Web Hacking: Attacks and Defense

Book Description

"Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."
--From the Foreword by William C. Boni, Chief Information Security Officer, Motorola

"Just because you have a firewall and IDS sensor does not mean you are secure; this book shows you why."
--Lance Spitzner, Founder, The Honeynet Project

Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.

Features include:

  • Overview of the Web and what hackers go after

  • Complete Web application security methodologies

  • Detailed analysis of hack techniques

  • Countermeasures

  • What to do at development time to eliminate vulnerabilities

  • New case studies and eye-opening attack scenarios

  • Advanced Web hacking concepts, methodologies, and tools

  • "How Do They Do It?" sections show how and why different attacks succeed, including:

      • Cyber graffiti and Web site defacements

      • e-Shoplifting

      • Database access and Web applications

      • Java™ application servers; how to harden your Java™ Web Server

      • Impersonation and session hijacking

      • Buffer overflows, the most wicked of attacks

      • Automated attack tools and worms

  • Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.

Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.


Table of Contents

    1. Copyright
      1. Dedication
    2. Foreword
    3. Introduction
      1. “We're Secure, We Have a Firewall”
        1. To Err Is Human
        2. Writing on the Wall
      2. Book Organization
        1. Parts
        2. Chapters
      3. A Final Word
      4. Acknowledgments
      5. Contributor
    4. 1. The E-Commerce Playground
      1. 1. Web Languages: The Babylon of the 21st Century
        1. Introduction
        2. Languages of the Web
          1. HTML
          2. Dynamic HTML (DHTML)
          3. XML
          4. XHTML
          5. Perl
          6. PHP
          7. ColdFusion
            1. ColdFusion Application Server
            2. ColdFusion Markup Language
            3. ColdFusion Studio
          8. Active Server Pages
            1. Database Connectivity
              1. ConnectionString
            2. ActiveX
            3. ASP Summary
          9. CGI
            1. Environmental Variables
            2. Server-Side Includes (SSI): HTML and SHTML
              1. Microsoft's IIS Web Server and SSI
        3. Java
          1. Client-Based Java
            1. Applets
              1. Java Scripting Languages
                1. JavaScript
                2. Jscript
            2. Server-Based Java
              1. Java Server Pages (JSP)
                1. Database Connectivity
                2. Source Code Disclosure
                  1. Case Sensitivity
                  2. Forcing Default Handlers
                3. Arbitrary Command Execution
              2. JHTML
                1. Source Code Disclosure
                  1. Forcing Default Handlers
                  2. Case Sensitivity
        4. Summary
      2. 2. Web and Database Servers
        1. Introduction
        2. Web Servers
          1. Apache
            1. Virtual Hosts
              1. Name-Based Mechanism
              2. IP-Based Mechanism
                1. UNIX IP Aliasing
            2. Server Side Includes
            3. CGI
              1. ScriptAlias
            4. Handlers
          2. Microsoft's Internet Information Server (IIS)
            1. ISAPI Applications
            2. Virtual Directories
            3. Sample Files
            4. Virtual Hosts
              1. Secondary IP Addresses
              2. Multiple Web Sites
        3. Database Servers
          1. SQL Poisoning
            1. Data Producing
            2. Error Producing
          2. SQL Commands
          3. Microsoft SQL Server
            1. Default Stored Procedures
            2. Default Databases
            3. Default System Tables
            4. Default System and Meta-Data Functions
            5. Information Schema Views
            6. Passwords
            7. Microsoft SQL Server Summary
          4. Oracle
            1. System Tables
            2. Passwords
            3. Privileges
            4. Oracle Listener
              1. Status Request
        4. Summary
      3. 3. Shopping Carts and Payment Gateways
        1. Introduction
        2. Evolution of the Storefront
        3. Electronic Shopping
        4. Shopping Cart Systems
          1. Scope and Lifetime of an Electronic Shopping Cart
          2. Collecting, Analyzing, and Comparing Selected Components
          3. Keeping Track of the Total Cost
          4. Change of Mind
          5. Processing the Purchase
        5. Implementation of a Shopping Cart Application
          1. Product Catalog
          2. Session Management
          3. Database Interfacing
          4. Integration with the Payment Gateway
        6. Examples of Poorly Implemented Shopping Carts
          1. Carello Shopping Cart
          2. DCShop Shopping Cart
          3. Hassan Consulting's Shopping Cart
          4. Cart32 and Several Other Shopping Carts
        7. Processing Payments
          1. Finalizing the Order
          2. Method of Payment
          3. Verification and Fraud Protection
          4. Order Fulfillment and Receipt Generation
        8. Overview of the Payment Processing System
          1. Order Confirmation Page
          2. Payment Gateway Interface
          3. Transaction Database Interface
        9. Interfacing with a Payment Gateway—An Example
        10. Payment System Implementation Issues
          1. Integration
          2. Temporary Information
          3. SSL
          4. Storing User Profiles
        11. PayPal—Enabling Individuals to Accept Electronic Payments
        12. Summary
      4. 4. HTTP and HTTPS: The Hacking Protocols
        1. Introduction
        2. Protocols of the Web
          1. HTTP
            1. HTTP/0.9
            2. HTTP/1.0
              1. HTTP Request
              2. HTTP Response
                1. Response Code
                2. Header Fields
                3. Data
            3. HTTP/1.1
              1. HTTP Request
              2. HTTP Response
                1. Response Codes
                2. Header Fields
          2. HTTPS (HTTP over SSL)
        3. Summary
      5. 5. URL: The Web Hacker's Sword
        1. Introduction
        2. URL Structure
        3. URLs and Parameter Passing
        4. URL Encoding
          1. Meta-Characters
          2. Specifying Special Characters on the URL String
          3. Unicode Encoding
        5. Abusing URL Encoding
          1. Unicode Vulnerability
          2. The Double-Decode or Superfluous Decode Vulnerability
        6. HTML Forms
          1. Anatomy of an HTML Form
          2. Input Elements
          3. Parameter Passing Via GET and POST
        7. Summary
    5. 2. URLs Unraveled
      1. 6. Web: Under (the) Cover
        1. Introduction
        2. The Components of a Web Application
          1. The Front-End Web Server
          2. The Web Application Execution Environment
          3. The Database Server
        3. Wiring the Components
          1. The Native Application Processing Environment
          2. Web Server APIs and Plug-Ins
          3. URL Mapping and Internal Proxying
          4. Proxying with a Back-End Application Server
          5. Examples
            1. Interfacing PHP3 with Apache
            2. Interfacing ServletExec as an Apache DSO
            3. Interfacing ServletExec as an ISAPI Extension to Microsoft IIS
            4. Interfacing IIS and Domino Servers with Netscape Enterprise Server
        4. Connecting with the Database
          1. Using Native Database APIs
          2. Examples
            1. Calling the SQL Server from Active Server Pages
            2. Calling Oracle 8i from PHP
          3. Using ODBC
          4. Using JDBC
        5. Specialized Web Application Servers
        6. Identifying Web Application Components from URLs
        7. The Basics of Technology Identification
          1. Examples
            1. URL: http://www1.example.com/homepage.nsf?Open
            2. URL: http://www2.example.com/software/buy.jhtml;jsessionid=ZYQFN5WHKORD5QFIAE0SFFGAVAAUIIV0
            3. URL: http://www3.example.com/cgi-bin/ncommerce3/ExecMacro/webstore/home.d2w/report
            4. URL: http://www4.example.com/category.jsp?id=21&StoreSession=PC1qNwwm0xqCFOWHZcYxZaZ21laYQEfOetnSjrYtrsxSC1V7b|3886513130244820/167838525/6/7001/7001/7002/7002/7001/-1
            5. URL: http://www5.example.com/site/index/0,10017,2578,00.html
          2. More Examples
            1. URL: http://www6.example.com/report.cgi?page=3
            2. URL: http://www7.example.com/ui/Login.jsp
        8. Advanced Techniques for Technology Identification
          1. Examples
            1. URL: http://www8.example.com/webapp/wcs/stores/servlet/Display?storeId=10001&langId=-1&catalogId=10001&categoryId=10052&clearance=0&catTree=10052
            2. URL: https://www9.example.com/OA_HTML/store.jsp?section=101&prod_ses=j=4081:Guest:US:jtfpfalse:jtfpi-1:671:504:75123~zv=75123~zs=t~zp=504~zo=2~zm=101~zj=Guest~zi=504
        9. Identifying Database Servers
        10. Countermeasures
          1. Rule 1: Minimize Information Leaked from the HTTP Header
          2. Rule 2: Prevent Error Information from Being Sent to the Browser
        11. Summary
      2. 7. Reading Between the Lines
        1. Introduction
        2. Information Leakage Through HTML
        3. What the Browsers Don't Show You
          1. Netscape Navigator—View | Page Source
          2. Internet Explorer—View | Source
        4. Clues to Look For
        5. HTML Comments
          1. Revision History
          2. Developer or Author Details
          3. Cross-References to Other Areas of the Web Application
          4. Reminders and Placeholders
          5. Comments Inserted by Web Application Servers
          6. Old “Commented-Out” Code
        6. Internal and External Hyperlinks
        7. E-Mail Addresses and Usernames
          1. UBE, UCE, Junk Mail, and Spam
        8. Keywords and Meta Tags
        9. Hidden Fields
        10. Client-Side Scripts
        11. Automated Source Sifting Techniques
          1. Using wget
          2. Using grep
        12. Sam Spade, Black Widow, and Teleport Pro
        13. Summary
      3. 8. Site Linkage Analysis
        1. Introduction
        2. HTML and Site Linkage Analysis
        3. Site Linkage Analysis Methodology
        4. Step 1: Crawling the Web Site
          1. Crawling a Site Manually
          2. A Closer Look at the HTTP Response Header
          3. Some Popular Tools for Site Linkage Analysis
            1. GNU wget
            2. BlackWidow from SoftByteLabs
            3. Funnel Web Profiler from Quest Software
          4. Step-1 Wrap-Up
        5. Step 2: Creating Logical Groups Within the Application Structure
          1. Step-2 Wrap-Up
        6. Step 3: Analyzing Each Web Resource
          1. 1. Extension Analysis
          2. 2. URL Path Analysis
          3. 3. Session Analysis
          4. 4. Form Determination
          5. 5. Applet and Object Identification
          6. 6. Client-Side Script Evaluation
          7. 7. Comment and E-Mail Address Analysis
          8. Step-3 Wrap-Up
        7. Step 4: Inventorying Web Resources
        8. Summary
    6. 3. How Do They Do It?
      1. 9. Cyber Graffiti
        1. Introduction
        2. Defacing Acme Travel, Inc.'s Web Site
          1. Mapping the Target Network
          2. Throwing Proxy Servers in Reverse
          3. Brute Forcing HTTP Authentication
          4. Directory Browsing
          5. Uploading the Defaced Pages
        3. What Went Wrong?
        4. HTTP Brute-Forcing Tools
          1. Brutus
          2. WebCracker 4.0
        5. Countermeasures Against the Acme Travel, Inc. Hack
          1. Turning Off Reverse Proxying
          2. Using Stronger HTTP Authentication Passwords
          3. Turning off Directory Browsing
        6. Summary
      2. 10. E-Shoplifting
        1. Introduction
        2. Building an Electronic Store
          1. The Store Front-End
          2. The Shopping Cart
          3. The Checkout Station
          4. The Database
          5. Putting It All Together
        3. Evolution of Electronic Storefronts
        4. Robbing Acme Fashions, Inc.
          1. Setting Up Acme's Electronic Storefront
          2. Tracking Down the Problem
            1. The Hidden Dangers of Hidden Fields
          3. Bypassing Client-Side Validation
        5. Overhauling www.acme-fashions.com
          1. Facing a New Problem with the Overhauled System
            1. Remote Command Execution
        6. Postmortem and Further Countermeasures
        7. Summary
      3. 11. Database Access
        1. Introduction
        2. A Used Car Dealership Is Hacked
          1. Input Validation
        3. Countermeasures
        4. Summary
      4. 12. Java: Remote Command Execution
        1. Introduction
        2. Java-Driven Technology
          1. Architecture of Java Application Servers
        3. Attacking a Java Web Server
        4. Identifying Loopholes in Java Application Servers
          1. Example: Online Stock Trading Portal
            1. WebLogic Servlets and Handlers
            2. Application Handlers and Invokers
          2. Invoking FileServlet
            1. Invoking SSIServlet
            2. Invoking the JSPServlet and Forcing It to Compile html/txt
        5. Countermeasures
          1. Harden the Java Web Server
          2. Other Conceptual Countermeasures
            1. Isolate System Core Servlets from Application Servlets
            2. Prohibit Execution of Unregistered Servlets
            3. Bind Servlets to Resource Types
            4. Validate Input Thoroughly
            5. Disable Direct Application Servlet Invocation
            6. Unregister All Unused and Example Servlets
        6. Summary
      5. 13. Impersonation
        1. Introduction
        2. Session Hijacking: A Stolen Identity and a Broken Date
          1. March 5, 7:00 A.M.—Alice's Residence
          2. 8:30 A.M.—Alice's Workplace
          3. 10:00 A.M.—Bob's Office
          4. 11:00 A.M.—Bob's Office
          5. 12:30 P.M.—Alice's Office
          6. 9:30 P.M.—Bertolini's Italian Cuisine
        3. Session Hijacking
        4. Postmortem of the Session Hijacking Attack
        5. Application State Diagrams
        6. HTTP and Session Tracking
        7. Stateless Versus Stateful Applications
        8. Cookies and Hidden Fields
          1. Cookies
          2. Hidden Fields
        9. Implementing Session and State Tracking
          1. Session Identifiers Should Be Unique
          2. Session Identifiers Should Not Be “Guessable”
          3. Session Identifiers Should Be Independent
          4. Session Identifiers Should Be Mapped with Client-Side Connections
        10. Summary
      6. 14. Buffer Overflows: On-the-Fly
        1. Introduction
          1. Example
        2. Buffer Overflows
          1. Buffer Overflow: Its Simplest Form
            1. Assembly Language in a Nutshell
              1. General Purpose Registers
              2. Pointer (a.k.a. Index) Registers
              3. The Stack
              4. Assembler Instructions
            2. Tracking the Rogue Bytes
          2. Buffer Overflow: An Example
            1. Disassembly
            2. Blind Stress Testing
        3. Postmortem Countermeasures
        4. Summary
    7. 4. Advanced Web Kung Fu
      1. 15. Web Hacking: Automated Tools
        1. Introduction
        2. Netcat
        3. Whisker
          1. Brute Force
        4. Brutus
        5. Achilles
        6. Cookie Pal
        7. Teleport Pro
        8. Security Recommendations
        9. Summary
      2. 16. Worms
        1. Introduction
        2. Code Red Worm
          1. January 26, 2000
          2. June 18, 2001: The First Attack
          3. July 12, 2001
            1. The Details
          4. July 19, 2001
          5. August 4, 2001
          6. Nimda Worm
            1. September 18, 2001
            2. Network Shares—Nimda Also Has the Ability to Spread via Misconfigured or Insecure Network Shares
              1. The Details
          7. Combatting Worm Evolution
          8. React and Respond
        3. Summary
      3. 17. Beating the IDS
        1. Introduction
        2. IDS Basics
          1. Network IDSs
          2. Host-Based IDSs
        3. IDS Accuracy
        4. Getting Past an IDS
        5. Secure Hacking—Hacking Over SSL
          1. Example
          2. Tunneling Attacks via SSL
          3. Intrusion Detection via SSL
          4. Sniffing SSL Traffic
        6. Polymorphic URLs
          1. Hexadecimal Encoding
          2. Illegal Unicode/Superfluous Encoding
          3. Adding Fake Paths
          4. Inserting Slash-Dot-Slash Strings
          5. Using Nonstandard Path Separators
          6. Using Multiple Slashes
          7. Mixing Various Techniques
        7. Generating False Positives
        8. Potential Countermeasures
          1. SSL Decryption
          2. URL Decoding
        9. Summary
    8. A. Web and Database Port Listing
    9. B. HTTP/1.1 and HTTP/1.0 Method and Field Definitions
    10. C. Remote Command Execution Cheat Sheet
    11. D. Source Code, File, and Directory Disclosure Cheat Sheet
    12. E. Resources and Links
    13. F. Web-Related Tools