Hackers of India

Web Hacking: Attacks and Defense

 Saumil Shah   Shreeraj Shah  , Stuart MC Clure 

2002/08/18

Abstract

Web Hacking: Attacks and Defense by Stuart McClure, Saumil Shah, Shreeraj Shah Released August 2002 Publisher(s): Addison-Wesley Professional ISBN: 9780201761764

Book Description “Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line…” –From the Foreword by William C. Boni, Chief Information Security Officer, Motorola

“Just because you have a firewall and IDS sensor does not mean you aresecure; this book shows you why.” –Lance Spitzner, Founder, The Honeynet Project

Whether it’s petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.

Features include:

Overview of the Web and what hackers go after

Complete Web application security methodologies

Detailed analysis of hack techniques

Countermeasures

What to do at development time to eliminate vulnerabilities

New case studies and eye-opening attack scenarios

Advanced Web hacking concepts, methodologies, and tools

“How Do They Do It?” sections show how and why different attacks succeed, including:

Cyber graffiti and Web site defacements

e-Shoplifting

Database access and Web applications

Java™ application servers; how to harden your Java™ Web Server

Impersonation and session hijacking

Buffer overflows, the most wicked of attacks

Automated attack tools and worms

Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.

Web Hacking informs from the trenches. Experts show you how to connect the dots–how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.

0201761769B07192002

https://www.helpnetsecurity.com/2002/08/22/web-hacking-attacks-and-defense/

https://www.helpnetsecurity.com/2002/10/15/interview-with-saumil-shah-security-researcher/

TOC

Copyright Dedication Foreword Introduction “We’re Secure, We Have a Firewall” To Err Is Human Writing on the Wall Book Organization Parts Chapters A Final Word Acknowledgments Contributor

  1. The E-Commerce Playground
  2. Web Languages: The Babylon of the 21st Century Introduction Languages of the Web HTML Dynamic HTML (DHTML) XML XHTML Perl PHP ColdFusion ColdFusion Application Server ColdFusion Markup Language ColdFusion Studio Active Server Pages Database Connectivity ConnectionString ActiveX ASP Summary CGI Environmental Variables Server-Side Includes (SSI): HTML and SHTML Microsoft’s IIS Web Server and SSI Java Client-Based Java Applets Java Scripting Languages JavaScript Jscript Server-Based Java Java Server Pages (JSP) Database Connectivity Source Code Disclosure Case Sensitivity Forcing Default Handlers Arbitrary Command Execution JHTML Source Code Disclosure Forcing Default Handlers Case Sensitivity Summary
  3. Web and Database Servers Introduction Web Servers Apache Virtual Hosts Name-Based Mechanism IP-Based Mechanism UNIX IP Aliasing Server Side Includes CGI ScriptAlias Handlers Microsoft’s Internet Information Server (IIS) ISAPI Applications Virtual Directories Sample Files Virtual Hosts Secondary IP Addresses Multiple Web Sites Database Servers SQL Poisoning Data Producing Error Producing SQL Commands Microsoft SQL Server Default Stored Procedures Default Databases Default System Tables Default System and Meta-Data Functions Information Schema Views Passwords Microsoft SQL Server Summary Oracle System Tables Passwords Privileges Oracle Listener Status Request Summary
  4. Shopping Carts and Payment Gateways Introduction Evolution of the Storefront Electronic Shopping Shopping Cart Systems Scope and Lifetime of an Electronic Shopping Cart Collecting, Analyzing, and Comparing Selected Components Keeping Track of the Total Cost Change of Mind Processing the Purchase Implementation of a Shopping Cart Application Product Catalog Session Management Database Interfacing Integration with the Payment Gateway Examples of Poorly Implemented Shopping Carts Carello Shopping Cart DCShop Shopping Cart Hassan Consulting’s Shopping Cart Cart32 and Several Other Shopping Carts Processing Payments Finalizing the Order Method of Payment Verification and Fraud Protection Order Fulfillment and Receipt Generation Overview of the Payment Processing System Order Confirmation Page Payment Gateway Interface Transaction Database Interface Interfacing with a Payment Gateway—An Example Payment System Implementation Issues Integration Temporary Information SSL Storing User Profiles PayPal—Enabling Individuals to Accept Electronic Payments Summary
  5. HTTP and HTTPS: The Hacking Protocols Introduction Protocols of the Web HTTP HTTP/0.9 HTTP/1.0 HTTP Request HTTP Response Response Code Header Fields Data HTTP/1.1 HTTP Request HTTP Response Response Codes Header Fields HTTPS (HTTP over SSL) Summary
  6. URL: The Web Hacker’s Sword Introduction URL Structure URLs and Parameter Passing URL Encoding Meta-Characters Specifying Special Characters on the URL String Unicode Encoding Abusing URL Encoding Unicode Vulnerability The Double-Decode or Superfluous Decode Vulnerability HTML Forms Anatomy of an HTML Form Input Elements Parameter Passing Via GET and POST Summary
  7. URLs Unraveled
  8. Web: Under (the) Cover Introduction The Components of a Web Application The Front-End Web Server The Web Application Execution Environment The Database Server Wiring the Components The Native Application Processing Environment Web Server APIs and Plug-Ins URL Mapping and Internal Proxying Proxying with a Back-End Application Server Examples Interfacing PHP3 with Apache Interfacing ServletExec as an Apache DSO Interfacing ServletExec as an ISAPI Extension to Microsoft IIS Interfacing IIS and Domino Servers with Netscape Enterprise Server Connecting with the Database Using Native Database APIs Examples Calling the SQL Server from Active Server Pages Calling Oracle 8i from PHP Using ODBC Using JDBC Specialized Web Application Servers Identifying Web Application Components from URLs The Basics of Technology Identification Examples URL: http://www1.example.com/homepage.nsf?Open URL: http://www2.example.com/software/buy.jhtml;jsessionid=ZYQFN5W HKORD5QFIAE0SFF GAVAAUIIV0 URL: http://www3.example.com/cgi-bin/ncommerce3/ExecMacro/webstore/ home.d2w/report URL: http://www4.example.com/ category.jsp?id=21&StoreSession=PC1q Nwwm0xqCFOWHZcYxZaZ21laYQEfOetnSjrYtrsxSC1V7b|3886513130244820/ 167838525/6/7001/7001/7002/7002/7001/-1 URL: http://www5.example.com/site/index/0,10017,2578,00.html More Examples URL: http://www6.example.com/report.cgi?page=3 URL: http://www7.example.com/ui/Login.jsp Advanced Techniques for Technology Identification Examples URL: http://www8.example.com/webapp/wcs/stores/servlet/Display?storeId= 10001&langId=-1&catalogId=10001&categoryId=10052&clearance=0&catTree= 10052 URL: https://www9.example.com/OA_HTML/store.jsp?section=101&prod_ses=j= 4081:Guest:US:jtfpfalse:jtfpi-1:671:504:75123~zv=75123~zs=t~zp=504~zo=2~zm= 101~zj=Guest~zi=504 Identifying Database Servers Countermeasures Rule 1: Minimize Information Leaked from the HTTP Header Rule 2: Prevent Error Information from Being Sent to the Browser Summary
  9. Reading Between the Lines Introduction Information Leakage Through HTML What the Browsers Don’t Show You Netscape Navigator—View | Page Source Internet Explorer—View | Source Clues to Look For HTML Comments Revision History Developer or Author Details Cross-References to Other Areas of the Web Application Reminders and Placeholders Comments Inserted by Web Application Servers Old “Commented-Out” Code Internal and External Hyperlinks E-Mail Addresses and Usernames UBE, UCE, Junk Mail, and Spam Keywords and Meta Tags Hidden Fields Client-Side Scripts Automated Source Sifting Techniques Using wget Using grep Sam Spade, Black Widow, and Teleport Pro Summary
  10. Site Linkage Analysis Introduction HTML and Site Linkage Analysis Site Linkage Analysis Methodology Step 1: Crawling the Web Site Crawling a Site Manually A Closer Look at the HTTP Response Header Some Popular Tools for Site Linkage Analysis GNU wget BlackWidow from SoftByteLabs Funnel Web Profiler from Quest Software Step-1 Wrap-Up Step 2: Creating Logical Groups Within the Application Structure Step-2 Wrap-Up Step 3: Analyzing Each Web Resource
  11. Extension Analysis
  12. URL Path Analysis
  13. Session Analysis
  14. Form Determination
  15. Applet and Object Identification
  16. Client-Side Script Evaluation
  17. Comment and E-Mail Address Analysis Step-3 Wrap-Up Step 4: Inventorying Web Resources Summary
  18. How Do They Do It?
  19. Cyber Graffiti Introduction Defacing Acme Travel, Inc.’s Web Site Mapping the Target Network Throwing Proxy Servers in Reverse Brute Forcing HTTP Authentication Directory Browsing Uploading the Defaced Pages What Went Wrong? HTTP Brute-Forcing Tools Brutus WebCracker 4.0 Countermeasures Against the Acme Travel, Inc. Hack Turning Off Reverse Proxying Using Stronger HTTP Authentication Passwords Turning off Directory Browsing Summary
  20. E-Shoplifting Introduction Building an Electronic Store The Store Front-End The Shopping Cart The Checkout Station The Database Putting It All Together Evolution of Electronic Storefronts Robbing Acme Fashions, Inc. Setting Up Acme’s Electronic Storefront Tracking Down the Problem The Hidden Dangers of Hidden Fields Bypassing Client-Side Validation Overhauling www.acme-fashions.com Facing a New Problem with the Overhauled System Remote Command Execution Postmortem and Further Countermeasures Summary
  21. Database Access Introduction A Used Car Dealership Is Hacked Input Validation Countermeasures Summary
  22. Java: Remote Command Execution Introduction Java-Driven Technology Architecture of Java Application Servers Attacking a Java Web Server Identifying Loopholes in Java Application Servers Example: Online Stock Trading Portal WebLogic Servlets and Handlers Application Handlers and Invokers Invoking FileServlet Invoking SSIServlet Invoking the JSPServlet and Forcing It to Compile html/txt Countermeasures Harden the Java Web Server Other Conceptual Countermeasures Isolate System Core Servlets from Application Servlets Prohibit Execution of Unregistered Servlets Bind Servlets to Resource Types Validate Input Thoroughly Disable Direct Application Servlet Invocation Unregister All Unused and Example Servlets Summary
  23. Impersonation Introduction Session Hijacking: A Stolen Identity and a Broken Date March 5, 7:00 A.M.—Alice’s Residence 8:30 A.M.—Alice’s Workplace 10:00 A.M.—Bob’s Office 11:00 A.M.—Bob’s Office 12:30 P.M.—Alice’s Office 9:30 P.M.—Bertolini’s Italian Cuisine Session Hijacking Postmortem of the Session Hijacking Attack Application State Diagrams HTTP and Session Tracking Stateless Versus Stateful Applications Cookies and Hidden Fields Cookies Hidden Fields Implementing Session and State Tracking Session Identifiers Should Be Unique Session Identifiers Should Not Be “Guessable” Session Identifiers Should Be Independent Session Identifiers Should Be Mapped with Client-Side Connections Summary
  24. Buffer Overflows: On-the-Fly Introduction Example Buffer Overflows Buffer Overflow: Its Simplest Form Assembly Language in a Nutshell General Purpose Registers Pointer (a.k.a. Index) Registers The Stack Assembler Instructions Tracking the Rogue Bytes Buffer Overflow: An Example Disassembly Blind Stress Testing Postmortem Countermeasures Summary
  25. Advanced Web Kung Fu
  26. Web Hacking: Automated Tools Introduction Netcat Whisker Brute Force Brutus Achilles Cookie Pal Teleport Pro Security Recommendations Summary
  27. Worms Introduction Code Red Worm January 26, 2000 June 18, 2001: The First Attack July 12, 2001 The Details July 19, 2001 August 4, 2001 Nimda Worm September 18, 2001 Network Shares—Nimda Also Has the Ability to Spread via Misconfigured or Insecure Network Shares The Details Combatting Worm Evolution React and Respond Summary
  28. Beating the IDS Introduction IDS Basics Network IDSs Host-Based IDSs IDS Accuracy Getting Past an IDS Secure Hacking—Hacking Over SSL Example Tunneling Attacks via SSL Intrusion Detection via SSL Sniffing SSL Traffic Polymorphic URLs Hexadecimal Encoding Illegal Unicode/Superfluous Encoding Adding Fake Paths Inserting Slash-Dot-Slash Strings Using Nonstandard Path Separators Using Multiple Slashes Mixing Various Techniques Generating False Positives Potential Countermeasures SSL Decryption URL Decoding Summary A. Web and Database Port Listing B. HTTP/1.1 and HTTP/1.0 Method and Field Definitions C. Remote Command Execution Cheat Sheet D. Source Code, File, and Directory Disclosure Cheat Sheet E. Resources and Links F. Web-Related Tools

https://books.google.co.in/books/about/Web_Hacking.html?id=WD6s5DwfLSsC&printsec=frontcover&source=kp_read_button&redir_esc=y#v=onepage&q&f=false