
Document: The Web Application Hacker’s Handbook

.PDF

Description:

The Web Application Hacker’s Handbook, Second Edition
Finding and Exploiting Security Flaws
Dafydd Stuttard
Marcus Pinto

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, Second Edition
Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com
Copyright © 2011 by Dafydd Stuttard and Marcus Pinto
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-02647-2
ISBN: 978-1-118-17522-4 (ebk)
ISBN: 978-1-118-17524-8 (ebk)
ISBN: 978-1-118-17523-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting http://booksupport.wiley.com. For more information about Wiley products, visit us at www.wiley.com.

Library of Congress Control Number: 2011934639

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
About the Authors

Dafydd Stuttard is an independent security consultant, author, and software developer. With more than 10 years of experience in security consulting, he specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications. He also has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages. His interests include developing tools to facilitate all kinds of software security testing. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite of web application hacking tools; he continues to work actively on Burp’s development. Dafydd is also cofounder of MDSec, a company providing training and consultancy on Internet security attack and defense. Dafydd has developed and presented training courses at various security conferences around the world, and he regularly delivers training to companies and governments. He holds master’s and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is cofounder of MDSec, developing and delivering training courses in web application security. He also performs ongoing security consultancy for financial, government, telecom, and retail verticals. His 11 years of experience in the industry have been dominated by the technical aspects of application security, from the dual perspectives of a consulting and end-user implementation role. Marcus has a background in attack-based security assessment and penetration testing. He has worked extensively with large-scale web application deployments in the financial services industry. Marcus has been developing and presenting database and web application training courses since 2005 at Black Hat and other worldwide security conferences, and for private-sector and government clients. He holds a master’s degree in physics from the University of Cambridge.

About the Technical Editor

Dr. Josh Pauli received his Ph.D. in Software Engineering from North Dakota State University (NDSU) with an emphasis in secure requirements engineering and now serves as an Associate Professor of Information Security at Dakota State University (DSU). Dr. Pauli has published nearly 20 international journal and conference papers related to software security, and his work includes invited presentations from the Department of Homeland Security and Black Hat Briefings. He teaches both undergraduate and graduate courses in system software security and web software security at DSU. Dr. Pauli also conducts web application penetration tests as a Senior Penetration Tester for an Information Security consulting firm, where his duties include developing hands-on technical workshops in the area of web software security for IT professionals in the financial sector.

MDSec: The Authors’ Company

Dafydd and Marcus are cofounders of MDSec, a company that provides training in attack and defense-based security, along with other consultancy services. If while reading this book you would like to put the concepts into practice, and gain hands-on experience in the areas covered, you are encouraged to visit our website, http://mdsec.net. This will give you access to hundreds of interactive vulnerability labs and other resources that are referenced throughout the book.
Credits

Executive Editor: Carol Long
Senior Project Editor: Adaobi Obi Tulton
Technical Editor: Josh Pauli
Production Editor: Kathleen Wisor
Copy Editor: Gayle Johnson
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Business Manager: Amy Knies
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Neil Edde
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreaders: Sarah Kaikini, Word One; Sheilah Ledwidge, Word One
Indexer: Robert Swanson
Cover Designer: Ryan Sneed
Cover Image: Wiley InHouse Design
Vertical Websites Project Manager: Laura Moss-Hollister
Vertical Websites Assistant Project Manager: Jenny Swisher
Vertical Websites Associate Producers: Josh Frank, Shawn Patrick, Doug Kuhn, Marilyn Hummel

Acknowledgments

We are indebted to the directors and others at Next Generation Security Software, who provided the right environment for us to realize the first edition of this book. Since then, our input has come from an increasingly wider community of researchers and professionals who have shared their ideas and contributed to the collective understanding of web application security issues that exists today. Because this is a practical handbook rather than a work of scholarship, we have deliberately avoided filling it with a thousand citations of influential articles, books, and blog postings that spawned the ideas involved. We hope that people whose work we discuss anonymously are content with the general credit given here.

We are grateful to the people at Wiley — in particular, to Carol Long for enthusiastically supporting our project from the outset, to Adaobi Obi Tulton for helping polish our manuscript and coaching us in the quirks of “American English,” to Gayle Johnson for her very helpful and attentive copy editing, and to Katie Wisor’s team for delivering a first-rate production. A large measure of thanks is due to our respective partners, Becky and Amanda, for tolerating the significant distraction and time involved in producing a book of this size.

Both authors are indebted to the people who led us into our unusual line of work. Dafydd would like to thank Martin Law. Martin is a great guy who first taught me how to hack and encouraged me to spend my time developing techniques and tools for attacking applications. Marcus would like to thank his parents for everything they have done and continue to do, including getting me into computers. I’ve been getting into computers ever since.

Contents at a Glance

Introduction  xxiii
Chapter 1  Web Application (In)security  1
Chapter 2  Core Defense Mechanisms  17
Chapter 3  Web Application Technologies  39
Chapter 4  Mapping the Application  73
Chapter 5  Bypassing Client-Side Controls  117
Chapter 6  Attacking Authentication  159
Chapter 7  Attacking Session Management  205
Chapter 8  Attacking Access Controls  257
Chapter 9  Attacking Data Stores  287
Chapter 10  Attacking Back-End Components  357
Chapter 11  Attacking Application Logic  405
Chapter 12  Attacking Users: Cross-Site Scripting  431
Chapter 13  Attacking Users: Other Techniques  501
Chapter 14  Automating Customized Attacks  571
Chapter 15  Exploiting Information Disclosure  615
Chapter 16  Attacking Native Compiled Applications  633
Chapter 17  Attacking Application Architecture  647
Chapter 18  Attacking the Application Server  669
Chapter 19  Finding Vulnerabilities in Source Code  701
Chapter 20  A Web Application Hacker’s Toolkit  747
Chapter 21  A Web Application Hacker’s Methodology  791
Index  853

Contents

Introduction  xxiii

Chapter 1  Web Application (In)security  1
    The Evolution of Web Applications  2
        Common Web Application Functions  4
        Benefits of Web Applications  5
    Web Application Security  6
        “This Site Is Secure”  7
        The Core Security Problem: Users Can Submit Arbitrary Input  9
        Key Problem Factors  10
        The New Security Perimeter  12
        The Future of Web Application Security  14
    Summary  15

Chapter 2  Core Defense Mechanisms  17
    Handling User Access  18
        Authentication  18
        Session Management  19
        Access Control  20
    Handling User Input  21
        Varieties of Input  21
        Approaches to Input Handling  23
        Boundary Validation  25
        Multistep Validation and Canonicalization  28
    Handling Attackers  30
        Handling Errors  30
        Maintaining Audit Logs  31
        Alerting Administrators  33
        Reacting to Attacks  34
    Managing the Application  35
    Summary  36
    Questions  36

Chapter 3  Web Application Technologies  39
    The HTTP Protocol  39
        HTTP Requests  40
        HTTP Responses  41
        HTTP Methods  42
        URLs  44
        REST  44
        HTTP Headers  45
        Cookies  47
        Status Codes  48
        HTTPS  49
        HTTP Proxies  49
        HTTP Authentication  50
    Web Functionality  51
        Server-Side Functionality  51
        Client-Side Functionality  57
        State and Sessions  66
    Encoding Schemes  66
        URL Encoding  67
        Unicode Encoding  67
        HTML Encoding  68
        Base64 Encoding  69
        Hex Encoding  69
        Remoting and Serialization Frameworks  70
    Next Steps  70
    Questions  71

Chapter 4  Mapping the Application  73
    Enumerating Content and Functionality  74
        Web Spidering  74
        User-Directed Spidering  77
        Discovering Hidden Content  80
        Application Pages Versus Functional Paths  93
        Discovering Hidden Parameters  96
    Analyzing the Application  97
        Identifying Entry Points for User Input  98
        Identifying Server-Side Technologies  101
        Identifying Server-Side Functionality  107
        Mapping the Attack Surface  111
    Summary  114
    Questions  114

Chapter 5  Bypassing Client-Side Controls  117
    Transmitting Data Via the Client  118
        Hidden Form Fields  118
        HTTP Cookies  121
        URL Parameters  121
        The Referer Header  122
        Opaque Data  123
        The ASP.NET ViewState  124
    Capturing User Data: HTML Forms  127
        Length Limits  128
        Script-Based Validation  129
        Disabled Elements  131
    Capturing User Data: Browser Extensions  133
        Common Browser Extension Technologies  134
        Approaches to Browser Extensions  135
        Intercepting Traffic from Browser Extensions  135
        Decompiling Browser Extensions  139
        Attaching a Debugger  151
        Native Client Components  153
    Handling Client-Side Data Securely  154
        Transmitting Data Via the Client  154
        Validating Client-Generated Data  155
        Logging and Alerting  156
    Summary  156
    Questions  157

Chapter 6  Attacking Authentication  159
    Authentication Technologies  160
    Design Flaws in Authentication Mechanisms  161
        Bad Passwords  161
        Brute-Forcible Login  162
        Verbose Failure Messages  166
        Vulnerable Transmission of Credentials  169
        Password Change Functionality  171
        Forgotten Password Functionality  173
        “Remember Me” Functionality  176
        User Impersonation Functionality  178
        Incomplete Validation of Credentials  180
        Nonunique Usernames  181
        Predictable Usernames  182
        Predictable Initial Passwords  183
        Insecure Distribution of Credentials  184
    Implementation Flaws in Authentication  185
        Fail-Open Login Mechanisms  185
        Defects in Multistage Login Mechanisms  186
        Insecure Storage of Credentials  190
    Securing Authentication  191
        Use Strong Credentials  192
        Handle Credentials Secretively  192
        Validate Credentials Properly  193
        Prevent Information Leakage  195
        Prevent Brute-Force Attacks  196
        Prevent Misuse of the Password Change Function  199
        Prevent Misuse of the Account Recovery Function  199
        Log, Monitor, and Notify  201
    Summary  201
    Questions  202

Chapter 7  Attacking Session Management  205
    The Need for State  206
        Alternatives to Sessions  208
    Weaknesses in Token Generation  210
        Meaningful Tokens  210
        Predictable Tokens  213
        Encrypted Tokens  223
    Weaknesses in Session Token Handling  233
        Disclosure of Tokens on the Network  234
        Disclosure of Tokens in Logs  237
        Vulnerable Mapping of Tokens to Sessions  240
        Vulnerable Session Termination  241
        Client Exposure to Token Hijacking  243
        Liberal Cookie Scope  244
    Securing Session Management  248
        Generate Strong Tokens  248
        Protect Tokens Throughout Their Life Cycle  250
        Log, Monitor, and Alert  253
    Summary  254
    Questions  255

Chapter 8  Attacking Access Controls  257
    Common Vulnerabilities  258
        Completely Unprotected Functionality  259
        Identifier-Based Functions  261
        Multistage Functions  262
        Static Files  263
        Platform Misconfiguration  264
        Insecure Access Control Methods  265
    Attacking Access Controls  266
        Testing with Different User Accounts  267
        Testing Multistage Processes  271
        Testing with Limited Access  273
        Testing Direct Access to Methods  276
        Testing Controls Over Static Resources  277
        Testing Restrictions on HTTP Methods  278
    Securing Access Controls  278
        A Multilayered Privilege Model  280
    Summary  284
    Questions  284

Chapter 9  Attacking Data Stores  287
    Injecting into Interpreted Contexts  288
        Bypassing a Login  288
    Injecting into SQL  291
        Exploiting a Basic Vulnerability  292
        Injecting into Different Statement Types  294
        Finding SQL Injection Bugs  298
        Fingerprinting the Database  303
        The UNION Operator  304
        Extracting Useful Data  308
        Extracting Data with UNION  308
        Bypassing Filters  311
        Second-Order SQL Injection  313
        Advanced Exploitation  314
        Beyond SQL Injection: Escalating the Database Attack  325
        Using SQL Exploitation Tools  328
        SQL Syntax and Error Reference  332
        Preventing SQL Injection  338
    Injecting into NoSQL  342
        Injecting into MongoDB  343
    Injecting into XPath  344
        Subverting Application Logic  345
        Informed XPath Injection  346
        Blind XPath Injection  347
        Finding XPath Injection Flaws  348
        Preventing XPath Injection  349
    Injecting into LDAP  349
        Exploiting LDAP Injection  351
        Finding LDAP Injection Flaws  353
        Preventing LDAP Injection  354
    Summary  354
    Questions  354

Chapter 10  Attacking Back-End Components  357
    Injecting OS Commands  358
        Example 1: Injecting Via Perl  358
        Example 2: Injecting Via ASP  360
        Injecting Through Dynamic Execution  362
        Finding OS Command Injection Flaws  363
        Finding Dynamic Execution Vulnerabilities  366
        Preventing OS Command Injection  367
        Preventing Script Injection Vulnerabilities  368
    Manipulating File Paths  368
        Path Traversal Vulnerabilities  368
        File Inclusion Vulnerabilities  381
    Injecting into XML Interpreters  383
        Injecting XML External Entities  384
        Injecting into SOAP Services  386
        Finding and Exploiting SOAP Injection  389
        Preventing SOAP Injection  390
    Injecting into Back-end HTTP Requests  390
        Server-side HTTP Redirection  390
        HTTP Parameter Injection  393
    Injecting into Mail Services  397
        E-mail Header Manipulation  398
        SMTP Command Injection  399
        Finding SMTP Injection Flaws  400
        Preventing SMTP Injection  402
    Summary  402
    Questions  403

Chapter 11  Attacking Application Logic  405
    The Nature of Logic Flaws  406
    Real-World Logic Flaws  406
        Example 1: Asking the Oracle  407
        Example 2: Fooling a Password Change Function  409
        Example 3: Proceeding to Checkout  410
        Example 4: Rolling Your Own Insurance  412
        Example 5: Breaking the Bank  414
        Example 6: Beating a Business Limit  416
        Example 7: Cheating on Bulk Discounts  418
        Example 8: Escaping from Escaping  419
        Example 9: Invalidating Input Validation  420
        Example 10: Abusing a Search Function  422
        Example 11: Snarfing Debug Messages  424
        Example 12: Racing Against the Login  426
    Avoiding Logic Flaws  428
    Summary  429
    Questions  430

Chapter 12  Attacking Users: Cross-Site Scripting  431
    Varieties of XSS  433
        Reflected XSS Vulnerabilities  434
        Stored XSS Vulnerabilities  438
        DOM-Based XSS Vulnerabilities  440
    XSS Attacks in Action  442
        Real-World XSS Attacks  442
        Payloads for XSS Attacks  443
        Delivery Mechanisms for XSS Attacks  447
    Finding and Exploiting XSS Vulnerabilities  451
        Finding and Exploiting Reflected XSS Vulnerabilities  452
        Finding and Exploiting Stored XSS Vulnerabilities  481
        Finding and Exploiting DOM-Based XSS Vulnerabilities  487
    Preventing XSS Attacks  492
        Preventing Reflected and Stored XSS  492
        Preventing DOM-Based XSS  496
    Summary  498
    Questions  498

Chapter 13  Attacking Users: Other Techniques  501
    Inducing User Actions  501
        Request Forgery  502
        UI Redress  511
    Capturing Data Cross-Domain  515
        Capturing Data by Injecting HTML  516
        Capturing Data by Injecting CSS  517
        JavaScript Hijacking  519
    The Same-Origin Policy Revisited  524
        The Same-Origin Policy and Browser Extensions  525
        The Same-Origin Policy and HTML5  528
        Crossing Domains with Proxy Service Applications  529
    Other Client-Side Injection Attacks  531
        HTTP Header Injection  531
        Cookie Injection  536
        Open Redirection Vulnerabilities  540
        Client-Side SQL Injection  547
        Client-Side HTTP Parameter Pollution  548
    Local Privacy Attacks  550
        Persistent Cookies  550
        Cached Web Content  551
        Browsing History  552
        Autocomplete  552
        Flash Local Shared Objects  553
        Silverlight Isolated Storage  553
        Internet Explorer userData  554
        HTML5 Local Storage Mechanisms  554
        Preventing Local Privacy Attacks  554
    Attacking ActiveX Controls  555
        Finding ActiveX Vulnerabilities  556
        Preventing ActiveX Vulnerabilities  558
    Attacking the Browser  559
        Logging Keystrokes  560
        Stealing Browser History and Search Queries  560
        Enumerating Currently Used Applications  560
        Port Scanning  561
        Attacking Other Network Hosts  561
        Exploiting Non-HTTP Services  562
        Exploiting Browser Bugs  563
        DNS Rebinding  563
        Browser Exploitation Frameworks  564
        Man-in-the-Middle Attacks  566
    Summary  568
    Questions  568

Chapter 14  Automating Customized Attacks  571
    Uses for Customized Automation  572
    Enumerating Valid Identifiers  573
        The Basic Approach  574
        Detecting Hits  574
        Scripting the Attack  576
        JAttack  577
    Harvesting Useful Data  583
    Fuzzing for Common Vulnerabilities  586
    Putting It All Together: Burp Intruder  590
    Barriers to Automation  602
        Session-Handling Mechanisms  602
        CAPTCHA Controls  610
    Summary  613
    Questions  613

Chapter 15  Exploiting Information Disclosure  615
    Exploiting Error Messages  615
        Script Error Messages  616
        Stack Traces  617
        Informative Debug Messages  618
        Server and Database Messages  619
        Using Public Information  623
        Engineering Informative Error Messages  624
    Gathering Published Information  625
    Using Inference  626
    Preventing Information Leakage  627
        Use Generic Error Messages  628
        Protect Sensitive Information  628
        Minimize Client-Side Information Leakage  629
    Summary  629
    Questions  630

Chapter 16  Attacking Native Compiled Applications  633
    Buffer Overflow Vulnerabilities  634
        Stack Overflows  634
        Heap Overflows  635
        “Off-by-One” Vulnerabilities  636
        Detecting Buffer Overflow Vulnerabilities  639
    Integer Vulnerabilities  640
        Integer Overflows  640
        Signedness Errors  641
        Detecting Integer Vulnerabilities  642
    Format String Vulnerabilities  643
        Detecting Format String Vulnerabilities  644
    Summary  645
    Questions  645

Chapter 17  Attacking Application Architecture  647
    Tiered Architectures  647
        Attacking Tiered Architectures  648
        Securing Tiered Architectures  654
    Shared Hosting and Application Service Providers  656
        Virtual Hosting  657
        Shared Application Services  657
        Attacking Shared Environments  658
        Securing Shared Environments  665
    Summary  667
    Questions  667

Chapter 18  Attacking the Application Server  669
    Vulnerable Server Configuration  670
        Default Credentials  670
        Default Content  671
        Directory Listings  677
        WebDAV Methods  679
        The Application Server as a Proxy  682
        Misconfigured Virtual Hosting  683
        Securing Web Server Configuration  684
    Vulnerable Server Software  684
        Application Framework Flaws  685
        Memory Management Vulnerabilities  687
        Encoding and Canonicalization  689
        Finding Web Server Flaws  694
        Securing Web Server Software  695
    Web Application Firewalls  697
    Summary  699
    Questions  699

Chapter 19  Finding Vulnerabilities in Source Code  701
    Approaches to Code Review  702
        Black-Box Versus White-Box Testing  702
        Code Review Methodology  703
    Signatures of Common Vulnerabilities  704
        Cross-Site Scripting  704
        SQL Injection  705
        Path Traversal  706
        Arbitrary Redirection  707
        OS Command Injection  708
        Backdoor Passwords  708
        Native Software Bugs  709
        Source Code Comments  710
    The Java Platform  711
        Identifying User-Supplied Data  711
        Session Interaction  712
        Potentially Dangerous APIs  713
        Configuring the Java Environment  716
    ASP.NET  718
        Identifying User-Supplied Data  718
        Session Interaction  719
        Potentially Dangerous APIs  720
        Configuring the ASP.NET Environment  723
    PHP  724
        Identifying User-Supplied Data  724
        Session Interaction  727
        Potentially Dangerous APIs  727
        Configuring the PHP Environment  732
    Perl  735
        Identifying User-Supplied Data  735
        Session Interaction  736
        Potentially Dangerous APIs  736
        Configuring the Perl Environment  739
    JavaScript  740
    Database Code Components  741
        SQL Injection  741
        Calls to Dangerous Functions  742
    Tools for Code Browsing  743
    Summary  744
    Questions  744

Chapter 20  A Web Application Hacker’s Toolkit  747
    Web Browsers  748
        Internet Explorer  748
        Firefox  749
        Chrome  750
    Integrated Testing Suites  751
        How the Tools Work  751
        Testing Work Flow  769
        Alternatives to the Intercepting Proxy  771
    Standalone Vulnerability Scanners  773
        Vulnerabilities Detected by Scanners  774
        Inherent Limitations of Scanners  776
