Chapter 2: Profiling

Overview

Profiling (the tactics used to research and pinpoint how web sites are structured and their applications work) is a critical, but often overlooked, aspect of web hacking. The most effective attacks are informed by rigorous homework that illuminates as much about the inner workings of the application as possible, including all of the web pages, applications, and input/output command structures on the site.

The diligence and rigor of the profiling process and the amount of time invested in it are often directly related to the quality of the security issues identified across the entire site, and it frequently differentiates "script-kiddie" assessments that find the "low-hanging fruit," such as simple SQL injection or buffer overflow attacks, from truly revealing penetration of the core business logic of the application.

There are many tools and techniques that are used in web profiling, but after reading this chapter, you'll be well on your way to becoming an expert. Our discussion of profiling is divided into two segments:

  • Infrastructure Profiling

  • Application Profiling

We've selected this organizational structure because the mindset, approach, and outcome inherent to each type of profiling are somewhat different. Infrastructure profiling focuses on relatively invariant, "off-the-shelf" components of the web application (we use the term off-the-shelf loosely here to include all forms of commonly re-used software, including freeware, open source, and commercial). Usually, vulnerabilities in these components are easy to identify and subsequently exploit. Application profiling, on the other hand, addresses the unique structure and features of an individual, highly customized web application. Application vulnerabilities may be subtle and may take substantial research to detect and exploit. Not surprisingly, our discussion of application profiling thus takes up the bulk of this chapter.

We'll conclude with a brief discussion of general countermeasures against common profiling tactics.



HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
EAN: 2147483647
Year: 2006
Pages: 127
