Unleash the hackers' arsenal to secure your Web applications In today's world of pervasive Internet connectivity and rapidly evolving Web technology, online security is as critical as it is challenging. With the enhanced availability of information and services online and Web-based attacks and break-ins on the rise, security risks are at an all time high. Hacking Exposed Web Applications shows you, step-by-step, how to defend against the latest Web-based attacks by understanding the hacker's devious methods and thought processes. Discover how intruders gather information, acquire targets, identify weak spots, gain control, and cover their tracks. You'll get in-depth coverage of real-world hacks — both simple and sophisticated — and detailed countermeasures to protect against them. What you'll learn: • The proven Hacking Exposed methodology to locate, exploit, and patch vulnerable platforms and applications • How attackers identify potential weaknesses in Web application components • What devastating vulnerabilities exist within Web server platforms such as Apache, Microsoft's Internet Information Server (IIS), Netscape Enterprise Server, J2EE, ASP.NET, and more • How to survey Web applications for potential vulnerabilities — including checking directory structures, helper files, Java classes and applets, HTML comments, forms, and query strings • Attack methods against authentication and session management features such as cookies, hidden tags, and session identifiers • Most common input validation attacks — crafted input, command execution characters, and buffer overflows • Countermeasures for SQL injection attacks such as robust error handling, custom stored procedures, and proper database configuration • XML Web services vulnerabilities and best practices • Tools and techniques used to hack Web clients — including cross-site scripting, active content attacks and cookie manipulation • Valuable checklists and tips on hardening Web applications and clients based on the authors' consulting experiences Team DDU Hacking Exposed Web Applications 1 Cover 1 CONTENTS 10 Foreword 18 Acknowledgements 20 Preface 22 Part I Reconnaissance 28 1 Introduction to Web Applications and Security 30 The Web Application Architecture 32 A Brief Word about HTML 33 Transport: HTTP 34 The Web Client 38 The Web Server 39 The Web Application 40 The Database 43 Complications and Intermediaries 43 The New Model: Web Services 45 Potential Weak Spots 46 The Methodology of Web Hacking 47 Profile the Infrastructure 47 Attack Web Servers 47 Survey the Application 47 Attack the Authentication Mechanism 48 Attack the Authorization Schemes 48 Perform a Functional Analysis 48 Exploit the Data Connectivity 48 Attack the Management Interfaces 49 Attack the Client 49 Launch a Denial-of-Service Attack 49 Summary 49 References and Further Reading 50 2 Profiling 52 Server Discovery 53 Intuition 53 Internet Footprinting 53 DNS Interrogation 58 Ping 59 Discovery Using Port Scanning 59 Dealing with Virtual Servers 61 Service Discovery 62 Server Identification 64 Dealing with SSL 65 Summary 66 References and Further Reading 67 3 Hacking Web Servers 68 Common Vulnerabilities by Platform 69 Apache 69 Microsoft Internet Information Server (IIS) 73 Attacks Against IIS Components 73 Attacks Against IIS 83 Escalating Privileges on IIS 90 Netscape Enterprise Server 99 Other Web Server Vulnerabilities 102 Miscellaneous Web Server Hacking Techniques 105 Automated Vulnerability Scanning Software 107 Whisker 107 Nikto 110 twwwscan/arirang 111 Stealth HTTP Scanner 112 Typhon 114 WebInspect 116 AppScan 117 FoundScan Web Module 118 Denial of Service Against Web Servers 119 Summary 122 References and Further Reading 122 4 Surveying the Application 126 Documenting Application Structure 127 Manually Inspecting the Application 129 Statically and Dynamically Generated Pages 129 Directory Structure 132 Helper Files 135 Java Classes and Applets 136 HTML Comments and Content 137 Forms 139 Query Strings 141 Back-End Connectivity 144 Tools to Automate the Survey 144 lynx 145 Wget 146 Teleport Pro 147 Black Widow 148 WebSleuth 149 Common Countermeasures 152 A Cautionary Note 152 Protecting Directories 152 Protecting Include Files 153 Miscellaneous Tips 153 Summary 154 References and Further Reading 154 Part II The Attack 156 5 Authentication 158 Authentication Mechanisms 159 HTTP Authentication: Basic and Digest 159 Forms-Based Authentication 170 Microsoft Passport 172 Attacking Web Authentication 176 Password Guessing 176 Session ID Prediction and Brute Forcing 182 Subverting Cookies 182 Bypassing SQL-Backed Login Forms 184 Bypassing Authentication 185 Summary 186 References and Further Reading 186 6 Authorization 188 The Attacks 189 Role Matrix 190 The Methodology 191 Query String 192 POST Data 192 Hidden Tags 193 URI 193 HTTP Headers 194 Cookies 194 Final Notes 195 Case Study: Using Curl to Map Permissions 197 Apache Authorization 200 IIS Authorization 202 Summary 203 References and Further Reading 203 7 Attacking Session State Management 204 Client-Side Techniques 206 Hidden Fields 207 The URL 209 HTTP Headers and Cookies 209 Server-Side Techniques 210 Server-Generated Session IDs 211 Session Database 211 SessionID Analysis 212 Content Analysis 212 Time Windows 225 Summary 227 References and Further Reading 227 8 Input Validation Attacks 228 Expecting the Unexpected 229 Input Validation EndGame 230 Where to Find Potential Targets 230 Bypassing Client-Side Validation Routines 231 Common Input Validation Attacks 232 Buffer Overflow 232 Canonicalization (dot-dot-slash) 234 Script Attacks 239 Boundary Checking 243 Manipulating the Application 244 SQL Injection and Datastore Attacks 245 Command Execution 245 Common Side Effects 247 Common Countermeasures 247 Summary 248 References and Further Reading 249 9 Attacking Web Datastores 252 A SQL Primer 253 SQL Injection 253 Common Countermeasures 267 Summary 268 References and Further Reading 268 10 Attacking Web Services 270 What Is a Web Service? 271 Transport: SOAP over HTTP(S) 272 WSDL 274 Directory Services: UDDI and DISCO 276 Sample Web Services Hacks 279 Basics of Web Service Security 280 Similarities to Web Application Security 281 Web Services Security Measures 281 Summary 285 References and Further Reading 285 11 Hacking Web Application Management 288 Web Server Administration 289 Telnet 289 SSH 290 Proprietary Management Ports 290 Other Administration Services 290 Web Content Management 291 FTP 292 SSH/scp 292 FrontPage 292 WebDAV 297 Web-Based Network and System Management 298 Other Web-Based Management Products 301 Summary 302 References and Further Reading 302 12 Web Client Hacking 304 The Problem of Client-Side Security 305 Attack Methodologies 306 Active Content Attacks 306 Java and JavaScript 307 ActiveX 308 Cross-Site Scripting 316 Cookie Hijacking 319 Summary 323 References and Further Reading 324 13 Case Studies 326 Case Study #1: From the URL to the Command Line and Back 327 Case Study #2: XOR Does Not Equal Security 330 Case Study #3: The Cross-Site Scripting Calendar 332 Summary 334 References and Further Reading 334 Part III Appendixes 336 A Web Site Security Checklist 338 B Web Hacking Tools and Techniques Cribsheet 344 C Using Libwhisker 360 Inside Libwhisker 361 http_do_request Function 361 crawl Function 364 utils_randstr Function 367 Building a Script with Libwhisker 367 Sinjection.pl 368 D UrlScan Installation and Configuration 372 Overview of UrlScan 373 Obtaining UrlScan 374 Updating UrlScan 374 Updating Windows Family Products 375 hfnetchk 375 Third-Party Tools 376 Basic UrlScan Deployment 378 Rolling Back IISLockdown 383 Unattended IISLockdown Installation 385 Advanced UrlScan Deployment 385 Extracting UrlScan.dll 386 Configuring UrlScan.ini 386 Installing the UrlScan ISAPI Filter in IIS 388 Removing UrlScan 391 UrlScan.ini Command Reference 392 Options Section 392 AllowVerbs Section 394 DenyVerbs Section 394 DenyHeaders Section 395 AllowExtensions Section 395 DenyExtensions Section 396 Summary 396 References and Further Reading 396 E About the Companion Web Site 398 Index 400 Team DDU 1 Addressing all major Web applications and platforms this manual focuses on vulnerabilities across a range of programming languages. It includes all the tools and techniques needed to maintain a secure, Internet-based business