2. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i
The Web Application
Hacker’s Handbook
Discovering and Exploiting Security Flaws
Dafydd Stuttard
Marcus Pinto
Wiley Publishing, Inc.
4. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page i
The Web Application
Hacker’s Handbook
Discovering and Exploiting Security Flaws
Dafydd Stuttard
Marcus Pinto
Wiley Publishing, Inc.
6. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iii
About the Authors
Dafydd Stuttard is a Principal Security Consultant at Next Generation Secu-
rity Software, where he leads the web application security competency. He has
nine years’ experience in security consulting and specializes in the penetration
testing of web applications and compiled software.
Dafydd has worked with numerous banks, retailers, and other enterprises
to help secure their web applications, and has provided security consulting to
several software manufacturers and governments to help secure their com-
piled software. Dafydd is an accomplished programmer in several languages,
and his interests include developing tools to facilitate all kinds of software
security testing.
Dafydd has developed and presented training courses at the Black Hat secu-
rity conferences around the world. Under the alias “PortSwigger,” Dafydd cre-
ated the popular Burp Suite of web application hacking tools. Dafydd holds
master’s and doctorate degrees in philosophy from the University of Oxford.
Marcus Pinto is a Principal Security Consultant at Next Generation Security
Software, where he leads the database competency development team, and
has lead the development of NGS’ primary training courses. He has eight
years’ experience in security consulting and specializes in penetration testing
of web applications and supporting architectures.
Marcus has worked with numerous banks, retailers, and other enterprises to
help secure their web applications, and has provided security consulting to the
development projects of several security-critical applications. He has worked
extensively with large-scale web application deployments in the financial ser-
vices industry.
Marcus has developed and presented database and web application train-
ing courses at the Black Hat and other security conferences around the world.
Marcus holds a master’s degree in physics from the University of Cambridge.
iii
7. 70779ffirs.qxd:WileyRed 9/17/07 12:11 PM Page iv
Credits
Executive Editor Vice President and Executive Publisher
Carol Long Joseph B. Wikert
Development Editor Project Coordinator, Cover
Adaobi Obi Tulton Lynsey Osborn
Production Editor Compositor
Christine O’Connor Happenstance Type-O-Rama
Copy Editor Proofreader
Foxxe Editorial Services Kathryn Duggan
Editorial Manager Indexer
Mary Beth Wakefield Johnna VanHoose Dinse
Production Manager Anniversary Logo Design
Tim Tate Richard Pacifico
Vice President and Executive Group
Publisher
Richard Swadley
iv
8. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page v
Contents
Acknowledgments xxiii
Introduction xxv
Chapter 1 Web Application (In)security 1
The Evolution of Web Applications 2
Common Web Application Functions 3
Benefits of Web Applications 4
Web Application Security 5
“This Site Is Secure” 6
The Core Security Problem: Users Can Submit Arbitrary Input 8
Key Problem Factors 9
Immature Security Awareness 9
In-House Development 9
Deceptive Simplicity 9
Rapidly Evolving Threat Profile 10
Resource and Time Constraints 10
Overextended Technologies 10
The New Security Perimeter 10
The Future of Web Application Security 12
Chapter Summary 13
Chapter 2 Core Defense Mechanisms 15
Handling User Access 16
Authentication 16
Session Management 17
Access Control 18
Handling User Input 19
Varieties of Input 20
Approaches to Input Handling 21
v
9. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vi
vi Contents
“Reject Known Bad” 21
“Accept Known Good” 21
Sanitization 22
Safe Data Handling 22
Semantic Checks 23
Boundary Validation 23
Multistep Validation and Canonicalization 26
Handling Attackers 27
Handling Errors 27
Maintaining Audit Logs 29
Alerting Administrators 30
Reacting to Attacks 31
Managing the Application 32
Chapter Summary 33
Questions 34
Chapter 3 Web Application Technologies 35
The HTTP Protocol 35
HTTP Requests 36
HTTP Responses 37
HTTP Methods 38
URLs 40
HTTP Headers 41
General Headers 41
Request Headers 41
Response Headers 42
Cookies 43
Status Codes 44
HTTPS 45
HTTP Proxies 46
HTTP Authentication 47
Web Functionality 47
Server-Side Functionality 48
The Java Platform 49
ASP.NET 50
PHP 50
Client-Side Functionality 51
HTML 51
Hyperlinks 51
Forms 52
JavaScript 54
Thick Client Components 54
State and Sessions 55
Encoding Schemes 56
URL Encoding 56
Unicode Encoding 57
10. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page vii
Contents vii
HTML Encoding 57
Base64 Encoding 58
Hex Encoding 59
Next Steps 59
Questions 59
Chapter 4 Mapping the Application 61
Enumerating Content and Functionality 62
Web Spidering 62
User-Directed Spidering 65
Discovering Hidden Content 67
Brute-Force Techniques 67
Inference from Published Content 70
Use of Public Information 72
Leveraging the Web Server 75
Application Pages vs. Functional Paths 76
Discovering Hidden Parameters 79
Analyzing the Application 79
Identifying Entry Points for User Input 80
Identifying Server-Side Technologies 82
Banner Grabbing 82
HTTP Fingerprinting 82
File Extensions 84
Directory Names 86
Session Tokens 86
Third-Party Code Components 87
Identifying Server-Side Functionality 88
Dissecting Requests 88
Extrapolating Application Behavior 90
Mapping the Attack Surface 91
Chapter Summary 92
Questions 93
Chapter 5 Bypassing Client-Side Controls 95
Transmitting Data via the Client 95
Hidden Form Fields 96
HTTP Cookies 99
URL Parameters 99
The Referer Header 100
Opaque Data 101
The ASP.NET ViewState 102
Capturing User Data: HTML Forms 106
Length Limits 106
Script-Based Validation 108
Disabled Elements 110
Capturing User Data: Thick-Client Components 111
Java Applets 112
11. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page viii
viii Contents
Decompiling Java Bytecode 114
Coping with Bytecode Obfuscation 117
ActiveX Controls 119
Reverse Engineering 120
Manipulating Exported Functions 122
Fixing Inputs Processed by Controls 123
Decompiling Managed Code 124
Shockwave Flash Objects 124
Handling Client-Side Data Securely 128
Transmitting Data via the Client 128
Validating Client-Generated Data 129
Logging and Alerting 131
Chapter Summary 131
Questions 132
Chapter 6 Attacking Authentication 133
Authentication Technologies 134
Design Flaws in Authentication Mechanisms 135
Bad Passwords 135
Brute-Forcible Login 136
Verbose Failure Messages 139
Vulnerable Transmission of Credentials 142
Password Change Functionality 144
Forgotten Password Functionality 145
“Remember Me” Functionality 148
User Impersonation Functionality 149
Incomplete Validation of Credentials 152
Non-Unique Usernames 152
Predictable Usernames 154
Predictable Initial Passwords 154
Insecure Distribution of Credentials 155
Implementation Flaws in Authentication 156
Fail-Open Login Mechanisms 156
Defects in Multistage Login Mechanisms 157
Insecure Storage of Credentials 161
Securing Authentication 162
Use Strong Credentials 162
Handle Credentials Secretively 163
Validate Credentials Properly 164
Prevent Information Leakage 166
Prevent Brute-Force Attacks 167
Prevent Misuse of the Password Change Function 170
Prevent Misuse of the Account Recovery Function 170
Log, Monitor, and Notify 172
Chapter Summary 172
12. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page ix
Contents ix
Chapter 7 Attacking Session Management 175
The Need for State 176
Alternatives to Sessions 178
Weaknesses in Session Token Generation 180
Meaningful Tokens 180
Predictable Tokens 182
Concealed Sequences 184
Time Dependency 185
Weak Random Number Generation 187
Weaknesses in Session Token Handling 191
Disclosure of Tokens on the Network 192
Disclosure of Tokens in Logs 196
Vulnerable Mapping of Tokens to Sessions 198
Vulnerable Session Termination 200
Client Exposure to Token Hijacking 201
Liberal Cookie Scope 203
Cookie Domain Restrictions 203
Cookie Path Restrictions 205
Securing Session Management 206
Generate Strong Tokens 206
Protect Tokens throughout Their Lifecycle 208
Per-Page Tokens 211
Log, Monitor, and Alert 212
Reactive Session Termination 212
Chapter Summary 213
Questions 214
Chapter 8 Attacking Access Controls 217
Common Vulnerabilities 218
Completely Unprotected Functionality 219
Identifier-Based Functions 220
Multistage Functions 222
Static Files 222
Insecure Access Control Methods 223
Attacking Access Controls 224
Securing Access Controls 228
A Multi-Layered Privilege Model 231
Chapter Summary 234
Questions 235
Chapter 9 Injecting Code 237
Injecting into Interpreted Languages 238
Injecting into SQL 240
Exploiting a Basic Vulnerability 241
Bypassing a Login 243
Finding SQL Injection Bugs 244
Injecting into Different Statement Types 247
13. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page x
x Contents
The UNION Operator 251
Fingerprinting the Database 255
Extracting Useful Data 256
An Oracle Hack 257
An MS-SQL Hack 260
Exploiting ODBC Error Messages (MS-SQL Only) 262
Enumerating Table and Column Names 263
Extracting Arbitrary Data 265
Using Recursion 266
Bypassing Filters 267
Second-Order SQL Injection 271
Advanced Exploitation 272
Retrieving Data as Numbers 273
Using an Out-of-Band Channel 274
Using Inference: Conditional Responses 277
Beyond SQL Injection: Escalating the Database Attack 285
MS-SQL 286
Oracle 288
MySQL 288
SQL Syntax and Error Reference 289
SQL Syntax 290
SQL Error Messages 292
Preventing SQL Injection 296
Partially Effective Measures 296
Parameterized Queries 297
Defense in Depth 299
Injecting OS Commands 300
Example 1: Injecting via Perl 300
Example 2: Injecting via ASP 302
Finding OS Command Injection Flaws 304
Preventing OS Command Injection 307
Injecting into Web Scripting Languages 307
Dynamic Execution Vulnerabilities 307
Dynamic Execution in PHP 308
Dynamic Execution in ASP 308
Finding Dynamic Execution Vulnerabilities 309
File Inclusion Vulnerabilities 310
Remote File Inclusion 310
Local File Inclusion 311
Finding File Inclusion Vulnerabilities 312
Preventing Script Injection Vulnerabilities 312
Injecting into SOAP 313
Finding and Exploiting SOAP Injection 315
Preventing SOAP Injection 316
Injecting into XPath 316
Subverting Application Logic 317
14. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xi
Contents xi
Informed XPath Injection 318
Blind XPath Injection 319
Finding XPath Injection Flaws 320
Preventing XPath Injection 321
Injecting into SMTP 321
Email Header Manipulation 322
SMTP Command Injection 323
Finding SMTP Injection Flaws 324
Preventing SMTP Injection 326
Injecting into LDAP 326
Injecting Query Attributes 327
Modifying the Search Filter 328
Finding LDAP Injection Flaws 329
Preventing LDAP Injection 330
Chapter Summary 331
Questions 331
Chapter 10 Exploiting Path Traversal 333
Common Vulnerabilities 333
Finding and Exploiting Path Traversal Vulnerabilities 335
Locating Targets for Attack 335
Detecting Path Traversal Vulnerabilities 336
Circumventing Obstacles to Traversal Attacks 339
Coping with Custom Encoding 342
Exploiting Traversal Vulnerabilities 344
Preventing Path Traversal Vulnerabilities 344
Chapter Summary 346
Questions 346
Chapter 11 Attacking Application Logic 349
The Nature of Logic Flaws 350
Real-World Logic Flaws 350
Example 1: Fooling a Password Change Function 351
The Functionality 351
The Assumption 351
The Attack 352
Example 2: Proceeding to Checkout 352
The Functionality 352
The Assumption 353
The Attack 353
Example 3: Rolling Your Own Insurance 354
The Functionality 354
The Assumption 354
The Attack 355
Example 4: Breaking the Bank 356
The Functionality 356
The Assumption 357
The Attack 358
15. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xii
xii Contents
Example 5: Erasing an Audit Trail 359
The Functionality 359
The Assumption 359
The Attack 359
Example 6: Beating a Business Limit 360
The Functionality 360
The Assumption 361
The Attack 361
Example 7: Cheating on Bulk Discounts 362
The Functionality 362
The Assumption 362
The Attack 362
Example 8: Escaping from Escaping 363
The Functionality 363
The Assumption 364
The Attack 364
Example 9: Abusing a Search Function 365
The Functionality 365
The Assumption 365
The Attack 365
Example 10: Snarfing Debug Messages 366
The Functionality 366
The Assumption 367
The Attack 367
Example 11: Racing against the Login 368
The Functionality 368
The Assumption 368
The Attack 368
Avoiding Logic Flaws 370
Chapter Summary 372
Questions 372
Chapter 12 Attacking Other Users 375
Cross-Site Scripting 376
Reflected XSS Vulnerabilities 377
Exploiting the Vulnerability 379
Stored XSS Vulnerabilities 383
Storing XSS in Uploaded Files 385
DOM-Based XSS Vulnerabilities 386
Real-World XSS Attacks 388
Chaining XSS and Other Attacks 390
Payloads for XSS Attacks 391
Virtual Defacement 391
Injecting Trojan Functionality 392
Inducing User Actions 394
Exploiting Any Trust Relationships 394
Escalating the Client-Side Attack 396
16. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xiii
Contents xiii
Delivery Mechanisms for XSS Attacks 399
Delivering Reflected and DOM-Based XSS Attacks 399
Delivering Stored XSS Attacks 400
Finding and Exploiting XSS Vulnerabilities 401
Finding and Exploiting Reflected XSS Vulnerabilities 402
Finding and Exploiting Stored XSS Vulnerabilities 415
Finding and Exploiting DOM-Based XSS Vulnerabilities 417
HttpOnly Cookies and Cross-Site Tracing 421
Preventing XSS Attacks 423
Preventing Reflected and Stored XSS 423
Preventing DOM-Based XSS 427
Preventing XST 428
Redirection Attacks 428
Finding and Exploiting Redirection Vulnerabilities 429
Circumventing Obstacles to Attack 431
Preventing Redirection Vulnerabilities 433
HTTP Header Injection 434
Exploiting Header Injection Vulnerabilities 434
Injecting Cookies 435
Delivering Other Attacks 436
HTTP Response Splitting 436
Preventing Header Injection Vulnerabilities 438
Frame Injection 438
Exploiting Frame Injection 439
Preventing Frame Injection 440
Request Forgery 440
On-Site Request Forgery 441
Cross-Site Request Forgery 442
Exploiting XSRF Flaws 443
Preventing XSRF Flaws 444
JSON Hijacking 446
JSON 446
Attacks against JSON 447
Overriding the Array Constructor 447
Implementing a Callback Function 448
Finding JSON Hijacking Vulnerabilities 449
Preventing JSON Hijacking 450
Session Fixation 450
Finding and Exploiting Session Fixation Vulnerabilities 452
Preventing Session Fixation Vulnerabilities 453
Attacking ActiveX Controls 454
Finding ActiveX Vulnerabilities 455
Preventing ActiveX Vulnerabilities 456
Local Privacy Attacks 458
Persistent Cookies 458
Cached Web Content 458
17. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xiv
xiv Contents
Browsing History 459
Autocomplete 460
Preventing Local Privacy Attacks 460
Advanced Exploitation Techniques 461
Leveraging Ajax 461
Making Asynchronous Off-Site Requests 463
Anti-DNS Pinning 464
A Hypothetical Attack 465
DNS Pinning 466
Attacks against DNS Pinning 466
Browser Exploitation Frameworks 467
Chapter Summary 469
Questions 469
Chapter 13 Automating Bespoke Attacks 471
Uses for Bespoke Automation 472
Enumerating Valid Identifiers 473
The Basic Approach 474
Detecting Hits 474
HTTP Status Code 474
Response Length 475
Response Body 475
Location Header 475
Set-cookie Header 475
Time Delays 476
Scripting the Attack 476
JAttack 477
Harvesting Useful Data 484
Fuzzing for Common Vulnerabilities 487
Putting It All Together: Burp Intruder 491
Positioning Payloads 492
Choosing Payloads 493
Configuring Response Analysis 494
Attack 1: Enumerating Identifiers 495
Attack 2: Harvesting Information 498
Attack 3: Application Fuzzing 500
Chapter Summary 502
Questions 502
Chapter 14 Exploiting Information Disclosure 505
Exploiting Error Messages 505
Script Error Messages 506
Stack Traces 507
Informative Debug Messages 508
Server and Database Messages 509
Using Public Information 511
Engineering Informative Error Messages 512
18. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xv
Contents xv
Gathering Published Information 513
Using Inference 514
Preventing Information Leakage 516
Use Generic Error Messages 516
Protect Sensitive Information 517
Minimize Client-Side Information Leakage 517
Chapter Summary 518
Questions 518
Chapter 15 Attacking Compiled Applications 521
Buffer Overflow Vulnerabilities 522
Stack Overflows 522
Heap Overflows 523
“Off-by-One” Vulnerabilities 524
Detecting Buffer Overflow Vulnerabilities 527
Integer Vulnerabilities 529
Integer Overflows 529
Signedness Errors 529
Detecting Integer Vulnerabilities 530
Format String Vulnerabilities 531
Detecting Format String Vulnerabilities 532
Chapter Summary 533
Questions 534
Chapter 16 Attacking Application Architecture 535
Tiered Architectures 535
Attacking Tiered Architectures 536
Exploiting Trust Relationships between Tiers 537
Subverting Other Tiers 538
Attacking Other Tiers 539
Securing Tiered Architectures 540
Minimize Trust Relationships 540
Segregate Different Components 541
Apply Defense in Depth 542
Shared Hosting and Application Service Providers 542
Virtual Hosting 543
Shared Application Services 543
Attacking Shared Environments 544
Attacks against Access Mechanisms 545
Attacks between Applications 546
Securing Shared Environments 549
Secure Customer Access 549
Segregate Customer Functionality 550
Segregate Components in a Shared Application 551
Chapter Summary 551
Questions 551
19. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xvi
xvi Contents
Chapter 17 Attacking the Web Server 553
Vulnerable Web Server Configuration 553
Default Credentials 554
Default Content 555
Debug Functionality 555
Sample Functionality 556
Powerful Functions 557
Directory Listings 559
Dangerous HTTP Methods 560
The Web Server as a Proxy 562
Misconfigured Virtual Hosting 564
Securing Web Server Configuration 565
Vulnerable Web Server Software 566
Buffer Overflow Vulnerabilities 566
Microsoft IIS ISAPI Extensions 567
Apache Chunked Encoding Overflow 567
Microsoft IIS WebDav Overflow 567
iPlanet Search Overflow 567
Path Traversal Vulnerabilities 568
Accipiter DirectServer 568
Alibaba 568
Cisco ACS Acme.server 568
McAfee EPolicy Orcestrator 568
Encoding and Canonicalization Vulnerabilities 568
Allaire JRun Directory Listing Vulnerability 569
Microsoft IIS Unicode Path Traversal Vulnerabilities 569
Oracle PL/SQL Exclusion List Bypasses 570
Finding Web Server Flaws 571
Securing Web Server Software 572
Choose Software with a Good Track Record 572
Apply Vendor Patches 572
Perform Security Hardening 573
Monitor for New Vulnerabilities 573
Use Defense-in-Depth 573
Chapter Summary 574
Questions 574
Chapter 18 Finding Vulnerabilities in Source Code 577
Approaches to Code Review 578
Black-Box vs. White-Box Testing 578
Code Review Methodology 579
Signatures of Common Vulnerabilities 580
Cross-Site Scripting 580
SQL Injection 581
Path Traversal 582
Arbitrary Redirection 583
20. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xvii
Contents xvii
OS Command Injection 584
Backdoor Passwords 584
Native Software Bugs 585
Buffer Overflow Vulnerabilities 585
Integer Vulnerabilities 586
Format String Vulnerabilities 586
Source Code Comments 586
The Java Platform 587
Identifying User-Supplied Data 587
Session Interaction 589
Potentially Dangerous APIs 589
File Access 589
Database Access 590
Dynamic Code Execution 591
OS Command Execution 591
URL Redirection 592
Sockets 592
Configuring the Java Environment 593
ASP.NET 594
Identifying User-Supplied Data 594
Session Interaction 595
Potentially Dangerous APIs 596
File Access 596
Database Access 597
Dynamic Code Execution 598
OS Command Execution 598
URL Redirection 599
Sockets 600
Configuring the ASP.NET Environment 600
PHP 601
Identifying User-Supplied Data 601
Session Interaction 603
Potentially Dangerous APIs 604
File Access 604
Database Access 606
Dynamic Code Execution 607
OS Command Execution 607
URL Redirection 608
Sockets 608
Configuring the PHP Environment 609
Register Globals 609
Safe Mode 610
Magic Quotes 610
Miscellaneous 611
Perl 611
Identifying User-Supplied Data 612
21. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xviii
xviii Contents
Session Interaction 613
Potentially Dangerous APIs 613
File Access 613
Database Access 613
Dynamic Code Execution 614
OS Command Execution 614
URL Redirection 615
Sockets 615
Configuring the Perl Environment 615
JavaScript 616
Database Code Components 617
SQL Injection 617
Calls to Dangerous Functions 618
Tools for Code Browsing 619
Chapter Summary 620
Questions 621
Chapter 19 A Web Application Hacker’s Toolkit 623
Web Browsers 624
Internet Explorer 624
Firefox 624
Opera 626
Integrated Testing Suites 627
How the Tools Work 628
Intercepting Proxies 628
Web Application Spiders 633
Application Fuzzers and Scanners 636
Manual Request Tools 637
Feature Comparison 640
Burp Suite 643
Paros 644
WebScarab 645
Alternatives to the Intercepting Proxy 646
Tamper Data 647
TamperIE 647
Vulnerability Scanners 649
Vulnerabilities Detected by Scanners 649
Inherent Limitations of Scanners 651
Every Web Application Is Different 652
Scanners Operate on Syntax 652
Scanners Do Not Improvise 652
Scanners Are Not Intuitive 653
Technical Challenges Faced by Scanners 653
Authentication and Session Handling 653
Dangerous Effects 654
Individuating Functionality 655
Other Challenges to Automation 655
22. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xix
Contents xix
Current Products 656
Using a Vulnerability Scanner 658
Other Tools 659
Nikto 660
Hydra 660
Custom Scripts 661
Wget 662
Curl 662
Netcat 663
Stunnel 663
Chapter Summary 664
Chapter 20 A Web Application Hacker’s Methodology 665
General Guidelines 667
1. Map the Application’s Content 669
1.1. Explore Visible Content 669
1.2. Consult Public Resources 670
1.3. Discover Hidden Content 670
1.4. Discover Default Content 671
1.5. Enumerate Identifier-Specified Functions 671
1.6. Test for Debug Parameters 672
2. Analyze the Application 672
2.1. Identify Functionality 673
2.2. Identify Data Entry Points 673
2.3. Identify the Technologies Used 673
2.4. Map the Attack Surface 674
3. Test Client-Side Controls 675
3.1. Test Transmission of Data via the Client 675
3.2. Test Client-Side Controls over User Input 676
3.3. Test Thick-Client Components 677
3.3.1. Test Java Applets 677
3.3.2. Test ActiveX controls 678
3.3.3. Test Shockwave Flash objects 678
4. Test the Authentication Mechanism 679
4.1. Understand the Mechanism 680
4.2. Test Password Quality 680
4.3. Test for Username Enumeration 680
4.4. Test Resilience to Password Guessing 681
4.5. Test Any Account Recovery Function 682
4.6. Test Any Remember Me Function 682
4.7. Test Any Impersonation Function 683
4.8. Test Username Uniqueness 683
4.9. Test Predictability of Auto-Generated Credentials 684
4.10. Check for Unsafe Transmission of Credentials 684
4.11. Check for Unsafe Distribution of Credentials 685
23. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xx
xx Contents
4.12. Test for Logic Flaws 685
4.12.1. Test for Fail-Open Conditions 685
4.12.2. Test Any Multistage Mechanisms 686
4.13. Exploit Any Vulnerabilities to Gain Unauthorized Access 687
5. Test the Session Management Mechanism 688
5.1. Understand the Mechanism 689
5.2. Test Tokens for Meaning 689
5.3. Test Tokens for Predictability 690
5.4. Check for Insecure Transmission of Tokens 691
5.5. Check for Disclosure of Tokens in Logs 692
5.6. Check Mapping of Tokens to Sessions 692
5.7. Test Session Termination 693
5.8. Check for Session Fixation 694
5.9. Check for XSRF 694
5.10. Check Cookie Scope 695
6. Test Access Controls 696
6.1. Understand the Access Control Requirements 696
6.2. Testing with Multiple Accounts 697
6.3. Testing with Limited Access 697
6.4. Test for Insecure Access Control Methods 698
7. Test for Input-Based Vulnerabilities 699
7.1. Fuzz All Request Parameters 699
7.2. Test for SQL Injection 702
7.3. Test for XSS and Other Response Injection 704
7.3.1. Identify Reflected Request Parameters 704
7.3.2. Test for Reflected XSS 705
7.3.3. Test for HTTP Header Injection 705
7.3.4. Test for Arbitrary Redirection 706
7.3.5. Test for Stored Attacks 706
7.4. Test for OS Command Injection 707
7.5. Test for Path Traversal 709
7.6. Test for Script Injection 711
7.7. Test for File Inclusion 711
8. Test for Function-Specific Input Vulnerabilities 712
8.1. Test for SMTP Injection 712
8.2. Test for Native Software Vulnerabilities 713
8.2.1. Test for Buffer Overflows 713
8.2.2. Test for Integer Vulnerabilities 714
8.2.3. Test for Format String Vulnerabilities 714
8.3. Test for SOAP Injection 715
8.4. Test for LDAP Injection 715
8.5. Test for XPath Injection 716
9. Test for Logic Flaws 717
9.1. Identify the Key Attack Surface 717
9.2. Test Multistage Processes 718
9.3. Test Handling of Incomplete Input 718
24. 70779toc.qxd:WileyRed 9/16/07 5:07 PM Page xxi
Contents xxi
9.4. Test Trust Boundaries 719
9.5. Test Transaction Logic 719
10. Test for Shared Hosting Vulnerabilities 720
10.1. Test Segregation in Shared Infrastructures 720
10.2. Test Segregation between ASP-Hosted Applications 721
11. Test for Web Server Vulnerabilities 721
11.1. Test for Default Credentials 722
11.2. Test for Default Content 722
11.3. Test for Dangerous HTTP Methods 722
11.4. Test for Proxy Functionality 723
11.5. Test for Virtual Hosting Misconfiguration 723
11.6. Test for Web Server Software Bugs 723
12. Miscellaneous Checks 724
12.1. Check for DOM-Based Attacks 724
12.2. Check for Frame Injection 725
12.3. Check for Local Privacy Vulnerabilities 726
12.4. Follow Up Any Information Leakage 726
12.5. Check for Weak SSL Ciphers 727
Index 729
26. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxiii
Acknowledgments
Our primary debt is to the directors and our other colleagues at Next Genera-
tion Security Software, who have provided a creative working environment,
promoted sharing of knowledge, and supported us during the months spent
producing this book. In particular, we received direct assistance from Chris
Anley, Dave Armstrong, Dominic Beecher, David Litchfield, Adam Matthews,
Dave Spencer, and Peter Winter-Smith.
In addition to our immediate colleagues, we are greatly indebted to the
wider community of researchers who have shared their ideas and contributed
to the collective understanding of web application security issues that exists
today. Because this is a practical handbook rather than a work of scholarship,
we deliberately avoided filling it with a thousand citations of influential arti-
cles, books, and blog postings which spawned the ideas involved. We hope
that people whose work we discuss anonymously are content with the general
credit given here.
We are grateful to the people at Wiley, in particular to Carol Long for enthusi-
astically supporting our project from the outset, to Adaobi Obi Tulton for helping
to polish our manuscript and coaching us in the quirks of “American English,”
and to Christine O’Connor’s team for delivering a first-rate production.
A large measure of thanks is due to our respective partners, Becky and
Susan, for tolerating the significant distraction and time involved in producing
a book of this size.
Both authors are indebted to the people who led us into our unusual line of
work. Dafydd would like to thank Martin Law. Martin is a great guy who first
taught me how to hack, and encouraged me to spend my time developing tech-
niques and tools for attacking applications. Marcus would like to thank his par-
ents for a great many things, a significant one being getting me into computers.
I’ve been getting into computers ever since.
xxiii
28. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxv
Introduction
This book is a practical guide to discovering and exploiting security flaws in
web applications. By “web application” we mean an application that is accessed
by using a web browser to communicate with a web server. We examine a wide
variety of different technologies, such as databases, file systems, and web ser-
vices, but only in the context in which these are employed by web applications.
If you want to learn how to run port scans, attack firewalls, or break into
servers in other ways, we suggest you look elsewhere. But if you want to know
how to hack into a web application, steal sensitive data, and perform unau-
thorized actions, then this is the book for you. There is enough that is interest-
ing and fun to say on that subject without straying into any other territory.
Overview of This Book
The focus of this book is highly practical. While we include sufficient back-
ground and theory for you to understand the vulnerabilities that web applica-
tions contain, our primary concern is with the tasks and techniques that you
need to master in order to break into them. Throughout the book, we spell out
the specific steps that you need to take to detect each type of vulnerability, and
how to exploit it to perform unauthorized actions. We also include a wealth of
real-world examples, derived from the authors’ many years of experience, illus-
trating how different kinds of security flaw manifest themselves in today’s web
applications.
Security awareness is usually a two-edged sword. Just as application devel-
opers can benefit from understanding the methods used by attackers, hackers
xxv
29. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxvi
xxvi Introduction
can gain from knowing how applications can effectively defend themselves. In
addition to describing security vulnerabilities and attack techniques, we also
describe in detail the countermeasures that applications can take to thwart an
attacker. For those of you who perform penetration tests of web applications,
this will enable you to provide high-quality remediation advice to the owners
of the applications you compromise.
Who Should Read This Book
The primary audience for this book is anyone with a personal or professional
interest in attacking web applications. It is also aimed at anyone responsible
for developing and administering web applications — knowing how your
enemy operates will help you to defend against them.
We assume that the reader is familiar with core security concepts, such as
logins and access controls, and has a basic grasp of core web technologies,
such as browsers, web servers, and HTTP. However, any gaps in your current
knowledge of these areas will be easy to remedy, through either the explana-
tions contained within this book or references elsewhere.
In the course of illustrating many categories of security flaws, we provide
code extracts showing how applications can be vulnerable. These examples
are simple enough to be understood without any prior knowledge of the lan-
guage in question but will be most useful if you have some basic experience of
reading or writing code.
How This Book Is Organized
This book is organized roughly in line with the dependencies between the dif-
ferent topics covered. If you are new to web application hacking, you should
read the book through from start to finish, acquiring the knowledge and under-
standing you need to tackle later chapters. If you already have some experience
in this area, you can jump straight into any chapter or subsection that particu-
larly interests you. Where necessary, we have included cross-references to other
chapters, which you can use to fill in any gaps in your understanding.
We begin with three context-setting chapters describing the current state of
web application security and the trends that indicate how it is likely to evolve
in the near future. We examine the core security problem affecting web appli-
cations and the defense mechanisms that applications implement to address
this problem. We also provide a primer in the key technologies used in today’s
web applications.
The bulk of the book is concerned with our core topic — the techniques that
you can use to break into web applications. This material is organized around
30. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxvii
Introduction xxvii
the key tasks that you need to perform to carry out a comprehensive attack:
from mapping the application’s functionality, scrutinizing and attacking its
core defense mechanisms, to probing for specific categories of security flaws.
The book concludes with three chapters that pull together the various
strands introduced within the book. We describe the process of finding vul-
nerabilities in an application’s source code, review the tools that can assist you
when hacking web applications, and present a detailed methodology for per-
forming a comprehensive and deep attack against a specific target.
Chapter 1, “Web Application (In)security,” describes the current state of
security in web applications on the Internet today. Despite common assur-
ances, the majority of applications are insecure and can be compromised in
some way with a modest degree of skill. Vulnerabilities in web applications
arise because of a single core problem: users can submit arbitrary input. In this
chapter, we examine the key factors that contribute to the weak security pos-
ture of today’s applications, and describe how defects in web applications can
leave an organization’s wider technical infrastructure highly vulnerable to
attack.
Chapter 2, “Core Defense Mechanisms,” describes the key security mecha-
nisms that web applications employ to address the fundamental problem that
all user input is untrusted. These mechanisms are the means by which an
application manages user access, handles user input, and responds to attack-
ers, and the functions provided for administrators to manage and monitor the
application itself. The application’s core security mechanisms also represent
its primary attack surface, and you need to understand how these mechanisms
are intended to function before you can effectively attack them.
Chapter 3, “Web Application Technologies,” provides a short primer on the
key technologies that you are likely to encounter when attacking web applica-
tions. This covers all relevant aspects of the HTTP protocol, the technologies
commonly used on the client and server sides, and various schemes used for
encoding data. If you are already familiar with the main web technologies,
then you can quickly skim through this chapter.
Chapter 4, “Mapping the Application,” describes the first exercise that you
need to take when targeting a new application, which is to gather as much
information as possible about it, in order to map its attack surface and formu-
late your plan of attack. This process includes exploring and probing the appli-
cation to catalogue all of its content and functionality, identifying all of the
entry points for user input and discovering the technologies in use.
Chapter 5, “Bypassing Client-Side Controls,” describes the first area of
actual vulnerability, which arises when an application relies upon controls
implemented on the client side for its security. This approach is normally
flawed, because any client-side controls can, of course, be circumvented. The
two main ways in which applications make themselves vulnerable are (a) to
transmit data via the client in the assumption that this will not be modified,
31. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxviii
xxviii Introduction
and (b) to rely upon client-side checks on user input. In this chapter, we exam-
ine a range of interesting technologies, including lightweight controls imple-
mented within HTML, HTTP, and JavaScript, and more heavyweight controls
using Java applets, ActiveX controls, and Shockwave Flash objects.
Chapters 6 to 8 examine some of the most important defense mechanisms
implemented within web applications: those responsible for controlling user
access. Chapter 6, “Attacking Authentication,” examines the various functions
by which applications gain assurance of the identity of their users. This
includes the main login function and also the more peripheral authentication-
related functions such as user registration, password changing, and account
recovery. Authentication mechanisms contain a wealth of different vulnerabil-
ities, in both design and implementation, which an attacker can leverage to
gain unauthorized access. These range from obvious defects, such as bad pass-
words and susceptibility to brute-force attacks, to more obscure problems
within the authentication logic. We also examine in detail the type of multi-
stage login mechanisms used in many security-critical applications, and
describe the new kinds of vulnerability which these frequently contain.
Chapter 7, “Attacking Session Management,” examines the mechanism by
which most applications supplement the stateless HTTP protocol with the con-
cept of a stateful session, enabling them to uniquely identify each user across
several different requests. This mechanism is a key target when you are attack-
ing a web application, because if you can break it, then you can effectively
bypass the login and masquerade as other users without knowing their cre-
dentials. We look at various common defects in the generation and transmis-
sion of session tokens, and describe the steps you can take to discover and
exploit these.
Chapter 8, “Attacking Access Controls,” examines the ways in which appli-
cations actually enforce access controls, relying upon the authentication and
session management mechanisms to do so. We describe various ways in which
access controls can be broken and the ways in which you can detect and
exploit these weaknesses.
Chapter 9, “Injecting Code,” covers a large category of related vulnerabili-
ties, which arise when applications embed user input into interpreted code in
an unsafe way. We begin with a detailed examination of SQL injection vulner-
abilities, covering the full range of attacks from the most obvious and trivial to
advanced exploitation techniques involving out-of-band channels, inference,
and time delays. For each kind of vulnerability and attack technique, we
describe the relevant differences between three common types of databases:
MS-SQL, Oracle, and MySQL. We then cover several other categories of injec-
tion vulnerability, including the injection of operating system commands,
injection into web scripting languages, and injection into the SOAP, XPath,
SMTP, and LDAP protocols.
32. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxix
Introduction xxix
Chapter 10, “Exploiting Path Traversal,” examines a small but important
category of vulnerabilities that arise when user input is passed to file system
APIs in an unsafe way, enabling an attacker to retrieve or modify arbitrary
files on the web server. We describe various bypasses that may be effective
against the defenses commonly implemented to prevent path traversal
attacks.
Chapter 11, “Attacking Application Logic,” examines a significant, and fre-
quently overlooked, area of every application’s attack surface: the internal
logic which it carries out to implement its functionality. Defects in an applica-
tion’s logic are extremely varied and are harder to characterize than common
vulnerabilities like SQL injection and cross-site scripting. For this reason, we
present a series of real-world examples where defective logic has left an appli-
cation vulnerable, and thereby illustrate the variety of faulty assumptions
made by application designers and developers. From these different individ-
ual flaws, we w derive a series of specific tests that you can perform to locate
many types of logic flaws that often go undetected.
Chapter 12, “Attacking Other Users,” covers a large and very topical area of
related vulnerabilities which arise when defects within a web application can
enable a malicious user of the application to attack other users and compro-
mise them in various ways. The largest vulnerability of this kind is cross-site
scripting, a hugely prevalent flaw affecting the vast majority of web applica-
tions on the Internet. We examine in detail all of the different flavors of XSS
vulnerabilities, and describe an effective methodology for detecting and
exploiting even the most obscure manifestations of these. We then look at sev-
eral other types of attacks against other users, including redirection attacks,
HTTP header injection, frame injection, cross-site request forgery, session fixa-
tion, exploiting bugs in ActiveX controls, and local privacy attacks.
Chapter 13, “Automating Bespoke Attacks,” does not introduce any new
categories of vulnerability, but instead, describes a crucial technique which
you need to master to attack web applications effectively. Because every web
application is different, most attacks are bespoke (or custom-made) in some
way, tailored to the application’s specific behavior and the ways you have dis-
covered to manipulate it to your advantage. They also frequently require issu-
ing a large number of similar requests and monitoring the application’s
responses. Performing these requests manually is extremely laborious and one
is prone to make mistakes. To become a truly accomplished web application
hacker, you need to automate as much of this work as possible, to make your
bespoke attacks easier, faster, and more effective. In this chapter, we describe
in detail a proven methodology for achieving this.
Chapter 14, “Exploiting Information Disclosure,” examines various ways in
which applications leak information when under active attack. When you are
performing all of the other types of attacks described in this book, you should
always monitor the application to identify further sources of information
33. 70779flast.qxd:WileyRed 9/14/07 3:12 PM Page xxx
xxx Introduction
disclosure that you can exploit. We describe how you can investigate anom-
alous behavior and error messages to gain a deeper understanding of the
application’s internal workings and fine-tune your attack. We also cover ways
of manipulating defective error handling to systematically retrieve sensitive
information from the application.
Chapter 15, “Attacking Compiled Applications,” examines a set of impor-
tant vulnerabilities which arise in applications written in native code lan-
guages like C and C++. These vulnerabilities include buffer overflows, integer
vulnerabilities, and format string flaws. This is a potentially huge topic, and
we focus on ways of detecting these vulnerabilities in web applications, and
look at some real-world examples of how these have arisen and been
exploited.
Chapter 16, “Attacking Application Architecture,” examines an important
area of web application security that is frequently overlooked. Many applica-
tions employ a tiered architecture, and a failure to segregate different tiers
properly often leaves an application vulnerable, enabling an attacker who has
found a defect in one component to quickly compromise the entire applica-
tion. A different range of threats arises in shared hosting environments, where
defects or malicious code in one application can sometimes be exploited to
compromise the environment itself and other applications running within it.
Chapter 17, “Attacking the Web Server,” describes various ways in which
you can target a web application by targeting the web server on which it is
running. Vulnerabilities in web servers are broadly composed of defects in
their configuration and security flaws within the web server software. This
topic is on the boundary of the scope of this book, because the web server is
strictly a different component in the technology stack. However, most web
applications are intimately bound up with the web server on which they run;
therefore, attacks against the web server are included in the book because they
can often be used to compromise an application directly, rather than indirectly
by first compromising the underlying host.
Chapter 18, “Finding Vulnerabilities in Source Code,” describes a com-
pletely different approach to finding security flaws than those described else-
where within this book. There are many situations in which it may be possible
to perform a review of an application’s source code, not all of which require
any cooperation from the application’s owner. Reviewing an application’s
source code can often be highly effective in discovering vulnerabilities that
would be difficult or time-consuming to detect by probing the running appli-
cation. We describe a methodology, and provide a language-by-language cheat
sheet, to enable you to perform an effective code review even if you have very
limited programming experience yourself.
Chapter 19, “A Web Application Hacker’s Toolkit,” pulls together in one place
the various tools described in the course of this book, and which the authors use
when attacking real-world web applications. We describe the strengths and