The web application hacker’s handbook

  • Số trang: 771 |
  • Loại file: PDF |
  • Lượt xem: 18 |
  • Lượt tải: 0
hoangtuavartar

Đã đăng 24635 tài liệu

Mô tả:

70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws Dafydd Stuttard Marcus Pinto Wiley Publishing, Inc. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws Dafydd Stuttard Marcus Pinto Wiley Publishing, Inc. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page ii The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2008 by Dafydd Stuttard and Marcus Pinto. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 978-0-470-17077-9 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Library of Congress Cataloging-in-Publication Data Stuttard, Dafydd, 1972The web application hacker's handbook : discovering and exploiting security flaws / Dafydd Stuttard, Marcus Pinto. p. cm. Includes index. ISBN 978-0-470-17077-9 (pbk.) 1. Internet--Security measures. 2. Computer security. I. Pinto, Marcus, 1978- II. Title. TK5105.875.I57S85 2008 005.8--dc22 2007029983 Trademarks: Wiley and related trade dress are registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iii About the Authors Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing. Dafydd has developed and presented training courses at the Black Hat security conferences around the world. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite of web application hacking tools. Dafydd holds master’s and doctorate degrees in philosophy from the University of Oxford. Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has lead the development of NGS’ primary training courses. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures. Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial services industry. Marcus has developed and presented database and web application training courses at the Black Hat and other security conferences around the world. Marcus holds a master’s degree in physics from the University of Cambridge. iii 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iv Credits Executive Editor Carol Long Vice President and Executive Publisher Joseph B. Wikert Development Editor Adaobi Obi Tulton Project Coordinator, Cover Lynsey Osborn Production Editor Christine O’Connor Compositor Happenstance Type-O-Rama Copy Editor Foxxe Editorial Services Proofreader Kathryn Duggan Editorial Manager Mary Beth Wakefield Indexer Johnna VanHoose Dinse Production Manager Tim Tate Anniversary Logo Design Richard Pacifico Vice President and Executive Group Publisher Richard Swadley iv 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page v Contents Acknowledgments Introduction Chapter 1 xxv Web Application (In)security The Evolution of Web Applications Common Web Application Functions Benefits of Web Applications Web Application Security “This Site Is Secure” The Core Security Problem: Users Can Submit Arbitrary Input Key Problem Factors Immature Security Awareness In-House Development Deceptive Simplicity Rapidly Evolving Threat Profile Resource and Time Constraints Overextended Technologies The New Security Perimeter The Future of Web Application Security Chapter 2 xxiii 1 2 3 4 5 6 8 9 9 9 9 10 10 10 10 12 Chapter Summary 13 Core Defense Mechanisms Handling User Access 15 16 Authentication Session Management Access Control Handling User Input Varieties of Input Approaches to Input Handling 16 17 18 19 20 21 v 70779toc.qxd:WileyRed vi 9/16/07 5:07 PM Page vi Contents “Reject Known Bad” “Accept Known Good” Sanitization Safe Data Handling Semantic Checks Boundary Validation Multistep Validation and Canonicalization Handling Attackers Chapter 3 21 21 22 22 23 23 26 27 Handling Errors Maintaining Audit Logs Alerting Administrators Reacting to Attacks 27 29 30 31 Managing the Application Chapter Summary Questions 32 33 34 Web Application Technologies The HTTP Protocol 35 35 HTTP Requests HTTP Responses HTTP Methods URLs HTTP Headers General Headers Request Headers Response Headers Cookies Status Codes HTTPS HTTP Proxies HTTP Authentication Web Functionality Server-Side Functionality The Java Platform ASP.NET PHP Client-Side Functionality HTML Hyperlinks Forms JavaScript Thick Client Components State and Sessions Encoding Schemes URL Encoding Unicode Encoding 36 37 38 40 41 41 41 42 43 44 45 46 47 47 48 49 50 50 51 51 51 52 54 54 55 56 56 57 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vii Contents HTML Encoding Base64 Encoding Hex Encoding Chapter 4 Next Steps Questions 59 59 Mapping the Application Enumerating Content and Functionality 61 62 Web Spidering User-Directed Spidering Discovering Hidden Content Brute-Force Techniques Inference from Published Content Use of Public Information Leveraging the Web Server Application Pages vs. Functional Paths Discovering Hidden Parameters 62 65 67 67 70 72 75 76 79 Analyzing the Application Identifying Entry Points for User Input Identifying Server-Side Technologies Banner Grabbing HTTP Fingerprinting File Extensions Directory Names Session Tokens Third-Party Code Components Identifying Server-Side Functionality Dissecting Requests Extrapolating Application Behavior Mapping the Attack Surface Chapter 5 57 58 59 79 80 82 82 82 84 86 86 87 88 88 90 91 Chapter Summary Questions 92 93 Bypassing Client-Side Controls Transmitting Data via the Client 95 95 Hidden Form Fields HTTP Cookies URL Parameters The Referer Header Opaque Data The ASP.NET ViewState Capturing User Data: HTML Forms Length Limits Script-Based Validation Disabled Elements Capturing User Data: Thick-Client Components Java Applets 96 99 99 100 101 102 106 106 108 110 111 112 vii 70779toc.qxd:WileyRed viii 9/16/07 5:07 PM Page viii Contents Decompiling Java Bytecode Coping with Bytecode Obfuscation ActiveX Controls Reverse Engineering Manipulating Exported Functions Fixing Inputs Processed by Controls Decompiling Managed Code Shockwave Flash Objects Handling Client-Side Data Securely Transmitting Data via the Client Validating Client-Generated Data Logging and Alerting Chapter 6 114 117 119 120 122 123 124 124 128 128 129 131 Chapter Summary Questions 131 132 Attacking Authentication Authentication Technologies Design Flaws in Authentication Mechanisms 133 134 135 Bad Passwords Brute-Forcible Login Verbose Failure Messages Vulnerable Transmission of Credentials Password Change Functionality Forgotten Password Functionality “Remember Me” Functionality User Impersonation Functionality Incomplete Validation of Credentials Non-Unique Usernames Predictable Usernames Predictable Initial Passwords Insecure Distribution of Credentials 135 136 139 142 144 145 148 149 152 152 154 154 155 Implementation Flaws in Authentication 156 Fail-Open Login Mechanisms Defects in Multistage Login Mechanisms Insecure Storage of Credentials Securing Authentication Use Strong Credentials Handle Credentials Secretively Validate Credentials Properly Prevent Information Leakage Prevent Brute-Force Attacks Prevent Misuse of the Password Change Function Prevent Misuse of the Account Recovery Function Log, Monitor, and Notify Chapter Summary 156 157 161 162 162 163 164 166 167 170 170 172 172 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page ix Contents Chapter 7 Attacking Session Management The Need for State Alternatives to Sessions 180 Meaningful Tokens Predictable Tokens Concealed Sequences Time Dependency Weak Random Number Generation 180 182 184 185 187 Weaknesses in Session Token Handling 191 Securing Session Management Generate Strong Tokens Protect Tokens throughout Their Lifecycle Per-Page Tokens Log, Monitor, and Alert Reactive Session Termination 192 196 198 200 201 203 203 205 206 206 208 211 212 212 Chapter Summary Questions 213 214 Attacking Access Controls Common Vulnerabilities 217 218 Completely Unprotected Functionality Identifier-Based Functions Multistage Functions Static Files Insecure Access Control Methods Attacking Access Controls Securing Access Controls A Multi-Layered Privilege Model Chapter 9 178 Weaknesses in Session Token Generation Disclosure of Tokens on the Network Disclosure of Tokens in Logs Vulnerable Mapping of Tokens to Sessions Vulnerable Session Termination Client Exposure to Token Hijacking Liberal Cookie Scope Cookie Domain Restrictions Cookie Path Restrictions Chapter 8 175 176 219 220 222 222 223 224 228 231 Chapter Summary Questions 234 235 Injecting Code Injecting into Interpreted Languages Injecting into SQL 237 238 240 Exploiting a Basic Vulnerability Bypassing a Login Finding SQL Injection Bugs Injecting into Different Statement Types 241 243 244 247 ix 70779toc.qxd:WileyRed x 9/16/07 5:07 PM Page x Contents The UNION Operator Fingerprinting the Database Extracting Useful Data An Oracle Hack An MS-SQL Hack Exploiting ODBC Error Messages (MS-SQL Only) Enumerating Table and Column Names Extracting Arbitrary Data Using Recursion Bypassing Filters Second-Order SQL Injection Advanced Exploitation Retrieving Data as Numbers Using an Out-of-Band Channel Using Inference: Conditional Responses Beyond SQL Injection: Escalating the Database Attack MS-SQL Oracle MySQL SQL Syntax and Error Reference SQL Syntax SQL Error Messages Preventing SQL Injection Partially Effective Measures Parameterized Queries Defense in Depth Injecting OS Commands 251 255 256 257 260 262 263 265 266 267 271 272 273 274 277 285 286 288 288 289 290 292 296 296 297 299 300 Example 1: Injecting via Perl Example 2: Injecting via ASP Finding OS Command Injection Flaws Preventing OS Command Injection 300 302 304 307 Injecting into Web Scripting Languages 307 Dynamic Execution Vulnerabilities Dynamic Execution in PHP Dynamic Execution in ASP Finding Dynamic Execution Vulnerabilities File Inclusion Vulnerabilities Remote File Inclusion Local File Inclusion Finding File Inclusion Vulnerabilities Preventing Script Injection Vulnerabilities Injecting into SOAP Finding and Exploiting SOAP Injection Preventing SOAP Injection Injecting into XPath Subverting Application Logic 307 308 308 309 310 310 311 312 312 313 315 316 316 317 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xi Contents Informed XPath Injection Blind XPath Injection Finding XPath Injection Flaws Preventing XPath Injection Injecting into SMTP Email Header Manipulation SMTP Command Injection Finding SMTP Injection Flaws Preventing SMTP Injection Injecting into LDAP Injecting Query Attributes Modifying the Search Filter Finding LDAP Injection Flaws Preventing LDAP Injection Chapter Summary Questions Chapter 10 Exploiting Path Traversal Common Vulnerabilities Finding and Exploiting Path Traversal Vulnerabilities Locating Targets for Attack Detecting Path Traversal Vulnerabilities Circumventing Obstacles to Traversal Attacks Coping with Custom Encoding Exploiting Traversal Vulnerabilities Preventing Path Traversal Vulnerabilities Chapter Summary Questions Chapter 11 Attacking Application Logic The Nature of Logic Flaws Real-World Logic Flaws Example 1: Fooling a Password Change Function The Functionality The Assumption The Attack Example 2: Proceeding to Checkout The Functionality The Assumption The Attack Example 3: Rolling Your Own Insurance The Functionality The Assumption The Attack Example 4: Breaking the Bank The Functionality The Assumption The Attack 318 319 320 321 321 322 323 324 326 326 327 328 329 330 331 331 333 333 335 335 336 339 342 344 344 346 346 349 350 350 351 351 351 352 352 352 353 353 354 354 354 355 356 356 357 358 xi 70779toc.qxd:WileyRed xii 9/16/07 5:07 PM Page xii Contents Example 5: Erasing an Audit Trail The Functionality The Assumption The Attack Example 6: Beating a Business Limit The Functionality The Assumption The Attack Example 7: Cheating on Bulk Discounts The Functionality The Assumption The Attack Example 8: Escaping from Escaping The Functionality The Assumption The Attack Example 9: Abusing a Search Function The Functionality The Assumption The Attack Example 10: Snarfing Debug Messages The Functionality The Assumption The Attack Example 11: Racing against the Login The Functionality The Assumption The Attack Avoiding Logic Flaws Chapter Summary Questions Chapter 12 Attacking Other Users Cross-Site Scripting Reflected XSS Vulnerabilities Exploiting the Vulnerability Stored XSS Vulnerabilities Storing XSS in Uploaded Files DOM-Based XSS Vulnerabilities Real-World XSS Attacks Chaining XSS and Other Attacks Payloads for XSS Attacks Virtual Defacement Injecting Trojan Functionality Inducing User Actions Exploiting Any Trust Relationships Escalating the Client-Side Attack 359 359 359 359 360 360 361 361 362 362 362 362 363 363 364 364 365 365 365 365 366 366 367 367 368 368 368 368 370 372 372 375 376 377 379 383 385 386 388 390 391 391 392 394 394 396 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xiii Contents Delivery Mechanisms for XSS Attacks Delivering Reflected and DOM-Based XSS Attacks Delivering Stored XSS Attacks Finding and Exploiting XSS Vulnerabilities Finding and Exploiting Reflected XSS Vulnerabilities Finding and Exploiting Stored XSS Vulnerabilities Finding and Exploiting DOM-Based XSS Vulnerabilities HttpOnly Cookies and Cross-Site Tracing Preventing XSS Attacks Preventing Reflected and Stored XSS Preventing DOM-Based XSS Preventing XST Redirection Attacks Finding and Exploiting Redirection Vulnerabilities Circumventing Obstacles to Attack Preventing Redirection Vulnerabilities HTTP Header Injection Exploiting Header Injection Vulnerabilities Injecting Cookies Delivering Other Attacks HTTP Response Splitting Preventing Header Injection Vulnerabilities Frame Injection Exploiting Frame Injection Preventing Frame Injection Request Forgery On-Site Request Forgery Cross-Site Request Forgery Exploiting XSRF Flaws Preventing XSRF Flaws JSON Hijacking JSON Attacks against JSON Overriding the Array Constructor Implementing a Callback Function Finding JSON Hijacking Vulnerabilities Preventing JSON Hijacking Session Fixation Finding and Exploiting Session Fixation Vulnerabilities Preventing Session Fixation Vulnerabilities Attacking ActiveX Controls Finding ActiveX Vulnerabilities Preventing ActiveX Vulnerabilities Local Privacy Attacks Persistent Cookies Cached Web Content 399 399 400 401 402 415 417 421 423 423 427 428 428 429 431 433 434 434 435 436 436 438 438 439 440 440 441 442 443 444 446 446 447 447 448 449 450 450 452 453 454 455 456 458 458 458 xiii 70779toc.qxd:WileyRed xiv 9/16/07 5:07 PM Page xiv Contents Browsing History Autocomplete Preventing Local Privacy Attacks Advanced Exploitation Techniques Leveraging Ajax Making Asynchronous Off-Site Requests Anti-DNS Pinning A Hypothetical Attack DNS Pinning Attacks against DNS Pinning Browser Exploitation Frameworks Chapter Summary Questions Chapter 13 Automating Bespoke Attacks Uses for Bespoke Automation Enumerating Valid Identifiers The Basic Approach Detecting Hits HTTP Status Code Response Length Response Body Location Header Set-cookie Header Time Delays Scripting the Attack JAttack 459 460 460 461 461 463 464 465 466 466 467 469 469 471 472 473 474 474 474 475 475 475 475 476 476 477 Harvesting Useful Data Fuzzing for Common Vulnerabilities Putting It All Together: Burp Intruder 484 487 491 Positioning Payloads Choosing Payloads Configuring Response Analysis Attack 1: Enumerating Identifiers Attack 2: Harvesting Information Attack 3: Application Fuzzing 492 493 494 495 498 500 Chapter Summary Questions Chapter 14 Exploiting Information Disclosure Exploiting Error Messages Script Error Messages Stack Traces Informative Debug Messages Server and Database Messages Using Public Information Engineering Informative Error Messages 502 502 505 505 506 507 508 509 511 512 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xv Contents Gathering Published Information Using Inference Preventing Information Leakage Use Generic Error Messages Protect Sensitive Information Minimize Client-Side Information Leakage Chapter Summary Questions Chapter 15 Attacking Compiled Applications Buffer Overflow Vulnerabilities Stack Overflows Heap Overflows “Off-by-One” Vulnerabilities Detecting Buffer Overflow Vulnerabilities Integer Vulnerabilities Integer Overflows Signedness Errors Detecting Integer Vulnerabilities Format String Vulnerabilities Detecting Format String Vulnerabilities Chapter Summary Questions Chapter 16 Attacking Application Architecture Tiered Architectures 513 514 516 516 517 517 518 518 521 522 522 523 524 527 529 529 529 530 531 532 533 534 535 535 Attacking Tiered Architectures Exploiting Trust Relationships between Tiers Subverting Other Tiers Attacking Other Tiers Securing Tiered Architectures Minimize Trust Relationships Segregate Different Components Apply Defense in Depth 536 537 538 539 540 540 541 542 Shared Hosting and Application Service Providers 542 Virtual Hosting Shared Application Services Attacking Shared Environments Attacks against Access Mechanisms Attacks between Applications Securing Shared Environments Secure Customer Access Segregate Customer Functionality Segregate Components in a Shared Application 543 543 544 545 546 549 549 550 551 Chapter Summary Questions 551 551 xv 70779toc.qxd:WileyRed xvi 9/16/07 5:07 PM Page xvi Contents Chapter 17 Attacking the Web Server Vulnerable Web Server Configuration Default Credentials Default Content Debug Functionality Sample Functionality Powerful Functions Directory Listings Dangerous HTTP Methods The Web Server as a Proxy Misconfigured Virtual Hosting Securing Web Server Configuration Vulnerable Web Server Software Buffer Overflow Vulnerabilities Microsoft IIS ISAPI Extensions Apache Chunked Encoding Overflow Microsoft IIS WebDav Overflow iPlanet Search Overflow Path Traversal Vulnerabilities Accipiter DirectServer Alibaba Cisco ACS Acme.server McAfee EPolicy Orcestrator Encoding and Canonicalization Vulnerabilities Allaire JRun Directory Listing Vulnerability Microsoft IIS Unicode Path Traversal Vulnerabilities Oracle PL/SQL Exclusion List Bypasses Finding Web Server Flaws Securing Web Server Software Choose Software with a Good Track Record Apply Vendor Patches Perform Security Hardening Monitor for New Vulnerabilities Use Defense-in-Depth Chapter Summary Questions Chapter 18 Finding Vulnerabilities in Source Code Approaches to Code Review Black-Box vs. White-Box Testing Code Review Methodology Signatures of Common Vulnerabilities Cross-Site Scripting SQL Injection Path Traversal Arbitrary Redirection 553 553 554 555 555 556 557 559 560 562 564 565 566 566 567 567 567 567 568 568 568 568 568 568 569 569 570 571 572 572 572 573 573 573 574 574 577 578 578 579 580 580 581 582 583 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xvii Contents OS Command Injection Backdoor Passwords Native Software Bugs Buffer Overflow Vulnerabilities Integer Vulnerabilities Format String Vulnerabilities Source Code Comments The Java Platform Identifying User-Supplied Data Session Interaction Potentially Dangerous APIs File Access Database Access Dynamic Code Execution OS Command Execution URL Redirection Sockets Configuring the Java Environment ASP.NET Identifying User-Supplied Data Session Interaction Potentially Dangerous APIs File Access Database Access Dynamic Code Execution OS Command Execution URL Redirection Sockets Configuring the ASP.NET Environment PHP Identifying User-Supplied Data Session Interaction Potentially Dangerous APIs File Access Database Access Dynamic Code Execution OS Command Execution URL Redirection Sockets Configuring the PHP Environment Register Globals Safe Mode Magic Quotes Miscellaneous Perl Identifying User-Supplied Data 584 584 585 585 586 586 586 587 587 589 589 589 590 591 591 592 592 593 594 594 595 596 596 597 598 598 599 600 600 601 601 603 604 604 606 607 607 608 608 609 609 610 610 611 611 612 xvii
- Xem thêm -