Web Hacking: Attacks and Defense
by Stuart McClure, Saumil Shah, Shreeraj Shah
Released August 2002
Publisher(s): Addison-Wesley Professional
ISBN: 9780201761764
Book Description
“Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line…”
–From the Foreword by William C. Boni, Chief Information Security Officer, Motorola
“Just because you have a firewall and IDS sensor does not mean you are secure; this book shows you why.”
–Lance Spitzner, Founder, The Honeynet Project
Whether it’s petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
Features include:
Overview of the Web and what hackers go after
Complete Web application security methodologies
Detailed analysis of hack techniques
Countermeasures
What to do at development time to eliminate vulnerabilities
New case studies and eye-opening attack scenarios
Advanced Web hacking concepts, methodologies, and tools
“How Do They Do It?” sections show how and why different attacks succeed, including:
Cyber graffiti and Web site defacements
e-Shoplifting
Database access and Web applications
Java™ application servers; how to harden your Java™ Web Server
Impersonation and session hijacking
Buffer overflows, the most wicked of attacks
Automated attack tools and worms
Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.
Web Hacking informs from the trenches. Experts show you how to connect the dots–how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
https://www.helpnetsecurity.com/2002/08/22/web-hacking-attacks-and-defense/
https://www.helpnetsecurity.com/2002/10/15/interview-with-saumil-shah-security-researcher/
TOC
Copyright
Dedication
Foreword
Introduction
“We’re Secure, We Have a Firewall”
To Err Is Human
Writing on the Wall
Book Organization
Parts
Chapters
A Final Word
Acknowledgments
Contributor
- The E-Commerce Playground
- Web Languages: The Babylon of the 21st Century
Introduction
Languages of the Web
HTML
Dynamic HTML (DHTML)
XML
XHTML
Perl
PHP
ColdFusion
ColdFusion Application Server
ColdFusion Markup Language
ColdFusion Studio
Active Server Pages
Database Connectivity
ConnectionString
ActiveX
ASP Summary
CGI
Environmental Variables
Server-Side Includes (SSI): HTML and SHTML
Microsoft’s IIS Web Server and SSI
Java
Client-Based Java
Applets
Java Scripting Languages
JavaScript
Jscript
Server-Based Java
Java Server Pages (JSP)
Database Connectivity
Source Code Disclosure
Case Sensitivity
Forcing Default Handlers
Arbitrary Command Execution
JHTML
Source Code Disclosure
Forcing Default Handlers
Case Sensitivity
Summary
- Web and Database Servers
Introduction
Web Servers
Apache
Virtual Hosts
Name-Based Mechanism
IP-Based Mechanism
UNIX IP Aliasing
Server Side Includes
CGI
ScriptAlias
Handlers
Microsoft’s Internet Information Server (IIS)
ISAPI Applications
Virtual Directories
Sample Files
Virtual Hosts
Secondary IP Addresses
Multiple Web Sites
Database Servers
SQL Poisoning
Data Producing
Error Producing
SQL Commands
Microsoft SQL Server
Default Stored Procedures
Default Databases
Default System Tables
Default System and Meta-Data Functions
Information Schema Views
Passwords
Microsoft SQL Server Summary
Oracle
System Tables
Passwords
Privileges
Oracle Listener
Status Request
Summary
- Shopping Carts and Payment Gateways
Introduction
Evolution of the Storefront
Electronic Shopping
Shopping Cart Systems
Scope and Lifetime of an Electronic Shopping Cart
Collecting, Analyzing, and Comparing Selected Components
Keeping Track of the Total Cost
Change of Mind
Processing the Purchase
Implementation of a Shopping Cart Application
Product Catalog
Session Management
Database Interfacing
Integration with the Payment Gateway
Examples of Poorly Implemented Shopping Carts
Carello Shopping Cart
DCShop Shopping Cart
Hassan Consulting’s Shopping Cart
Cart32 and Several Other Shopping Carts
Processing Payments
Finalizing the Order
Method of Payment
Verification and Fraud Protection
Order Fulfillment and Receipt Generation
Overview of the Payment Processing System
Order Confirmation Page
Payment Gateway Interface
Transaction Database Interface
Interfacing with a Payment Gateway—An Example
Payment System Implementation Issues
Integration
Temporary Information
SSL
Storing User Profiles
PayPal—Enabling Individuals to Accept Electronic Payments
Summary
- HTTP and HTTPS: The Hacking Protocols
Introduction
Protocols of the Web
HTTP
HTTP/0.9
HTTP/1.0
HTTP Request
HTTP Response
Response Code
Header Fields
Data
HTTP/1.1
HTTP Request
HTTP Response
Response Codes
Header Fields
HTTPS (HTTP over SSL)
Summary
- URL: The Web Hacker’s Sword
Introduction
URL Structure
URLs and Parameter Passing
URL Encoding
Meta-Characters
Specifying Special Characters on the URL String
Unicode Encoding
Abusing URL Encoding
Unicode Vulnerability
The Double-Decode or Superfluous Decode Vulnerability
HTML Forms
Anatomy of an HTML Form
Input Elements
Parameter Passing Via GET and POST
Summary
- URLs Unraveled
- Web: Under (the) Cover
Introduction
The Components of a Web Application
The Front-End Web Server
The Web Application Execution Environment
The Database Server
Wiring the Components
The Native Application Processing Environment
Web Server APIs and Plug-Ins
URL Mapping and Internal Proxying
Proxying with a Back-End Application Server
Examples
Interfacing PHP3 with Apache
Interfacing ServletExec as an Apache DSO
Interfacing ServletExec as an ISAPI Extension to Microsoft IIS
Interfacing IIS and Domino Servers with Netscape Enterprise Server
Connecting with the Database
Using Native Database APIs
Examples
Calling the SQL Server from Active Server Pages
Calling Oracle 8i from PHP
Using ODBC
Using JDBC
Specialized Web Application Servers
Identifying Web Application Components from URLs
The Basics of Technology Identification
Examples
URL: http://www1.example.com/homepage.nsf?Open
URL: http://www2.example.com/software/buy.jhtml;jsessionid=ZYQFN5WHKORD5QFIAE0SFFGAVAAUIIV0
URL: http://www3.example.com/cgi-bin/ncommerce3/ExecMacro/webstore/home.d2w/report
URL: http://www4.example.com/category.jsp?id=21&StoreSession=PC1qNwwm0xqCFOWHZcYxZaZ21laYQEfOetnSjrYtrsxSC1V7b|3886513130244820/167838525/6/7001/7001/7002/7002/7001/-1
URL: http://www5.example.com/site/index/0,10017,2578,00.html
More Examples
URL: http://www6.example.com/report.cgi?page=3
URL: http://www7.example.com/ui/Login.jsp
Advanced Techniques for Technology Identification
Examples
URL: http://www8.example.com/webapp/wcs/stores/servlet/Display?storeId=10001&langId=-1&catalogId=10001&categoryId=10052&clearance=0&catTree=10052
URL: https://www9.example.com/OA_HTML/store.jsp?section=101&prod_ses=j=4081:Guest:US:jtfpfalse:jtfpi-1:671:504:75123zv=75123zs=tzp=504zo=2zm=101zj=Guest~zi=504
Identifying Database Servers
Countermeasures
Rule 1: Minimize Information Leaked from the HTTP Header
Rule 2: Prevent Error Information from Being Sent to the Browser
Summary
- Reading Between the Lines
Introduction
Information Leakage Through HTML
What the Browsers Don’t Show You
Netscape Navigator—View | Page Source
Internet Explorer—View | Source
Clues to Look For
HTML Comments
Revision History
Developer or Author Details
Cross-References to Other Areas of the Web Application
Reminders and Placeholders
Comments Inserted by Web Application Servers
Old “Commented-Out” Code
Internal and External Hyperlinks
E-Mail Addresses and Usernames
UBE, UCE, Junk Mail, and Spam
Keywords and Meta Tags
Hidden Fields
Client-Side Scripts
Automated Source Sifting Techniques
Using wget
Using grep
Sam Spade, Black Widow, and Teleport Pro
Summary
- Site Linkage Analysis
Introduction
HTML and Site Linkage Analysis
Site Linkage Analysis Methodology
Step 1: Crawling the Web Site
Crawling a Site Manually
A Closer Look at the HTTP Response Header
Some Popular Tools for Site Linkage Analysis
GNU wget
BlackWidow from SoftByteLabs
Funnel Web Profiler from Quest Software
Step-1 Wrap-Up
Step 2: Creating Logical Groups Within the Application Structure
Step-2 Wrap-Up
Step 3: Analyzing Each Web Resource
- Extension Analysis
- URL Path Analysis
- Session Analysis
- Form Determination
- Applet and Object Identification
- Client-Side Script Evaluation
- Comment and E-Mail Address Analysis
Step-3 Wrap-Up
Step 4: Inventorying Web Resources
Summary
- How Do They Do It?
- Cyber Graffiti
Introduction
Defacing Acme Travel, Inc.’s Web Site
Mapping the Target Network
Throwing Proxy Servers in Reverse
Brute Forcing HTTP Authentication
Directory Browsing
Uploading the Defaced Pages
What Went Wrong?
HTTP Brute-Forcing Tools
Brutus
WebCracker 4.0
Countermeasures Against the Acme Travel, Inc. Hack
Turning Off Reverse Proxying
Using Stronger HTTP Authentication Passwords
Turning off Directory Browsing
Summary
- E-Shoplifting
Introduction
Building an Electronic Store
The Store Front-End
The Shopping Cart
The Checkout Station
The Database
Putting It All Together
Evolution of Electronic Storefronts
Robbing Acme Fashions, Inc.
Setting Up Acme’s Electronic Storefront
Tracking Down the Problem
The Hidden Dangers of Hidden Fields
Bypassing Client-Side Validation
Overhauling www.acme-fashions.com
Facing a New Problem with the Overhauled System
Remote Command Execution
Postmortem and Further Countermeasures
Summary
- Database Access
Introduction
A Used Car Dealership Is Hacked
Input Validation
Countermeasures
Summary
- Java: Remote Command Execution
Introduction
Java-Driven Technology
Architecture of Java Application Servers
Attacking a Java Web Server
Identifying Loopholes in Java Application Servers
Example: Online Stock Trading Portal
WebLogic Servlets and Handlers
Application Handlers and Invokers
Invoking FileServlet
Invoking SSIServlet
Invoking the JSPServlet and Forcing It to Compile html/txt
Countermeasures
Harden the Java Web Server
Other Conceptual Countermeasures
Isolate System Core Servlets from Application Servlets
Prohibit Execution of Unregistered Servlets
Bind Servlets to Resource Types
Validate Input Thoroughly
Disable Direct Application Servlet Invocation
Unregister All Unused and Example Servlets
Summary
- Impersonation
Introduction
Session Hijacking: A Stolen Identity and a Broken Date
March 5, 7:00 A.M.—Alice’s Residence
8:30 A.M.—Alice’s Workplace
10:00 A.M.—Bob’s Office
11:00 A.M.—Bob’s Office
12:30 P.M.—Alice’s Office
9:30 P.M.—Bertolini’s Italian Cuisine
Session Hijacking
Postmortem of the Session Hijacking Attack
Application State Diagrams
HTTP and Session Tracking
Stateless Versus Stateful Applications
Cookies and Hidden Fields
Cookies
Hidden Fields
Implementing Session and State Tracking
Session Identifiers Should Be Unique
Session Identifiers Should Not Be “Guessable”
Session Identifiers Should Be Independent
Session Identifiers Should Be Mapped with Client-Side Connections
Summary
- Buffer Overflows: On-the-Fly
Introduction
Example
Buffer Overflows
Buffer Overflow: Its Simplest Form
Assembly Language in a Nutshell
General Purpose Registers
Pointer (a.k.a. Index) Registers
The Stack
Assembler Instructions
Tracking the Rogue Bytes
Buffer Overflow: An Example
Disassembly
Blind Stress Testing
Postmortem Countermeasures
Summary
- Advanced Web Kung Fu
- Web Hacking: Automated Tools
Introduction
Netcat
Whisker
Brute Force
Brutus
Achilles
Cookie Pal
Teleport Pro
Security Recommendations
Summary
- Worms
Introduction
Code Red Worm
January 26, 2000
June 18, 2001: The First Attack
July 12, 2001
The Details
July 19, 2001
August 4, 2001
Nimda Worm
September 18, 2001
Network Shares—Nimda Also Has the Ability to Spread via Misconfigured or Insecure Network Shares
The Details
Combatting Worm Evolution
React and Respond
Summary
- Beating the IDS
Introduction
IDS Basics
Network IDSs
Host-Based IDSs
IDS Accuracy
Getting Past an IDS
Secure Hacking—Hacking Over SSL
Example
Tunneling Attacks via SSL
Intrusion Detection via SSL
Sniffing SSL Traffic
Polymorphic URLs
Hexadecimal Encoding
Illegal Unicode/Superfluous Encoding
Adding Fake Paths
Inserting Slash-Dot-Slash Strings
Using Nonstandard Path Separators
Using Multiple Slashes
Mixing Various Techniques
Generating False Positives
Potential Countermeasures
SSL Decryption
URL Decoding
Summary
A. Web and Database Port Listing
B. HTTP/1.1 and HTTP/1.0 Method and Field Definitions
C. Remote Command Execution Cheat Sheet
D. Source Code, File, and Directory Disclosure Cheat Sheet
E. Resources and Links
F. Web-Related Tools
https://books.google.co.in/books/about/Web_Hacking.html?id=WD6s5DwfLSsC&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false