Foreword
Preface
Acknowledgments
About the Authors

Introduction

Case Your Own Joint: A Paradigm Shift from Traditional Software Testing
Security Testing Versus Traditional Software Testing
SQL Injection Attack Pattern
The Paradigm Shift of Security Testing
High-Level Security Testing Strategies
The Fault Injection Model of Testing: Testers as Detectives
Think Like an Attacker
Prioritizing Your Work
Take the Easy Road: Using Tools to Aid in the Detective Work
Learn from the Vulnerability Tree of Knowledge
Testing Recipe: Summary
Endnotes

How Vulnerabilities Get into All Software
Design Versus Implementation Vulnerabilities
Common Secure Design Issues
Poor Use of Cryptography
Tracking Users and Their Permissions
Flawed Input Validation
Weak Structural Security
Other Design Flaws
Programming Language Implementation Issues
Compiled Language: C/C++
Interpreted Languages: Shell Scripting and PHP
Virtual Machine Languages: Java and C#
Platform Implementation Issues
Problem: Symbolic Linking
Problem: Directory Traversal
Problem: Character Conversions
Generic Application Security Implementation Issues
SQL Injection
Cross-Site Scripting
Problems During the Development Process
Poorly Documented Security Requirements and Assumptions
Poor Communication and Documentation
Lack of Security Processes During the Development Process
Weak Deployment
Vulnerability Root Cause Taxonomy
Summary: Testing Notes
Endnotes

The Secure Software Development Lifecycle
Fitting Security Testing into the Software Development Lifecycle

Security Guidelines, Rules, and Regulations

Security Requirements: Attack Use Cases
Sample Security Requirements

Architectural and Design Reviews/Threat Modeling

Secure Coding Guidelines

Black/Gray/White Box Testing

Determining Exploitability
Deploying Applications Securely
Patch Management: Managing Vulnerabilities
Roles and Responsibilities
SSDL Relationship to System Development Lifecycle
Summary
Endnotes

Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling
Information Gathering
Meeting with the Architects
Runtime Inspection
Windows Platform
UNIX Footprinting
Finalizing Information Gathering
The Modeling Process
Identifying Threat Paths
Identifying Threats
Identifying Vulnerabilities
Ranking the Risk Associated with a Vulnerability
Determining Exploitability
Endnote

Shades of Analysis: White, Gray, and Black Box Testing
White Box Testing
Black Box Testing
Gray Box Testing
Setting Up a Lab for Testing
Fuzzers
Sniffers
Debuggers
Hardware
Commercial Testing Appliances
Network Hardware
Staging Application Attacks
Lab Environment
Network Attacks
Endnote

Performing the Attacks

Generic Network Fault Injection
Networks
Port Discovery
netstat and Local Tools
Port Scanning
Proxies
The Simplest Proxy: Random TCP/UDP Fault Injector
Building the Fault Injection Data Set
Man-in-the-Middle Proxies
Conclusion
Summary
Endnotes

Web Applications: Session Attacks
Targeting the Application
Authentication Versus Authorization
Brute-Forcing Session and Resource IDs
Cookie Gathering
Determining SID Strength: Phase Space Analysis
Cross-Site Scripting
Conclusion
Summary
Endnote

Web Applications: Common Issues
Bypassing Authorization
SQL Injection
The Basics
Database Schema Discovery
Executing Commands on the SQL Server
Uploading Executable Content (ASP/PHP/bat)
File Enumeration
Source Code Disclosure Vulnerabilities
Hidden Fields in HTTP
Conclusion
Summary
Endnotes

Web Proxies: Using WebScarab
WebScarab Proxy
Conclusion
Summary
Endnotes

Implementing a Custom Fuzz Utility
Protocol Discovery
SOAP and the WSDL
The SOAPpy Library
Conclusion
Summary
Endnotes

Local Fault Injection
Local Resources and Interprocess Communication
Windows NT Objects
UNIX set-user-id Processes and Interprocess Communication
Threat-Modeling Local Applications
Enumerating Windows Application Resources
Enumerating UNIX Application Resources
Testing Scriptable ActiveX Object Interfaces
Identifying "Safe" Scriptable Objects
Testing Object Interfaces
Manual Interface Testing
Automated ActiveX Interface Testing
Evaluating Crashes
Fuzzing File Formats
File Corruption Testing
Automated File Corruption
Command-Line Utility Fuzzing
Immunity ShareFuzz
Brute-Force Binary Tester
CLI Fuzz
Shared Memory
Summary
Endnotes

Analysis

Determining Exploitability
Classifying a Vulnerability
Time
Reliability/Reproducibility
Access
Positioning
Memory Trespass and Arbitrary Code Execution
Computer Architecture
The Stack
Stack Buffer Overflows
The Heap
Determining Exploitability
Process Crash Dumps
Controlled Memory and Registers
Mitigating Factors: Stack and Heap Protections
Further Resources
Index