Cover image for Web Security Testing Cookbook

Book description

Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite. Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:

  • Obtain, install, and configure useful-and free-security testing tools

  • Understand how your application communicates with users, so you can better simulate attacks in your tests

  • Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields

  • Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.

Table of Contents

  1. Special Upgrade Offer
  2. Foreword
  3. Preface
    1. Who This Book Is For
    2. Leveraging Free Tools
    3. About the Cover
    4. Organization
    5. Conventions Used in This Book
    6. Using Code Examples
    7. Safari® Books Online
    8. Comments and Questions
    9. Acknowledgments
  4. 1. Introduction
    1. What Is Security Testing?
    2. What Are Web Applications?
    3. Web Application Fundamentals
    4. Web App Security Testing
    5. It’s About the How
  5. 2. Installing Some Free Tools
    1. 2.1. Installing Firefox
    2. 2.2. Installing Firefox Extensions
    3. 2.3. Installing Firebug
    4. 2.4. Installing OWASP’s WebScarab
    5. 2.5. Installing Perl and Packages on Windows
    6. 2.6. Installing Perl and Using CPAN on Linux, Unix, or OS X
    7. 2.7. Installing CAL9000
    8. 2.8. Installing the ViewState Decoder
    9. 2.9. Installing cURL
    10. 2.10. Installing Pornzilla
    11. 2.11. Installing Cygwin
    12. 2.12. Installing Nikto 2
    13. 2.13. Installing Burp Suite
    14. 2.14. Installing Apache HTTP Server
  6. 3. Basic Observation
    1. 3.1. Viewing a Page’s HTML Source
    2. 3.2. Viewing the Source, Advanced
    3. 3.3. Observing Live Request Headers with Firebug
    4. 3.4. Observing Live Post Data with WebScarab
    5. 3.5. Seeing Hidden Form Fields
    6. 3.6. Observing Live Response Headers with TamperData
    7. 3.7. Highlighting JavaScript and Comments
    8. 3.8. Detecting JavaScript Events
    9. 3.9. Modifying Specific Element Attributes
    10. 3.10. Track Element Attributes Dynamically
    11. 3.11. Conclusion
  7. 4. Web-Oriented Data Encoding
    1. 4.1. Recognizing Binary Data Representations
    2. 4.2. Working with Base 64
    3. 4.3. Converting Base-36 Numbers in a Web Page
    4. 4.4. Working with Base 36 in Perl
    5. 4.5. Working with URL-Encoded Data
    6. 4.6. Working with HTML Entity Data
    7. 4.7. Calculating Hashes
    8. 4.8. Recognizing Time Formats
    9. 4.9. Encoding Time Values Programmatically
    10. 4.10. Decoding ASP.NET’s ViewState
    11. 4.11. Decoding Multiple Encodings
  8. 5. Tampering with Input
    1. 5.1. Intercepting and Modifying POST Requests
    2. 5.2. Bypassing Input Limits
    3. 5.3. Tampering with the URL
    4. 5.4. Automating URL Tampering
    5. 5.5. Testing URL-Length Handling
    6. 5.6. Editing Cookies
    7. 5.7. Falsifying Browser Header Information
    8. 5.8. Uploading Files with Malicious Names
    9. 5.9. Uploading Large Files
    10. 5.10. Uploading Malicious XML Entity Files
    11. 5.11. Uploading Malicious XML Structure
    12. 5.12. Uploading Malicious ZIP Files
    13. 5.13. Uploading Sample Virus Files
    14. 5.14. Bypassing User-Interface Restrictions
  9. 6. Automated Bulk Scanning
    1. 6.1. Spidering a Website with WebScarab
    2. 6.2. Turning Spider Results into an Inventory
    3. 6.3. Reducing the URLs to Test
    4. 6.4. Using a Spreadsheet to Pare Down the List
    5. 6.5. Mirroring a Website with LWP
    6. 6.6. Mirroring a Website with wget
    7. 6.7. Mirroring a Specific Inventory with wget
    8. 6.8. Scanning a Website with Nikto
    9. 6.9. Interpretting Nikto’s Results
    10. 6.10. Scan an HTTPS Site with Nikto
    11. 6.11. Using Nikto with Authentication
    12. 6.12. Start Nikto at a Specific Starting Point
    13. 6.13. Using a Specific Session Cookie with Nikto
    14. 6.14. Testing Web Services with WSFuzzer
    15. 6.15. Interpreting WSFuzzer’s Results
  10. 7. Automating Specific Tasks with cURL
    1. 7.1. Fetching a Page with cURL
    2. 7.2. Fetching Many Variations on a URL
    3. 7.3. Following Redirects Automatically
    4. 7.4. Checking for Cross-Site Scripting with cURL
    5. 7.5. Checking for Directory Traversal with cURL
    6. 7.6. Impersonating a Specific Kind of Web Browser or Device
    7. 7.7. Interactively Impersonating Another Device
    8. Imitating a Search Engine with cURL
    9. 7.8. Faking Workflow by Forging Referer Headers
    10. 7.9. Fetching Only the HTTP Headers
    11. 7.10. POSTing with cURL
    12. 7.11. Maintaining Session State
    13. 7.12. Manipulating Cookies
    14. 7.13. Uploading a File with cURL
    15. 7.14. Building a Multistage Test Case
    16. 7.15. Conclusion
  11. 8. Automating with LibWWWPerl
    1. 8.1. Writing a Basic Perl Script to Fetch a Page
    2. 8.2. Programmatically Changing Parameters
    3. 8.3. Simulating Form Input with POST
    4. 8.4. Capturing and Storing Cookies
    5. 8.5. Checking Session Expiration
    6. 8.6. Testing Session Fixation
    7. 8.7. Sending Malicious Cookie Values
    8. 8.8. Uploading Malicious File Contents
    9. 8.9. Uploading Files with Malicious Names
    10. 8.10. Uploading Viruses to Applications
    11. 8.11. Parsing for a Received Value with Perl
    12. 8.12. Editing a Page Programmatically
    13. 8.13. Using Threading for Performance
  12. 9. Seeking Design Flaws
    1. 9.1. Bypassing Required Navigation
    2. 9.2. Attempting Privileged Operations
    3. 9.3. Abusing Password Recovery
    4. 9.4. Abusing Predictable Identifiers
    5. 9.5. Predicting Credentials
    6. 9.6. Finding Random Numbers in Your Application
    7. Testing Random Numbers
    8. 9.7. Abusing Repeatability
    9. 9.8. Abusing High-Load Actions
    10. 9.9. Abusing Restrictive Functionality
    11. 9.10. Abusing Race Conditions
  13. 10. Attacking AJAX
    1. 10.1. Observing Live AJAX Requests
    2. 10.2. Identifying JavaScript in Applications
    3. 10.3. Tracing AJAX Activity Back to Its Source
    4. 10.4. Intercepting and Modifying AJAX Requests
    5. 10.5. Intercepting and Modifying Server Responses
    6. 10.6. Subverting AJAX with Injected Data
    7. 10.7. Subverting AJAX with Injected XML
    8. 10.8. Subverting AJAX with Injected JSON
    9. 10.9. Disrupting Client State
    10. 10.10. Checking for Cross-Domain Access
    11. 10.11. Reading Private Data via JSON Hijacking
  14. 11. Manipulating Sessions
    1. 11.1. Finding Session Identifiers in Cookies
    2. 11.2. Finding Session Identifiers in Requests
    3. 11.3. Finding Authorization Headers
    4. 11.4. Analyzing Session ID Expiration
    5. 11.5. Analyzing Session Identifiers with Burp
    6. 11.6. Analyzing Session Randomness with WebScarab
    7. 11.7. Changing Sessions to Evade Restrictions
    8. 11.8. Impersonating Another User
    9. 11.9. Fixing Sessions
    10. 11.10. Testing for Cross-Site Request Forgery
  15. 12. Multifaceted Tests
    1. 12.1. Stealing Cookies Using XSS
    2. 12.2. Creating Overlays Using XSS
    3. 12.3. Making HTTP Requests Using XSS
    4. 12.4. Attempting DOM-Based XSS Interactively
    5. 12.5. Bypassing Field Length Restrictions (XSS)
    6. 12.6. Attempting Cross-Site Tracing Interactively
    7. 12.7. Modifying Host Headers
    8. 12.8. Brute-Force Guessing Usernames and Passwords
    9. 12.9. Attempting PHP Include File Injection Interactively
    10. 12.10. Creating Decompression Bombs
    11. 12.11. Attempting Command Injection Interactively
    12. 12.12. Attempting Command Injection Systematically
    13. 12.13. Attempting XPath Injection Interactively
    14. 12.14. Attempting Server-Side Includes (SSI) Injection Interactively
    15. 12.15. Attempting Server-Side Includes (SSI) Injection Systematically
    16. 12.16. Attempting LDAP Injection Interactively
    17. 12.17. Attempting Log Injection Interactively
  16. Index
  17. About the Authors
  18. Colophon
  19. Special Upgrade Offer
  20. Copyright