Hacking Exposed Web Applications, 3rd Edition (PDF)
www.it-ebooks.info

Praise for Hacking Exposed™ Web Applications:

Web Application Security Secrets and Solutions, Third Edition

“Whether you are a business leader attempting to understand the threat space for your business,

or an engineer tasked with writing the code for those sites, or a security engineer attempting to

identify and mitigate the threats to your applications, this book will be an invaluable weapon in

your arsenal.”

—From the Foreword by Chris Peterson

Senior Director of Application Security, Zynga Game Network

Former Director of Security Assurance, Microsoft Corporation

“I cut my teeth reading Joel’s work, and this book is no disappointment. People often ask where to

find high-quality content that will help them gain a foothold in this daunting industry. This is the

kind of desk reference every web application security practitioner needs. It will certainly hold a

place of prominence in my personal library.”

—Robert “RSnake” Hansen

CEO SecTheory and founder of ha.ckers.org

“An eye-opening resource for realizing the realities of today’s web application security landscape,

this book explores the latest vulnerabilities as well as exploitation techniques and tradecraft being

deployed against those vulnerabilities. This book is a valuable read for both the aspiring engineer

who is looking for the first foray into the world of web application security and the seasoned

application-security, penetration-testing expert who wants to keep abreast of current techniques.”

—Chad Greene

Director, eBay Global Information Security

“As our businesses push more of their information and commerce to their customers through web applications, the confidentiality and integrity of these transactions is our fundamental, if not
mandatory, responsibility. Hacking Exposed Web Applications provides a comprehensive blueprint for

application developers and security professionals charged with living up to this responsibility. The

authors’ research, insight, and 30+ years as information security experts, make this an invaluable

resource in the application and information protection toolkit. Great Stuff!”

—Ken Swanson

CISM, IS Business Solution Manager, regionally based P&C insurance company

“This book is so much more than the authoritative primer on web application security; it’s also an

opportunity to accompany the foremost industry experts in an apprenticeship that even seasoned

professionals will enjoy.”

—Andrew Stravitz, CISSP

Director of Information Security, Barnes & Noble.com

“A very timely reference, as cloud computing continues to expand into the enterprise and web

security emerges as the new battleground for attackers and defenders alike. This comprehensive

text is the definitive starting point for understanding the contemporary landscape of threats and

mitigations to web applications. Particularly notable for its extensive treatment of identity

management, marking the first time that challenges around authentication have been surveyed

in-depth and presented in such an accessible fashion.”

—Cem Paya

Google Security Team


HACKING EXPOSED™

WEB APPLICATIONS:

WEB APPLICATION SECURITY

SECRETS AND SOLUTIONS

THIRD EDITION

JOEL SCAMBRAY

VINCENT LIU

CALEB SIMA

New York Chicago San Francisco

Lisbon London Madrid Mexico City

Milan New Delhi San Juan

Seoul Singapore Sydney Toronto


Copyright © 2011 by Joel Scambray. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of

this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the

prior written permission of the publisher.

ISBN: 978-0-07-174042-5

MHID: 0-07-174042-2

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174064-7,

MHID: 0-07-174064-3.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked

name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the

trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training

programs. To contact a representative please e-mail us at [email protected].

Trademarks: McGraw-Hill, the McGraw-Hill Publishing logo, Hacking ExposedTM, and related trade dress are trademarks or registered

trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without

written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with

any product or vendor mentioned in this book.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or

mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of

any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGrawHill”) and its licensors reserve all rights in and to the work.

Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy

of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,

distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the

work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be

terminated if you fail to comply with these terms.

THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS

TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK,

INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE,

AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant

or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free.

Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in

the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through

the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility

of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract,

tort or otherwise.


Hacking Exposed,

6th Edition

Hacking Exposed

Malware & Rootkits

Hacking Exposed Computer

Forensics, 2nd Edition

24 Deadly Sins of

Software Security

Gray Hat Hacking,

2nd Edition

Hacking Exposed

Wireless

Hacking Exposed

VoIP

IT Auditing: Using Controls to

Protect Information Assets

Hacking Exposed

Linux, 3rd Edition

Hacking Exposed

Windows, 3rd Edition

Hacking Exposed

Web 2.0

Hacking Exposed:

Web Applications, 2nd Edition


To Jane, thanks for getting Hacking Exposed off the ground and sustaining it for

so many years.

—Joel

To Heather, for keeping me laughing and smiling through it all.

—Vinnie

To my Mom and Dad (thanks for putting up with me), my brothers Jonathon, RJ,

and Andrew, and my sister Emily. Finally, to all the people of SPI who changed

my life and helped build a great company.

—Caleb


ABOUT THE AUTHORS

Joel Scambray

Joel Scambray is co-founder and CEO of Consciere, provider of strategic security

advisory services. He has assisted companies ranging from newly minted startups

to members of the Fortune 50 to address information security challenges and

opportunities for over a dozen years.

Joel’s background includes roles as an executive, technical consultant, and

entrepreneur. He has been a Senior Director at Microsoft Corporation, where he

led Microsoft’s online services security efforts for three years before joining the Windows

platform and services division to focus on security technology architecture. Joel also co-founded security software and services startup Foundstone, Inc., and helped lead it to

acquisition by McAfee for $86M. He previously held positions as a manager for Ernst &

Young, a security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine,

and director of IT for a major commercial real-estate firm.

Joel is widely recognized as co-author of Hacking Exposed: Network Security Secrets and

Solutions, the international best-selling computer security book that first appeared in

1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web

Applications series.

He has spoken widely on information security at forums including Black Hat, I-4,

INTERFACE, and The Asia Europe Meeting (ASEM), as well as organizations including

IANS, CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private

corporations, and government agencies such as the Korean Information Security Agency

(KISA), FBI, and the RCMP.

Joel holds a BS from the University of California at Davis, an MA from UCLA, and he

is a Certified Information Systems Security Professional (CISSP).

Vincent Liu

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu. Before founding Stach &

Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the

Global Security unit at Honeywell International. Prior to that, he was a consultant

with the Ernst & Young Advanced Security Centers and an analyst at the National

Security Agency. Vincent is a sought-after speaker and has presented his research

at conferences, including Black Hat, ToorCon, and Microsoft BlueHat. Vincent

holds a Bachelor of Science and Engineering from the University of Pennsylvania with a

major in Computer Science and Engineering and a minor in Psychology.

Caleb Sima

Caleb Sima is the CEO of Armorize Technologies, the Santa Clara–based provider

of integrated Web application security solutions. He previously founded SPI

Dynamics in 2000 and, as CTO, oversaw the development of WebInspect, a

solution that set the bar in Web application security testing tools. When Hewlett-Packard (HP) acquired SPI Dynamics in 2007, Sima took on the role of Chief

Technologist at HP’s Application Security Center, where he directed the company’s

security solutions’ lifecycles and spearheaded development of its cloud-based security

service. In this role, he also managed a team of accomplished security experts who

successfully identified new security threats and devised advanced countermeasures.

Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems’ elite

X-Force research and development team where he drove enterprise security assessments

for the company. A thought leader and technical visionary in the web application security

field, Sima holds five patents on web security technology and has co-authored textbooks

on the subject, is a frequent media contributor, and regularly speaks at key industry

conferences such as RSA and Black Hat. He is a member of ISSA and is one of the

founding visionaries of the Application Vulnerability Description Language (AVDL)

standard within OASIS, as well as a founding member of the Web Application Security

Consortium (WASC).

ABOUT THE CONTRIBUTING AUTHORS

Hernan Ochoa is a security consultant and researcher with over 14 years of professional

experience. Hernan began his professional career in 1996 with the creation of Virus

Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus

application with heuristics to detect polymorphic viruses. Hernan also developed a

detailed technical virus information database and companion newsletter. He joined

Core Security Technologies in 1999 and worked there for 10 years in various roles,

including security consultant and exploit writer. As an exploit writer, he performed

diverse types of security assessments, developed methodologies, shellcode, and security

tools, and contributed new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system that was ultimately deployed

at a financial institution, and he served as “technical lead” for ongoing development and

support of the multi-OS system. Hernan has published a number of security tools,

including Universal Hooker (runtime instrumentation using dynamic handling routines

written in Python), Pass-The-Hash Toolkit for Windows, and WifiZoo. He is currently

working as a security consultant/researcher at Amplia Security, performing network,

wireless, and web applications penetration tests; standalone/client-server application

black-box assessments; source code audits; reverse engineering; vulnerability analysis;

and other information security–related services.

Justin Hays is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu,

Justin served as an enterprise support engineer for PTC Japan where his responsibilities

included application debugging, reverse engineering, and mitigating software defects

in PTC’s flagship Windchill enterprise server J2EE software. Prior to PTC, Justin held a

software development position with Lexmark, Inc., where he designed and implemented

web application software in support of internal IT operations. Justin holds a BS from the

University of Kentucky with a major in Computer Science and a minor in Mathematics.


Carl Livitt is a Managing Security Associate at Stach & Liu. Prior to joining Stach & Liu,

Carl led the network security services group for a well-respected UK security company

and provided network security consultancy for several of the largest pharmaceutical

companies in the world. Carl has also worked with UK police counterterrorism units,

lecturing on technological security issues to specialist law-enforcement agencies.

Rob Ragan is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Rob

served as a software engineer at Hewlett-Packard’s Application Security Center, where

he developed web application security testing tools and conducted application

penetration testing. Rob actively conducts web application security research and has

presented at Black Hat, Defcon, InfoSec World, and Outerz0ne. Rob holds a BS from

Pennsylvania State University with a major in Information Sciences and Technology and

a focus on System Development.

About the Technical Editor

Robert Hensing is a Senior Consultant at Microsoft, where he has worked in various

security roles for over 12 years. Robert previously worked with the Microsoft Security

Response Center with a focus on providing root cause analysis and identifying mitigations

and workarounds for security vulnerabilities to help protect customers from attacks.

Prior to working on the MSRC Engineering team, Robert was a senior member of the

Customer Support Services Security team, where he helped customers with incident

response–related investigations. Robert was also a contributing author on Hacking

Exposed Windows: Windows Security Secrets and Solutions, Third Edition.


AT A GLANCE

▼ 1 Hacking Web Apps 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

▼ 3 Hacking Web Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 123

▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

▼ 7 Attacking XML Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

▼ 8 Attacking Web Application Management . . . . . . . . . . . . . . . . . 295

▼ 9 Hacking Web Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

▼ 10 The Enterprise Web Application Security Program . . . . . . . . . 371

▼ A Web Application Security Checklist . . . . . . . . . . . . . . . . . . . . . . 413

▼ B Web Hacking Tools and Techniques Cribsheet . . . . . . . . . . . . . 419

▼ Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429


CONTENTS

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

▼ 1 Hacking Web Apps 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

What Is Web Application Hacking? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

GUI Web Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

URI Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Methods, Headers, and Body . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Authentication, Sessions, and Authorization . . . . . . . . . . . . . . . . . . . . 6

The Web Client and HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Other Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Why Attack Web Applications? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Who, When, and Where? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Weak Spots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

How Are Web Apps Attacked? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

The Web Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Browser Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

HTTP Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Command-line Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Older Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

▼ 2 Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Infrastructure Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Footprinting and Scanning: Defining Scope . . . . . . . . . . . . . . . . . . . . . 32

Basic Banner Grabbing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Advanced HTTP Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Infrastructure Intermediaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38


Application Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Manual Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Search Tools for Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Automated Web Crawling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Common Web Application Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

General Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

A Cautionary Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Protecting Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Protecting include Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Miscellaneous Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

▼ 3 Hacking Web Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Point-and-Click Exploitation Using Metasploit . . . . . . . . . . . . . . . . . . . . . . . . 89

Manual Exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Evading Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Web Platform Security Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Common Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

IIS Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Apache Hardening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

PHP Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

▼ 4 Attacking Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Web Authentication Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Username/Password Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Strong(er) Web Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Web Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Bypassing Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Token Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Cross-site Request Forgery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Client-side Piggybacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Some Final Thoughts: Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

▼ 5 Attacking Web Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Fingerprinting Authz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Crawling ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Identifying Access Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Analyzing Session Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172


Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Role Matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Attacking ACLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Attacking Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Manual Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Automated Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Capture/Replay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Session Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Authorization Attack Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Horizontal Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Vertical Privilege Escalation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Differential Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

When Encryption Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Using cURL to Map Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Authorization Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Web ACL Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Web Authorization/Session Token Security . . . . . . . . . . . . . . . . . . . . . 214

Security Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

▼ 6 Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Expect the Unexpected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Where to Find Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

Bypass Client-Side Validation Routines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Common Input Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Canonicalization (dot-dot-slash) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

HTML Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Boundary Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Manipulate Application Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

XPATH Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

LDAP Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Custom Parameter Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Log Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Command Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Encoding Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

PHP Global Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Common Side-effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Common Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

References & Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
