Hacking Web Apps. Syngress

Detecting and Preventing Web

Application Security Problems

Mike Shema

Technical Editor
Jorge Blanco Alcover

Hacking Web Apps

About the Author
Mike Shema develops web application security solutions at Qualys, Inc.
His current work is focused on an automated web assessment service. Mike
previously worked as a security consultant and trainer for Foundstone where
he conducted information security assessments across a range of industries and
technologies. His security background ranges from network penetration testing,
wireless security, code review, and web security. He is the co-author of Hacking
Exposed: Web Applications, The Anti-Hacker Toolkit and the author of Hack
Notes: Web Application Security. In addition to writing, Mike has presented at
security conferences in the U.S., Europe, and Asia.

Acknowledgements
Several people deserve thanks for helping move this book from concept to
completion. The Lorimer crew provided endless entertainment and unexpected
lessons in motivation. The development team at Elsevier helped immensely.
Thanks to Chris Katsaropoulos for urging this book along; and Alex Burack, Dave
Bevans, Jessica Vaughn, Meagan White, and Andre Cuello for shepherding it to
the finish line. Finally, it’s important to thank the readers of the Seven Deadliest
Web Attacks whose interest in web security and feedback helped make the writing
process a rewarding experience.

Introduction

BOOK OVERVIEW AND KEY LEARNING POINTS

Each of the chapters in this book presents examples of different hacks against Web

applications. The methodology behind the attack is explored as well as showing its

potential impact. An impact may be against a site’s security, or a user’s privacy.

A hack may not even care about compromising a Web server, instead turning its

focus on the browser. Web security impacts applications and browsers alike. After

all, that’s where the information is.

Then the chapter moves on to explain possible countermeasures for different

aspects of the attack. Countermeasures are a tricky beast. It’s important to understand

how an attack works before designing a good defense. It’s equally important to

understand the limitations of a countermeasure and how other vulnerabilities might

entirely bypass it. Security is an emergent property of the Web site; it’s not a summation

of individual protections. Some countermeasures will show up several times,

others make only a brief appearance.

BOOK AUDIENCE

Anyone who uses the Web to check email, shop, or work will benefit from knowing

how the personal information on those sites might be compromised or how sites

harbor malicious content. The greatest security burden lies with a site’s developers.

Users have their own part to play, too. Especially in terms of maintaining an up-todate

browser, being careful with passwords, and being wary of non-technical attacks

like social engineering.

Web application developers and security professionals will benefit from the technical

details and methodology behind the Web attacks covered in this book. The first

steps to improving a site’s security are understanding the threats to an application

and poor programming practices lead to security weaknesses that lead to vulnerabilities

that lead to millions of passwords being pilfered from an unencrypted data

store. Plus, several chapters dive into effective countermeasures independent of the

programming languages or technologies underpinning a specific site.

Executive level management will benefit from understanding the threats to a Web

site and in many cases how a simple hack—requiring no more tools than a browser

and a brain—negatively impacts a site and its users. It should also illustrate that even

though many attacks are simple to execute, good countermeasures require time and

resources to implement properly. These points should provide strong arguments for

allocating funding and resources to a site’s security in order to protect the wealth of

information that Web sites manage.

This book assumes some basic familiarity with the Web. Web security attacks

manipulate HTTP traffic to inject payloads or take advantage of deficiencies in the

protocol. They also require understanding HTML in order to manipulate forms or

inject code that puts the browser at the mercy of the attacker. This isn’t a prerequisite

for understanding the broad strokes of a hack or learning how hackers compromise

a site. For example, it’s good to start off with the familiarity that HTTP uses port 80

by default for unencrypted traffic and port 443 for traffic encrypted with the Secure

Sockets Layer/Transport Layer Security (SSL/TLS). Sites use the https://scheme to

designate TLS connections. Additional details are necessary for developers and security

professionals who wish to venture deeper into the methodology of attacks and

defense. The book strives to present accurate information. It does not strive for exacting

adherence to nuances of terminology. Terms like URL and link are often used

interchangeably, as are Web site and Web application. Hopefully, hacking concepts

and countermeasure descriptions are clear enough that casual references to HTML

tags and HTML elements don’t irk those used to reading standards and specifications.

We’re here to hack and have fun.

Readers already familiar with basic Web concepts can skip the next two sections.

The Modern Browser

There are few references to specific browser versions in this book. The primary

reason is that most attacks work with standard HTML or against server-side technologies

to which the browser is agnostic. Buffer overflows and malware care about

specific browser versions, hacks against Web sites rarely do. Another reason is that

browser developers have largely adopted a self-updating process or at least very fast

release process. This means that browsers stay up to date more often, a positive security

trend for users. Finally, as we’ll discover in Chapter 1, HTML5 is still an emerging

standard. In this book, a “modern browser” is any browser or rendering engine

(remember, HTML can be accessed by all sorts of devices) that supports some aspect

of HTML5. It’s safe to say that, as you read this, if your browser has been updated

within the last 2 months, then it’s a modern browser. It’s probably true that if the

browser is even a year old it counts as a modern browser. If it’s more than a year old,

set the book down and go install the security updates that have been languishing in

uselessness for you all this time. You’ll be better off for it.

Gone are the days when Web applications had to be developed with one browser

in mind due to market share or reliance on rendering quirks. It’s a commendable feat

of engineering and standards (networking, HTTP, HTML, etc.) that “dead” browsers

like Internet Explorer 6 still render a vast majority of today’s Web sites. However,

these relics of the past have no excuse for being in use today. If Microsoft wants IE6

to disappear, there’s no reason a Web site should be willing to support it—in fact, it

would be a bold step to actively deny access to older browsers for sites whose content

and use requires a high degree of security and privacy protections.

HOW THIS BOOK IS ORGANIZED

This book contains eight chapters that describe hacks against Web sites and browsers

alike. Each chapter provides examples of hacks used against real sites. Then it

explores the details of how the exploits work. The chapters don’t need to be tackled

in order. Many attacks are related or combine in ways that make certain countermeasures

ineffective. That’s why it’s important to understand different aspects of Web

security, especially the point that Web security includes the browser as well as the site.

Chapter 1: HTML5

A new standard means new vulnerabilities. It also means new ways to exploit old

vulnerabilities. This chapter introduces some of the major APIs and features of the

forthcoming HTML5 standard. HTML5 may not be official, but it’s in your browser

now and being used by Web sites. And it has implications not only for security, but

for the privacy of your information as well.

Chapter 2: HTML Injection and Cross-Site Scripting

This chapter describes one of the most pervasive and easily exploited vulnerabilities

that crop up in Web sites. XSS vulnerabilities are like the cockroaches of the Web,

always lurking in unexpected corners of a site regardless of its size, popularity, or

sophistication of its security team. This chapter shows how one of the most prolific

vulnerabilities on the Web is exploited with nothing more than a browser and basic

knowledge of HTML. It also shows how the tight coupling between the Web site and

the Web browser is a fragile relationship in terms of security.

Chapter 3: Cross-Site Request Forgery

Chapter 3 continues the idea of vulnerabilities that target Web sites and Web browsers.

CSRF attacks fool a victim’s browser into making requests that the user didn’t

intend. These attacks are subtle and difficult to block. After all, every Web page is

technically vulnerable to CSRF by default.

Chapter 4: SQL Injection and Data Store Manipulation

The next chapter shifts focus squarely onto the Web application and the database

that drives it. SQL injection attacks are most commonly known as the source of

credit card theft. This chapter explains how many other exploits are possible with this

simple vulnerability. It also shows that the countermeasures are relatively easy and

simple to implement compared to the high impact successful attacks carry. And even

if your site doesn’t have a SQL database it may still be vulnerable to SQL-like data

injection, command injection, and similar hacks.

Chapter 5: Breaking Authentication Schemes

Chapter 5 covers one of the oldest attacks in computer security: brute force password

guessing against the login prompt. Yet brute force attacks aren’t the only way that a

site’s authentication scheme falls apart. This chapter covers alternate attack vectors

and the countermeasures that will—and will not—protect the site.

Chapter 6: Abusing Design Deficiencies

Chapter 6 covers a more interesting type of attack that blurs the line between technical

prowess and basic curiosity. Attacks that target a site’s business logic vary as

much as Web sites do, but many have common techniques or target poor site designs

in ways that can lead to direct financial gain for the attacker. This chapter talks about

the site is put together as a whole, how attackers try to find loopholes for their personal

benefit, and what developers can do when faced with a problem that doesn’t

have an easy programming checklist.

Chapter 7: Leveraging Platform Weaknesses

Even the most securely coded Web site can be crippled by a poor configuration

setting. This chapter explains how server administrators might make mistakes that

expose the Web site to attack. The chapter also covers how the site’s developers

might also leave footholds for attackers by creating areas of the site where security is

based more on assumption and obscurity than well-thought-out measures.

Chapter 8: Web of Distrust

The final chapter brings Web security back to the browser. It covers the ways in

which malicious software, malware, has been growing as a threat on the Web. The

chapter also describes ways that users can protect themselves when the site’s security

is out of their hands.

Screenshot

Purchase Now !
Just with Paypal

Product details

Price
File Size	15,034 KB
Pages	284 p
File Type	PDF format
ISBN	978-1-59749-951-4
Copyright	2012 Elsevier, Inc

Index

Access

to files, 210

restrictions, 235–236

to Web Storage, 128

Access control check, 210

Access control policies, 204

Access-control-allow-credentials, 4

Access-control-allow-headers, 4

Access-control-allow-methods, 4

Access-control-allow-origin, 4

Access-control-expose-headers, 4

Access-control-max-age, 4–5

Access-control-request-headers, 4

Access-control-request-method, 4

Adobe Flex 3.3 SDK DOM-based XSS, 64

addslashes() function, 135

Algorithm complexity attacks, 233–234

alt.2600.moderated, 226–227

Anagrams, 213

Apache server use, 68–69

ArrayBuffer object, 10

Attack camouflage, with percent encoding, 50

Attack vectors, 30

bar code, 125

QR code, 125, 126

Authentication attacks, 142

brute force, 145–146

gullibility, 152

gulls, 151–152

passwords resetting, 149

payload syntax, 151

paypal versus paypa1, 152

session token, replaying, 142

CSRF, 143

network sniffing, 143–144

password, 143

security context, 142–143

SQL injection, 143

XSS, 143

session token, reverse engineering

pseudo-code, 144

strong session tokens, 144

using hash function, 144–145

sniffing, 146

cryptography, aphorism in, 148

privileged network position, 147

session cookies with tcpdump, capturing, 147

sniffing unencrypted traffic, 147

stealing cookies, firesheep automation, 148

SQL injection, 150

success/failure signaling, 146

XSS, 149–150

Authenticated actions without passwords, attacking,

Authentication schemes, breaking

See also HTML injection

ambiguous HTML tags, 61

and Chrome, 62

browsers challenges, 60

incomplete payloads, 61

Markup Fixup, 60–61

payloads creation, 62

SAMY MySpace XSS worm, 60

Brute force, 145–146, 178, 181

Built-in XSS defenses, 76

anti-XSS defenses, 77

modern browsers on simple XSS, 77

CAPTCHA. See Completely Automated Public

Turing test to tell Computers and

Humans Apart

Cascading Style Sheets (CSS), 36–37

files, 154, 213

templates, 29–30

CDN. See Content delivery network

Character

decoding, 68

encoding, 49, 115

references, 53

Character sets, abuse of, 48–49

See also HTML injection

attack camouflage, with percent encoding, 50

character encoding, 49

encoding

alternate for 0X00, 54

importance of, 54–56

0X00, 50–54

“onmouseover” attack, 56

payload construction, 55–56

UTF-7 standard, 49

XSS with styling and JavaScript libraries and

Unicode, 56

Chosen plaintext attack, 191

Chrome

browser quirks, 62

HTTPS Everywhere plugin for, 260

Clickjacking, 91, 93

HTML for hack, 92–93

iframe’s opacity and size, 91

overlay for, 92–93

targets, framed and positioned, 92

visual sleight-of-hand, 91–92

Completely Automated Public Turing test to tell

Computers and Humans Apart (CAPTCHA), 164

Content delivery network (CDN), 81–82, 213

Controlling database, 123

Microsoft SQL server extensions, 124

MySQL extensions, 124

Controlling operating system, 123

CORS. See Cross-Origin Request Sharing

Credit cards, xi

Cross-Origin Request Sharing (CORS), 3, 102

request headers, 3–4

access-control-request-headers, 4

access-control-request-method, 4

origin, 3–4

response headers, 4–5

access-control-allow-credentials, 4

access-control-allow-headers, 4

access-control-allow-methods, 4

access-control-allow-origin, 4

access-control-expose-headers, 4

access-control-max-age, 4–5

Same Origin Policy, 6

Cross-site request forgery (CSRF), 80, 83, 143,

180, 240

attack, 29

attacker forces, 85

authenticated actions, attacking, 89

Bing, 84

browser’s request headers, 80

browsers requests, 81

CDN, 81–82

clickjacking, 91

cross-site request forgery attack, 81

CSRF drama, 83

defending web browser, 103

forced query, 85

forgery aspect, 85

furtive attacker, 83

using src attribute in image file, 83

<img> tag, 84

hand-waving, 84

and HTML injection, 89

HTTP and HTTPS, 82

mashup, 82

phishing attack, 81

printed page to browser, 24

random site, 84

request forgery via forced browsing, 85–87

root problems, 94

Same Origin policy, 82

tangled web, 90

unwitting victim’s search habits, 83

user-agent, 80, 81

vulnerability and verisimilitude, 104

XSS vulnerabilities, 93–94

Cross-site request forgery attack, 81

Cross-site scripting (XSS), 23, 93, 130, 171, 227

See also HTML injection

Adobe Flex 3.3 SDK DOM-based, 64

advisories, 63–64

attack, 24, 28–29

impact, 66

data redirection, 66–67

payload, 66

weaknesses and coding mistakes, 67

with JavaScript libraries, 56

Macromedia Flash ad user tracking, vulnerability

in, 63

pop-up windows, 29

in Safari RSS reader, 64

searching for, 47

with styling, 56

with Unicode, 56

universal XSS in PDF files, 64

Cryptographic hashing algorithms, 197–198

Cryptography, implementation errors in, 188

encryption with bit-flipping, attacking,

193–194

block-based ciphers, 194

ECB encryption problem, 194–195

worst-case scenario, 194

xxd and openssl commands, 193–194

encryption with replay, attacking, 193

insufficient randomness, 188

message authentication code length-extension

attacks, 195–197

apply length extension attack, 198–199

complete message fits within, 198

cryptographic hashing algorithms,

197–198

fully padded message, 200

HMAC, 201

MAC derivation, 196–197

payloads, 201

SHA-1 hash, 196

using JavaScript, 199–200

using shasum command, 196

XOR, 189

ciphertext, 190–192

ECB, 190

encryption, 190

using JavaScript, 191–192

transmutation functions, 189–190

XOR cipher, 190

XOR operations, 191

CSRF. See Cross-site request forgery

CSS. See Cascading Style Sheets

Data encryption, 138

encryption techniques, 138

Hash algorithms, 139

segregation, 139

Data frame, 11–13

Defensive programming, 205

Denial of Service (DoS), 13, 183, 217, 237

attacking programming languages, 232

hash collisions, 233–234

regular expressions, 232

network, 237

DENY, 103

Design deficiencies, abuse of

countermeasures, employing of, 202

client verification, 205

defensive programming, 205

documenting requirements, 202

encryption guidelines, 205–206

mapping policies, to controls, 204

robust test case creating, 203–204

logic and design attacks, 174

cryptography, implementation errors in,

188–189, 195–196

denial of service, 183

induction, 180

information sieves, 201

insecure design patterns, 183–186, 188

policies and practice exploitation, 175

workflows, abuse of, 175

Direct Web Remoting (DWR), 35, 101

DNS. See Domain Name System

DNS and origins, 246–247

spoofing

dnsspoof tool, 247

dsniff tool, 247

DNSSEC. See DNS Security Extensions

dnsspoof tool, 247

document.location property, 36

Document Object Model (DOM), 2–3, 26–27, 246

document.location property, 36

DOM-based XSS, 35–36

Document Type Definition (DTD), 64–65

do_something() function, 44

DOM. See Document Object Model

Domain Name System (DNS), 261

DoS. See Denial of Service

“Double decode” vulnerability, 54

Double submit, 100

Draft APIs, 20

dsniff tool, 247

DTD. See Document Type Definition

DWR. See Direct Web Remoting

ECB. See Electronic code book

ECB encryption problem, 194–195

Electronic code book (ECB), 190

Electronic Frontier Foundation (EFF)

in browser fingerprinting, 252

Panopticlick, 252

Element attributes, 42–44

Elements and text nodes, 44

Encoding

HTML encoding, 39–40

and normalizing character sets, 69–70

output, 70–71

percent encoding, 39–40, 50

attack camouflage with, 50

special characters, 31

entity encoding for, 71

0X00, 50–54, 53

Encryption guidelines, 205–206

Encryption with bit-flipping, attacking, 193–194

block-based ciphers, 194

ECB encryption problem, 194–195

worst-case scenario, 194

xxd and openssl commands, 193–194

Encryption with replay, attacking, 193

Enterprising hacker, 172

hack targeted, 172–173

logic-based attacks, 173–174

Entity encoding, 71

Entity Tags (ETags), 251

Ephemeral HTML injection, 37–38

vulnerability, 76

Errors, exploitation, 117–120

ETags. See Entity Tags

EV. See Extended Validation

EVSSL. See Extended Verification SSL

Exposed APIs, 224

Extended Validation (EV), 167

Extended Verification SSL (EVSSL), 253

Failure mode exploitation, 56–57

See also HTML injection

code point, 58–59

mb_* family, 58

naive PHP developer, 57–58

Favored hacking technique, 59

File access

and path traversal, 216–217

restricting, 235–236

Firefox

Firebug plugin, 211

Greasemonkey, plugin, 245

HTTPS Everywhere plugin for, 260

Web Console, 211

Firefox, version 8.0.1

and Chrome, 62

ambiguous HTML fixation and XSS creation, 63

incorrect building of elements, 53

NoScript plug-in, 67

Firefox browsers, 29–30

Flickr’s web API, 201

Form fields, 31–33

Framed content, 21

Furtive Attacker, 83–84

GCD. See Greatest common divisor

GET method, 46

and <img> tag, 86–87

GET request, 5, 224

ggl_hints parameter, 28

Google Web Toolkit (GWT), 35

Grammar injection, 186

Grammar-based payloads, 171

Grammatical hacking tangents, 113

Greatest common divisor (GCD), 219

Gullibility, 151–152

GWT. See Google Web Toolkit

Hacking, 48

favored technique, 59

grammatical hacking tangents, 113

persistent HTML injection, 48

mathematical hacking tangents, 112

Hand-waving, 84

Hash

algorithms, 139

collisions, 233–235

functions, 100

Hash-based MAC (HMAC), 201

Heading in right direction, CSRF

anti-framing via JavaScript, 102

dependable origin, 94

CSRF attacks characteristic, 95

HTML host using “reset password”, 95–96

<img> tag, 96

origin header, 94–95

resources, 96

traffic capture, 95

XHR request, 95

framing solution, 103

DENY, 103

SAMEORIGIN, 103

security measure, 103

HTTP headers, 94

manual confirmation, 101

shared secrets, 99

mirror the cookie, 100–101

predictable tokens, 99–100

secret tokens, 99

Same Origin Policy understanding, 101–102

unreliable referer, 96–98

referer header, 96

X-marks-the-spot, 98–99

Higher order XSS. See Out of band HTML

injection

History API, 19, 20

HMAC. See Hash-based MAC

HPP. See HTTP Parameter Pollution

href attribute, 53

href value, 53

HTML. See HyperText Markup Language

HTML and JavaScript, 211–212

anonymous functions, 211

common clues, 212–216

poisoned context menu, 212–211

web security tenet, 211

HTML injection

See also HTML injection

browsers’ built-in XSS defenses, 76

anti-XSS defenses, 77

modern browsers and simple

XSS, 77

character sets and encoding normalization,

69–70

encoding output, 70–71

entity encoding, 71

NFKC, 70

race condition, 69

don’t reimplement, 73

exclusion lists and regexes, 71–73

insecure code, reusing, 73

JavaScript sandboxes, 73–74

HTML5 <iframe> sandboxes, 74–76

sandbox attribute for <iframe> tags, 75

prevention, 67

static character set fixing, 68–69

Apache server use, 68–69

character encoding and decoding, 68

HTML4 and HTML5, 68

web sites and character sets, 68

xxd commands, 193–194

Zed attack proxy, 33–34

traffic monitoring, 252

●▬▬▬▬▬❂❂❂▬▬▬▬▬●

●▬▬❂❂▬▬●

●▬❂▬●

●❂●

═════● ●═════

Hacking Web Apps. Syngress

Detecting and Preventing Web

Application Security Problems

Mike Shema

Contact Form