
Table of Contents

from the Second Edition


1 Hacking Web Apps 101

What Is Web Application Hacking?

GUI Web Hacking
URI Hacking
Methods, Headers, and Body
Resources
Authentication, Sessions, and Authorization
The Web Client and HTML
Other Protocols

Why Attack Web Applications?

Who, When, and Where?

Weak Spots

How Are Web Apps Attacked?

The Web Browser
Browser Extensions
HTTP Proxies
Command-line Tools
Older Tools

 

2 Profiling

Infrastructure Profiling

Footprinting and Scanning: Defining Scope
Basic Banner Grabbing
Advanced HTTP Fingerprinting
Infrastructure Intermediaries

Application Profiling

Manual Inspection
Using Search Tools for Profiling
Automated Web Crawling
Common Web Application Profiles

General Countermeasures

A Cautionary Note
Protecting Directories
Protecting include Files
Miscellaneous Tips

 

3 Hacking Web Platforms

Point-and-click Exploitation Using Metasploit

Manual Exploitation

Evading Detection

Web Platform Security Best Practices

Common Best Practices
IIS Hardening
Apache Hardening
PHP Best Practices

 

4 Attacking Web Authentication

Web Authentication Threats

Username/Password Threats
Strong(er) Web Authentication
Web Authentication Services

Bypassing Authentication

Token Replay
Identity Management
Client-side Piggybacking

Some Final Thoughts: Identity Theft

 

5 Attacking Web Authorization

Fingerprinting Authz

Crawling ACLs
Identifying Access/Session Tokens
Analyzing Session Tokens
Differential Analysis
Role Matrix

Attacking ACLs

Attacking Tokens

Manual Prediction
Automated Prediction
Capture/Replay
Session Fixation

Authorization Attack Case Studies

Horizontal Privilege Escalation
Vertical Privilege Escalation
Differential Analysis
Using Curl to Map Permissions

Authorization Best Practices

Web ACL Best Practices
Web Authorization/Session Token Security
Security Logs

 

6 Input Validation Attacks

Expect the Unexpected

Where to Find Attack Vectors

Bypass Client-side Validation Routines

Common Input Validation Attacks

Buffer Overflow
Canonicalization (dot-dot-slash)
HTML Injection
Boundary Checks
Manipulate Application Behavior
SQL Injection and Datastore Attacks
Command Execution
Encoding Abuse
PHP Global Variables
Common Side-effects

 

7 Attacking Web Datastores

SQL Primer

Syntax
SELECT, INSERT, and UPDATE

SQL Injection Discovery

Syntax and Errors
Semantics and Behavior
Alternate Character Encoding

Exploit SQL Injection Vulnerabilities

Alter a Process
Query Alternate Data
Platforms

Other Datastore Attacks

Input Validation
Decouple Query Logic from Query Data
Database Encryption
Database Configuration
 

8 Attacking XML Web Services

What Is a Web Service?

Transport: SOAP Over HTTP(S)
WSDL
Directory Services: UDDI and DISCO
Similarities to Web Application Security

Attacking Web Services

Web Service Security Basics

Web Services Security Measures

 

9 Attacking Web Application Management

Remote Server Management

Telnet
SSH
Proprietary Management Ports
Other Administration Services

Web Content Management

FTP
SSH/scp
FrontPage
WebDAV

Admin Misconfigurations

Unnecessary Web Server Extensions
Information Leakage

Developer-driven Mistakes

 

10 Hacking Web Clients

Exploits

Trickery

General Countermeasures

IE Security Zones
Firefox Secure Configuration
Low-privilege Browsing
Server-side Countermeasures

 

11 Denial-of-Service (DoS) Attacks

Common DoS Attack Techniques

Old School DoS: Vulnerabilities
Modern DoS: Capacity Depletion
Application-layer DoS

General DoS Countermeasures

Proactive DoS Mitigation
Detecting DoS
Responding to DoS

 

12 Full-Knowledge Analysis

Threat Modeling

Clarify Security Objectives
Identify Assets
Architecture Overview
Decompose the Application
Identify and Document Threats
Rank the Threats
Develop Threat Mitigation Strategies

Code Review

Manual Source Code Review
Automated Source Code Review
Binary Analysis

Security Testing of Web App Code

Fuzzing
Test Tools, Utilities, and Harnesses
Pen-testing

Security in the Web Development Process

People
Process
Technology

 

13 Web Application Security Scanners

Technology: Web App Security Scanners

The Testbed
The Tests
Reviews of Individual Scanners
Overall Test Results

Non-technical Issues

Process
People

 

Appendices

A Web Application Security Checklist

B Web Hacking Tools and Techniques Cribsheet

C URLScan and ModSecurity

URLScan

Basic URLScan Deployment (IIS5.x and Earlier)
Advanced URLScan Configuration
Managing URLScan

ModSecurity

ModSecurity Installation
ModSecurity Configuration

 

D About the Companion Web Site



Copyright © 2003. All Rights Reserved. Designed by HTMLfx