| |
| |
| Foreword | |
| |
| |
| Preface | |
| |
| |
| Acknowledgments | |
| |
| |
| About the Authors | |
| |
| |
| |
| Introduction | |
| |
| |
| |
| Case Your Own Joint: A Paradigm Shift from Traditional Software Testing | |
| |
| |
| Security Testing Versus Traditional Software Testing | |
| |
| |
| SQL Injection Attack Pattern | |
| |
| |
| The Paradigm Shift of Security Testing | |
| |
| |
| High-Level Security Testing Strategies | |
| |
| |
| The Fault Injection Model of Testing: Testers as Detectives | |
| |
| |
| Think Like an Attacker | |
| |
| |
| Prioritizing Your Work | |
| |
| |
| Take the Easy Road: Using Tools to Aid in the Detective Work | |
| |
| |
| Learn from the Vulnerability Tree of Knowledge | |
| |
| |
| Testing Recipe: Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| How Vulnerabilities Get into All Software | |
| |
| |
| Design Versus Implementation Vulnerabilities | |
| |
| |
| Common Secure Design Issues | |
| |
| |
| Poor Use of Cryptography | |
| |
| |
| Tracking Users and Their Permissions | |
| |
| |
| Flawed Input Validation | |
| |
| |
| Weak Structural Security | |
| |
| |
| Other Design Flaws | |
| |
| |
| Programming Language Implementation Issues | |
| |
| |
| Compiled Language: C/C++ | |
| |
| |
| Interpreted Languages: Shell Scripting and PHP | |
| |
| |
| Virtual Machine Languages: Java and C# | |
| |
| |
| Platform Implementation Issues | |
| |
| |
| Problem: Symbolic Linking | |
| |
| |
| Problem: Directory Traversal | |
| |
| |
| Problem: Character Conversions | |
| |
| |
| Generic Application Security Implementation Issues | |
| |
| |
| SQL Injection | |
| |
| |
| Cross-Site Scripting | |
| |
| |
| Problems During the Development Process | |
| |
| |
| Poorly Documented Security Requirements and Assumptions | |
| |
| |
| Poor Communication and Documentation | |
| |
| |
| Lack of Security Processes During the Development Process | |
| |
| |
| Weak Deployment | |
| |
| |
| Vulnerability Root Cause Taxonomy | |
| |
| |
| Summary: Testing Notes | |
| |
| |
| Endnotes | |
| |
| |
| |
| The Secure Software Development Lifecycle | |
| |
| |
| Fitting Security Testing into the Software Development Lifecycle | |
| |
| |
| |
| Security Guidelines, Rules, and Regulations | |
| |
| |
| |
| Security Requirements: Attack Use Cases | |
| |
| |
| Sample Security Requirements | |
| |
| |
| |
| Architectural and Design Reviews/Threat Modeling | |
| |
| |
| |
| Secure Coding Guidelines | |
| |
| |
| |
| Black/Gray/White Box Testing | |
| |
| |
| |
| Determining Exploitability | |
| |
| |
| Deploying Applications Securely | |
| |
| |
| Patch Management: Managing Vulnerabilities | |
| |
| |
| Roles and Responsibilities | |
| |
| |
| SSDL Relationship to System Development Lifecycle | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Risk-Based Security Testing: Prioritizing Security Testing with Threat Modeling | |
| |
| |
| Information Gathering | |
| |
| |
| Meeting with the Architects | |
| |
| |
| Runtime Inspection | |
| |
| |
| Windows Platform | |
| |
| |
| UNIX Footprinting | |
| |
| |
| Finalizing Information Gathering | |
| |
| |
| The Modeling Process | |
| |
| |
| Identifying Threat Paths | |
| |
| |
| Identifying Threats | |
| |
| |
| Identifying Vulnerabilities | |
| |
| |
| Ranking the Risk Associated with a Vulnerability | |
| |
| |
| Determining Exploitability | |
| |
| |
| Endnote | |
| |
| |
| |
| Shades of Analysis: White, Gray, and Black Box Testing | |
| |
| |
| White Box Testing | |
| |
| |
| Black Box Testing | |
| |
| |
| Gray Box Testing | |
| |
| |
| Setting Up a Lab for Testing | |
| |
| |
| Fuzzers | |
| |
| |
| Sniffers | |
| |
| |
| Debuggers | |
| |
| |
| Hardware | |
| |
| |
| Commercial Testing Appliances | |
| |
| |
| Network Hardware | |
| |
| |
| Staging Application Attacks | |
| |
| |
| Lab Environment | |
| |
| |
| Network Attacks | |
| |
| |
| Endnote | |
| |
| |
| |
| Performing the Attacks | |
| |
| |
| |
| Generic Network Fault Injection | |
| |
| |
| Networks | |
| |
| |
| Port Discovery | |
| |
| |
| netstat and Local Tools | |
| |
| |
| Port Scanning | |
| |
| |
| Proxies | |
| |
| |
| The Simplest Proxy: Random TCP/UDP Fault Injector | |
| |
| |
| Building the Fault Injection Data Set | |
| |
| |
| Man-in-the-Middle Proxies | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Web Applications: Session Attacks | |
| |
| |
| Targeting the Application | |
| |
| |
| Authentication Versus Authorization | |
| |
| |
| Brute-Forcing Session and Resource IDs | |
| |
| |
| Cookie Gathering | |
| |
| |
| Determining SID Strength: Phase Space Analysis | |
| |
| |
| Cross-Site Scripting | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| Endnote | |
| |
| |
| |
| Web Applications: Common Issues | |
| |
| |
| Bypassing Authorization | |
| |
| |
| SQL Injection | |
| |
| |
| The Basics | |
| |
| |
| Database Schema Discovery | |
| |
| |
| Executing Commands on the SQL Server | |
| |
| |
| Uploading Executable Content (ASP/PHP/bat) | |
| |
| |
| File Enumeration | |
| |
| |
| Source Code Disclosure Vulnerabilities | |
| |
| |
| Hidden Fields in HTTP | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Web Proxies: Using WebScarab | |
| |
| |
| WebScarab Proxy | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Implementing a Custom Fuzz Utility | |
| |
| |
| Protocol Discovery | |
| |
| |
| SOAP and the WSDL | |
| |
| |
| The SOAPpy Library | |
| |
| |
| Conclusion | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Local Fault Injection | |
| |
| |
| Local Resources and Interprocess Communication | |
| |
| |
| Windows NT Objects | |
| |
| |
| UNIX set-user-id Processes and Interprocess Communication | |
| |
| |
| Threat-Modeling Local Applications | |
| |
| |
| Enumerating Windows Application Resources | |
| |
| |
| Enumerating UNIX Application Resources | |
| |
| |
| Testing Scriptable ActiveX Object Interfaces | |
| |
| |
| Identifying "Safe" Scriptable Objects | |
| |
| |
| Testing Object Interfaces | |
| |
| |
| Manual Interface Testing | |
| |
| |
| Automated ActiveX Interface Testing | |
| |
| |
| Evaluating Crashes | |
| |
| |
| Fuzzing File Formats | |
| |
| |
| File Corruption Testing | |
| |
| |
| Automated File Corruption | |
| |
| |
| Command-Line Utility Fuzzing | |
| |
| |
| Immunity ShareFuzz | |
| |
| |
| Brute-Force Binary Tester | |
| |
| |
| CLI Fuzz | |
| |
| |
| Shared Memory | |
| |
| |
| Summary | |
| |
| |
| Endnotes | |
| |
| |
| |
| Analysis | |
| |
| |
| |
| Determining Exploitability | |
| |
| |
| Classifying a Vulnerability | |
| |
| |
| Time | |
| |
| |
| Reliability/Reproducibility | |
| |
| |
| Access | |
| |
| |
| Positioning | |
| |
| |
| Memory Trespass and Arbitrary Code Execution | |
| |
| |
| Computer Architecture | |
| |
| |
| The Stack | |
| |
| |
| Stack Buffer Overflows | |
| |
| |
| The Heap | |
| |
| |
| Determining Exploitability | |
| |
| |
| Process Crash Dumps | |
| |
| |
| Controlled Memory and Registers | |
| |
| |
| Mitigating Factors: Stack and Heap Protections | |
| |
| |
| Further Resources | |
| |
| |
| Index | |