Web Hacking: Attacks and Defense (Paperback)
Description
"Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."--From the Foreword by William C. Boni, Chief Information Security Officer, Motorola
"Just because you have a firewall and IDS sensor does not mean you are secure; this book shows you why."--Lance Spitzner, Founder, The Honeynet Project
Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
Features include:
Overview of the Web and what hackers go after
Complete Web application security methodologies
Detailed analysis of hack techniques
Countermeasures
What to do at development time to eliminate vulnerabilities
New case studies and eye-opening attack scenarios
Advanced Web hacking concepts, methodologies, and tools
"How Do They Do It?" sections show how and why different attacks succeed, including:
Cyber graffiti and Web site defacements
e-Shoplifting
Database access and Web applications
Java™ application servers; how to harden your Java™ Web Server
Impersonation and session hijacking
Buffer overflows, the most wicked of attacks
Automated attack tools and worms
Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.
Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
Table of Contents
(NOTE: Each chapter begins with an Introduction and concludes with a Summary.)
Foreword.
Introduction.
“We're Secure, We Have a Firewall”.
To Err Is Human.
Writing on the Wall.
Book Organization.
Parts.
Chapters.
A Final Word.
Acknowledgments.
Contributor.
I. THE E-COMMERCE PLAYGROUND.
Case Study: Acme Art, Inc. Hacked!
- Web Languages: The Babylon of the 21st Century.
Languages of the Web.
HTML.
Dynamic HTML (DHTML).
XML.
XHTML.
Perl.
PHP.
ColdFusion.
Active Server Pages.
CGI.
Java.
- Web and Database Servers.
Web Servers.
Apache.
Microsoft's Internet Information Server (IIS).
Database Servers.
Microsoft SQL Server.
Oracle.
- Shopping Carts and Payment Gateways.
Evolution of the Storefront.
Electronic Shopping.
Shopping Cart Systems.
Scope and Lifetime of an Electronic Shopping Cart.
Collecting, Analyzing, and Comparing Selected Components.
Keeping Track of the Total Cost.
Change of Mind.
Processing the Purchase.
Implementation of a Shopping Cart Application.
Product Catalog.
Session Management.
Database Interfacing.
Integration with the Payment Gateway.
Examples of Poorly Implemented Shopping Carts.
Carello Shopping Cart.
DCShop Shopping Cart.
Hassan Consulting's Shopping Cart.
Cart32 and Several Other Shopping Carts.
Processing Payments.
Finalizing the Order.
Method of Payment.
Verification and Fraud Protection.
Order Fulfillment and Receipt Generation.
Overview of the Payment Processing System.
Innovative Ways to Combat Credit Card Fraud.
Order Confirmation Page.
Payment Gateway Interface.
Transaction Database Interface.
Interfacing with a Payment Gateway—An Example.
Payment System Implementation Issues.
Integration.
Temporary Information.
SSL.
Storing User Profiles.
Vulnerabilities Caused by Poor Integration of Shopping Cart and Payment Gateway.
PayPal—Enabling Individuals to Accept Electronic Payments.
- HTTP and HTTPS: The Hacking Protocols.
Protocols of the Web.
HTTP.
HTTPS (HTTP over SSL).
- URL: The Web Hacker's Sword.
URL Structure.
Web Hacker Psychology.
URLs and Parameter Passing.
URL Encoding.
Meta-Characters.
Specifying Special Characters on the URL String.
Meta-Characters and Input Validation.
Unicode Encoding.
The Acme Art, Inc. Hack.
Abusing URL Encoding.
Unicode Encoding and Code Red's Shell Code.
Unicode Vulnerability.
The Double-Decode or Superfluous Decode Vulnerability.
HTML Forms.
Anatomy of an HTML Form.
Input Elements.
Parameter Passing Via GET and POST.
II. URLS UNRAVELED.
Case Study: Reconnaissance Leaks Corporate Assets.
- Web: Under (the) Cover.
The Components of a Web Application.
The Front-End Web Server.
The Web Application Execution Environment.
The Database Server.
Wiring the Components.
The Native Application Processing Environment.
Web Server APIs and Plug-Ins.
URL Mapping and Internal Proxying.
Proxying with a Back-End Application Server.
Examples.
Connecting with the Database.
The Craftiest Hack of Them All.
Using Native Database APIs.
Examples.
Using ODBC.
Using JDBC.
Specialized Web Application Servers.
Identifying Web Application Components from URLs.
The Basics of Technology Identification.
Examples.
More Examples.
Advanced Techniques for Technology Identification.
Examples.
Identifying Database Servers.
Countermeasures.
Rule 1: Minimize Information Leaked from the HTTP Header.
Rule 2: Prevent Error Information from Being Sent to the Browser.
- Reading Between the Lines.
Information Leakage Through HTML.
What the Browsers Don't Show You.
Netscape Navigator—View | Page Source.
Internet Explorer—View | Source.
Clues to Look For.
HTML Comments.
Revision History.
Developer or Author Details.
Cross-References to Other Areas of the Web Application.
Reminders and Placeholders.
Comments Inserted by Web Application Servers.
Old “Commented-Out” Code.
Internal and External Hyperlinks.
E-mail Addresses and Usernames.
UBE, UCE, Junk Mail, and Spam.
Keywords and Meta Tags.
Hidden Fields.
Client-Side Scripts.
Automated Source Sifting Techniques.
Using wget.
Using grep.
Sam Spade, Black Widow, and Teleport Pro.
- Site Linkage Analysis.
HTML and Site Linkage Analysis.
Site Linkage Analysis Methodology.
Step 1: Crawling the Web Site.
Crawling a Site Manually.
A Closer Look at the HTTP Response Header.
Some Popular Tools for Site Linkage Analysis.
Step-1 Wrap-Up.
Crawlers and Redirection.
Step 2: Creating Logical Groups Within the Application Structure.
Step-2 Wrap-Up.
Step 3: Analyzing Each Web Resource.
- Extension Analysis.
- URL Path Analysis.
- Session Analysis.
- Form Determination.
- Applet and Object Identification.
- Client-Side Script Evaluation.
- Comment and E-Mail Address Analysis.
Step-3 Wrap-Up.
Step 4: Inventorying Web Resources.
III. HOW DO THEY DO IT?
Case Study: How Boris Met Anna's Need for Art Supplies.
- Cyber Graffiti.
Defacing Acme Travel, Inc.'s Web Site.
Mapping the Target Network.
Throwing Proxy Servers in Reverse.
Brute Forcing HTTP Authentication.
Directory Browsing.
Uploading the Defaced Pages.
What Went Wrong?
HTTP Brute-Forcing Tools.
Brutus.
WebCracker 4.0.
Countermeasures Against the Acme Travel, Inc. Hack.
Turning Off Reverse Proxying.
Using Stronger HTTP Authentication Passwords.
Turning off Directory Browsing.
- E-Shoplifting.
Building an Electronic Store.
The Store Front-End.
The Shopping Cart.
The Checkout Station.
The Database.
Putting It All Together.
Evolution of Electronic Storefronts.
Robbing Acme Fashions, Inc.
Setting Up Acme's Electronic Storefront.
Tracking Down the Problem.
Bypassing Client-Side Validation.
Using Search Engines to Look for Hidden Fields.
Overhauling www.acme-fashions.com.
Facing a New Problem with the Overhauled System.
Postmortem and Further Countermeasures.
Shopping Carts with Remote Command Execution.
- Database Access.
Direct SQL Attacks.
A Used Car Dealership Is Hacked.
Input Validation.
Countermeasures.
- Java: Remote Command Execution.
Java-Driven Technology.
Architecture of Java Application Servers.
Attacking a Java Web Server.
Identifying Loopholes in Java Application Servers.
Example: Online Stock Trading Portal.
Invoking FileServlet.
Countermeasures.
Harden the Java Web Server.
Other Conceptual Countermeasures.
- Impersonation.
Session Hijacking: A Stolen Identity and a Broken Date.
March 5, 7:00 A.M.—Alice's Residence.
8:30 A.M.—Alice's Workplace.
10:00 A.M.—Bob's Office.
11:00 A.M.—Bob's Office.
12:30 P.M.—Alice's Office.
9:30 P.M.—Bertolini's Italian Cuisine.
Session Hijacking.
Postmortem of the Session Hijacking Attack.
Application State Diagrams.
HTTP and Session Tracking.
Stateless Versus Stateful Applications.
Cookies and Hidden Fields.
Cookie Control, Using Netscape on a Unix Platform.
Cookies.
Hidden Fields.
Implementing Session and State Tracking.
Session Identifiers Should Be Unique.
Session Identifiers Should Not Be “Guessable”.
Session Identifiers Should Be Independent.
Session Identifiers Should Be Mapped with Client-Side Connections.
- Buffer Overflows: On-the-Fly.
Example.
Buffer Overflows.
Buffer Overflow: Its Simplest Form.
Buffer Overflow: An Example.
Postmortem Countermeasures.
IV. ADVANCED WEB KUNG FU.
Case Study.
- Web Hacking: Automated Tools.
Netcat.
Whisker.
Brute Force.
Brutus.
Achilles.
Cookie Pal.
Teleport Pro.
Security Recommendations.
- Worms.
Code Red Worm.
January 26, 2000.
June 18, 2001: The First Attack.
July 12, 2001.
July 19, 2001.
August 4, 2001.
Nimda Worm.
Combatting Worm Evolution.
React and Respond.
- Beating the IDS.
IDS Basics.
Network IDSs.
Host-Based IDSs.
IDS Accuracy.
Getting Past an IDS.
Secure Hacking—Hacking Over SSL.
Example.
Tunneling Attacks via SSL.
Intrusion Detection via SSL.
Sniffing SSL Traffic.
Polymorphic URLs.
Hexadecimal Encoding.
Illegal Unicode/Superfluous Encoding.
Adding Fake Paths.
Inserting Slash-Dot-Slash Strings.
Using Nonstandard Path Separators.
Using Multiple Slashes.
Mixing Various Techniques.
Generating False Positives.
IDS Evasion in Vulnerability Checkers.
Potential Countermeasures.
SSL Decryption.
URL Decoding.
Appendix A: Web and Database Port Listing.
Appendix B: HTTP/1.1 and HTTP/1.0 Method and Field Definitions.
Appendix C: Remote Command Execution Cheat Sheet.
Appendix D: Source Code, File, and Directory Disclosure Cheat Sheet.
Appendix E: Resources and Links.
Appendix F: Web-Related Tools.
Index.