- any other use of the work is strictly prohibited.
- By any estimation, business on the Web is an enormous part of the economy and growing rapidly.
- This book is the sum of chapters, each of which describes one aspect of the Hacking Exposed Web Application attack methodology.
- This chapter provides a brief overview of the “who, what, when, where, how, and why” of web application hacking.
- We’ll also introduce the basic web application hacking toolset, since these tools will be used throughout the rest of the book for numerous purposes.
- In Chapter 6, we’ll discuss one of the most devastating classes of web app attacks: SQL injection.
- Don’t be too dismissive of the browser, however.
- In fact, some of the most elegant attacks we’ve seen involved only a browser.
- Per RFC 3986, URIs are comprised of the following pieces:
- Everything to the right of the.
- Typically, the ultimate goal of the attacker is to gain unauthorized access to web application resources.
- Some of the most common include Microsoft’s Internet Server Application Programming Interface (ISAPI) and the public Common Gateway Interface (CGI) specification.
- This again demonstrates the power of the URI, but from the perspective of the web client.
- Suffice to say, the client side of the web application security story is receiving even more attention than the server side lately.
- One of the most significant additions in recent memory is Web Distributed Authoring and Versioning (WebDAV).
- “Web 2.0.” For a good example of the possibilities here, check out http://www.crn.com/.
- As you saw in the earlier discussion of the dangerous.
- Much of the allure of web apps is their.
- In the final section of this chapter, we’ll provide a brief overview of some of our favorites so you can work along with us on the examples presented throughout the rest of the book.
- Each of the tools described next can be obtained from the locations listed in the “References &.
- Integration with the browser: integration gives a more natural feel to the analysis, from the perspective of an actual user of the application.
- From this screen, all aspects of the HTTP request can be altered.
- Every aspect of the HTTP/S request is available for manipulation within this screen.
- On the whole, we prefer browser-based tools because they’re generally easier to use and put you closer to the natural flow of the application.
- Now you can tamper with any of the data in the request before pressing either of these buttons to submit the manipulated request.
- The request structure essentially has to be gathered via manual analysis of the application.
- Google’s announcement of the release of its first web security tool in July 2008 made waves in the security community.
- Banner grabbing is critical to the web hacker, as it typically identifies the make and model (version) of the web server software in play.
- Note the use of the HEAD method to retrieve the server banner.
- In the following examples, we send a PUT request instead of the typical GET or HEAD, again using netcat.
- These variations can indicate the make and model of the web server.
- One issue that can skew the outcome of profiling is the placement of intermediate infrastructure in front of the web application.
- folder left behind on one of the servers, but not on the others.
- For example, one of the servers may support only 128-bit encryption, just as it should.
- One of the pages on the site reveals more cryptic HTML comments.
- URLScan will also reject the request if you add any of the following headers to the request:
- This section will present a basic approach to web application profiling comprised of the following key tasks:
- The versatility of the “getit” scripts does not end with two command-line arguments.
- Obtaining the directory structure for the public portion of the site is trivial.
- Try to guess the mindset of the administrators and site developers.
- File extensions are a great indicator of the nature of an application.
- Applets seem to be some of the most insecure pieces of software.
- They could point to an old portion of the web site that could contain security holes.
- Of course, there are more important, security-related parts of the form.
- You can find most of the forms by a click-through of the site.
- Now you have the name of the form, gs.
- Remember to download the HTML source of the /search file, if possible.
- Parameter names may also provide information about the internal workings of the application.
- So one of the first things that you need to do is to identify the paths, filenames, and parameters.
- The big giveaway is the = sign (or two) at the end of the string.
- It’s a good bet that at least one of the major Internet search engines has indexed your target web application at least once in the past.
- Luckily, we found an API in the documentation called “wwMain~EditConfig.” The documentation noted that this API call permitted editing of the Web Connection Configuration files remotely.
- That gave us the full directory listing of all of the files on the system and dumped them into a text file located in the web root.
- A complete list of the queries the tool can perform can be found at http://ctas.paterva.com/view/Category:Transforms.
- We hope that it’s been an informational tour of the “under-the-hood” techniques of web application profiling.
- You’ll find that many of the advanced commercial crawlers have overcome this problem.
- Here are our favorite tools to help automate the grunt work of the application survey.
- them create a mirror of the site on your system.
- These tools perform most of the grunt work of collecting files.
- If you want to see the HTML source instead of the formatted page, then use the –source option.
- The content of the page on the right will usually be heavily written with JavaScript.
- That’s one of the reasons you can spot a PeopleSoft application right away.
- The following shows a screenshot of an application that is suspected to be a PeopleSoft application, but the URL gives no indication of the usual PeopleSoft parameter structure (https://www.site.com/n/signon.html):
- Also notice the color and shape of the Continue button.
- Other methods require actions on the part of the programmer.
- Next, we covered the process of cataloging site structure, content, and functionality, laying the groundwork for all of the subsequent steps in the web application security assessment methodology described in this book.
- We’ll now walk through the same example using Metasploit Framework to illustrate the power and efficiency of the tool, even in the hands of semi-skilled adversaries.
- The user-specified script can be any executable file in the working directory of the currently selected WebLogic domain.
- Our further analysis of the.
- which creates an instance of the DomainManager class.
- value of the local environment variable.
- If the request originates from the Internet, the value of the variable is usually the web server’s IP address.
- Table 3-1 The Value of the SERVER_NAME Variable Depends on the Origin of the Request.
- The response to a TRACK request is a repeat of the request sent.
- With appropriate egress filtering on the firewall in front of the web server(s), these requests can be blocked, significantly raising the bar for attackers.
- Some of the most common failures include these:
- One of the most important things to consider when installing Apache is what types of functionality the web server needs to have.
- One of the standard rules in security is to practice defense in depth.
- Location of the Apache server binary.
- Let’s look at some of the automated web password-guessing tools available today.
- One of the most common authentication protocols used on the Internet today is HTTP Basic.
- Unfortunately, some of the most popular web authentication protocols do expose credentials on the wire.
- Now we’ll talk about another weakness of the protocol.
- As you can see, Basic authentication is wide open to eavesdropping attacks, despite the inscrutable nature of the value it sends in the Authorization header.
- RFC 2617 describes the use of the MD5 hash function as the default.
- Microsoft’s implementation of Digest authentication requires that the server have access to the cleartext version of the user’s password so digests can be calculated.
- All of the 301 and 302 redirects occur transparently in the background without notifying the end-user of the activity.
- This is a generic attack that does not require much customization based on the web site, as do many of the other attacks for Forms-based authentication.
- would have a SQL statement of the following (this example has been wrapped across two lines due to page-width constraints):
- One of the early assertions that PassMark is vulnerable to man-in-the-middle (MITM) attacks appears unfounded.
- For example, one popular provider, MyOpenID (www.myopenid.com), creates URLs of the form <username>.myopenid.com, where.
- Links to both an article describing the attack and legitimate criticisms of the methods used (including a response by Kim Cameron, Chief Identity Architect of Identity at Microsoft) can be found in the “References &.
- The number of requests that need to be made depends on the key space of the session ID.
- David Endler of iDefense.com has written a detailed exposé of many of the weaknesses in session ID implementations.
- and confused simply refers to the inability of the browser to properly distinguish between a legitimate and unauthorized request.
- and set the source to that of the funds transfer action on the vulnerable banking application.
- Given knowledge of the remediation strategies listed in the previous section, identifying XSRF vulnerabilities in web applications is a trivial activity.
- As of this writing, PWNtcha is the most successful of the CAPTCHA decoders.
- Table 4-2 A Summary of the Web Authentication Mechanisms Discussed So Far.
- “Risks of the Passport Single Signon Protocol”