Whether it's petty defacing or full-scale cyber-robbery, hackers are moving to the web along with everyone else. In this text, security experts Stuart McClure, co-author of "Hacking Exposed", Saumil Shah and Shreeraj Shah uncover the latest web attacks and defences.
Features include: Overview of the Web and what hackers go after Complete Web application security methodologies Detailed analysis of hack techniques Countermeasures What to do at development time to eliminate vulnerabilities New case studies and eye-opening attack scenarios Advanced Web hacking concepts, methodologies, and tools "How Do They Do It?" sections show how and why different attacks succeed, including: Cyber graffiti and Web site defacements e-Shoplifting Database access and Web applications Java application servers; how to harden your Java Web Server Impersonation and session hijacking Buffer overflows, the most wicked of attacks Automated attack tools and wormsAppendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks. 0201761769B07192002
, President/CTO, Foundstone, Inc., brings over 12 years of IT and security experience to Foundstone. Stuart is a successful security author, speaker, and teacher whose writings have been translated into dozens of languages around the world.
Stuart is the lead author of the best-selling security book Hacking Exposed: Network Security Secrets and Solutions, which has been translated into 19 languages, and has received critical acclaim around the world. In addition, it was ranked the #4 computer book sold on Amazon in 2001, positioning it as the best selling security book ever sold.
Prior to co-founding Foundstone, Stuart was a Senior Manager with Ernst & Young's National Security Profiling Team responsible for project management, attack and penetration reviews, and security technology evaluations. Prior to Ernst & Young, Stuart was a Security Analyst for the InfoWorld Test Center where he covered the security industry and evaluated over 100 network and security products specializing in firewalls, security auditing, intrusion detection, and public key infrastructure (PKI). Prior to InfoWorld, Stuart was the IT manager for State and Local Governments, supporting Novell, NT, Solaris, AIX, and AS/400 platforms.
Stuart holds a B.A. degree from the University of Colorado, Boulder and numerous certifications including ISC2's CISSP, Novell's CNE, and Check Point's CCSE.
Saumil continues to lead the efforts in e-commerce security research at Net-Square. His focus is on researching vulnerabilities with various e-commerce and Web-based application systems. Saumil also provides information security consulting services to Net-Square clients, specializing in ethical hacking and security architecture. He holds a designation of Certified Information Systems Security Professional. Saumil has had more than eight years experience with system administration, network architecture, integrating heterogenous platforms and information security, and has perfomed numerous ethical hacking exercises for many significant companies in the IT area. Saumil is a regular speaker at security conferences such as BlackHat, RSA, etc.
Previously, Saumil was the Director of Indian Operations for Foundstone Inc, where he was instrumental in developing their Web application security assessment methodology, the Web assessment component of FoundScan--Foundstone's Managed Security Services software and was instrumental in pioneering Foundstone's Ultimate Web Hacking training class.
Prior to joining Foundstone, Saumil was a senior consultant with Ernst & Young, where he was responsible for the company's ethical hacking and security architecture solutions. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant and is currently a visiting faculty member there.
Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. At Purdue, he was a research assistant in the COAST (Computer Operations, Audit and Security Technology) laboratory. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is also the author of The Anti-Virus Book (Tata McGraw-Hill, 1996).
Shreeraj leads the software development and research arm of Net-Square. His role is to develop new methodologies for Web application security assessment and defense. In the past, he has been involved in several Web application assessment projects, protocol analysis, code reviews, ethical Web hacking, etc. He has also been a speaker at RSA and BlackHat.
Shreeraj has vast experience in the fields of security, application development, and network administration in addition to his strong technical background, client management skills, project management, and research methodologies. He was a member of the core development team for the Web application assessment engine at Foundstone. Shreeraj also worked with Chase Manhattan Bank in their middleware application division. Prior to joining Chase, Shreeraj worked with IBM's Domino Application Server team.
Shreeraj graduated from Marist College with a master's degree in computer science. He received his MBA at the Nirma Institute of Managment, India. He got his bachelor's degree in instrumentation and controls engineering from Gujarat University, India. Shreeraj has also authored quite a few white papers during his academic period both in India and USA.
(NOTE: Each chapter begins with an Introduction and concludes with a Summary.
“We're Secure, We Have a Firewall”.
To Err Is Human.
Writing on the Wall.
A Final Word.
I. THE E-COMMERCE PLAYGROUND. Case Study: Acme Art, Inc. Hacked!
1. Web Languages: The Babylon of the 21st Century.
Languages of the Web.
Dynamic HTML (DHTML).
Active Server Pages.
Java. 2. Web and Database Servers.
Microsoft's Internet Information Server (IIS).
Microsoft SQL Server.
Oracle. 3. Shopping Carts and Payment Gateways.
Evolution of the Storefront.
Shopping Cart Systems.
Scope and Lifetime of an Electronic Shopping Cart.
Collecting, Analyzing, and Comparing Selected Components.
Keeping Track of the Total Cost.
Change of Mind.
Processing the Purchase.
Implementation of a Shopping Cart Application.
Integration with the Payment Gateway.
Examples of Poorly Implemented Shopping Carts.
Carello Shopping Cart.
DCShop Shopping Cart.
Hassan Consulting's Shopping Cart.
Cart32 and Several Other Shopping Carts.
Finalizing the Order.
Method of Payment.
Verification and Fraud Protection.
Order Fulfillment and Receipt Generation.
Overview of the Payment Processing System.
Innovative Ways to Combat Credit Card Fraud.
Order Confirmation Page.
Payment Gateway Interface.
Transaction Database Interface.
Interfacing with a Payment Gateway—An Example.
Payment System Implementation Issues.
Storing User Profiles.
Vulnerabilities Caused by Poor Integration of Shopping Cart and Payment Gateway.
PayPal—Enabling Individuals to Accept Electronic Payments. 4. HTTP and HTTPS: The Hacking Protocols.
Protocols of the Web.
HTTPS (HTTP over SSL). 5. URL: The Web Hacker's Sword.
Web Hacker Psychology.
URLs and Parameter Passing.
Specifying Special Characters on the URL String.
Meta-Characters and Input Validation.
The Acme Art, Inc. Hack.
Abusing URL Encoding.
Unicode Encoding and Code Red's Shell Code.
The Double-Decode or Superfluous Decode Vulnerability.
Anatomy of an HTML Form.
Parameter Passing Via GET and POST.
II. URLS UNRAVELED. Case Study: Reconnaissance Leaks Corporate Assets.
6. Web: Under (the) Cover.
The Components of a Web Application.
The Front-End Web Server.
The Web Application Execution Environment.
The Database Server.
Wiring the Components.
The Native Application Processing Environment.
Web Server APIs and Plug-Ins.
URL Mapping and Internal Proxying.
Proxying with a Back-End Application Server.
Connecting with the Database.
The Craftiest Hack of Them All.
Using Native Database APIs.
Specialized Web Application Servers.
Identifying Web Application Components from URLs.
The Basics of Technology Identification.
Advanced Techniques for Technology Identification.
Identifying Database Servers.
Rule 1: Minimize Information Leaked from the HTTP Header.
Rule 2: Prevent Error Information from Being Sent to the Browser. 7. Reading Between the Lines.
Information Leakage Through HTML.
What the Browsers Don't Show You .
Netscape Navigator—View Page Source.
Internet Explorer—View Source.
Clues to Look For.
Developer or Author Details.
Cross-References to Other Areas of the Web Application.
Reminders and Placeholders.
Comments Inserted by Web Application Servers.
Old “Commented-Out” Code.
Internal and External Hyperlinks.
E-mail Addresses and Usernames.
UBE, UCE, Junk Mail, and Spam.
Keywords and Meta Tags.
Automated Source Sifting Techniques.
Sam Spade, Black Widow, and Teleport Pro. 8. Site Linkage Analysis.
HTML and Site Linkage Analysis.
Site Linkage Analysis Methodology.
Step 1: Crawling the Web Site .
Crawling a Site Manually.
A Closer Look at the HTTP Response Header.
Some Popular Tools for Site Linkage Analysis.
Crawlers and Redirection.
Step 2: Creating Logical Groups Within the Application Structure.
Step 3: Analyzing Each Web Resource.
1. Extension Analysis.
2. URL Path Analysis.
3. Session Analysis.
4. Form Determination.
5. Applet and Object Identification.
6. Client-Side Script Evaluation.
7. Comment and E-Mail Address Analysis.
Step 4: Inventorying Web Resources.
III. HOW DO THEY DO IT? Case Study: How Boris Met Anna's Need for Art Supplies.
9. Cyber Graffiti.
Defacing Acme Travel, Inc.'s Web Site.
Mapping the Target Network.
Throwing Proxy Servers in Reverse.
Brute Forcing HTTP Authentication.
Uploading the Defaced Pages.
What Went Wrong?
HTTP Brute-Forcing Tools.
Countermeasures Against the Acme Travel, Inc. Hack.
Turning Off Reverse Proxying.
Using Stronger HTTP Authentication Passwords.
Turning off Directory Browsing. 10. E-Shoplifting.
Building an Electronic Store.
The Store Front-End.
The Shopping Cart.
The Checkout Station.
Putting It All Together.
Evolution of Electronic Storefronts.
Robbing Acme Fashions, Inc.
Setting Up Acme's Electronic Storefront.
Tracking Down the Problem.
Bypassing Client-Side Validation.
Using Search Engines to Look for Hidden Fields.
Facing a New Problem with the Overhauled System.
Postmortem and Further Countermeasures.
Shopping Carts with Remote Command Execution. 11. Database Access.
Direct SQL Attacks.
A Used Car Dealership Is Hacked.
Countermeasures. 12. Java: Remote Command Execution.
Architecture of Java Application Servers.
Attacking a Java Web Server.
Identifying Loopholes in Java Application Servers.
Example: Online Stock Trading Portal.
Harden the Java Web Server.
Other Conceptual Countermeasures. 13. Impersonation.
Session Hijacking: A Stolen Identity and a Broken Date.
March 5, 7:00 A.M.—Alice's Residence.
8:30 A.M.—Alice's Workplace.
10:00 A.M.—Bob's Office.
11:00 A.M.—Bob's Office.
12:30 P.M.—Alice's Office.
9:30 P.M.-Bertolini's Italian Cuisine.
Postmortem of the Session Hijacking Attack.
Application State Diagrams.
HTTP and Session Tracking.
Stateless Versus Stateful Applications.
Cookies and Hidden Fields.
Cookie Control, Using Netscape on a Unix Platform.
Implementing Session and State Tracking.
Session Identifiers Should Be Unique.
Session Identifiers Should Not Be “Guessable”.
Session Identifiers Should Be Independent.
Session Identifiers Should Be Mapped with Client-Side Connections. 14. Buffer Overflows: On-the-Fly.
Buffer Overflow: Its Simplest Form.
Buffer Overflow: An Example.
IV. ADVANCED WEB KUNG FU. Case Study.
15. Web Hacking: Automated Tools.
Security Recommendations. 16. Worms.
Code Red Worm.
January 26, 2000.
June 18, 2001: The First Attack.
July 12, 2001.
July 19, 2001.
August 4, 2001.
Combatting Worm Evolution.
React and Respond. 17. Beating the IDS.
Getting Past an IDS.
Secure Hacking-Hacking Over SSL.
Tunneling Attacks via SSL.
Intrusion Detection via SSL.
Sniffing SSL Traffic.
Illegal Unicode/Superfluous Encoding.
Adding Fake Paths.
Inserting Slash-Dot-Slash Strings.
Using Nonstandard Path Separators.
Using Multiple Slashes.
Mixing Various Techniques.
Generating False Positives.
IDS Evasion in Vulnerability Checkers.
URL Decoding. Appendix A: Web and Database Port Listing.Appendix B: HTTP/1.1 and HTTP/1.0 Method and Field Definitions.Appendix C: Remote Command Execution Cheat Sheet.Appendix D: Source Code, File, and Directory Disclosure Cheat Sheet.Appendix E: Resources and Links.Appendix F: Web-Related Tools.Index. 0201761769T07312002