Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws Dafydd Stuttard Marcus Pinto Wiley Publishing, Inc.
  2. 2. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii
  3. 3. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws Dafydd Stuttard Marcus Pinto Wiley Publishing, Inc.
  4. 4. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Dafydd Stuttard and Marcus Pinto. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-17077-9 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies con- tained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please con- tact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Library of Congress Cataloging-in-Publication Data Stuttard, Dafydd, 1972- The web application hackers handbook : discovering and exploiting security flaws / Dafydd Stut- tard, Marcus Pinto. p. cm. Includes index. ISBN 978-0-470-17077-9 (pbk.) 1. Internet--Security measures. 2. Computer security. I. Pinto, Marcus, 1978- II. Title. TK5105.875.I57S85 2008 005.8--dc22 2007029983 Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trade- marks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
  5. 5. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iii About the Authors Dafydd Stuttard is a Principal Security Consultant at Next Generation Secu- rity Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their com- piled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing. Dafydd has developed and presented training courses at the Black Hat secu- rity conferences around the world. Under the alias “PortSwigger,” Dafydd cre- ated the popular Burp Suite of web application hacking tools. Dafydd holds master’s and doctorate degrees in philosophy from the University of Oxford. Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has lead the development of NGS’ primary training courses. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures. Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial ser- vices industry. Marcus has developed and presented database and web application train- ing courses at the Black Hat and other security conferences around the world. Marcus holds a master’s degree in physics from the University of Cambridge. iii
  6. 6. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iv Credits Executive Editor Vice President and Executive Publisher Carol Long Joseph B. Wikert Development Editor Project Coordinator, Cover Adaobi Obi Tulton Lynsey Osborn Production Editor Compositor Christine O’Connor Happenstance Type-O-Rama Copy Editor Proofreader Foxxe Editorial Services Kathryn Duggan Editorial Manager Indexer Mary Beth Wakefield Johnna VanHoose Dinse Production Manager Anniversary Logo Design Tim Tate Richard Pacifico Vice President and Executive Group Publisher Richard Swadley iv
  7. 7. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page v Contents Acknowledgments xxiii Introduction xxv Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 3 Benefits of Web Applications 4 Web Application Security 5 “This Site Is Secure” 6 The Core Security Problem: Users Can Submit Arbitrary Input 8 Key Problem Factors 9 Immature Security Awareness 9 In-House Development 9 Deceptive Simplicity 9 Rapidly Evolving Threat Profile 10 Resource and Time Constraints 10 Overextended Technologies 10 The New Security Perimeter 10 The Future of Web Application Security 12 Chapter Summary 13 Chapter 2 Core Defense Mechanisms 15 Handling User Access 16 Authentication 16 Session Management 17 Access Control 18 Handling User Input 19 Varieties of Input 20 Approaches to Input Handling 21 v
  8. 8. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vi vi Contents “Reject Known Bad” 21 “Accept Known Good” 21 Sanitization 22 Safe Data Handling 22 Semantic Checks 23 Boundary Validation 23 Multistep Validation and Canonicalization 26 Handling Attackers 27 Handling Errors 27 Maintaining Audit Logs 29 Alerting Administrators 30 Reacting to Attacks 31 Managing the Application 32 Chapter Summary 33 Questions 34 Chapter 3 Web Application Technologies 35 The HTTP Protocol 35 HTTP Requests 36 HTTP Responses 37 HTTP Methods 38 URLs 40 HTTP Headers 41 General Headers 41 Request Headers 41 Response Headers 42 Cookies 43 Status Codes 44 HTTPS 45 HTTP Proxies 46 HTTP Authentication 47 Web Functionality 47 Server-Side Functionality 48 The Java Platform 49 ASP.NET 50 PHP 50 Client-Side Functionality 51 HTML 51 Hyperlinks 51 Forms 52 JavaScript 54 Thick Client Components 54 State and Sessions 55 Encoding Schemes 56 URL Encoding 56 Unicode Encoding 57
  9. 9. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vii Contents vii HTML Encoding 57 Base64 Encoding 58 Hex Encoding 59 Next Steps 59 Questions 59 Chapter 4 Mapping the Application 61 Enumerating Content and Functionality 62 Web Spidering 62 User-Directed Spidering 65 Discovering Hidden Content 67 Brute-Force Techniques 67 Inference from Published Content 70 Use of Public Information 72 Leveraging the Web Server 75 Application Pages vs. Functional Paths 76 Discovering Hidden Parameters 79 Analyzing the Application 79 Identifying Entry Points for User Input 80 Identifying Server-Side Technologies 82 Banner Grabbing 82 HTTP Fingerprinting 82 File Extensions 84 Directory Names 86 Session Tokens 86 Third-Party Code Components 87 Identifying Server-Side Functionality 88 Dissecting Requests 88 Extrapolating Application Behavior 90 Mapping the Attack Surface 91 Chapter Summary 92 Questions 93 Chapter 5 Bypassing Client-Side Controls 95 Transmitting Data via the Client 95 Hidden Form Fields 96 HTTP Cookies 99 URL Parameters 99 The Referer Header 100 Opaque Data 101 The ASP.NET ViewState 102 Capturing User Data: HTML Forms 106 Length Limits 106 Script-Based Validation 108 Disabled Elements 110 Capturing User Data: Thick-Client Components 111 Java Applets 112
  10. 10. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page viii viii Contents Decompiling Java Bytecode 114 Coping with Bytecode Obfuscation 117 ActiveX Controls 119 Reverse Engineering 120 Manipulating Exported Functions 122 Fixing Inputs Processed by Controls 123 Decompiling Managed Code 124 Shockwave Flash Objects 124 Handling Client-Side Data Securely 128 Transmitting Data via the Client 128 Validating Client-Generated Data 129 Logging and Alerting 131 Chapter Summary 131 Questions 132 Chapter 6 Attacking Authentication 133 Authentication Technologies 134 Design Flaws in Authentication Mechanisms 135 Bad Passwords 135 Brute-Forcible Login 136 Verbose Failure Messages 139 Vulnerable Transmission of Credentials 142 Password Change Functionality 144 Forgotten Password Functionality 145 “Remember Me” Functionality 148 User Impersonation Functionality 149 Incomplete Validation of Credentials 152 Non-Unique Usernames 152 Predictable Usernames 154 Predictable Initial Passwords 154 Insecure Distribution of Credentials 155 Implementation Flaws in Authentication 156 Fail-Open Login Mechanisms 156 Defects in Multistage Login Mechanisms 157 Insecure Storage of Credentials 161 Securing Authentication 162 Use Strong Credentials 162 Handle Credentials Secretively 163 Validate Credentials Properly 164 Prevent Information Leakage 166 Prevent Brute-Force Attacks 167 Prevent Misuse of the Password Change Function 170 Prevent Misuse of the Account Recovery Function 170 Log, Monitor, and Notify 172 Chapter Summary 172
  11. 11. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page ix Contents ix Chapter 7 Attacking Session Management 175 The Need for State 176 Alternatives to Sessions 178 Weaknesses in Session Token Generation 180 Meaningful Tokens 180 Predictable Tokens 182 Concealed Sequences 184 Time Dependency 185 Weak Random Number Generation 187 Weaknesses in Session Token Handling 191 Disclosure of Tokens on the Network 192 Disclosure of Tokens in Logs 196 Vulnerable Mapping of Tokens to Sessions 198 Vulnerable Session Termination 200 Client Exposure to Token Hijacking 201 Liberal Cookie Scope 203 Cookie Domain Restrictions 203 Cookie Path Restrictions 205 Securing Session Management 206 Generate Strong Tokens 206 Protect Tokens throughout Their Lifecycle 208 Per-Page Tokens 211 Log, Monitor, and Alert 212 Reactive Session Termination 212 Chapter Summary 213 Questions 214 Chapter 8 Attacking Access Controls 217 Common Vulnerabilities 218 Completely Unprotected Functionality 219 Identifier-Based Functions 220 Multistage Functions 222 Static Files 222 Insecure Access Control Methods 223 Attacking Access Controls 224 Securing Access Controls 228 A Multi-Layered Privilege Model 231 Chapter Summary 234 Questions 235 Chapter 9 Injecting Code 237 Injecting into Interpreted Languages 238 Injecting into SQL 240 Exploiting a Basic Vulnerability 241 Bypassing a Login 243 Finding SQL Injection Bugs 244 Injecting into Different Statement Types 247
  12. 12. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page x x Contents The UNION Operator 251 Fingerprinting the Database 255 Extracting Useful Data 256 An Oracle Hack 257 An MS-SQL Hack 260 Exploiting ODBC Error Messages (MS-SQL Only) 262 Enumerating Table and Column Names 263 Extracting Arbitrary Data 265 Using Recursion 266 Bypassing Filters 267 Second-Order SQL Injection 271 Advanced Exploitation 272 Retrieving Data as Numbers 273 Using an Out-of-Band Channel 274 Using Inference: Conditional Responses 277 Beyond SQL Injection: Escalating the Database Attack 285 MS-SQL 286 Oracle 288 MySQL 288 SQL Syntax and Error Reference 289 SQL Syntax 290 SQL Error Messages 292 Preventing SQL Injection 296 Partially Effective Measures 296 Parameterized Queries 297 Defense in Depth 299 Injecting OS Commands 300 Example 1: Injecting via Perl 300 Example 2: Injecting via ASP 302 Finding OS Command Injection Flaws 304 Preventing OS Command Injection 307 Injecting into Web Scripting Languages 307 Dynamic Execution Vulnerabilities 307 Dynamic Execution in PHP 308 Dynamic Execution in ASP 308 Finding Dynamic Execution Vulnerabilities 309 File Inclusion Vulnerabilities 310 Remote File Inclusion 310 Local File Inclusion 311 Finding File Inclusion Vulnerabilities 312 Preventing Script Injection Vulnerabilities 312 Injecting into SOAP 313 Finding and Exploiting SOAP Injection 315 Preventing SOAP Injection 316 Injecting into XPath 316 Subverting Application Logic 317
  13. 13. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xi Contents xi Informed XPath Injection 318 Blind XPath Injection 319 Finding XPath Injection Flaws 320 Preventing XPath Injection 321 Injecting into SMTP 321 Email Header Manipulation 322 SMTP Command Injection 323 Finding SMTP Injection Flaws 324 Preventing SMTP Injection 326 Injecting into LDAP 326 Injecting Query Attributes 327 Modifying the Search Filter 328 Finding LDAP Injection Flaws 329 Preventing LDAP Injection 330 Chapter Summary 331 Questions 331 Chapter 10 Exploiting Path Traversal 333 Common Vulnerabilities 333 Finding and Exploiting Path Traversal Vulnerabilities 335 Locating Targets for Attack 335 Detecting Path Traversal Vulnerabilities 336 Circumventing Obstacles to Traversal Attacks 339 Coping with Custom Encoding 342 Exploiting Traversal Vulnerabilities 344 Preventing Path Traversal Vulnerabilities 344 Chapter Summary 346 Questions 346 Chapter 11 Attacking Application Logic 349 The Nature of Logic Flaws 350 Real-World Logic Flaws 350 Example 1: Fooling a Password Change Function 351 The Functionality 351 The Assumption 351 The Attack 352 Example 2: Proceeding to Checkout 352 The Functionality 352 The Assumption 353 The Attack 353 Example 3: Rolling Your Own Insurance 354 The Functionality 354 The Assumption 354 The Attack 355 Example 4: Breaking the Bank 356 The Functionality 356 The Assumption 357 The Attack 358
  14. 14. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xii xii Contents Example 5: Erasing an Audit Trail 359 The Functionality 359 The Assumption 359 The Attack 359 Example 6: Beating a Business Limit 360 The Functionality 360 The Assumption 361 The Attack 361 Example 7: Cheating on Bulk Discounts 362 The Functionality 362 The Assumption 362 The Attack 362 Example 8: Escaping from Escaping 363 The Functionality 363 The Assumption 364 The Attack 364 Example 9: Abusing a Search Function 365 The Functionality 365 The Assumption 365 The Attack 365 Example 10: Snarfing Debug Messages 366 The Functionality 366 The Assumption 367 The Attack 367 Example 11: Racing against the Login 368 The Functionality 368 The Assumption 368 The Attack 368 Avoiding Logic Flaws 370 Chapter Summary 372 Questions 372 Chapter 12 Attacking Other Users 375 Cross-Site Scripting 376 Reflected XSS Vulnerabilities 377 Exploiting the Vulnerability 379 Stored XSS Vulnerabilities 383 Storing XSS in Uploaded Files 385 DOM-Based XSS Vulnerabilities 386 Real-World XSS Attacks 388 Chaining XSS and Other Attacks 390 Payloads for XSS Attacks 391 Virtual Defacement 391 Injecting Trojan Functionality 392 Inducing User Actions 394 Exploiting Any Trust Relationships 394 Escalating the Client-Side Attack 396
  15. 15. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xiii Contents xiii Delivery Mechanisms for XSS Attacks 399 Delivering Reflected and DOM-Based XSS Attacks 399 Delivering Stored XSS Attacks 400 Finding and Exploiting XSS Vulnerabilities 401 Finding and Exploiting Reflected XSS Vulnerabilities 402 Finding and Exploiting Stored XSS Vulnerabilities 415 Finding and Exploiting DOM-Based XSS Vulnerabilities 417 HttpOnly Cookies and Cross-Site Tracing 421 Preventing XSS Attacks 423 Preventing Reflected and Stored XSS 423 Preventing DOM-Based XSS 427 Preventing XST 428 Redirection Attacks 428 Finding and Exploiting Redirection Vulnerabilities 429 Circumventing Obstacles to Attack 431 Preventing Redirection Vulnerabilities 433 HTTP Header Injection 434 Exploiting Header Injection Vulnerabilities 434 Injecting Cookies 435 Delivering Other Attacks 436 HTTP Response Splitting 436 Preventing Header Injection Vulnerabilities 438 Frame Injection 438 Exploiting Frame Injection 439 Preventing Frame Injection 440 Request Forgery 440 On-Site Request Forgery 441 Cross-Site Request Forgery 442 Exploiting XSRF Flaws 443 Preventing XSRF Flaws 444 JSON Hijacking 446 JSON 446 Attacks against JSON 447 Overriding the Array Constructor 447 Implementing a Callback Function 448 Finding JSON Hijacking Vulnerabilities 449 Preventing JSON Hijacking 450 Session Fixation 450 Finding and Exploiting Session Fixation Vulnerabilities 452 Preventing Session Fixation Vulnerabilities 453 Attacking ActiveX Controls 454 Finding ActiveX Vulnerabilities 455 Preventing ActiveX Vulnerabilities 456 Local Privacy Attacks 458 Persistent Cookies 458 Cached Web Content 458
  16. 16. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xiv xiv Contents Browsing History 459 Autocomplete 460 Preventing Local Privacy Attacks 460 Advanced Exploitation Techniques 461 Leveraging Ajax 461 Making Asynchronous Off-Site Requests 463 Anti-DNS Pinning 464 A Hypothetical Attack 465 DNS Pinning 466 Attacks against DNS Pinning 466 Browser Exploitation Frameworks 467 Chapter Summary 469 Questions 469 Chapter 13 Automating Bespoke Attacks 471 Uses for Bespoke Automation 472 Enumerating Valid Identifiers 473 The Basic Approach 474 Detecting Hits 474 HTTP Status Code 474 Response Length 475 Response Body 475 Location Header 475 Set-cookie Header 475 Time Delays 476 Scripting the Attack 476 JAttack 477 Harvesting Useful Data 484 Fuzzing for Common Vulnerabilities 487 Putting It All Together: Burp Intruder 491 Positioning Payloads 492 Choosing Payloads 493 Configuring Response Analysis 494 Attack 1: Enumerating Identifiers 495 Attack 2: Harvesting Information 498 Attack 3: Application Fuzzing 500 Chapter Summary 502 Questions 502 Chapter 14 Exploiting Information Disclosure 505 Exploiting Error Messages 505 Script Error Messages 506 Stack Traces 507 Informative Debug Messages 508 Server and Database Messages 509 Using Public Information 511 Engineering Informative Error Messages 512
  17. 17. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xv Contents xv Gathering Published Information 513 Using Inference 514 Preventing Information Leakage 516 Use Generic Error Messages 516 Protect Sensitive Information 517 Minimize Client-Side Information Leakage 517 Chapter Summary 518 Questions 518 Chapter 15 Attacking Compiled Applications 521 Buffer Overflow Vulnerabilities 522 Stack Overflows 522 Heap Overflows 523 “Off-by-One” Vulnerabilities 524 Detecting Buffer Overflow Vulnerabilities 527 Integer Vulnerabilities 529 Integer Overflows 529 Signedness Errors 529 Detecting Integer Vulnerabilities 530 Format String Vulnerabilities 531 Detecting Format String Vulnerabilities 532 Chapter Summary 533 Questions 534 Chapter 16 Attacking Application Architecture 535 Tiered Architectures 535 Attacking Tiered Architectures 536 Exploiting Trust Relationships between Tiers 537 Subverting Other Tiers 538 Attacking Other Tiers 539 Securing Tiered Architectures 540 Minimize Trust Relationships 540 Segregate Different Components 541 Apply Defense in Depth 542 Shared Hosting and Application Service Providers 542 Virtual Hosting 543 Shared Application Services 543 Attacking Shared Environments 544 Attacks against Access Mechanisms 545 Attacks between Applications 546 Securing Shared Environments 549 Secure Customer Access 549 Segregate Customer Functionality 550 Segregate Components in a Shared Application 551 Chapter Summary 551 Questions 551
  18. 18. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xvi xvi Contents Chapter 17 Attacking the Web Server 553 Vulnerable Web Server Configuration 553 Default Credentials 554 Default Content 555 Debug Functionality 555 Sample Functionality 556 Powerful Functions 557 Directory Listings 559 Dangerous HTTP Methods 560 The Web Server as a Proxy 562 Misconfigured Virtual Hosting 564 Securing Web Server Configuration 565 Vulnerable Web Server Software 566 Buffer Overflow Vulnerabilities 566 Microsoft IIS ISAPI Extensions 567 Apache Chunked Encoding Overflow 567 Microsoft IIS WebDav Overflow 567 iPlanet Search Overflow 567 Path Traversal Vulnerabilities 568 Accipiter DirectServer 568 Alibaba 568 Cisco ACS Acme.server 568 McAfee EPolicy Orcestrator 568 Encoding and Canonicalization Vulnerabilities 568 Allaire JRun Directory Listing Vulnerability 569 Microsoft IIS Unicode Path Traversal Vulnerabilities 569 Oracle PL/SQL Exclusion List Bypasses 570 Finding Web Server Flaws 571 Securing Web Server Software 572 Choose Software with a Good Track Record 572 Apply Vendor Patches 572 Perform Security Hardening 573 Monitor for New Vulnerabilities 573 Use Defense-in-Depth 573 Chapter Summary 574 Questions 574 Chapter 18 Finding Vulnerabilities in Source Code 577 Approaches to Code Review 578 Black-Box vs. White-Box Testing 578 Code Review Methodology 579 Signatures of Common Vulnerabilities 580 Cross-Site Scripting 580 SQL Injection 581 Path Traversal 582 Arbitrary Redirection 583
  19. 19. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xvii Contents xvii OS Command Injection 584 Backdoor Passwords 584 Native Software Bugs 585 Buffer Overflow Vulnerabilities 585 Integer Vulnerabilities 586 Format String Vulnerabilities 586 Source Code Comments 586 The Java Platform 587 Identifying User-Supplied Data 587 Session Interaction 589 Potentially Dangerous APIs 589 File Access 589 Database Access 590 Dynamic Code Execution 591 OS Command Execution 591 URL Redirection 592 Sockets 592 Configuring the Java Environment 593 ASP.NET 594 Identifying User-Supplied Data 594 Session Interaction 595 Potentially Dangerous APIs 596 File Access 596 Database Access 597 Dynamic Code Execution 598 OS Command Execution 598 URL Redirection 599 Sockets 600 Configuring the ASP.NET Environment 600 PHP 601 Identifying User-Supplied Data 601 Session Interaction 603 Potentially Dangerous APIs 604 File Access 604 Database Access 606 Dynamic Code Execution 607 OS Command Execution 607 URL Redirection 608 Sockets 608 Configuring the PHP Environment 609 Register Globals 609 Safe Mode 610 Magic Quotes 610 Miscellaneous 611 Perl 611 Identifying User-Supplied Data 612
  20. 20. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xviii xviii Contents Session Interaction 613 Potentially Dangerous APIs 613 File Access 613 Database Access 613 Dynamic Code Execution 614 OS Command Execution 614 URL Redirection 615 Sockets 615 Configuring the Perl Environment 615 JavaScript 616 Database Code Components 617 SQL Injection 617 Calls to Dangerous Functions 618 Tools for Code Browsing 619 Chapter Summary 620 Questions 621 Chapter 19 A Web Application Hacker’s Toolkit 623 Web Browsers 624 Internet Explorer 624 Firefox 624 Opera 626 Integrated Testing Suites 627 How the Tools Work 628 Intercepting Proxies 628 Web Application Spiders 633 Application Fuzzers and Scanners 636 Manual Request Tools 637 Feature Comparison 640 Burp Suite 643 Paros 644 WebScarab 645 Alternatives to the Intercepting Proxy 646 Tamper Data 647 TamperIE 647 Vulnerability Scanners 649 Vulnerabilities Detected by Scanners 649 Inherent Limitations of Scanners 651 Every Web Application Is Different 652 Scanners Operate on Syntax 652 Scanners Do Not Improvise 652 Scanners Are Not Intuitive 653 Technical Challenges Faced by Scanners 653 Authentication and Session Handling 653 Dangerous Effects 654 Individuating Functionality 655 Other Challenges to Automation 655
  21. 21. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xix Contents xix Current Products 656 Using a Vulnerability Scanner 658 Other Tools 659 Nikto 660 Hydra 660 Custom Scripts 661 Wget 662 Curl 662 Netcat 663 Stunnel 663 Chapter Summary 664 Chapter 20 A Web Application Hacker’s Methodology 665 General Guidelines 667 1. Map the Application’s Content 669 1.1. Explore Visible Content 669 1.2. Consult Public Resources 670 1.3. Discover Hidden Content 670 1.4. Discover Default Content 671 1.5. Enumerate Identifier-Specified Functions 671 1.6. Test for Debug Parameters 672 2. Analyze the Application 672 2.1. Identify Functionality 673 2.2. Identify Data Entry Points 673 2.3. Identify the Technologies Used 673 2.4. Map the Attack Surface 674 3. Test Client-Side Controls 675 3.1. Test Transmission of Data via the Client 675 3.2. Test Client-Side Controls over User Input 676 3.3. Test Thick-Client Components 677 3.3.1. Test Java Applets 677 3.3.2. Test ActiveX controls 678 3.3.3. Test Shockwave Flash objects 678 4. Test the Authentication Mechanism 679 4.1. Understand the Mechanism 680 4.2. Test Password Quality 680 4.3. Test for Username Enumeration 680 4.4. Test Resilience to Password Guessing 681 4.5. Test Any Account Recovery Function 682 4.6. Test Any Remember Me Function 682 4.7. Test Any Impersonation Function 683 4.8. Test Username Uniqueness 683 4.9. Test Predictability of Auto-Generated Credentials 684 4.10. Check for Unsafe Transmission of Credentials 684 4.11. Check for Unsafe Distribution of Credentials 685
  22. 22. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xx xx Contents 4.12. Test for Logic Flaws 685 4.12.1. Test for Fail-Open Conditions 685 4.12.2. Test Any Multistage Mechanisms 686 4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access 687 5. Test the Session Management Mechanism 688 5.1. Understand the Mechanism 689 5.2. Test Tokens for Meaning 689 5.3. Test Tokens for Predictability 690 5.4. Check for Insecure Transmission of Tokens 691 5.5. Check for Disclosure of Tokens in Logs 692 5.6. Check Mapping of Tokens to Sessions 692 5.7. Test Session Termination 693 5.8. Check for Session Fixation 694 5.9. Check for XSRF 694 5.10. Check Cookie Scope 695 6. Test Access Controls 696 6.1. Understand the Access Control Requirements 696 6.2. Testing with Multiple Accounts 697 6.3. Testing with Limited Access 697 6.4. Test for Insecure Access Control Methods 698 7. Test for Input-Based Vulnerabilities 699 7.1. Fuzz All Request Parameters 699 7.2. Test for SQL Injection 702 7.3. Test for XSS and Other Response Injection 704 7.3.1. Identify Reflected Request Parameters 704 7.3.2. Test for Reflected XSS 705 7.3.3. Test for HTTP Header Injection 705 7.3.4. Test for Arbitrary Redirection 706 7.3.5. Test for Stored Attacks 706 7.4. Test for OS Command Injection 707 7.5. Test for Path Traversal 709 7.6. Test for Script Injection 711 7.7. Test for File Inclusion 711 8. Test for Function-Specific Input Vulnerabilities 712 8.1. Test for SMTP Injection 712 8.2. Test for Native Software Vulnerabilities 713 8.2.1. Test for Buffer Overflows 713 8.2.2. Test for Integer Vulnerabilities 714 8.2.3. Test for Format String Vulnerabilities 714 8.3. Test for SOAP Injection 715 8.4. Test for LDAP Injection 715 8.5. Test for XPath Injection 716 9. Test for Logic Flaws 717 9.1. Identify the Key Attack Surface 717 9.2. Test Multistage Processes 718 9.3. Test Handling of Incomplete Input 718
  23. 23. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xxi Contents xxi 9.4. Test Trust Boundaries 719 9.5. Test Transaction Logic 719 10. Test for Shared Hosting Vulnerabilities 720 10.1. Test Segregation in Shared Infrastructures 720 10.2. Test Segregation between ASP-Hosted Applications 721 11. Test for Web Server Vulnerabilities 721 11.1. Test for Default Credentials 722 11.2. Test for Default Content 722 11.3. Test for Dangerous HTTP Methods 722 11.4. Test for Proxy Functionality 723 11.5. Test for Virtual Hosting Misconfiguration 723 11.6. Test for Web Server Software Bugs 723 12. Miscellaneous Checks 724 12.1. Check for DOM-Based Attacks 724 12.2. Check for Frame Injection 725 12.3. Check for Local Privacy Vulnerabilities 726 12.4. Follow Up Any Information Leakage 726 12.5. Check for Weak SSL Ciphers 727 Index 729
  24. 24. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xxii
  25. 25. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxiii Acknowledgments Our primary debt is to the directors and our other colleagues at Next Genera- tion Security Software, who have provided a creative working environment, promoted sharing of knowledge, and supported us during the months spent producing this book. In particular, we received direct assistance from Chris Anley, Dave Armstrong, Dominic Beecher, David Litchfield, Adam Matthews, Dave Spencer, and Peter Winter-Smith. In addition to our immediate colleagues, we are greatly indebted to the wider community of researchers who have shared their ideas and contributed to the collective understanding of web application security issues that exists today. Because this is a practical handbook rather than a work of scholarship, we deliberately avoided filling it with a thousand citations of influential arti- cles, books, and blog postings which spawned the ideas involved. We hope that people whose work we discuss anonymously are content with the general credit given here. We are grateful to the people at Wiley, in particular to Carol Long for enthusi- astically supporting our project from the outset, to Adaobi Obi Tulton for helping to polish our manuscript and coaching us in the quirks of “American English,” and to Christine O’Connor’s team for delivering a first-rate production. A large measure of thanks is due to our respective partners, Becky and Susan, for tolerating the significant distraction and time involved in producing a book of this size. Both authors are indebted to the people who led us into our unusual line of work. Dafydd would like to thank Martin Law. Martin is a great guy who first taught me how to hack, and encouraged me to spend my time developing tech- niques and tools for attacking applications. Marcus would like to thank his par- ents for a great many things, a significant one being getting me into computers. I’ve been getting into computers ever since. xxiii
  26. 26. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxiv
  27. 27. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxv Introduction This book is a practical guide to discovering and exploiting security flaws in web applications. By “web application” we mean an application that is accessed by using a web browser to communicate with a web server. We examine a wide variety of different technologies, such as databases, file systems, and web ser- vices, but only in the context in which these are employed by web applications. If you want to learn how to run port scans, attack firewalls, or break into servers in other ways, we suggest you look elsewhere. But if you want to know how to hack into a web application, steal sensitive data, and perform unau- thorized actions, then this is the book for you. There is enough that is interest- ing and fun to say on that subject without straying into any other territory. Overview of This Book The focus of this book is highly practical. While we include sufficient back- ground and theory for you to understand the vulnerabilities that web applica- tions contain, our primary concern is with the tasks and techniques that you need to master in order to break into them. Throughout the book, we spell out the specific steps that you need to take to detect each type of vulnerability, and how to exploit it to perform unauthorized actions. We also include a wealth of real-world examples, derived from the authors’ many years of experience, illus- trating how different kinds of security flaw manifest themselves in today’s web applications. Security awareness is usually a two-edged sword. Just as application devel- opers can benefit from understanding the methods used by attackers, hackers xxv
  28. 28. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxvi xxvi Introduction can gain from knowing how applications can effectively defend themselves. In addition to describing security vulnerabilities and attack techniques, we also describe in detail the countermeasures that applications can take to thwart an attacker. For those of you who perform penetration tests of web applications, this will enable you to provide high-quality remediation advice to the owners of the applications you compromise. Who Should Read This Book The primary audience for this book is anyone with a personal or professional interest in attacking web applications. It is also aimed at anyone responsible for developing and administering web applications — knowing how your enemy operates will help you to defend against them. We assume that the reader is familiar with core security concepts, such as logins and access controls, and has a basic grasp of core web technologies, such as browsers, web servers, and HTTP. However, any gaps in your current knowledge of these areas will be easy to remedy, through either the explana- tions contained within this book or references elsewhere. In the course of illustrating many categories of security flaws, we provide code extracts showing how applications can be vulnerable. These examples are simple enough to be understood without any prior knowledge of the lan- guage in question but will be most useful if you have some basic experience of reading or writing code. How This Book Is Organized This book is organized roughly in line with the dependencies between the dif- ferent topics covered. If you are new to web application hacking, you should read the book through from start to finish, acquiring the knowledge and under- standing you need to tackle later chapters. If you already have some experience in this area, you can jump straight into any chapter or subsection that particu- larly interests you. Where necessary, we have included cross-references to other chapters, which you can use to fill in any gaps in your understanding. We begin with three context-setting chapters describing the current state of web application security and the trends that indicate how it is likely to evolve in the near future. We examine the core security problem affecting web appli- cations and the defense mechanisms that applications implement to address this problem. We also provide a primer in the key technologies used in today’s web applications. The bulk of the book is concerned with our core topic — the techniques that you can use to break into web applications. This material is organized around
  29. 29. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxvii Introduction xxvii the key tasks that you need to perform to carry out a comprehensive attack: from mapping the application’s functionality, scrutinizing and attacking its core defense mechanisms, to probing for specific categories of security flaws. The book concludes with three chapters that pull together the various strands introduced within the book. We describe the process of finding vul- nerabilities in an application’s source code, review the tools that can assist you when hacking web applications, and present a detailed methodology for per- forming a comprehensive and deep attack against a specific target. Chapter 1, “Web Application (In)security,” describes the current state of security in web applications on the Internet today. Despite common assur- ances, the majority of applications are insecure and can be compromised in some way with a modest degree of skill. Vulnerabilities in web applications arise because of a single core problem: users can submit arbitrary input. In this chapter, we examine the key factors that contribute to the weak security pos- ture of today’s applications, and describe how defects in web applications can leave an organization’s wider technical infrastructure highly vulnerable to attack. Chapter 2, “Core Defense Mechanisms,” describes the key security mecha- nisms that web applications employ to address the fundamental problem that all user input is untrusted. These mechanisms are the means by which an application manages user access, handles user input, and responds to attack- ers, and the functions provided for administrators to manage and monitor the application itself. The application’s core security mechanisms also represent its primary attack surface, and you need to understand how these mechanisms are intended to function before you can effectively attack them. Chapter 3, “Web Application Technologies,” provides a short primer on the key technologies that you are likely to encounter when attacking web applica- tions. This covers all relevant aspects of the HTTP protocol, the technologies commonly used on the client and server sides, and various schemes used for encoding data. If you are already familiar with the main web technologies, then you can quickly skim through this chapter. Chapter 4, “Mapping the Application,” describes the first exercise that you need to take when targeting a new application, which is to gather as much information as possible about it, in order to map its attack surface and formu- late your plan of attack. This process includes exploring and probing the appli- cation to catalogue all of its content and functionality, identifying all of the entry points for user input and discovering the technologies in use. Chapter 5, “Bypassing Client-Side Controls,” describes the first area of actual vulnerability, which arises when an application relies upon controls implemented on the client side for its security. This approach is normally flawed, because any client-side controls can, of course, be circumvented. The two main ways in which applications make themselves vulnerable are (a) to transmit data via the client in the assumption that this will not be modified,
  30. 30. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxviii xxviii Introduction and (b) to rely upon client-side checks on user input. In this chapter, we exam- ine a range of interesting technologies, including lightweight controls imple- mented within HTML, HTTP, and JavaScript, and more heavyweight controls using Java applets, ActiveX controls, and Shockwave Flash objects. Chapters 6 to 8 examine some of the most important defense mechanisms implemented within web applications: those responsible for controlling user access. Chapter 6, “Attacking Authentication,” examines the various functions by which applications gain assurance of the identity of their users. This includes the main login function and also the more peripheral authentication- related functions such as user registration, password changing, and account recovery. Authentication mechanisms contain a wealth of different vulnerabil- ities, in both design and implementation, which an attacker can leverage to gain unauthorized access. These range from obvious defects, such as bad pass- words and susceptibility to brute-force attacks, to more obscure problems within the authentication logic. We also examine in detail the type of multi- stage login mechanisms used in many security-critical applications, and describe the new kinds of vulnerability which these frequently contain. Chapter 7, “Attacking Session Management,” examines the mechanism by which most applications supplement the stateless HTTP protocol with the con- cept of a stateful session, enabling them to uniquely identify each user across several different requests. This mechanism is a key target when you are attack- ing a web application, because if you can break it, then you can effectively bypass the login and masquerade as other users without knowing their cre- dentials. We look at various common defects in the generation and transmis- sion of session tokens, and describe the steps you can take to discover and exploit these. Chapter 8, “Attacking Access Controls,” examines the ways in which appli- cations actually enforce access controls, relying upon the authentication and session management mechanisms to do so. We describe various ways in which access controls can be broken and the ways in which you can detect and exploit these weaknesses. Chapter 9, “Injecting Code,” covers a large category of related vulnerabili- ties, which arise when applications embed user input into interpreted code in an unsafe way. We begin with a detailed examination of SQL injection vulner- abilities, covering the full range of attacks from the most obvious and trivial to advanced exploitation techniques involving out-of-band channels, inference, and time delays. For each kind of vulnerability and attack technique, we describe the relevant differences between three common types of databases: MS-SQL, Oracle, and MySQL. We then cover several other categories of injec- tion vulnerability, including the injection of operating system commands, injection into web scripting languages, and injection into the SOAP, XPath, SMTP, and LDAP protocols.
  31. 31. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxix Introduction xxix Chapter 10, “Exploiting Path Traversal,” examines a small but important category of vulnerabilities that arise when user input is passed to file system APIs in an unsafe way, enabling an attacker to retrieve or modify arbitrary files on the web server. We describe various bypasses that may be effective against the defenses commonly implemented to prevent path traversal attacks. Chapter 11, “Attacking Application Logic,” examines a significant, and fre- quently overlooked, area of every application’s attack surface: the internal logic which it carries out to implement its functionality. Defects in an applica- tion’s logic are extremely varied and are harder to characterize than common vulnerabilities like SQL injection and cross-site scripting. For this reason, we present a series of real-world examples where defective logic has left an appli- cation vulnerable, and thereby illustrate the variety of faulty assumptions made by application designers and developers. From these different individ- ual flaws, we w derive a series of specific tests that you can perform to locate many types of logic flaws that often go undetected. Chapter 12, “Attacking Other Users,” covers a large and very topical area of related vulnerabilities which arise when defects within a web application can enable a malicious user of the application to attack other users and compro- mise them in various ways. The largest vulnerability of this kind is cross-site scripting, a hugely prevalent flaw affecting the vast majority of web applica- tions on the Internet. We examine in detail all of the different flavors of XSS vulnerabilities, and describe an effective methodology for detecting and exploiting even the most obscure manifestations of these. We then look at sev- eral other types of attacks against other users, including redirection attacks, HTTP header injection, frame injection, cross-site request forgery, session fixa- tion, exploiting bugs in ActiveX controls, and local privacy attacks. Chapter 13, “Automating Bespoke Attacks,” does not introduce any new categories of vulnerability, but instead, describes a crucial technique which you need to master to attack web applications effectively. Because every web application is different, most attacks are bespoke (or custom-made) in some way, tailored to the application’s specific behavior and the ways you have dis- covered to manipulate it to your advantage. They also frequently require issu- ing a large number of similar requests and monitoring the application’s responses. Performing these requests manually is extremely laborious and one is prone to make mistakes. To become a truly accomplished web application hacker, you need to automate as much of this work as possible, to make your bespoke attacks easier, faster, and more effective. In this chapter, we describe in detail a proven methodology for achieving this. Chapter 14, “Exploiting Information Disclosure,” examines various ways in which applications leak information when under active attack. When you are performing all of the other types of attacks described in this book, you should always monitor the application to identify further sources of information