Foreword
Acknowledgments
Introduction
Hacking Web Apps 101
What Is Web Application Hacking?
GUI Web Hacking
URI Hacking
Methods, Headers, and Body
Resources
Authentication, Sessions, and Authorization
The Web Client and HTML
Other Protocols
Why Attack Web Applications?
Who, When, and Where?
Weak Spots
How Are Web Apps Attacked?
The Web Browser
Browser Extensions
HTTP Proxies
Command-line Tools
Older Tools
Summary
References and Further Reading
Profiling
Infrastructure Profiling
Footprinting and Scanning: Defining Scope
Basic Banner Grabbing
Advanced HTTP Fingerprinting
Infrastructure Intermediaries
Application Profiling
Manual Inspection
Using Search Tools for Profiling
Automated Web Crawling
Common Web Application Profiles
General Countermeasures
A Cautionary Note
Protecting Directories
Protecting include Files
Miscellaneous Tips
Summary
References and Further Reading
Hacking Web Platforms
Point-and-click Exploitation Using Metasploit
Manual Exploitation
Evading Detection
Web Platform Security Best Practices
Common Best Practices
IIS Hardening
Apache Hardening
PHP Best Practices
Summary
References and Further Reading
Attacking Web Authentication
Web Authentication Threats
Username/Password Threats
Strong(er) Web Authentication
Web Authentication Services
Bypassing Authentication
Token Replay
Identity Management
Client-side Piggybacking
Some Final Thoughts: Identity Theft
Summary
References and Further Reading
Attacking Web Authorization
Fingerprinting Authz
Crawling ACLs
Identifying Access/Session Tokens
Analyzing Session Tokens
Differential Analysis
Role Matrix
Attacking ACLs
Attacking Tokens
Manual Prediction
Automated Prediction
Capture/Replay
Session Fixation
Authorization Attack Case Studies
Horizontal Privilege Escalation
Vertical Privilege Escalation
Differential Analysis
Using Curl to Map Permissions
Authorization Best Practices
Web ACL Best Practices
Web Authorization/Session Token Security
Security Logs
Summary
References and Further Reading
Input Validation Attacks
Expect the Unexpected
Where to Find Attack Vectors
Bypass Client-side Validation Routines
Common Input Validation Attacks
Buffer Overflow
Canonicalization (dot-dot-slash)
HTML Injection
Boundary Checks
Manipulate Application Behavior
SQL Injection and Datastore Attacks
Command Execution
Encoding Abuse
PHP Global Variables
Common Side-effects
Summary
References and Further Reading
Attacking Web Datastores
SQL Primer
Syntax
SELECT, INSERT, and UPDATE
SQL Injection Discovery
Syntax and Errors
Semantics and Behavior
Alternate Character Encoding
Exploit SQL Injection Vulnerabilities
Alter a Process
Query Alternate Data
Platforms
Other Datastore Attacks
Input Validation
Decouple Query Logic from Query Data
Database Encryption
Database Configuration
Summary
Attacking XML Web Services
What Is a Web Service?
Transport: SOAP Over HTTP(S)
WSDL
Directory Services: UDDI and DISCO
Similarities to Web Application Security
Attacking Web Services
Web Service Security Basics
Web Services Security Measures
Summary
References and Further Reading
Attacking Web Application Management
Remote Server Management
Telnet
SSH
Proprietary Management Ports
Other Administration Services
Web Content Management
FTP
SSH/scp
FrontPage
WebDAV
Admin Misconfigurations
Unnecessary Web Server Extensions
Information Leakage
Developer-driven Mistakes
Summary
References and Further Reading
Hacking Web Clients
Exploits
Trickery
General Countermeasures
IE Security Zones
Firefox Secure Configuration
Low-privilege Browsing
Server-side Countermeasures
Summary
References and Further Reading
Denial-of-Service (DoS) Attacks
Common DoS Attack Techniques
Old School DoS: Vulnerabilities
Modern DoS: Capacity Depletion
Application-layer DoS
General DoS Countermeasures
Proactive DoS Mitigation
Detecting DoS
Responding to DoS
Summary
References and Further Reading
Full-Knowledge Analysis
Threat Modeling
Clarify Security Objectives
Identify Assets
Architecture Overview
Decompose the Application
Identify and Document Threats
Rank the Threats
Develop Threat Mitigation Strategies
Code Review
Manual Source Code Review
Automated Source Code Review
Binary Analysis
Security Testing of Web App Code
Fuzzing
Test Tools, Utilities, and Harnesses
Pen-testing
Security in the Web Development Process
People
Process
Technology
Summary
References and Further Reading
Web Application Security Scanners
Technology: Web App Security Scanners
The Testbed
The Tests
Reviews of Individual Scanners
Overall Test Results
Nontechnical Issues
Process
People
Summary
References and Further Reading
Web Application Security Checklist
Web Hacking Tools and Techniques Cribsheet
URLScan and ModSecurity
URLScan
Basic URLScan Deployment (IIS5.x and Earlier)
Advanced URLScan Configuration
Managing URLScan
ModSecurity
ModSecurity Installation
ModSecurity Configuration
Summary
References and Further Reading
About the Companion Web Site
Index