Table of Contents
(NOTE: Each chapter begins with an Introduction and concludes with
a Summary.)
Foreword
Introduction
  "We're Secure, We Have a Firewall"
  To Err Is Human
  Writing on the Wall
  Book Organization
  Parts
  Chapters
  A Final Word
  Acknowledgments
  Contributor

I. THE E-COMMERCE PLAYGROUND
Case Study: Acme Art, Inc. Hacked!

1. Web Languages: The Babylon of the 21st Century
  Languages of the Web
  HTML
  Dynamic HTML (DHTML)
  XML
  XHTML
  Perl
  PHP
  ColdFusion
  Active Server Pages
  CGI
  Java

2. Web and Database Servers
  Web Servers
  Apache
  Microsoft's Internet Information Server (IIS)
  Database Servers
  Microsoft SQL Server
  Oracle

3. Shopping Carts and Payment Gateways
  Evolution of the Storefront
  Electronic Shopping
  Shopping Cart Systems
  Scope and Lifetime of an Electronic Shopping Cart
  Collecting, Analyzing, and Comparing Selected Components
  Keeping Track of the Total Cost
  Change of Mind
  Processing the Purchase
  Implementation of a Shopping Cart Application
  Product Catalog
  Session Management
  Database Interfacing
  Integration with the Payment Gateway
  Examples of Poorly Implemented Shopping Carts
  Carello Shopping Cart
  DCShop Shopping Cart
  Hassan Consulting's Shopping Cart
  Cart32 and Several Other Shopping Carts
  Processing Payments
  Finalizing the Order
  Method of Payment
  Verification and Fraud Protection
  Order Fulfillment and Receipt Generation
  Overview of the Payment Processing System
  Innovative Ways to Combat Credit Card Fraud
  Order Confirmation Page
  Payment Gateway Interface
  Transaction Database Interface
  Interfacing with a Payment Gateway—An Example
  Payment System Implementation Issues
  Integration
  Temporary Information
  SSL
  Storing User Profiles
  Vulnerabilities Caused by Poor Integration of Shopping Cart and Payment Gateway
  PayPal—Enabling Individuals to Accept Electronic Payments

4. HTTP and HTTPS: The Hacking Protocols
  Protocols of the Web
  HTTP
  HTTPS (HTTP over SSL)

5. URL: The Web Hacker's Sword
  URL Structure
  Web Hacker Psychology
  URLs and Parameter Passing
  URL Encoding
  Meta-Characters
  Specifying Special Characters on the URL String
  Meta-Characters and Input Validation
  Unicode Encoding
  The Acme Art, Inc. Hack
  Abusing URL Encoding
  Unicode Encoding and Code Red's Shell Code
  Unicode Vulnerability
  The Double-Decode or Superfluous Decode Vulnerability
  HTML Forms
  Anatomy of an HTML Form
  Input Elements
  Parameter Passing Via GET and POST

II. URLS UNRAVELED
Case Study: Reconnaissance Leaks Corporate Assets

6. Web: Under (the) Cover
  The Components of a Web Application
  The Front-End Web Server
  The Web Application Execution Environment
  The Database Server
  Wiring the Components
  The Native Application Processing Environment
  Web Server APIs and Plug-Ins
  URL Mapping and Internal Proxying
  Proxying with a Back-End Application Server
  Examples
  Connecting with the Database
  The Craftiest Hack of Them All
  Using Native Database APIs
  Examples
  Using ODBC
  Using JDBC
  Specialized Web Application Servers
  Identifying Web Application Components from URLs
  The Basics of Technology Identification
  Examples
  More Examples
  Advanced Techniques for Technology Identification
  Examples
  Identifying Database Servers
  Countermeasures
  Rule 1: Minimize Information Leaked from the HTTP Header
  Rule 2: Prevent Error Information from Being Sent to the Browser

7. Reading Between the Lines
  Information Leakage Through HTML
  What the Browsers Don't Show You
  Netscape Navigator—View | Page Source
  Internet Explorer—View | Source
  Clues to Look For
  HTML Comments
  Revision History
  Developer or Author Details
  Cross-References to Other Areas of the Web Application
  Reminders and Placeholders
  Comments Inserted by Web Application Servers
  Old "Commented-Out" Code
  Internal and External Hyperlinks
  E-mail Addresses and Usernames
  UBE, UCE, Junk Mail, and Spam
  Keywords and Meta Tags
  Hidden Fields
  Client-Side Scripts
  Automated Source Sifting Techniques
  Using wget
  Using grep
  Sam Spade, Black Widow, and Teleport Pro

8. Site Linkage Analysis
  HTML and Site Linkage Analysis
  Site Linkage Analysis Methodology
  Step 1: Crawling the Web Site
  Crawling a Site Manually
  A Closer Look at the HTTP Response Header
  Some Popular Tools for Site Linkage Analysis
  Step-1 Wrap-Up
  Crawlers and Redirection
  Step 2: Creating Logical Groups Within the Application Structure
  Step-2 Wrap-Up
  Step 3: Analyzing Each Web Resource
    1. Extension Analysis
    2. URL Path Analysis
    3. Session Analysis
    4. Form Determination
    5. Applet and Object Identification
    6. Client-Side Script Evaluation
    7. Comment and E-Mail Address Analysis
  Step-3 Wrap-Up
  Step 4: Inventorying Web Resources

III. HOW DO THEY DO IT?
Case Study: How Boris Met Anna's Need for Art Supplies

9. Cyber Graffiti
  Defacing Acme Travel, Inc.'s Web Site
  Mapping the Target Network
  Throwing Proxy Servers in Reverse
  Brute Forcing HTTP Authentication
  Directory Browsing
  Uploading the Defaced Pages
  What Went Wrong?
  HTTP Brute-Forcing Tools
  Brutus
  WebCracker 4.0
  Countermeasures Against the Acme Travel, Inc. Hack
  Turning Off Reverse Proxying
  Using Stronger HTTP Authentication Passwords
  Turning Off Directory Browsing

10. E-Shoplifting
  Building an Electronic Store
  The Store Front-End
  The Shopping Cart
  The Checkout Station
  The Database
  Putting It All Together
  Evolution of Electronic Storefronts
  Robbing Acme Fashions, Inc.
  Setting Up Acme's Electronic Storefront
  Tracking Down the Problem
  Bypassing Client-Side Validation
  Using Search Engines to Look for Hidden Fields
  Overhauling www.acme-fashions.com
  Facing a New Problem with the Overhauled System
  Postmortem and Further Countermeasures
  Shopping Carts with Remote Command Execution

11. Database Access
  Direct SQL Attacks
  A Used Car Dealership Is Hacked
  Input Validation
  Countermeasures

12. Java: Remote Command Execution
  Java-Driven Technology
  Architecture of Java Application Servers
  Attacking a Java Web Server
  Identifying Loopholes in Java Application Servers
  Example: Online Stock Trading Portal
  Invoking FileServlet
  Countermeasures
  Harden the Java Web Server
  Other Conceptual Countermeasures

13. Impersonation
  Session Hijacking: A Stolen Identity and a Broken Date
  March 5, 7:00 A.M.—Alice's Residence
  8:30 A.M.—Alice's Workplace
  10:00 A.M.—Bob's Office
  11:00 A.M.—Bob's Office
  12:30 P.M.—Alice's Office
  9:30 P.M.—Bertolini's Italian Cuisine
  Session Hijacking
  Postmortem of the Session Hijacking Attack
  Application State Diagrams
  HTTP and Session Tracking
  Stateless Versus Stateful Applications
  Cookies and Hidden Fields
  Cookie Control, Using Netscape on a Unix Platform
  Cookies
  Hidden Fields
  Implementing Session and State Tracking
  Session Identifiers Should Be Unique
  Session Identifiers Should Not Be "Guessable"
  Session Identifiers Should Be Independent
  Session Identifiers Should Be Mapped with Client-Side Connections

14. Buffer Overflows: On-the-Fly
  Example
  Buffer Overflows
  Buffer Overflow: Its Simplest Form
  Buffer Overflow: An Example
  Postmortem Countermeasures

IV. ADVANCED WEB KUNG FU
Case Study

15. Web Hacking: Automated Tools
  Netcat
  Whisker
  Brute Force
  Brutus
  Achilles
  Cookie Pal
  Teleport Pro
  Security Recommendations

16. Worms
  Code Red Worm
  January 26, 2000
  June 18, 2001: The First Attack
  July 12, 2001
  July 19, 2001
  August 4, 2001
  Nimda Worm
  Combatting Worm Evolution
  React and Respond

17. Beating the IDS
  IDS Basics
  Network IDSs
  Host-Based IDSs
  IDS Accuracy
  Getting Past an IDS
  Secure Hacking—Hacking Over SSL
  Example
  Tunneling Attacks via SSL
  Intrusion Detection via SSL
  Sniffing SSL Traffic
  Polymorphic URLs
  Hexadecimal Encoding
  Illegal Unicode/Superfluous Encoding
  Adding Fake Paths
  Inserting Slash-Dot-Slash Strings
  Using Nonstandard Path Separators
  Using Multiple Slashes
  Mixing Various Techniques
  Generating False Positives
  IDS Evasion in Vulnerability Checkers
  Potential Countermeasures
  SSL Decryption
  URL Decoding

Appendix A: Web and Database Port Listing
Appendix B: HTTP/1.1 and HTTP/1.0 Method and Field Definitions
Appendix C: Remote Command Execution Cheat Sheet
Appendix D: Source Code, File, and Directory Disclosure Cheat Sheet
Appendix E: Resources and Links
Appendix F: Web-Related Tools
Index
Promotional Information
In the evolution of hacking, firewalls are a mere speed bump.
Hacking continues to develop, becoming ever more sophisticated,
adapting and growing in ingenuity as well as in the damage that
results. Web attacks running over web ports strike with enormous
impact. Stuart McClure's new book focuses on Web hacking, an area
where organizations are particularly vulnerable. The material
covers the web commerce "playground", describing web languages and
protocols, web and database servers, and payment systems. The
authors bring unparalleled insight to both well-known and lesser
known web vulnerabilities. They show the dangerous range of the
many different attacks web hackers harbor in their bag of tricks,
including buffer overflows, the most wicked of attacks, plus other
advanced attacks. The book features complete methodologies,
including techniques and attacks, countermeasures, tools, plus case
studies and web attack scenarios showing how different attacks work
and why they work.
About the Author
Stuart McClure, President/CTO, Foundstone, Inc., brings over 12
years of IT and security experience to Foundstone. Stuart is a
successful security author, speaker, and teacher whose writings
have been translated into dozens of languages around the world.
Stuart is the lead author of the best-selling security book Hacking
Exposed: Network Security Secrets and Solutions, which has been
translated into 19 languages and has received critical acclaim
around the world. In addition, it was ranked the #4 computer book
sold on Amazon in 2001, positioning it as the best-selling security
book ever sold. Prior to co-founding Foundstone, Stuart was a
Senior Manager with Ernst & Young's National Security Profiling
Team, responsible for project management, attack and penetration
reviews, and security technology evaluations. Prior to Ernst &
Young, Stuart was a Security Analyst for the InfoWorld Test Center,
where he covered the security industry and evaluated over 100
network and security products, specializing in firewalls, security
auditing, intrusion detection, and public key infrastructure (PKI).
Prior to InfoWorld, Stuart was the IT manager for State and Local
Governments, supporting Novell, NT, Solaris, AIX, and AS/400
platforms. Stuart holds a B.A. degree from the University of
Colorado, Boulder, and numerous certifications including ISC2's
CISSP, Novell's CNE, and Check Point's CCSE.

Saumil continues to lead the efforts in e-commerce security
research at Net-Square. His focus is on researching vulnerabilities
in various e-commerce and Web-based application systems. Saumil
also provides information security consulting services to
Net-Square clients, specializing in ethical hacking and security
architecture. He holds the designation of Certified Information
Systems Security Professional. Saumil has more than eight years'
experience with system administration, network architecture,
integrating heterogeneous platforms, and information security, and
has performed numerous ethical hacking exercises for many
significant companies in the IT area. Saumil is a regular speaker
at security conferences such as BlackHat and RSA. Previously,
Saumil was the Director of Indian Operations for Foundstone, Inc.,
where he was instrumental in developing their Web application
security assessment methodology and the Web assessment component of
FoundScan, Foundstone's Managed Security Services software, and was
instrumental in pioneering Foundstone's Ultimate Web Hacking
training class. Prior to joining Foundstone, Saumil was a senior
consultant with Ernst & Young, where he was responsible for the
company's ethical hacking and security architecture solutions.
Saumil has also worked at the Indian Institute of Management,
Ahmedabad, as a research assistant and is currently a visiting
faculty member there. Saumil graduated from Purdue University with
a master's degree in computer science and a strong research
background in operating systems, networking, information security,
and cryptography. At Purdue, he was a research assistant in the
COAST (Computer Operations, Audit and Security Technology)
laboratory. He received his undergraduate degree in computer
engineering from Gujarat University, India. Saumil is also the
author of The Anti-Virus Book (Tata McGraw-Hill, 1996).

Shreeraj leads the software development and research arm of
Net-Square. His role is to develop new methodologies for Web
application security assessment and defense. In the past, he has
been involved in several Web application assessment projects,
protocol analysis, code reviews, and ethical Web hacking. He has
also been a speaker at RSA and BlackHat. Shreeraj has vast
experience in the fields of security, application development, and
network administration, in addition to his strong technical
background, client management skills, project management, and
research methodologies. He was a member of the core development t