for Hacking Exposed™ Web Applications:
Web Application Security Secrets and Solutions, Third Edition
“Whether you are a business leader attempting to understand the threat space for your business,
or an engineer tasked with writing the code for those sites, or a security engineer attempting to
identify and mitigate the threats to your applications, this book will be an invaluable weapon in
your arsenal.”
—From the Foreword by Chris Peterson
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation
“I cut my teeth reading Joel’s work, and this book is no disappointment. People often ask where to
find high-quality content that will help them gain a foothold in this daunting industry. This is the
kind of desk reference every web application security practitioner needs. It will certainly hold a
place of prominence in my personal library.”
—Robert “RSnake” Hansen
CEO SecTheory and founder of ha.ckers.org
“An eye-opening resource for realizing the realities of today’s web application security landscape,
this book explores the latest vulnerabilities as well as exploitation techniques and tradecraft being
deployed against those vulnerabilities. This book is a valuable read for both the aspiring engineer
who is looking for the first foray into the world of web application security and the seasoned
application-security, penetration-testing expert who wants to keep abreast of current techniques.”
—Chad Greene
Director, eBay Global Information Security
“As our businesses push more of their information and commerce to their customers through web
applications, the confidentiality and integrity of these transactions is our fundamental, if not
mandatory, responsibility. Hacking Exposed Web Applications provides a comprehensive blueprint for
application developers and security professionals charged with living up to this responsibility. The
authors’ research, insight, and 30+ years as information security experts make this an invaluable
resource in the application and information protection toolkit. Great Stuff!”
—Ken Swanson
CISM, IS Business Solution Manager, regionally based P&C insurance company
“This book is so much more than the authoritative primer on web application security; it’s also an
opportunity to accompany the foremost industry experts in an apprenticeship that even seasoned
professionals will enjoy.”
—Andrew Stravitz, CISSP
Director of Information Security, Barnes & Noble.com
“A very timely reference, as cloud computing continues to expand into the enterprise and web
security emerges as the new battleground for attackers and defenders alike. This comprehensive
text is the definitive starting point for understanding the contemporary landscape of threats and
mitigations to web applications. Particularly notable for its extensive treatment of identity
management, marking the first time that challenges around authentication have been surveyed
in-depth and presented in such an accessible fashion.”
—Cem Paya
Google Security Team
HACKING EXPOSED ™
WEB APPLICATIONS:
WEB APPLICATION SECURITY
SECRETS AND SOLUTIONS
THIRD EDITION
Joel Scambray
Vincent Liu
Caleb Sima
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
Copyright © 2011 by Joel Scambray. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of
this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher.
ISBN: 978-0-07-174042-5
MHID: 0-07-174042-2
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174064-7,
MHID: 0-07-174064-3.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at [email protected].
Trademarks: McGraw-Hill, the McGraw-Hill Publishing logo, Hacking Exposed™, and related trade dress are trademarks or registered
trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without
written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with
any product or vendor mentioned in this book.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy
of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be
terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant
or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in
the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility
of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract,
tort or otherwise.
Stop Hackers in Their Tracks
Hacking Exposed, 6th Edition
Hacking Exposed Malware & Rootkits
Hacking Exposed Computer Forensics, 2nd Edition
24 Deadly Sins of Software Security
Hacking Exposed Linux, 3rd Edition
Hacking Exposed Windows, 3rd Edition
Hacking Exposed Web 2.0
Hacking Exposed: Web Applications, 2nd Edition
Gray Hat Hacking, 2nd Edition
Hacking Exposed Wireless
Hacking Exposed VoIP
IT Auditing: Using Controls to Protect Information Assets
To Jane, thanks for getting Hacking Exposed off the ground and sustaining it for
so many years.
—Joel
To Heather, for keeping me laughing and smiling through it all.
—Vinnie
To my Mom and Dad (thanks for putting up with me), my brothers Jonathon, RJ,
and Andrew, and my sister Emily. Finally, to all the people of SPI who changed
my life and helped build a great company.
—Caleb
ABOUT THE AUTHORS
Joel Scambray
Joel Scambray is co-founder and CEO of Consciere, provider of strategic security
advisory services. He has assisted companies ranging from newly minted startups
to members of the Fortune 50 to address information security challenges and
opportunities for over a dozen years.
Joel’s background includes roles as an executive, technical consultant, and
entrepreneur. He has been a Senior Director at Microsoft Corporation, where he
led Microsoft’s online services security efforts for three years before joining the Windows
platform and services division to focus on security technology architecture. Joel also
co-founded security software and services startup Foundstone, Inc., and helped lead it to
acquisition by McAfee for $86M. He previously held positions as a manager for Ernst &
Young, a security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine,
and director of IT for a major commercial real-estate firm.
Joel is widely recognized as co-author of Hacking Exposed: Network Security Secrets and
Solutions, the international best-selling computer security book that first appeared in
1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web
Applications series.
He has spoken widely on information security at forums including Black Hat, I-4,
INTERFACE, and The Asia Europe Meeting (ASEM), as well as organizations including
IANS, CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private
corporations, and government agencies such as the Korean Information Security Agency
(KISA), FBI, and the RCMP.
Joel holds a BS from the University of California at Davis, an MA from UCLA, and he
is a Certified Information Systems Security Professional (CISSP).
Vincent Liu
Vincent Liu, CISSP, is a Managing Partner at Stach & Liu. Before founding Stach &
Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the
Global Security unit at Honeywell International. Prior to that, he was a consultant
with the Ernst & Young Advanced Security Centers and an analyst at the National
Security Agency. Vincent is a sought-after speaker and has presented his research
at conferences, including Black Hat, ToorCon, and Microsoft BlueHat. Vincent
holds a Bachelor of Science and Engineering from the University of Pennsylvania with a
major in Computer Science and Engineering and a minor in Psychology.
Caleb Sima
Caleb Sima is the CEO of Armorize Technologies, the Santa Clara–based provider
of integrated Web application security solutions. He previously founded SPI
Dynamics in 2000 and, as CTO, oversaw the development of WebInspect, a
solution that set the bar in Web application security testing tools. When Hewlett-
Packard (HP) acquired SPI Dynamics in 2007, Sima took on the role of Chief
Technologist at HP’s Application Security Center, where he directed the company’s
security solutions’ lifecycles and spearheaded development of its cloud-based security
service. In this role, he also managed a team of accomplished security experts who
successfully identified new security threats and devised advanced countermeasures.
Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems’ elite
X-Force research and development team where he drove enterprise security assessments
for the company. A thought leader and technical visionary in the web application security
field, Sima holds five patents on web security technology and has co-authored textbooks
on the subject, is a frequent media contributor, and regularly speaks at key industry
conferences such as RSA and Black Hat. He is a member of ISSA and is one of the
founding visionaries of the Application Vulnerability Description Language (AVDL)
standard within OASIS, as well as a founding member of the Web Application Security
Consortium (WASC).
ABOUT THE CONTRIBUTING AUTHORS
Hernan Ochoa is a security consultant and researcher with over 14 years of professional
experience. Hernan began his professional career in 1996 with the creation of Virus
Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus
application with heuristics to detect polymorphic viruses. Hernan also developed a
detailed technical virus information database and companion newsletter. He joined
Core Security Technologies in 1999 and worked there for 10 years in various roles,
including security consultant and exploit writer. As an exploit writer, he performed
diverse types of security assessments, developed methodologies, shellcode, and security
tools, and contributed new attack vectors. He also designed and developed several
low-level/kernel components for a multi-OS security system that was ultimately deployed
at a financial institution, and he served as “technical lead” for ongoing development and
support of the multi-OS system. Hernan has published a number of security tools,
including Universal Hooker (runtime instrumentation using dynamic handling routines
written in Python), Pass-The-Hash Toolkit for Windows, and WifiZoo. He is currently
working as a security consultant/researcher at Amplia Security, performing network,
wireless, and web applications penetration tests; standalone/client-server application
black-box assessments; source code audits; reverse engineering; vulnerability analysis;
and other information security–related services.
Justin Hays is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu,
Justin served as an enterprise support engineer for PTC Japan where his responsibilities
included application debugging, reverse engineering, and mitigating software defects
in PTC’s flagship Windchill enterprise server J2EE software. Prior to PTC, Justin held a
software development position with Lexmark, Inc., where he designed and implemented
web application software in support of internal IT operations. Justin holds a BS from the
University of Kentucky with a major in Computer Science and a minor in Mathematics.
Carl Livitt is a Managing Security Associate at Stach & Liu. Prior to joining Stach & Liu,
Carl led the network security services group for a well-respected UK security company
and provided network security consultancy for several of the largest pharmaceutical
companies in the world. Carl has also worked with UK police counterterrorism units,
lecturing on technological security issues to specialist law-enforcement agencies.
Rob Ragan is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Rob
served as a software engineer at Hewlett-Packard’s Application Security Center, where
he developed web application security testing tools and conducted application
penetration testing. Rob actively conducts web application security research and has
presented at Black Hat, Defcon, InfoSec World, and Outerz0ne. Rob holds a BS from
Pennsylvania State University with a major in Information Sciences and Technology and
a focus on System Development.
About the Technical Editor
Robert Hensing is a Senior Consultant at Microsoft, where he has worked in various
security roles for over 12 years. Robert previously worked with the Microsoft Security
Response Center with a focus on providing root cause analysis and identifying mitigations
and workarounds for security vulnerabilities to help protect customers from attacks.
Prior to working on the MSRC Engineering team, Robert was a senior member of the
Customer Support Services Security team, where he helped customers with incident
response–related investigations. Robert was also a contributing author on Hacking
Exposed Windows: Windows Security Secrets and Solutions, Third Edition.
AT A GLANCE
▼ 1 Hacking Web Apps 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
▼ 3 Hacking Web Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 123
▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
▼ 7 Attacking XML Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
▼ 8 Attacking Web Application Management . . . . . . . . . . . . . . . . . 295
▼ 9 Hacking Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
▼ 10 The Enterprise Web Application Security Program . . . . . . . . . 371
▼ A Web Application Security Checklist . . . . . . . . . . . . . . . . . . . . . . 413
▼ B Web Hacking Tools and Techniques Cribsheet . . . . . . . . . . . . . 419
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
▼ 1 Hacking Web Apps 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
What Is Web Application Hacking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
GUI Web Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
URI Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Methods, Headers, and Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authentication, Sessions, and Authorization . . . . . . . . . . . . . . . . . . . . 6
The Web Client and HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Why Attack Web Applications? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Who, When, and Where? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Weak Spots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
How Are Web Apps Attacked? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Browser Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
HTTP Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Command-line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Older Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Infrastructure Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Footprinting and Scanning: Defining Scope . . . . . . . . . . . . . . . . . . . . . 32
Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Advanced HTTP Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Infrastructure Intermediaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Application Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Manual Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Search Tools for Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Automated Web Crawling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Common Web Application Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
General Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
A Cautionary Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Protecting Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Protecting include Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Miscellaneous Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
▼ 3 Hacking Web Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Point-and-Click Exploitation Using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . 89
Manual Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Evading Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Web Platform Security Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Common Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
IIS Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Apache Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
PHP Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Web Authentication Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Username/Password Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Strong(er) Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Web Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Bypassing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Token Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Cross-site Request Forgery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Client-side Piggybacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Some Final Thoughts: Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Fingerprinting Authz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Crawling ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Identifying Access Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Analyzing Session Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Role Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Attacking ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Attacking Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Manual Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Automated Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Capture/Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Session Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Authorization Attack Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Horizontal Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Vertical Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
When Encryption Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Using cURL to Map Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Authorization Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Web ACL Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Web Authorization/Session Token Security . . . . . . . . . . . . . . . . . . . . . 214
Security Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Expect the Unexpected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Where to Find Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Bypass Client-Side Validation Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Common Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Canonicalization (dot-dot-slash) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
HTML Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Boundary Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Manipulate Application Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
XPATH Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
LDAP Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Custom Parameter Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Log Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Command Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Encoding Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
PHP Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Common Side-effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Common Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
▼ 7 Attacking XML Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
What Is a Web Service? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Transport: SOAP over HTTP(S) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Directory Services: UDDI and DISCO . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Similarities to Web Application Security . . . . . . . . . . . . . . . . . . . . . . . 279
Attacking Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Web Service Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
▼ 8 Attacking Web Application Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Remote Server Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Proprietary Management Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Other Administration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Web Content Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
SSH/scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
FrontPage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
WebDAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Misconfigurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Unnecessary Web Server Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Information Leakage Misconfigurations . . . . . . . . . . . . . . . . . . . . . . . . 312
State Management Misconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
▼ 9 Hacking Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Web Client Implementation Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 337
Trickery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
General Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Low-privilege Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Firefox Security Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
ActiveX Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Server-side Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
▼ 10 The Enterprise Web Application Security Program ........................... 371
Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Clarify Security Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Identify Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Contents xv
Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Decompose the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Identify and Document Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Rank the Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Develop Threat Mitigation Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Manual Source Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Automated Source Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Security Testing of Web App Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Test Tools, Utilities, and Harnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Pen-testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Security in the Web Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
▼ A Web Application Security Checklist ....................................... 413
▼ B Web Hacking Tools and Techniques Cribsheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
▼ Index ............................................................... 429
FOREWORD
“If ignorant of both your enemy and yourself, you are certain in every battle
to be in peril.”
—Sun Tzu, The Art of War
There is no escaping the reality that businesses live on the Web today. From banks to
bookstores, from auctions to games, the Web is the place where most businesses ply their
trade. For consumers, the Web has become the place where they do the majority of their
business as well. For example, nearly 50 percent of all retail music sales in the United
States happen online today; the market for virtual merchandise in online games will top
$1.5B this year; and, by some estimates, over 45 percent of U.S. adults use the Internet
exclusively to do their banking. With the growing popularity of web-enabled smart
phones, much of this online commerce is now available to consumers anytime and
anywhere. By any estimation, business on the Web is an enormous part of the economy
and growing rapidly. But along with this growth has come the uncomfortable realization
that the security of this segment of commerce is not keeping pace.
In the brick and mortar world, business owners have spent decades encountering
and learning to mitigate threats. They have had to deal with break-ins, burglary, armed
robbery, counterfeit currency, fraudulent checks, and scams of all kinds. In the brick and
mortar world, however, businesses have a constrained, easily defined perimeter to their
business, and, in most cases, a reasonably constrained population of threats. They have,
over time, learned to apply an increasingly mature set of practices, tools, and safeguards
to secure their businesses against these threats. On the Web, the story is quite different.
Businesses on the Web have been around for less than 20 years, and many of the hard
lessons that they’ve learned in the physical world of commerce are only recently
beginning to surface for web-based commerce. Just as in the physical world, where there
is money or valuable assets, you will always find a certain subset of the population up to
no good and attempting to capitalize on those assets. However, unlike in the physical
world, in the world of e-commerce, businesses are faced with a dizzying array of
technologies and concepts that most leaders find difficult, if not impossible, to
comprehend. In addition, the perimeter of their assets is often not well understood, and
the population of potential threats can span the entire globe. While any executive at a
bank can appreciate the issues of physical access to assets, the security provided by a
well-designed bank vault, the mitigation provided by a dye pack in a money drawer, or
the deterrent effect of an armed guard in a lobby, those same executives are frequently
baffled by the impact of something called cross-site scripting, or how something called
SQL injection could pose such a threat to their business. In many cases, even the “experts”
employed by these businesses to build their online commerce sites, the web developers
themselves, are barely aware of the extent of the threats to their sites, the fragility of the
code they write, or the lengths to which online attackers will go to gain access to their
systems.
Upon this lopsided battlefield of online commerce and crime, a dedicated cadre of
professionals struggles to educate businesses about the threats, improve the awareness
of developers about how to make their code resilient to attack, and is constantly trying
to understand the ever-changing tactics and tools employed by the attack community.
The authors of Hacking Exposed™ Web Applications, Third Edition, represent some of the
most experienced and most knowledgeable of this group, and this book represents their
latest attempt to share their knowledge and experience with us all.
Whether you are a business leader attempting to understand the threat space for
your business, an engineer tasked with writing the code for those sites, or a security
engineer attempting to identify and mitigate the threats to your applications, this book
will be an invaluable weapon in your arsenal. As Sun Tzu advises us, by using this book
you will have a much clearer understanding of yourself—and your enemy—and in time
you will reduce the risk to your business.
—Chris Peterson, August 2010
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation
“As our businesses push more of their information and commerce to their customers through web
applications, the confidentiality and integrity of these transactions is our fundamental, if not
mandatory, responsibility. Hacking Exposed Web Applications provides a comprehensive blueprint for
application developers and security professionals charged with living up to this responsibility. The
authors’ research, insight, and 30+ years as information security experts, make this an invaluable
resource in the application and information protection toolkit. Great Stuff!”
—Ken Swanson
CISM, IS Business Solution Manager, regionally based P&C insurance company
“This book is so much more than the authoritative primer on web application security; it’s also an
opportunity to accompany the foremost industry experts in an apprenticeship that even seasoned
professionals will enjoy.”
—Andrew Stravitz, CISSP
Director of Information Security, Barnes & Noble.com
“A very timely reference, as cloud computing continues to expand into the enterprise and web
security emerges as the new battleground for attackers and defenders alike. This comprehensive
text is the definitive starting point for understanding the contemporary landscape of threats and
mitigations to web applications. Particularly notable for its extensive treatment of identity
management, marking the first time that challenges around authentication have been surveyed
in-depth and presented in such an accessible fashion.”
—Cem Paya
Google Security Team
HACKING EXPOSED ™
WEB APPLICATIONS:
WEB APPLICATION SECURITY
SECRETS AND SOLUTIONS
THIRD EDITION
JOEL SCAMBRAY
VINCENT LIU
CALEB SIMA
New York Chicago San Francisco
Lisbon London Madrid Mexico City
Milan New Delhi San Juan
Seoul Singapore Sydney Toronto
Copyright © 2011 by Joel Scambray. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of
this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the
prior written permission of the publisher.
ISBN: 978-0-07-174042-5
MHID: 0-07-174042-2
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174064-7,
MHID: 0-07-174064-3.
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked
name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the
trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training
programs. To contact a representative please e-mail us at [email protected].
Trademarks: McGraw-Hill, the McGraw-Hill Publishing logo, Hacking Exposed™, and related trade dress are trademarks or registered
trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without
written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with
any product or vendor mentioned in this book.
Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or
mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of
any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
TERMS OF USE
This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy
of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the
work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be
terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS
TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,
INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,
AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant
or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.
Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in
the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility
of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract,
tort or otherwise.
Stop Hackers in Their Tracks
Hacking Exposed, 6th Edition
Hacking Exposed Malware & Rootkits
Hacking Exposed Computer Forensics, 2nd Edition
24 Deadly Sins of Software Security
Hacking Exposed Linux, 3rd Edition
Hacking Exposed Windows, 3rd Edition
Hacking Exposed Web 2.0
Hacking Exposed: Web Applications, 2nd Edition
Gray Hat Hacking, 2nd Edition
Hacking Exposed Wireless
Hacking Exposed VoIP
IT Auditing: Using Controls to Protect Information Assets
To Jane, thanks for getting Hacking Exposed off the ground and sustaining it for
so many years.
—Joel
To Heather, for keeping me laughing and smiling through it all.
—Vinnie
To my Mom and Dad (thanks for putting up with me), my brothers Jonathon, RJ,
and Andrew, and my sister Emily. Finally, to all the people of SPI who changed
my life and helped build a great company.
—Caleb
ABOUT THE AUTHORS
Joel Scambray
Joel Scambray is co-founder and CEO of Consciere, provider of strategic security
advisory services. He has assisted companies ranging from newly minted startups
to members of the Fortune 50 to address information security challenges and
opportunities for over a dozen years.
Joel’s background includes roles as an executive, technical consultant, and
entrepreneur. He has been a Senior Director at Microsoft Corporation, where he
led Microsoft’s online services security efforts for three years before joining the Windows
platform and services division to focus on security technology architecture. Joel also co-
founded security software and services startup Foundstone, Inc., and helped lead it to
acquisition by McAfee for $86M. He previously held positions as a manager for Ernst &
Young, a security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine,
and director of IT for a major commercial real-estate firm.
Joel is widely recognized as co-author of Hacking Exposed: Network Security Secrets and
Solutions, the international best-selling computer security book that first appeared in
1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web
Applications series.
He has spoken widely on information security at forums including Black Hat, I-4,
INTERFACE, and The Asia Europe Meeting (ASEM), as well as organizations including
IANS, CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private
corporations, and government agencies such as the Korean Information Security Agency
(KISA), FBI, and the RCMP.
Joel holds a BS from the University of California at Davis, an MA from UCLA, and he
is a Certified Information Systems Security Professional (CISSP).
Vincent Liu
Vincent Liu, CISSP, is a Managing Partner at Stach & Liu. Before founding Stach &
Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the
Global Security unit at Honeywell International. Prior to that, he was a consultant
with the Ernst & Young Advanced Security Centers and an analyst at the National
Security Agency. Vincent is a sought-after speaker and has presented his research
at conferences, including Black Hat, ToorCon, and Microsoft BlueHat. Vincent
holds a Bachelor of Science and Engineering from the University of Pennsylvania with a
major in Computer Science and Engineering and a minor in Psychology.
Caleb Sima
Caleb Sima is the CEO of Armorize Technologies, the Santa Clara–based provider
of integrated Web application security solutions. He previously founded SPI
Dynamics in 2000 and, as CTO, oversaw the development of WebInspect, a
solution that set the bar in Web application security testing tools. When Hewlett-
Packard (HP) acquired SPI Dynamics in 2007, Sima took on the role of Chief
Technologist at HP’s Application Security Center, where he directed the company’s
security solutions’ lifecycles and spearheaded development of its cloud-based security
service. In this role, he also managed a team of accomplished security experts who
successfully identified new security threats and devised advanced countermeasures.
Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems’ elite
X-Force research and development team where he drove enterprise security assessments
for the company. A thought leader and technical visionary in the web application security
field, Sima holds five patents on web security technology and has co-authored textbooks
on the subject, is a frequent media contributor, and regularly speaks at key industry
conferences such as RSA and Black Hat. He is a member of ISSA and is one of the
founding visionaries of the Application Vulnerability Description Language (AVDL)
standard within OASIS, as well as a founding member of the Web Application Security
Consortium (WASC).
ABOUT THE CONTRIBUTING AUTHORS
Hernan Ochoa is a security consultant and researcher with over 14 years of professional
experience. Hernan began his professional career in 1996 with the creation of Virus
Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus
application with heuristics to detect polymorphic viruses. Hernan also developed a
detailed technical virus information database and companion newsletter. He joined
Core Security Technologies in 1999 and worked there for 10 years in various roles,
including security consultant and exploit writer. As an exploit writer, he performed
diverse types of security assessments, developed methodologies, shellcode, and security
tools, and contributed new attack vectors. He also designed and developed several low-
level/kernel components for a multi-OS security system that was ultimately deployed
at a financial institution, and he served as “technical lead” for ongoing development and
support of the multi-OS system. Hernan has published a number of security tools,
including Universal Hooker (runtime instrumentation using dynamic handling routines
written in Python), Pass-The-Hash Toolkit for Windows, and WifiZoo. He is currently
working as a security consultant/researcher at Amplia Security, performing network,
wireless, and web applications penetration tests; standalone/client-server application
black-box assessments; source code audits; reverse engineering; vulnerability analysis;
and other information security–related services.
Justin Hays is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu,
Justin served as an enterprise support engineer for PTC Japan where his responsibilities
included application debugging, reverse engineering, and mitigating software defects
in PTC’s flagship Windchill enterprise server J2EE software. Prior to PTC, Justin held a
software development position with Lexmark, Inc., where he designed and implemented
web application software in support of internal IT operations. Justin holds a BS from the
University of Kentucky with a major in Computer Science and a minor in Mathematics.
Carl Livitt is a Managing Security Associate at Stach & Liu. Prior to joining Stach & Liu,
Carl led the network security services group for a well-respected UK security company
and provided network security consultancy for several of the largest pharmaceutical
companies in the world. Carl has also worked with UK police counterterrorism units,
lecturing on technological security issues to specialist law-enforcement agencies.
Rob Ragan is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Rob
served as a software engineer at Hewlett-Packard’s Application Security Center, where
he developed web application security testing tools and conducted application
penetration testing. Rob actively conducts web application security research and has
presented at Black Hat, Defcon, InfoSec World, and Outerz0ne. Rob holds a BS from
Pennsylvania State University with a major in Information Sciences and Technology and
a focus on System Development.
About the Technical Editor
Robert Hensing is a Senior Consultant at Microsoft, where he has worked in various
security roles for over 12 years. Robert previously worked with the Microsoft Security
Response Center with a focus on providing root cause analysis and identifying mitigations
and workarounds for security vulnerabilities to help protect customers from attacks.
Prior to working on the MSRC Engineering team, Robert was a senior member of the
Customer Support Services Security team, where he helped customers with incident
response–related investigations. Robert was also a contributing author on Hacking
Exposed Windows: Windows Security Secrets and Solutions, Third Edition.
AT A GLANCE
▼ 1 Hacking Web Apps 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
▼ 3 Hacking Web Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 123
▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
▼ 7 Attacking XML Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
▼ 8 Attacking Web Application Management . . . . . . . . . . . . . . . . . 295
▼ 9 Hacking Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
▼ 10 The Enterprise Web Application Security Program . . . . . . . . . 371
▼ A Web Application Security Checklist . . . . . . . . . . . . . . . . . . . . . . 413
▼ B Web Hacking Tools and Techniques Cribsheet . . . . . . . . . . . . . 419
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
▼ 1 Hacking Web Apps 101 ................................................ 1
What Is Web Application Hacking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
GUI Web Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
URI Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Methods, Headers, and Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Authentication, Sessions, and Authorization . . . . . . . . . . . . . . . . . . . . 6
The Web Client and HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Why Attack Web Applications? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Who, When, and Where? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Weak Spots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
How Are Web Apps Attacked? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Browser Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
HTTP Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Command-line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Older Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Infrastructure Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Footprinting and Scanning: Defining Scope . . . . . . . . . . . . . . . . . . . . . 32
Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Advanced HTTP Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Infrastructure Intermediaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Application Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Manual Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Search Tools for Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Automated Web Crawling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Common Web Application Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
General Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
A Cautionary Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Protecting Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Protecting include Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Miscellaneous Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
▼ 3 Hacking Web Platforms ................................................ 87
Point-and-Click Exploitation Using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . 89
Manual Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Evading Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Web Platform Security Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Common Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
IIS Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Apache Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
PHP Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Web Authentication Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Username/Password Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Strong(er) Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Web Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Bypassing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Token Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Cross-site Request Forgery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Client-side Piggybacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Some Final Thoughts: Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Fingerprinting Authz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Crawling ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Identifying Access Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Analyzing Session Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Role Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Attacking ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Attacking Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Manual Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Automated Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Capture/Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Session Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Authorization Attack Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Horizontal Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Vertical Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
When Encryption Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Using cURL to Map Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Authorization Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Web ACL Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Web Authorization/Session Token Security . . . . . . . . . . . . . . . . . . . . . 214
Security Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Expect the Unexpected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Where to Find Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Bypass Client-Side Validation Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Common Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Canonicalization (dot-dot-slash) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
HTML Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Boundary Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Manipulate Application Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
XPATH Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
LDAP Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Custom Parameter Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Log Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Command Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Encoding Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
PHP Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Common Side-effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Common Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
▼ 7 Attacking XML Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
What Is a Web Service? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Transport: SOAP over HTTP(S) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
WSDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Directory Services: UDDI and DISCO . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Similarities to Web Application Security . . . . . . . . . . . . . . . . . . . . . . . 279
Attacking Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Web Service Security Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
▼ 8 Attacking Web Application Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Remote Server Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Proprietary Management Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Other Administration Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Web Content Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
SSH/scp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
FrontPage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
WebDAV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Misconfigurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Unnecessary Web Server Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Information Leakage Misconfigurations . . . . . . . . . . . . . . . . . . . . . . . . 312
State Management Misconfiguration . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
▼ 9 Hacking Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Web Client Implementation Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 337
Trickery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
General Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Low-privilege Browsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Firefox Security Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
ActiveX Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Server-side Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
▼ 10 The Enterprise Web Application Security Program . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Threat Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Clarify Security Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Identify Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Decompose the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Identify and Document Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Rank the Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Develop Threat Mitigation Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Manual Source Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Automated Source Code Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Binary Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Security Testing of Web App Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Fuzzing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Test Tools, Utilities, and Harnesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Pen-testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Security in the Web Development Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
▼ A Web Application Security Checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
▼ B Web Hacking Tools and Techniques Cribsheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
FOREWORD
“If ignorant of both your enemy and yourself, you are certain in every battle
to be in peril.”
—Sun Tzu, The Art of War
There is no escaping the reality that businesses live on the Web today. From banks to
bookstores, from auctions to games, the Web is the place where most businesses ply their
trade. For consumers, the Web has become the place where they do the majority of their
business as well. For example, nearly 50 percent of all retail music sales in the United
States happen online today; the market for virtual merchandise in online games will top
$1.5B this year; and, by some estimates, over 45 percent of U.S. adults use the Internet
exclusively to do their banking. With the growing popularity of web-enabled smart
phones, much of this online commerce is now available to consumers anytime and
anywhere. By any estimation, business on the Web is an enormous part of the economy
and growing rapidly. But along with this growth has come the uncomfortable realization
that the security of this segment of commerce is not keeping pace.
In the brick and mortar world, business owners have spent decades encountering
and learning to mitigate threats. They have had to deal with break-ins, burglary, armed
robbery, counterfeit currency, fraudulent checks, and scams of all kinds. In the brick and
mortar world, however, businesses have a constrained, easily defined perimeter to their
business, and, in most cases, a reasonably constrained population of threats. They have,
over time, learned to apply an increasingly mature set of practices, tools, and safeguards
to secure their businesses against these threats. On the Web, the story is quite different.
Businesses on the Web have been around for less than 20 years, and many of the hard
lessons that they’ve learned in the physical world of commerce are only recently
beginning to surface for web-based commerce. Just as in the physical world, where there
is money or valuable assets, you will always find a certain subset of the population up to
no good and attempting to capitalize on those assets. However, unlike in the physical
world, in the world of e-commerce, businesses are faced with a dizzying array of
technologies and concepts that most leaders find difficult, if not impossible, to
comprehend. In addition, the perimeter of their assets is often not well understood, and
the population of potential threats can span the entire globe. While any executive at a
bank can appreciate the issues of physical access to assets, the security provided by a
well-designed bank vault, the mitigation provided by a dye pack in a money drawer, or
the deterrent effect of an armed guard in a lobby, those same executives are frequently
baffled by the impact of something called cross-site scripting, or how something called
SQL injection could pose such a threat to their business. In many cases, even the “experts”
employed by these businesses to build their online commerce sites, the web developers
themselves, are barely aware of the extent of the threats to their sites, the fragility of the
code they write, or the lengths to which online attackers will go to gain access to their
systems.
Upon this lopsided battlefield of online commerce and crime, a dedicated cadre of
professionals struggles to educate businesses about the threats, improve the awareness
of developers about how to make their code resilient to attack, and are constantly trying
to understand the ever-changing tactics and tools employed by the attack community.
The authors of Hacking Exposed™ Web Applications, Third Edition, represent some of the
most experienced and most knowledgeable of this group, and this book represents their
latest attempt to share their knowledge and experience with us all.
Whether you are a business leader attempting to understand the threat space for
your business, an engineer tasked with writing the code for those sites, or a security
engineer attempting to identify and mitigate the threats to your applications, this book
will be an invaluable weapon in your arsenal. As Sun Tzu advises us, by using this book
you will have a much clearer understanding of yourself—and your enemy—and in time
you will reduce the risk to your business.
—Chris Peterson, August 2010
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation