List of Figures

Chapter 1: General Approach to Security Testing

Figure 1-1: Standard combination padlock used to secure possessions

Chapter 2: Using Threat Models for Security Testing

Figure 2-1: High-level data flow diagram for the functionality that enables a user to send a link to a Web page to a specific e-mail address

Chapter 3: Finding Entry Points

Figure 3-1: Using SysInternal's FileMon to monitor which files and folders are accessed by an application
Figure 3-2: Security properties for a file
Figure 3-3: Output from running FileExtInfo.exe
Figure 3-4: Output from running Netstat.exe to show the current network connections on a machine
Figure 3-5: Monitoring HTTP traffic
Figure 3-6: Breaking an HTTP request into subparts to identify testing needs
Figure 3-7: Using Web Proxy Editor to trap HTTP traffic
Figure 3-8: Output from Pipelist.exe showing all of the pipes created on a particular machine
Figure 3-9: Using Viewplgs.exe to discover the installed protocol handlers and the applications that handle them
Figure 3-10: RegMon monitoring registry access
Figure 3-11: Using Process Explorer to view the command-line arguments used to launch an application
Figure 3-12: Displaying the Environment Variables dialog box
Figure 3-13: Using Process Explorer to view the environment variables for a process

Chapter 4: Becoming a Malicious Client

Figure 4-1: Ethereal showing the list of packets captured (top pane), decoded details of the selected packet (middle pane), and raw packet data (bottom pane)
Figure 4-2: MITM configured to allow modification of telnet client requests
Figure 4-3: Changing the terminal emulation specified in the network request from ansi to anything in MITM
Figure 4-4: The Ethereal decoder, which shows the hex data 00 50 in the request is the client requesting a width of 80
Figure 4-5: Simple HTML form example
Figure 4-6: Sample HTML form that allows ordering a maximum of four tickets
Figure 4-7: Using Web Proxy Editor to modify the number of tickets to reserve to exceed the allowed maximum value
Figure 4-8: Successfully reserving more tickets than allowed by manipulating the normal Web request
Figure 4-9: Ethereal showing two cookies were issued by the server: rootCookie and ASPSESSIONIDAABSATRT
Figure 4-10: Ethereal showing two cookies were sent to the server: rootCookie and ASPSESSIONIDAABSATRT
Figure 4-11: Making custom HTTP requests in WFetch to test many variations of a single request quickly
Figure 4-12: Changing the numeric Ticketcount value to an alphabetic value, which results in a server-side VBScript runtime error

Chapter 5: Becoming a Malicious Server

Figure 5-1: A rogue program listening specifically for requests for IP address 192.168.1.188 on port 8080
Figure 5-2: Binary data sent to the telnet client using NEW-ENVIRON asking the client to send the user variable named USERDOMAIN
Figure 5-3: XML response from the server that contains files that should be cached by the client

Chapter 6: Spoofing

Figure 6-1: Dialog box asking whether the link to http://www.microsoft.com should be opened
Figure 6-2: A single quotation mark included in the URL to create a confusing UI
Figure 6-3: Reassuring the user with a sentence claiming the link is safe
Figure 6-4: Adding text on a separate line by including a CR/LF in the input
Figure 6-5: Adding so many CR/LFs that some of the text and Yes/No buttons scroll off the bottom of the screen and aren't viewable. This link actually loads http://www.example.com not http://www.microsoft.com.
Figure 6-6: Log file format
Figure 6-7: Spoofing a log entry using control characters
Figure 6-8: Z-order spoofing, which can help fool the user into clicking Yes in this dialog box
Figure 6-9: Using pop-up windows to cover the normal security warning and insert conflicting text

Chapter 7: Information Disclosure

Figure 7-1: Using Process Explorer to see the handles used by Microsoft Money 2005
Figure 7-2: Filemon Filter dialog box, which can be used to reduce the amount of information that is monitored
Figure 7-3: Output of Filemon while monitoring Microsoft Money 2005
Figure 7-4: JPEG metadata from a picture taken with a digital camera
Figure 7-5: Output of Strings on a Word document containing the word world
Figure 7-6: In eDoc, viewing the contents of a Word document that has a text file embedded
Figure 7-7: Viewing the contents of a ZIP file that has the text file included
Figure 7-8: Web site displaying a database error

Chapter 8: Buffer Overflows and Stack and Heap Manipulation

Figure 8-1: A stack just before a function is called
Figure 8-2: The return address placed on the stack
Figure 8-3: The function pushing local variables onto the stack
Figure 8-4: Input copied sequentially into the buffer
Figure 8-5: Overwriting data outside the allocated space
Figure 8-6: Inserting the return address supplied by the attacker
Figure 8-7: Unsigned short data representation
Figure 8-8: Signed short data representation
Figure 8-9: Using an unsigned long data type with only 32 bits of space to process the binary equivalent of 4,295,000,000
Figure 8-10: Problems that can arise when interface or function declarations change over time
Figure 8-11: The Root Entry text
Figure 8-12: Binary data in the format the program expects
Figure 8-13: Inserting data to lengthen the string using a binary editor
Figure 8-14: Overwriting data to lengthen the string using a binary editor
Figure 8-15: Excluding the null byte
Figure 8-16: An exception thrown
Figure 8-17: Gflags.exe output
Figure 8-18: The corrupted variable
Figure 8-19: A binary editor's view of a sample Meat.Pizza file
Figure 8-20: OverHeated.Pizza, which causes Pizza.exe to crash
Figure 8-21: Changing the content of the input data
Figure 8-22: Example of Unicode data
Figure 8-23: Example of exploited Unicode
Figure 8-24: The value of the /GS security cookie
Figure 8-25: The value of the /GS security cookie and its location in memory
Figure 8-26: Code actually checking the cookie
Figure 8-27: The /GS dialog box

Chapter 9: Format String Attacks

Figure 9-1: Debugging Pickle.exe

Chapter 10: HTML Scripting Attacks

Figure 10-1: HTML output in the Microsoft Windows Help and Support Center user interface
Figure 10-2: Error message returned on a Web site when a search term could not be found
Figure 10-3: An alert displayed on a Web site when a script is included in the query string
Figure 10-4: An XSS bug could be exploited to copy a victim's cookie to another Web site
Figure 10-5: Entries included in the guestbook
Figure 10-6: Script injected into a guestbook entry
Figure 10-7: Attributes enclosed in single quotation marks, double quotation marks, and no quotation marks
Figure 10-8: Using the Style property of the <input> tag to change the font to Wingdings
Figure 10-9: The local HTML file echoing the data supplied following the hash mark
Figure 10-10: HTML source, which doesn't contain the user-supplied data in the local XSS exploit
Figure 10-11: A bitmap resource located in shdoclc.dll displayed in Internet Explorer by using the res protocol
Figure 10-12: Nullsoft Winamp displaying the artist and title information in a playlist
Figure 10-13: The Find Window in Spy++
Figure 10-14: The properties of an MP3, which can be modified in Windows Explorer
Figure 10-15: Script included in the MP3 file properties running in the My Computer zone when the HTML playlist is displayed
Figure 10-16: An ASP.NET exception, which is thrown if input that might lead to an HTML scripting attack is encountered
Figure 10-17: The Information bar, which is displayed to warn users about active content attempting to run on their computer

Chapter 11: XML Issues

Figure 11-1: Including angle brackets in content of the Car element, which causes a parser error (not well-formed XML)
Figure 11-2: An easy way to read a WSDL and send custom values when calling SOAP methods in WebService Studio

Chapter 12: Canonicalization Issues

Figure 12-1: Using dir /x to display the short filename form of a file with a long filename
Figure 12-2: Using OverlongUTF to generate the overlong UTF-8 encodings of a character

Chapter 13: Finding Weak Permissions

Figure 13-1: An example of a multiple-stage attack that elevates privilege to the System account
Figure 13-2: Permissions dialog box for a registry key
Figure 13-3: Advanced security settings for a registry key
Figure 13-4: Permissions entry for registry key
Figure 13-5: Results of running AccessEnum on the Program Files directory
Figure 13-6: Viewing the handles of an application in Process Explorer
Figure 13-7: Windows Security warning for a directory that has incorrect ACE order
Figure 13-8: Permissions on testdatabase for the user test
Figure 13-9: How the stored procedure still executes even though permissions are denied for the SELECT command

Chapter 14: Denial of Service Attacks

Figure 14-1: Dr. Watson dialog box for a buggy application that just crashed
Figure 14-2: A graph in Performance Monitor that indicates a leak in a sample application
Figure 14-3: Scatter plot of the data from Table 14-1

Chapter 15: Managed Code Issues

Figure 15-1: User security for an object in unmanaged code
Figure 15-2: User security and code security interacting in managed code
Figure 15-3: Overview of how CAS policy works
Figure 15-4: Intersection of permissions from the four policy levels
Figure 15-5: Example of a full stack walk caused by a demand for Permission X
Figure 15-6: Example of a link demand that succeeds for a fully trusted assembly
Figure 15-7: Example of a link demand that fails for a partially trusted assembly
Figure 15-8: Example of an assembly asserting for Permission X, thus allowing the call to the method to succeed
Figure 15-9: Example of using deny to remove a permission for subsequent callers
Figure 15-10: Example of a deny being reversed because a subsequent caller asserts for the permission
Figure 15-11: Example of how PermitOnly can be used to grant only a single permission
Figure 15-12: Partially trusted assembly calling into an assembly marked APTCA
Figure 15-13: Fully trusted assembly marked APTCA asserts file access permission, allowing partially trusted assemblies to use the File API.
Figure 15-14: Fully trusted assembly using a link demand to check permission is bypassed when an assembly marked APTCA allows a partially trusted assembly to use the File API.
Figure 15-15: APTCA assembly being loaded by a UserControl hosted in a browser, which allows an attacker to write any file to the victim's machine
Figure 15-16: Using ILDASM to see manifest information for an APTCA assembly

Chapter 16: SQL Injection

Figure 16-1: SQL Server Profiler showing the SQL statements when a stored procedure is executed

Chapter 17: Observation and Reverse Engineering

Figure 17-1: Saving and comparing two documents with a one-character difference, which reveals the string length is stored in the 4 bytes preceding the string
Figure 17-2: Viewing which APIs are called and the parameters used in the call in Log Viewer
Figure 17-3: Error message in Expiration.exe that warns the software cannot be used because the trial period has expired
Figure 17-4: Viewing the Expiration.exe call stack, which quickly reveals that MessageBoxA is used to display the error message
Figure 17-5: CPU window showing the call to MessageBoxA as the cause of the display of the expiration error dialog box
Figure 17-6: An OllyDbg shortcut menu that allows you to navigate easily to code that refers to a selected line of code
Figure 17-7: Successful patching of the binary, which allows the Expiration program to load regardless of the date
Figure 17-8: Registering software by entering a name and serial code
Figure 17-9: Setting breakpoints on APIs in the Command Line window
Figure 17-10: Parameter names automatically matched up with PUSH operations in OllyDbg
Figure 17-11: Setting a breakpoint on a memory location to allow easy runtime discovery of any code that accesses that memory
Figure 17-12: The IDA Functions Window
Figure 17-13: The five calls to the printf function
Figure 17-14: Using the IDA debugger to determine there is a format string bug

Chapter 18: ActiveX Repurposing Attacks

Figure 18-1: The display when the referenced ActiveX control is installed on the machine
Figure 18-2: The display when the referenced ActiveX control is not installed on the machine
Figure 18-3: Object Browser, shown here with the DHTML Edit Control loaded
Figure 18-4: OLEView
Figure 18-5: TypeLib viewer in OLEView
Figure 18-6: A Forms.CommandButton control loaded in the ActiveX Control Test Container tool
Figure 18-7:
Figure 18-8: The control in Internet Explorer
Figure 18-9: The Launch External Editor dialog box
Figure 18-10: A control that launches WordPad
Figure 18-11: Invoking a different editor
Figure 18-12: The cmd.exe window that appears with the Calculator
Figure 18-13: The Launch External Editor dialog box
Figure 18-14: A spoofed Launch External Editor dialog box
Figure 18-15: The Open Document dialog box, which pulls text from the attacker's Web page
Figure 18-16: The ActiveX control that obtains the HTML source

Chapter 19: Additional Repurposing Attacks

Figure 19-1: Microsoft Excel warns about requests for external data.
Figure 19-2: A warning dialog box that appears when a page on one domain attempts to call a SOAP method in another domain

Chapter 20: Reporting Security Bugs

Figure 20-1: Responsible disclosure process


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156