You are previewing The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.
O'Reilly logo
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

Book Description

This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.

The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.

The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.

Table of Contents

  1. Copyright
  2. About the Authors
  3. Credits
  4. Acknowledgments
  5. Introduction
    1. Overview of This Book
    2. Who Should Read This Book
    3. How This Book Is Organized
    4. Tools You Will Need
    5. What's on the Web Site
    6. Bring It On
  6. 1. Web Application (In)Security
    1. 1.1. The Evolution of Web Applications
      1. 1.1.1. Common Web Application Functions
      2. 1.1.2. Benefits of Web Applications
    2. 1.2. Web Application Security
      1. 1.2.1. "This Site Is Secure"
      2. 1.2.2. The Core Security Problem: Users Can Submit Arbitrary Input
      3. 1.2.3. Key Problem Factors
        1. 1.2.3.1. Immature Security Awareness
        2. 1.2.3.2. In-House Development
        3. 1.2.3.3. Deceptive Simplicity
        4. 1.2.3.4. Rapidly Evolving Threat Profile
        5. 1.2.3.5. Resource and Time Constraints
        6. 1.2.3.6. Overextended Technologies
      4. 1.2.4. The New Security Perimeter
      5. 1.2.5. The Future of Web Application Security
    3. 1.3. Chapter Summary
  7. 2. Core Defense Mechanisms
    1. 2.1. Handling User Access
      1. 2.1. Authentication
      2. 2.1.1. Session Management
      3. 2.1.2. Access Control
    2. 2.2. Handling User Input
      1. 2.2.1. Varieties of Input
      2. 2.2.2. Approaches to Input Handling
        1. 2.2.2.1. "Reject Known Bad"
        2. 2.2.2.2. "Accept Known Good"
        3. 2.2.2.3. Sanitization
        4. 2.2.2.4. Safe Data Handling
        5. 2.2.2.5. Semantic Checks
      3. 2.2.3. Boundary Validation
      4. 2.2.4. Multistep Validation and Canonicalization
    3. 2.3. Handling Attackers
      1. 2.3.1. Handling Errors
      2. 2.3.2. Maintaining Audit Logs
      3. 2.3.3. Alerting Administrators
      4. 2.3.4. Reacting to Attacks
    4. 2.4. Managing the Application
    5. 2.5. Chapter Summary
    6. 2.6. Questions
  8. 3. Web Application Technologies
    1. 3.1. The HTTP Protocol
      1. 3.1. HTTP Requests
      2. 3.1.1. HTTP Responses
      3. 3.1.2. HTTP Methods
      4. 3.1.3. URLs
      5. 3.1.4. HTTP Headers
        1. 3.1.4.1. General Headers
        2. 3.1.4.2. Request Headers
        3. 3.1.4.3. Response Headers
      6. 3.1.5. Cookies
      7. 3.1.6. Status Codes
      8. 3.1.7. HTTPS
      9. 3.1.8. HTTP Proxies
      10. 3.1.9. HTTP Authentication
    2. 3.2. Web Functionality
      1. 3.2.1. Server-Side Functionality
        1. 3.2.1.1. The Java Platform
        2. 3.2.1.2. ASP.NET
        3. 3.2.1.3. PHP
      2. 3.2.2. Client-Side Functionality
        1. 3.2.2.1. HTML
        2. 3.2.2.2. Hyperlinks
        3. 3.2.2.3. Forms
        4. 3.2.2.4. JavaScript
        5. 3.2.2.5. Thick Client Components
      3. 3.2.3. State and Sessions
    3. 3.3. Encoding Schemes
      1. 3.3.1. URL Encoding
      2. 3.3.2. Unicode Encoding
      3. 3.3.3. HTML Encoding
      4. 3.3.4. Base64 Encoding
      5. 3.3.5. Hex Encoding
    4. 3.4. Next Steps
    5. 3.5. Questions
  9. 4. Mapping the Application
    1. 4.1. Enumerating Content and Functionality
      1. 4.1. Web Spidering
      2. 4.1.1. User-Directed Spidering
      3. 4.1.2. Discovering Hidden Content
        1. 4.1.2.1. Brute-Force Techniques
        2. 4.1.2.2. Inference from Published Content
        3. 4.1.2.3. Use of Public Information
        4. 4.1.2.4. Leveraging the Web Server
      4. 4.1.3. Application Pages vs. Functional Paths
      5. 4.1.4. Discovering Hidden Parameters
    2. 4.2. Analyzing the Application
      1. 4.2.1. Identifying Entry Points for User Input
      2. 4.2.2. Identifying Server-Side Technologies
        1. 4.2.2.1. Banner Grabbing
        2. 4.2.2.2. HTTP Fingerprinting
        3. 4.2.2.3. File Extensions
        4. 4.2.2.4. Directory Names
        5. 4.2.2.5. Session Tokens
        6. 4.2.2.6. Third-Party Code Components
      3. 4.2.3. Identifying Server-Side Functionality
        1. 4.2.3.1. Dissecting Requests
        2. 4.2.3.2. Extrapolating Application Behavior
      4. 4.2.4. Mapping the Attack Surface
    3. 4.3. Chapter Summary
    4. 4.4. Questions
  10. 5. Bypassing Client-Side Controls
    1. 5.1. Transmitting Data via the Client
      1. 5.1. Hidden Form Fields
      2. 5.1.1. HTTP Cookies
      3. 5.1.2. URL Parameters
      4. 5.1.3. The Referer Header
      5. 5.1.4. Opaque Data
      6. 5.1.5. The ASP.NET ViewState
    2. 5.2. Capturing User Data: HTML Forms
      1. 5.2.1. Length Limits
      2. 5.2.2. Script-Based Validation
      3. 5.2.3. Disabled Elements
    3. 5.3. Capturing User Data: Thick-Client Components
      1. 5.3.1. Java Applets
        1. 5.3.1.1. Decompiling Java Bytecode
        2. 5.3.1.2. Coping with Bytecode Obfuscation
      2. 5.3.2. ActiveX Controls
        1. 5.3.2.1. Reverse Engineering
        2. 5.3.2.2. Manipulating Exported Functions
        3. 5.3.2.3. Fixing Inputs Processed by Controls
        4. 5.3.2.4. Decompiling Managed Code
      3. 5.3.3. Shockwave Flash Objects
    4. 5.4. Handling Client-Side Data Securely
      1. 5.4.1. Transmitting Data via the Client
      2. 5.4.2. Validating Client-Generated Data
      3. 5.4.3. Logging and Alerting
    5. 5.5. Chapter Summary
    6. 5.6. Questions
  11. 6. Attacking Authentication
    1. 6.1. Authentication Technologies
    2. 6.1. Design Flaws in Authentication Mechanisms
      1. 6.1.1. Bad Passwords
      2. 6.1.2. Brute-Forcible Login
      3. 6.1.3. Verbose Failure Messages
      4. 6.1.4. Vulnerable Transmission of Credentials
      5. 6.1.5. Password Change Functionality
      6. 6.1.6. Forgotten Password Functionality
      7. 6.1.7. "Remember Me" Functionality
      8. 6.1.8. User Impersonation Functionality
      9. 6.1.9. Incomplete Validation of Credentials
      10. 6.1.10. Non-Unique Usernames
      11. 6.1.11. Predictable Usernames
      12. 6.1.12. Predictable Initial Passwords
      13. 6.1.13. Insecure Distribution of Credentials
    3. 6.2. Implementation Flaws in Authentication
      1. 6.2.1. Fail-Open Login Mechanisms
      2. 6.2.2. Defects in Multistage Login Mechanisms
      3. 6.2.3. Insecure Storage of Credentials
    4. 6.3. Securing Authentication
      1. 6.3.1. Use Strong Credentials
      2. 6.3.2. Handle Credentials Secretively
      3. 6.3.3. Validate Credentials Properly
      4. 6.3.4. Prevent Information Leakage
      5. 6.3.5. Prevent Brute-Force Attacks
      6. 6.3.6. Prevent Misuse of the Password Change Function
      7. 6.3.7. Prevent Misuse of the Account Recovery Function
      8. 6.3.8. Log, Monitor, and Notify
    5. 6.4. Chapter Summary
    6. 6.5. Questions
  12. 7. Attacking Session Management
    1. 7.1. The Need for State
      1. 7.1. Alternatives to Sessions
    2. 7.2. Weaknesses in Session Token Generation
      1. 7.2.1. Meaningful Tokens
      2. 7.2.2. Predictable Tokens
        1. 7.2.2.1. Concealed Sequences
        2. 7.2.2.2. Time Dependency
        3. 7.2.2.3. Weak Random Number Generation
          1. 7.2.2.3.1. Full-Blown Tests for Randomness
    3. 7.3. Weaknesses in Session Token Handling
      1. 7.3.1. Disclosure of Tokens on the Network
      2. 7.3.2. Disclosure of Tokens in Logs
      3. 7.3.3. Vulnerable Mapping of Tokens to Sessions
      4. 7.3.4. Vulnerable Session Termination
      5. 7.3.5. Client Exposure to Token Hijacking
      6. 7.3.6. Liberal Cookie Scope
        1. 7.3.6.1. Cookie Domain Restrictions
        2. 7.3.6.2. Cookie Path Restrictions
    4. 7.4. Securing Session Management
      1. 7.4.1. Generate Strong Tokens
      2. 7.4.2. Protect Tokens throughout Their Lifecycle
        1. 7.4.2.1. Per-Page Tokens
      3. 7.4.3. Log, Monitor, and Alert
        1. 7.4.3.1. Reactive Session Termination
    5. 7.5. Chapter Summary
    6. 7.6. Questions
  13. 8. Attacking Access Controls
    1. 8.1. Common Vulnerabilities
      1. 8.1. Completely Unprotected Functionality
      2. 8.1.1. Identifier-Based Functions
      3. 8.1.2. Multistage Functions
      4. 8.1.3. Static Files
      5. 8.1.4. Insecure Access Control Methods
    2. 8.2. Attacking Access Controls
    3. 8.3. Securing Access Controls
      1. 8.3.1. A Multi-Layered Privilege Model
    4. 8.4. Chapter Summary
    5. 8.5. Questions
  14. 9. Injecting Code
    1. 9.1. Injecting into Interpreted Languages
    2. 9.1. Injecting into SQL
      1. 9.1.1. Exploiting a Basic Vulnerability
      2. 9.1.2. Bypassing a Login
      3. 9.1.3. Finding SQL Injection Bugs
        1. 9.1.3.1.
          1. 9.1.3.1.1. String Data
          2. 9.1.3.1.2. Numeric Data
      4. 9.1.4. Injecting into Different Statement Types
        1. 9.1.4.1.
          1. 9.1.4.1.1. SELECT Statements
          2. 9.1.4.1.2. INSERT Statements
          3. 9.1.4.1.3. UPDATE Statements
          4. 9.1.4.1.4. DELETE Statements
      5. 9.1.5. The UNION Operator
      6. 9.1.6. Fingerprinting the Database
      7. 9.1.7. Extracting Useful Data
        1. 9.1.7.1. An Oracle Hack
        2. 9.1.7.2. An MS-SQL Hack
      8. 9.1.8. Exploiting ODBC Error Messages (MS-SQL Only)
        1. 9.1.8.1. Enumerating Table and Column Names
        2. 9.1.8.2. Extracting Arbitrary Data
        3. 9.1.8.3. Using Recursion
      9. 9.1.9. Bypassing Filters
        1. 9.1.9.1.
          1. 9.1.9.1.1. Avoiding Blocked Characters
          2. 9.1.9.1.2. Circumventing Simple Validation
          3. 9.1.9.1.3. Using SQL Comments
          4. 9.1.9.1.4. Manipulating Blocked Strings
          5. 9.1.9.1.5. Using Dynamic Execution
          6. 9.1.9.1.6. Exploiting Defective Filters
      10. 9.1.10. Second-Order SQL Injection
      11. 9.1.11. Advanced Exploitation
        1. 9.1.11.1. Retrieving Data as Numbers
        2. 9.1.11.2. Using an Out-of-Band Channel
          1. 9.1.11.2.1. MS-SQL
          2. 9.1.11.2.2. Oracle
          3. 9.1.11.2.3. MySQL
          4. 9.1.11.2.4. Leveraging the Operating System
        3. 9.1.11.3. Using Inference: Conditional Responses
          1. 9.1.11.3.1. Absinthe
          2. 9.1.11.3.2. Inducing Conditional Errors
          3. 9.1.11.3.3. Using Time Delays
      12. 9.1.12. Beyond SQL Injection: Escalating the Database Attack
        1. 9.1.12.1. MS-SQL
        2. 9.1.12.2. Oracle
        3. 9.1.12.3. MySQL
      13. 9.1.13. SQL Syntax and Error Reference
        1. 9.1.13.1. SQL Syntax
        2. 9.1.13.2. SQL Error Messages
      14. 9.1.14. Preventing SQL Injection
        1. 9.1.14.1. Partially Effective Measures
        2. 9.1.14.2. Parameterized Queries
        3. 9.1.14.3. Defense in Depth
    3. 9.2. Injecting OS Commands
      1. 9.2.1. Example 1: Injecting via Perl
      2. 9.2.2. Example 2: Injecting via ASP
      3. 9.2.3. Finding OS Command Injection Flaws
      4. 9.2.4. Preventing OS Command Injection
    4. 9.3. Injecting into Web Scripting Languages
      1. 9.3.1. Dynamic Execution Vulnerabilities
        1. 9.3.1.1. Dynamic Execution in PHP
        2. 9.3.1.2. Dynamic Execution in ASP
        3. 9.3.1.3. Finding Dynamic Execution Vulnerabilities
      2. 9.3.2. File Inclusion Vulnerabilities
        1. 9.3.2.1. Remote File Inclusion
        2. 9.3.2.2. Local File Inclusion
        3. 9.3.2.3. Finding File Inclusion Vulnerabilities
      3. 9.3.3. Preventing Script Injection Vulnerabilities
    5. 9.4. Injecting into SOAP
      1. 9.4.1. Finding and Exploiting SOAP Injection
      2. 9.4.2. Preventing SOAP Injection
    6. 9.5. Injecting into XPath
      1. 9.5.1. Subverting Application Logic
      2. 9.5.2. Informed XPath Injection
      3. 9.5.3. Blind XPath Injection
      4. 9.5.4. Finding XPath Injection Flaws
      5. 9.5.5. Preventing XPath Injection
    7. 9.6. Injecting into SMTP
      1. 9.6.1. Email Header Manipulation
      2. 9.6.2. SMTP Command Injection
      3. 9.6.3. Finding SMTP Injection Flaws
      4. 9.6.4. Preventing SMTP Injection
    8. 9.7. Injecting into LDAP
      1. 9.7.1. Injecting Query Attributes
      2. 9.7.2. Modifying the Search Filter
      3. 9.7.3. Finding LDAP Injection Flaws
      4. 9.7.4. Preventing LDAP Injection
    9. 9.8. Chapter Summary
    10. 9.9. Questions
  15. 10. Exploiting Path Traversal
    1. 10.1. Common Vulnerabilities
    2. 10.1. Finding and Exploiting Path Traversal Vulnerabilities
      1. 10.1.1. Locating Targets for Attack
      2. 10.1.2. Detecting Path Traversal Vulnerabilities
      3. 10.1.3. Circumventing Obstacles to Traversal Attacks
        1. 10.1.3.1. Coping with Custom Encoding
      4. 10.1.4. Exploiting Traversal Vulnerabilities
    3. 10.2. Preventing Path Traversal Vulnerabilities
    4. 10.3. Chapter Summary
    5. 10.4. Questions
  16. 11. Attacking Application Logic
    1. 11.1. The Nature of Logic Flaws
    2. 11.1. Real-World Logic Flaws
      1. 11.1.1. Example 1: Fooling a Password Change Function
        1. 11.1.1.1. The Functionality
        2. 11.1.1.2. The Assumption
        3. 11.1.1.3. The Attack
      2. 11.1.2. Example 2: Proceeding to Checkout
        1. 11.1.2.1. The Functionality
        2. 11.1.2.2. The Assumption
        3. 11.1.2.3. The Attack
      3. 11.1.3. Example 3: Rolling Your Own Insurance
        1. 11.1.3.1. The Functionality
        2. 11.1.3.2. The Assumption
        3. 11.1.3.3. The Attack
      4. 11.1.4. Example 4: Breaking the Bank
        1. 11.1.4.1. The Functionality
        2. 11.1.4.2. The Assumption
        3. 11.1.4.3. The Attack
      5. 11.1.5. Example 5: Erasing an Audit Trail
        1. 11.1.5.1. The Functionality
        2. 11.1.5.2. The Assumption
        3. 11.1.5.3. The Attack
      6. 11.1.6. Example 6: Beating a Business Limit
        1. 11.1.6.1. The Functionality
        2. 11.1.6.2. The Assumption
        3. 11.1.6.3. The Attack
      7. 11.1.7. Example 7: Cheating on Bulk Discounts
        1. 11.1.7.1. The Functionality
        2. 11.1.7.2. The Assumption
        3. 11.1.7.3. The Attack
      8. 11.1.8. Example 8: Escaping from Escaping
        1. 11.1.8.1. The Functionality
        2. 11.1.8.2. The Assumption
        3. 11.1.8.3. The Attack
      9. 11.1.9. Example 9: Abusing a Search Function
        1. 11.1.9.1. The Functionality
        2. 11.1.9.2. The Assumption
        3. 11.1.9.3. The Attack
      10. 11.1.10. Example 10: Snarfing Debug Messages
        1. 11.1.10.1. The Functionality
        2. 11.1.10.2. The Assumption
        3. 11.1.10.3. The Attack
      11. 11.1.11. Example 11: Racing against the Login
        1. 11.1.11.1. The Functionality
        2. 11.1.11.2. The Assumption
        3. 11.1.11.3. The Attack
    3. 11.2. Avoiding Logic Flaws
    4. 11.3. Chapter Summary
    5. 11.4. Questions
  17. 12. Attacking Other Users
    1. 12.1. Cross-Site Scripting
      1. 12.1. Reflected XSS Vulnerabilities
        1. 12.1.1. Exploiting the Vulnerability
      2. 12.2. Stored XSS Vulnerabilities
        1. 12.2.1. Storing XSS in Uploaded Files
      3. 12.3. DOM-Based XSS Vulnerabilities
      4. 12.4. Real-World XSS Attacks
      5. 12.5. Chaining XSS and Other Attacks
      6. 12.6. Payloads for XSS Attacks
        1. 12.6.1. Virtual Defacement
        2. 12.6.2. Injecting Trojan Functionality
        3. 12.6.3. Inducing User Actions
        4. 12.6.4. Exploiting Any Trust Relationships
        5. 12.6.5. Escalating the Client-Side Attack
          1. 12.6.5.1. Log Keystrokes
          2. 12.6.5.2. Capture Clipboard Contents
          3. 12.6.5.3. Steal History and Search Queries
          4. 12.6.5.4. Enumerate Currently Used Applications
          5. 12.6.5.5. Port Scan the Local Network
          6. 12.6.5.6. Attack Other Network Hosts
          7. 12.6.5.7. Exploit Browser Vulnerabilities
      7. 12.7. Delivery Mechanisms for XSS Attacks
        1. 12.7.1. Delivering Reflected and DOM-Based XSS Attacks
        2. 12.7.2. Delivering Stored XSS Attacks
      8. 12.8. Finding and Exploiting XSS Vulnerabilities
        1. 12.8.1. Finding and Exploiting Reflected XSS Vulnerabilities
          1. 12.8.1.1. Example 1
          2. 12.8.1.2. Example 2
          3. 12.8.1.3. Example 3
          4. 12.8.1.4. Other Entry Points for JavaScript
          5. 12.8.1.5. Beating Signature-Based Filters
          6. 12.8.1.6. Beating Sanitization
          7. 12.8.1.7. Beating Length Limits
          8. 12.8.1.8. Modifying the Request Method
          9. 12.8.1.9. Using Nonstandard Content Encoding
          10. 12.8.1.10. UTF-7:
          11. 12.8.1.11. US-ASCII:
          12. 12.8.1.12. UTF-16:
        2. 12.8.2. Finding and Exploiting Stored XSS Vulnerabilities
        3. 12.8.3. Finding and Exploiting DOM-Based XSS Vulnerabilities
      9. 12.9. HttpOnly Cookies and Cross-Site Tracing
      10. 12.10. Preventing XSS Attacks
        1. 12.10.1. Preventing Reflected and Stored XSS
          1. 12.10.1.1. Validate Input
          2. 12.10.1.2. Validate Output
          3. 12.10.1.3. Eliminate Dangerous Insertion Points
        2. 12.10.2. Preventing DOM-Based XSS
          1. 12.10.2.1. Validate Input
          2. 12.10.2.2. Validate Output
        3. 12.10.3. Preventing XST
    2. 12.2. Redirection Attacks
      1. 12.2.1. Finding and Exploiting Redirection Vulnerabilities
        1. 12.2.1.1. Circumventing Obstacles to Attack
          1. 12.2.1.1.1. Blocking of Absolute URLs
          2. 12.2.1.1.2. Addition of an Absolute Prefix
      2. 12.2.2. Preventing Redirection Vulnerabilities
    3. 12.3. HTTP Header Injection
      1. 12.3.1. Exploiting Header Injection Vulnerabilities
        1. 12.3.1.1. Injecting Cookies
        2. 12.3.1.2. Delivering Other Attacks
        3. 12.3.1.3. HTTP Response Splitting
      2. 12.3.2. Preventing Header Injection Vulnerabilities
    4. 12.4. Frame Injection
      1. 12.4.1. Exploiting Frame Injection
        1. 12.4.1.1. Preventing Frame Injection
    5. 12.5. Request Forgery
      1. 12.5.1. On-Site Request Forgery
      2. 12.5.2. Cross-Site Request Forgery
        1. 12.5.2.1. Exploiting XSRF Flaws
        2. 12.5.2.2. Preventing XSRF Flaws
          1. 12.5.2.2.1. Defeating Anti-XSRF Defenses via XSS
    6. 12.6. JSON Hijacking
      1. 12.6.1. JSON
      2. 12.6.2. Attacks against JSON
        1. 12.6.2.1. Overriding the Array Constructor
        2. 12.6.2.2. Implementing a Callback Function
      3. 12.6.3. Finding JSON Hijacking Vulnerabilities
      4. 12.6.4. Preventing JSON Hijacking
    7. 12.7. Session Fixation
      1. 12.7.1. Finding and Exploiting Session Fixation Vulnerabilities
      2. 12.7.2. Preventing Session Fixation Vulnerabilities
    8. 12.8. Attacking ActiveX Controls
      1. 12.8.1. Finding ActiveX Vulnerabilities
      2. 12.8.2. Preventing ActiveX Vulnerabilities
    9. 12.9. Local Privacy Attacks
      1. 12.9.1. Persistent Cookies
      2. 12.9.2. Cached Web Content
      3. 12.9.3. Browsing History
      4. 12.9.4. Autocomplete
      5. 12.9.5. Preventing Local Privacy Attacks
    10. 12.10. Advanced Exploitation Techniques
      1. 12.10.1. Leveraging Ajax
        1. 12.10.1.1. Making Asynchronous Off-Site Requests
      2. 12.10.2. Anti-DNS Pinning
        1. 12.10.2.1. A Hypothetical Attack
        2. 12.10.2.2. DNS Pinning
        3. 12.10.2.3. Attacks against DNS Pinning
      3. 12.10.3. Browser Exploitation Frameworks
    11. 12.11. Chapter Summary
    12. 12.12. Questions
  18. 13. Automating Bespoke Attacks
    1. 13.1. Uses for Bespoke Automation
    2. 13.1. Enumerating Valid Identifiers
      1. 13.1.1. The Basic Approach
      2. 13.1.2. Detecting Hits
        1. 13.1.2.1. HTTP Status Code
        2. 13.1.2.2. Response Length
        3. 13.1.2.3. Response Body
        4. 13.1.2.4. Location Header
        5. 13.1.2.5. Set-Cookie Header
        6. 13.1.2.6. Time Delays
      3. 13.1.3. Scripting the Attack
      4. 13.1.4. JAttack
    3. 13.2. Harvesting Useful Data
    4. 13.3. Fuzzing for Common Vulnerabilities
    5. 13.4. Putting It All Together: Burp Intruder
      1. 13.4.1. Positioning Payloads
        1. 13.4.1.1. Choosing Payloads
        2. 13.4.1.2. Configuring Response Analysis
        3. 13.4.1.3. Attack 1: Enumerating Identifiers
        4. 13.4.1.4. Attack 2: Harvesting Information
        5. 13.4.1.5. Attack 3: Application Fuzzing
    6. 13.5. Chapter Summary
    7. 13.6. Questions
  19. 14. Exploiting Information Disclosure
    1. 14.1. Exploiting Error Messages
      1. 14.1. Script Error Messages
      2. 14.1.1. Stack Traces
      3. 14.1.2. Informative Debug Messages
      4. 14.1.3. Server and Database Messages
      5. 14.1.4. Using Public Information
      6. 14.1.5. Engineering Informative Error Messages
    2. 14.2. Gathering Published Information
    3. 14.3. Using Inference
    4. 14.4. Preventing Information Leakage
      1. 14.4.1. Use Generic Error Messages
      2. 14.4.2. Protect Sensitive Information
      3. 14.4.3. Minimize Client-Side Information Leakage
    5. 14.5. Chapter Summary
    6. 14.6. Questions
  20. 15. Attacking Compiled Applications
    1. 15.1. Buffer Overflow Vulnerabilities
      1. 15.1. Stack Overflows
      2. 15.1.1. Heap Overflows
      3. 15.1.2. "Off-by-One" Vulnerabilities
      4. 15.1.3. Detecting Buffer Overflow Vulnerabilities
    2. 15.2. Integer Vulnerabilities
      1. 15.2.1. Integer Overflows
      2. 15.2.2. Signedness Errors
      3. 15.2.3. Detecting Integer Vulnerabilities
    3. 15.3. Format String Vulnerabilities
      1. 15.3.1. Detecting Format String Vulnerabilities
    4. 15.4. Chapter Summary
    5. 15.5. Questions
  21. 16. Attacking Application Architecture
    1. 16.1. Tiered Architectures
      1. 16.1. Attacking Tiered Architectures
        1. 16.1.1. Exploiting Trust Relationships between Tiers
        2. 16.1.1. Subverting Other Tiers
        3. 16.1.2. Attacking Other Tiers
      2. 16.2. Securing Tiered Architectures
        1. 16.2.1. Minimize Trust Relationships
        2. 16.2.2. Segregate Different Components
        3. 16.2.3. Apply Defense in Depth
    2. 16.2. Shared Hosting and Application Service Providers
      1. 16.2.1. Virtual Hosting
      2. 16.2.2. Shared Application Services
      3. 16.2.3. Attacking Shared Environments
        1. 16.2.3.1. Attacks against Access Mechanisms
        2. 16.2.3.2. Attacks between Applications
          1. 16.2.3.2.1. Deliberate Backdoors
          2. 16.2.3.2.2. Attacks between Vulnerable Applications
          3. 16.2.3.2.3. Attacks between ASP Application Components
      4. 16.2.4. Securing Shared Environments
        1. 16.2.4.1. Secure Customer Access
        2. 16.2.4.2. Segregate Customer Functionality
        3. 16.2.4.3. Segregate Components in a Shared Application
    3. 16.3. Chapter Summary
    4. 16.4. Questions
  22. 17. Attacking the Web Server
    1. 17.1. Vulnerable Web Server Configuration
      1. 17.1. Default Credentials
      2. 17.1.1. Default Content
        1. 17.1.1.1. Debug Functionality
        2. 17.1.1.2. Sample Functionality
        3. 17.1.1.3. Powerful Functions
      3. 17.1.2. Directory Listings
      4. 17.1.3. Dangerous HTTP Methods
      5. 17.1.4. The Web Server as a Proxy
      6. 17.1.5. Misconfigured Virtual Hosting
      7. 17.1.6. Securing Web Server Configuration
    2. 17.2. Vulnerable Web Server Software
      1. 17.2.1. Buffer Overflow Vulnerabilities
        1. 17.2.1.1. Microsoft IIS ISAPI Extensions
        2. 17.2.1.2. Apache Chunked Encoding Overflow
        3. 17.2.1.3. Microsoft IIS WebDav Overflow
        4. 17.2.1.4. iPlanet Search Overflow
      2. 17.2.2. Path Traversal Vulnerabilities
        1. 17.2.2.1. Accipiter DirectServer
        2. 17.2.2.2. Alibaba
        3. 17.2.2.3. Cisco ACS Acme.server
        4. 17.2.2.4. McAfee EPolicy Orcestrator
      3. 17.2.3. Encoding and Canonicalization Vulnerabilities
        1. 17.2.3.1. Allaire JRun Directory Listing Vulnerability
        2. 17.2.3.2. Microsoft IIS Unicode Path Traversal Vulnerabilities
        3. 17.2.3.3. Oracle PL/SQL Exclusion List Bypasses
      4. 17.2.4. Finding Web Server Flaws
      5. 17.2.5. Securing Web Server Software
        1. 17.2.5.1. Choose Software with a Good Track Record
        2. 17.2.5.2. Apply Vendor Patches
        3. 17.2.5.3. Perform Security Hardening
        4. 17.2.5.4. Monitor for New Vulnerabilities
        5. 17.2.5.5. Use Defense-in-Depth
    3. 17.3. Chapter Summary
    4. 17.4. Questions
  23. 18. Finding Vulnerabilities in Source Code
    1. 18.1. Approaches to Code Review
      1. 18.1. Black-Box vs. White-Box Testing
      2. 18.1.1. Code Review Methodology
    2. 18.2. Signatures of Common Vulnerabilities
      1. 18.2.1. Cross-Site Scripting
      2. 18.2.2. SQL Injection
      3. 18.2.3. Path Traversal
      4. 18.2.4. Arbitrary Redirection
      5. 18.2.5. OS Command Injection
      6. 18.2.6. Backdoor Passwords
      7. 18.2.7. Native Software Bugs
        1. 18.2.7.1. Buffer Overflow Vulnerabilities
        2. 18.2.7.2. Integer Vulnerabilities
        3. 18.2.7.3. Format String Vulnerabilities
      8. 18.2.8. Source Code Comments
    3. 18.3. The Java Platform
      1. 18.3.1. Identifying User-Supplied Data
      2. 18.3.2. Session Interaction
      3. 18.3.3. Potentially Dangerous APIs
        1. 18.3.3.1. File Access
        2. 18.3.3.2. Database Access
        3. 18.3.3.3. Dynamic Code Execution
        4. 18.3.3.4. OS Command Execution
        5. 18.3.3.5. URL Redirection
        6. 18.3.3.6. Sockets
      4. 18.3.4. Configuring the Java Environment
    4. 18.4. ASP.NET
      1. 18.4.1. Identifying User-Supplied Data
      2. 18.4.2. Session Interaction
      3. 18.4.3. Potentially Dangerous APIs
        1. 18.4.3.1. File Access
        2. 18.4.3.2. Database Access
        3. 18.4.3.3. Dynamic Code Execution
        4. 18.4.3.4. OS Command Execution
        5. 18.4.3.5. URL Redirection
        6. 18.4.3.6. Sockets
      4. 18.4.4. Configuring the ASP.NET Environment
    5. 18.5. PHP
      1. 18.5.1. Identifying User-Supplied Data
      2. 18.5.2. Session Interaction
      3. 18.5.3. Potentially Dangerous APIs
        1. 18.5.3.1. File Access
        2. 18.5.3.2. Database Access
        3. 18.5.3.3. Dynamic Code Execution
        4. 18.5.3.4. OS Command Execution
        5. 18.5.3.5. URL Redirection
        6. 18.5.3.6. Sockets
      4. 18.5.4. Configuring the PHP Environment
        1. 18.5.4.1. Register Globals
        2. 18.5.4.2. Safe Mode
        3. 18.5.4.3. Magic Quotes
        4. 18.5.4.4. Miscellaneous
    6. 18.6. Perl
      1. 18.6.1. Identifying User-Supplied Data
      2. 18.6.2. Session Interaction
      3. 18.6.3. Potentially Dangerous APIs
        1. 18.6.3.1. File Access
        2. 18.6.3.2. Database Access
        3. 18.6.3.3. Dynamic Code Execution
        4. 18.6.3.4. OS Command Execution
        5. 18.6.3.5. URL Redirection
        6. 18.6.3.6. Sockets
      4. 18.6.4. Configuring the Perl Environment
    7. 18.7. JavaScript
    8. 18.8. Database Code Components
      1. 18.8.1. SQL Injection
      2. 18.8.2. Calls to Dangerous Functions
    9. 18.9. Tools for Code Browsing
    10. 18.10. Chapter Summary
    11. 18.11. Questions
  24. 19. A Web Application Hacker's Toolkit
    1. 19.1. Web Browsers
      1. 19.1. Internet Explorer
      2. 19.1.1. Firefox
      3. 19.1.2. Opera
    2. 19.2. Integrated Testing Suites
      1. 19.2.1. How the Tools Work
        1. 19.2.1.1. Intercepting Proxies
          1. 19.2.1.1.1. Configuring Your Browser
          2. 19.2.1.1.2. Intercepting Proxies and HTTPS
          3. 19.2.1.1.3. Common Features
        2. 19.2.1.2. Web Application Spiders
        3. 19.2.1.3. Application Fuzzers and Scanners
        4. 19.2.1.4. Manual Request Tools
          1. 19.2.1.4.1. Shared Functions and Utilities
      2. 19.2.2. Feature Comparison
        1. 19.2.2.1. Burp Suite
        2. 19.2.2.2. Paros
        3. 19.2.2.3. WebScarab
      3. 19.2.3. Alternatives to the Intercepting Proxy
        1. 19.2.3.1. Tamper Data
        2. 19.2.3.2. TamperIE
    3. 19.3. Vulnerability Scanners
      1. 19.3.1. Vulnerabilities Detected by Scanners
      2. 19.3.2. Inherent Limitations of Scanners
        1. 19.3.2.1. Every Web Application Is Different
        2. 19.3.2.2. Scanners Operate on Syntax
        3. 19.3.2.3. Scanners Do Not Improvise
        4. 19.3.2.4. Scanners Are Not Intuitive
      3. 19.3.3. Technical Challenges Faced by Scanners
        1. 19.3.3.1. Authentication and Session Handling
        2. 19.3.3.2. Dangerous Effects
        3. 19.3.3.3. Individuating Functionality
        4. 19.3.3.4. Other Challenges to Automation
      4. 19.3.4. Current Products
      5. 19.3.5. Using a Vulnerability Scanner
    4. 19.4. Other Tools
      1. 19.4.1. Nikto
      2. 19.4.2. Hydra
      3. 19.4.3. Custom Scripts
        1. 19.4.3.1. Wget
        2. 19.4.3.2. Curl
        3. 19.4.3.3. Netcat
        4. 19.4.3.4. Stunnel
    5. 19.5. Chapter Summary
  25. 20. A Web Application Hacker's Methodology
    1. 20.1. Map the Application's Content
      1. 20.1.1. Explore Visible Content
      2. 20.1.2. Consult Public Resources
      3. 20.1.3. Discover Hidden Content
      4. 20.1.4. Discover Default Content
      5. 20.1.5. Enumerate Identifier-Specified Functions
      6. 20.1.6. Test for Debug Parameters
    2. 20.2. Analyze the Application
      1. 20.2.1. Identify Functionality
      2. 20.2.2. Identify Data Entry Points
      3. 20.2.3. Identify the Technologies Used
      4. 20.2.4. Map the Attack Surface
    3. 20.3. Test Client-Side Controls
      1. 20.3.1. Test Transmission of Data via the Client
      2. 20.3.2. Test Client-Side Controls over User Input
      3. 20.3.3. Test Thick-Client Components
        1. 20.3.3.1. Test Java Applets
        2. 20.3.3.2. Test ActiveX controls
        3. 20.3.3.3. Test Shockwave Flash objects
    4. 20.4. Test the Authentication Mechanism
      1. 20.4.1. Understand the Mechanism
      2. 20.4.2. Test Password Quality
      3. 20.4.3. Test for Username Enumeration
      4. 20.4.4. Test Resilience to Password Guessing
      5. 20.4.5. Test Any Account Recovery Function
      6. 20.4.6. Test Any Remember Me Function
      7. 20.4.7. Test Any Impersonation Function
      8. 20.4.8. Test Username Uniqueness
      9. 20.4.9. Test Predictability of Auto-Generated Credentials
      10. 20.4.10. Check for Unsafe Transmission of Credentials
      11. 20.4.11. Check for Unsafe Distribution of Credentials
      12. 20.4.12. Test for Logic Flaws
        1. 20.4.12.1. Test for Fail-Open Conditions
        2. 20.4.12.2. Test Any Multistage Mechanisms
      13. 20.4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access
    5. 20.5. Test the Session Management Mechanism
      1. 20.5.1. Understand the Mechanism
      2. 20.5.2. Test Tokens for Meaning
      3. 20.5.3. Test Tokens for Predictability
      4. 20.5.4. Check for Insecure Transmission of Tokens
      5. 20.5.5. Check for Disclosure of Tokens in Logs
      6. 20.5.6. Check Mapping of Tokens to Sessions
      7. 20.5.7. Test Session Termination
      8. 20.5.8. Check for Session Fixation
      9. 20.5.9. Check for XSRF
      10. 20.5.10. Check Cookie Scope
    6. 6.. Test Access Controls
      1. 20.6.1. Understand the Access Control Requirements
      2. 20.6.2. Testing with Multiple Accounts
      3. 20.6.3. Testing with Limited Access
      4. 20.6.4. Test for Insecure Access Control Methods
    7. 7.. Test for Input-Based Vulnerabilities
      1. 20.7.1. Fuzz All Request Parameters
      2. 20.7.2. Test for SQL Injection
      3. 20.7.3. Test for XSS and Other Response Injection
        1. 7.3.1.. Identify Reflected Request Parameters
        2. 7.3.2.. Test for Reflected XSS
        3. 7.3.3.. Test for HTTP Header Injection
        4. 7.3.4.. Test for Arbitrary Redirection
        5. 7.3.5.. Test for Stored Attacks
      4. 20.7.4. Test for OS Command Injection
      5. 20.7.5. Test for Path Traversal
      6. 20.7.6. Test for Script Injection
      7. 20.7.7. Test for File Inclusion
    8. 8.. Test for Function-Specific Input Vulnerabilities
      1. 20.8.1. Test for SMTP Injection
      2. 20.8.2. Test for Native Software Vulnerabilities
        1. 8.2.1.. Test for Buffer Overflows
        2. 8.2.2.. Test for Integer Vulnerabilities
        3. 8.2.3.. Test for Format String Vulnerabilities
      3. 20.8.3. Test for SOAP Injection
      4. 20.8.4. Test for LDAP Injection
      5. 20.8.5. Test for XPath Injection
    9. 9.. Test for Logic Flaws
      1. 20.9.1. Identify the Key Attack Surface
      2. 20.9.2. Test Multistage Processes
      3. 20.9.3. Test Handling of Incomplete Input
      4. 20.9.4. Test Trust Boundaries
      5. 20.9.5. Test Transaction Logic
    10. 10.. Test for Shared Hosting Vulnerabilities
      1. 20.10.1. Test Segregation in Shared Infrastructures
      2. 20.10.2. Test Segregation between ASP-Hosted Applications
    11. 11.. Test for Web Server Vulnerabilities
      1. 20.11.1. Test for Default Credentials
      2. 20.11.2. Test for Default Content
      3. 20.11.3. Test for Dangerous HTTP Methods
      4. 20.11.4. Test for Proxy Functionality
      5. 20.11.5. Test for Virtual Hosting Misconfiguration
      6. 20.11.6. Test for Web Server Software Bugs
    12. 12.. Miscellaneous Checks
      1. 20.12.1. Check for DOM-Based Attacks
      2. 20.12.2. Check for Frame Injection
      3. 20.12.3. Check for Local Privacy Vulnerabilities
      4. 20.12.4. Follow Up Any Information Leakage
      5. 20.12.5. Check for Weak SSL Ciphers