The Web Application Hacker's Handbook

Provides information on how to discover security flaws in Web applications to defend against hackers.

Auteur

DAFYDD STUTTARD is an independent security consultant, author, and software developer specializing in penetration testing of web applications and compiled software. Under the alias PortSwigger, Dafydd created the popular Burp Suite of hacking tools. MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Texte du rabat

New technologies. New attack techniques. Start hacking. Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it.

This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.

• Discover how cloud architectures and social networking have added exploitable attack surfaces to applications

• Leverage the latest HTML features to deliver powerful cross-site scripting attacks

• Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks

• Learn how to break encrypted session tokens and other sensitive data found in cloud services

• Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users

• Learn new techniques for automating attacksand dealing with CAPTCHAs and cross-site request forgery tokens

• Steal sensitive data across domains using seemingly harmless application functions and new browser features

Find help and resources at http://mdsec.net/wahh

• Source code for some of the scripts in the book

• Links to tools and other resources

• A checklist of tasks involved in most attacks

• Answers to the questions posed in each chapter

• Hundreds of interactive vulnerability labs

Résumé
The highly successful security book returns with a new edition, completely updated Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users.

Contenu

Introduction xxiii

Chapter 1 Web Application (In)security 1

The Evolution of Web Applications 2

Web Application Security 6

Summary 15

Chapter 2 Core Defense Mechanisms 17

Handling User Access 18

Handling User Input 21

Handling Attackers 30

Managing the Application 35

Summary 36

Questions 36

Chapter 3 Web Application Technologies 39

The HTTP Protocol 39

Web Functionality 51

Encoding Schemes 66

Next Steps 70

Questions 71

Chapter 4 Mapping the Application 73

Enumerating Content and Functionality 74

Analyzing the Application 97

Summary 114

Questions 114

Chapter 5 Bypassing Client-Side Controls 117

Transmitting Data Via the Client 118

Capturing User Data: HTML Forms 127

Capturing User Data: Browser Extensions 133

Handling Client-Side Data Securely 154

Summary 156

Questions 157

Chapter 6 Attacking Authentication 159

Authentication Technologies 160

Design Flaws in Authentication Mechanisms 161

Implementation Flaws in Authentication 185

Securing Authentication 191

Summary 201

Questions 202

Chapter 7 Attacking Session Management 205

The Need for State 206

Weaknesses in Token Generation 210

Weaknesses in Session Token Handling 233

Securing Session Management 248

Summary 254

Questions 255

Chapter 8 Attacking Access Controls 257

Common Vulnerabilities 258

Attacking Access Controls 266

Securing Access Controls 278

Summary 284

Questions 284

Chapter 9 Attacking Data Stores 287

Injecting into Interpreted Contexts 288

Injecting into SQL 291

Injecting into NoSQL 342

Injecting into XPath 344

Injecting into LDAP 349

Summary 354

Questions 354

Chapter 10 Attacking Back-End Components 357

Injecting OS Commands 358

Manipulating File Paths 368

Injecting into XML Interpreters 383

Injecting into Back-end HTTP Requests 390

Injecting into Mail Services 397

Summary 402

Questions 403

Chapter 11 Attacking Application Logic 405

The Nature of Logic Flaws 406

Real-World Logic Flaws 406

Avoiding Logic Flaws 428

Summary 429

Questions 430

Chapter 12 Attacking Users: Cross-Site Scripting 431

Varieties of XSS 433

XSS Attacks in Action 442

Finding and Exploiting XSS Vulnerabilities 451

Preventing XSS Attacks 492

Summary 498

Questions 498

Chapter 13 Attacking Users: Other Techniques 501

Inducing User Actions 501

Capturing Data Cross-Domain 515

The Same-Origin Policy Revisited 524

Other Client-Side Injection Attacks 531

Local Privacy Attacks 550

Attacking ActiveX Controls 555

Attacking the Browser 559

Summary 568

Questions 568

Chapter 14 Automating Customized Attacks 571

Uses for Customized Automation 572

Enumerating Valid Identifiers 573

Harvesting Useful Data 583

Fuzzing for Common Vulnerabilities 586

Putting It All Together: Burp Intruder 590

Barriers to Automation 602

Summary 613

Questions 613

Chapter 15 Exploiting Information Disclosure 615

Exploiting Error Messages 615

Gathering Published Information 625

Using Inference 626

Preventing Information Leakage 627

Summary 629

Questions 630

Chapter 16 Attacking Native Compiled Applications 633

Buffer Overflow Vulnerabilities 634

Integer Vulnerabilities 640

Format String Vulnerabilities 643

Summary 645

Questions 645

Chapter 17 Attacking Application Architecture 647

Tiered Architectures 647

Shared Hosting and Application Service Providers 656

Summary 667

Questions 667

Chapter 18 Attacking the Application Server 669

Vulnerable Server Configuration 670

Vulnerable Server Software 684

Web Application Firewalls 697

Summary 699

Questions 699

Chapter 19 Finding Vulnerabilities in Source Code 701

Approaches to Code Review 702

Signatures of Common Vulnerabilities 704

The Java Platform 711

ASP.NET 718

PHP 724

Perl 735

JavaScript 740

Database Code Components 741

Tools for Code Browsing 743

Summary 744

Questions 744

Chapter 20 A Web Application Hacker's Toolkit 747

Web Browsers 748

Integrated Testing Suites 751

Standalone Vulnerability Scanners 773

Other Tools 785

Summary 789

Chapter 21 A Web Application Hacker's Methodology 791

General Guidelines 793

1 Map the Application's Content 795

2 Analyze the Application 798

3 Test Client-Side Controls 800

4 Test the Authentication Mechanism 805

5 Test the Session Management Mechanism 814

6 Test Access Controls 821

7 Test for Input-Based Vulnerabilities 824

8 Test for Function-Specific Input Vulnerabilities 836

9 Test for Logic Flaws 842

10 Test for Shared Hosting Vulnerabilities 845

11 Test for Application Server Vulnerabilities 846

12 Miscellaneous Checks 849

13 Follow Up Any Information Leakage 852

Index 853