There is no such thing as "perfect security" when it comes to keeping all systems intact and functioning properly. Good penetration (pen) testing creates a balance that allows a system to be secure while simultaneously being fully functional. With this book, you'll learn how to become an effective penetrator (i.e., a white hat or ethical hacker) in order to circumvent the security features of a Web application so that those features can be accurately evaluated and adequate security precautions can be put in place. After a review of the basics of web applications, you'll be introduced to web application hacking concepts and techniques such as vulnerability analysis, attack simulation, results analysis, manuals, source code, and circuit diagrams. These web application hacking concepts and techniques will prove useful information for ultimately securing the resources that need your protection. What you will learn from this book * Surveillance techniques that an attacker uses when targeting a system for a strike * Various types of issues that exist within the modern day web application space * How to audit web services in order to assess areas of risk and exposure * How to analyze your results and translate them into documentation that is useful for remediation * Techniques for pen-testing trials to practice before a live project Who this book is for This book is for programmers, developers, and information security professionals who want to become familiar with web application security and how to audit it. Wrox Professional guides are planned and written by working programmers to meet the real-world needs of programmers, developers, and IT professionals. Focused and relevant, they address the issues technology professionals face every day. They provide examples, practical solutions, and expert education in new technologies, all designed to help programmers do a better job.

Andres Andreu, CISSP-ISSAP, GSEC currently operates neuroFuzz Application Security LLC (http://www.neurofuzz.com), and has a strong background with the U.S. government. He served the United States of America in Information Technology and Security capacities within a “3-Letter” federal law enforcement agency. The bulk of his time there was spent building the IT Infrastructure and working on numerous intelligence software programs for one of the largest Title III Interception Operations within the continental U.S. He worked there for a decade and during that time he was the recipient of numerous agency awards for outstanding performance.

He holds a bachelor’s degree in Computer Science, graduating Summa Cum Laude with a 3.9 GPA from the American College of Computer and Informational Sciences. Mr. Andreu specializes in software, application, and Web services security, working with XML security, TCP and HTTP(S) level proxying technology, and strong encryption. He has many years of experience with technologies like LDAP, Web services (SOA, SOAP, and so on), enterprise applications, and application integration.

Acknowledgments

xi

Introduction

xix

Penetration Testing Web Applications

1

(14)

Security Industry Weaknesses

1

(2)

Application Development Considerations

2

(1)

Limitations of Edge Security Models

2

(1)

The Case for Pen Testing

3

(3)

Industry Preparedness

3

(2)

The Bottom Line

5

(1)

The Mindset

6

(2)

Creativity

6

(1)

Digging Deep

7

(1)

The Goal

8

(1)

Methodology

8

(2)

Rolling Documentation

9

(1)

This Book

9

(1)

The Business

10

(3)

Requirements

11

(1)

Rules of Engagement

11

(1)

Self Protection

12

(1)

Summary

13

(2)

Web Applications: Some Basics

15

(56)

Architectural Aspects

15

(20)

What Is a Web Application?

16

(3)

The Tiers

19

(2)

The HTTP Protocol

21

(4)

HTTP Proxy

25

(3)

SSL/TLS

28

(7)

Application Aspects

35

(7)

State

35

(2)

Dynamic Technologies

37

(4)

Web-Based Authentication

41

(1)

Data Aspects

42

(14)

Encryption vs. Encoding

42

(9)

XML

51

(5)

Emerging Web Application Models

56

(14)

Integration

56

(11)

Frameworks

67

(1)

Wireless

68

(2)

Summary

70

(1)

Discovery

71

(62)

Logistics

72

(13)

WHOIS

72

(3)

DNS

75

(1)

ARIN

76

(1)

SamSpade

77

(3)

Filter Detection

80

(5)

OS Fingerprinting

85

(4)

Netcraft

85

(1)

pOf

86

(3)

Web Server Fingerprinting

89

(4)

HTTP Headers

89

(3)

httprint

92

(1)

Application Fingerprinting

93

(25)

Port Mapping

94

(3)

Service Identification

97

(6)

Database Identification

103

(1)

Analyze Error Pages

104

(2)

File Type Probes

106

(1)

Resource Enumeration

107

(9)

HTML Source Sifting

116

(2)

Information Harvesting

118

(6)

Web Services

124

(7)

UDDI and DISCO

125

(2)

WSIL

127

(1)

J2EE

128

(3)

Summary

131

(2)

Vulnerability Analysis

133

(62)

OWASP and the Top Ten Threats

134

(1)

WASC

134

(2)

Unvalidated Input

136

(5)

Validation

136

(1)

Manipulation

136

(5)

Broken Access Control

141

(1)

Broken Authentication and Session Management

142

(12)

Authentication

142

(4)

Session

146

(8)

Cross-Site Scripting (XSS) Flaws

154

(4)

Cross-Site Tracing (XST)

157

(1)

Buffer Overflows

158

(5)

Injection Flaws

163

(12)

LDAP Injection

163

(2)

OS Commanding

165

(1)

SQL Injection

166

(7)

SSI Injection

173

(1)

XPath Injection

173

(1)

XXE

174

(1)

Improper Error Handling

175

(1)

Insecure Storage

176

(2)

Live Data

177

(1)

Archived Data

177

(1)

Denial of Service (DoS)

178

(3)

Target: Web Server

179

(1)

Target: User

180

(1)

Target: DB

180

(1)

Insecure Configuration Management

181

(2)

Other Areas

183

(3)

Insufficient Authentication

183

(1)

Weak Password Recovery Validation

183

(1)

Content Spoofing

183

(1)

Information Leakage

184

(1)

Abuse of Functionality

184

(1)

Insufficient Anti-Automation

185

(1)

Insufficient Process Validation

185

(1)

Reverse Engineering

185

(1)

Threat Modeling

186

(8)

Decompose and Understand the Application

187

(1)

Analysis of Threats

188

(1)

Categorization and Ranking of Threats

189

(1)

Identification of Mitigation Strategies

190

(3)

Pen Test

193

(1)

Methodologies and Tools

193

(1)

Summary

194

(1)

Attack Simulation Techniques and Tools: Web Server

195

(24)

Identifying Threats

196

(18)

Default Content and Settings

196

(1)

Attacks on the System

197

(4)

Configuration

201

(3)

Product-Specific Issues

204

(10)

Tools

214

(1)

Nessus

214

(1)

Commercial Tools

215

(2)

Summary

217

(2)

Attack Simulation Techniques and Tools: Web Application

219

(96)

The App Checklist

220

(2)

Manual Testing

222

(51)

The Proxy

222

(12)

Custom Scripts

234

(10)

Frameworks

244

(2)

SQL Injection

246

(2)

Authentication

248

(18)

Buffer Overflow

266

(2)

Client-Side Attacks

268

(1)

XSS

268

(2)

Active Content

270

(1)

Cookies

271

(1)

Client-Side Example

272

(1)

Automated Testing

273

(33)

The Proxy

274

(11)

Scanners

285

(9)

Multi-Purpose Scanners

294

(12)

Commercial Tools

306

(7)

Web Application Related

306

(7)

DB Related

313

(1)

Summary

313

(2)

Attack Simulation Techniques and Tools: Known Exploits

315

(42)

Manual Examples

317

(21)

Example 1 --- Domino WebMail

317

(9)

Example 2 --- IIS

326

(12)

Using MetaSploit

338

(9)

Moving Forward . . .

347

(5)

Security Focus

347

(2)

HSC

349

(2)

CERT

351

(1)

Secunia

351

(1)

eEye

351

(1)

OSVDB

351

(1)

CVE

352

(1)

Warning

352

(3)

Commercial Products

355

(1)

Immunity CANVAS

355

(1)

Core Impact

356

(1)

Summary

356

(1)

Attack Simulation Techniques and Tools: Web Services

357

(44)

The Reality

358

(1)

Identifying Threats

359

(5)

XML Content Attacks

359

(3)

Web Service Attacks

362

(1)

Infrastructure Attacks

362

(2)

Simulating the Attack

364

(30)

Footprinting

364

(4)

Enumeration

368

(3)

Analysis

371

(2)

Testing/Attacking

373

(19)

Documentation

392

(2)

Commercial Tools

394

(2)

WebInspect

395

(1)

Moving Forward . . .

396

(3)

WSID4ID

396

(1)

AJAX

397

(2)

Summary

399

(2)

Documentation and Presentation

401

(24)

Results Verification

402

(4)

False Positives

402

(4)

Document Structure

406

(17)

Executive Summary

406

(2)

Risk Matrix

408

(5)

Best Practices

413

(3)

Final Summary

416

(1)

Results Document Security

416

(1)

Compliance Factors

417

(6)

Presentation Techniques

423

(1)

Summary

423

(2)

Remediation

425

(24)

Edge-Level Protection

426

(6)

Web Application Firewalls

426

(4)

Web Services

430

(2)

Some Best Practices

432

(13)

Input Validation

432

(10)

Session Management

442

(3)

Code Audit

445

(1)

Summary

446

(3)

Your Lab

449

(22)

Hardware

450

(1)

Servers

450

(1)

Network

450

(1)

Storage

450

(1)

Software

451

(18)

Client Tools

451

(1)

Server OS Installations

452

(5)

Web Applications

457

(11)

webAppHoneypot

468

(1)

Summary

469

(2)

Appendix A: Basic SQL

471

(6)

Appendix B: Basic LDAP

477

(6)

Appendix C: XPath and XQuery

483

(12)

Appendix D: Injection Attack Dictionaries

495

(10)

Index

505

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.