This book is the sum of chapters, each of which describes one aspect of the Hacking Exposed web application attack methodology. This structure forms the backbone of this book, for without a methodology, this would be nothing but a heap of information without context or meaning. It is the map by which we will chart our progress throughout the book.
In this chapter, we take a broad overview of web application hacking tools and techniques while showing concrete examples. Buckle your seatbelt, Dorothy, because Kansas is going bye-bye.
The first step in any methodology is often one of the most critical, and profiling is no exception. This chapter illustrates the process of reconnaissance in prelude to attacking a web application and its associated infrastructure.
No application can be secured if it's built on a web platform that's full of security holes. This chapter describes attacks, detection evasion techniques, and countermeasures for the most popular web platforms, including IIS, Apache, PHP, and ASP.NET.
This chapter covers attacks and countermeasures for common web authentication mechanisms, including password-based, multifactor (e.g., SecureID, Passmark, and CAPTCHA), and online authentication services like Passport.
See how to excise the heart of any web application's access controls through advanced session analysis, hijacking, and fixation techniques.
From Cross-Site Scripting to HTTP Response Splitting, the essence of most web attacks is unexpected application input. In this chapter, we review the classic categories of malicious input, from overlong input (like buffer overflows) to canonicalization attacks (like the infamous dot-dot-slash), and reveal the metacharacters that should always be regarded with suspicion (including angle brackets, quotes, single quote, double dashes, percent, asterisk, underscore, newline, ampersand, pipe, and semicolon), plus stealth-encoding techniques and input validation/output encoding countermeasures.
SQL Injection is arguably the most devastating web application attack paradigm around, since it strikes at the heart of any web app, the valuable data it stores. This chapter describes basic SQL syntax and how it is commonly abused, and then explores advanced variations on the basic techniques, including Blind SQL injection and platform-specific variations including MySQL and Oracle.
Don't drop the SOAP, because this chapter will reveal how Web Services vulnerabilities are discovered and exploited through techniques including WSDL disclosure, input injection, external entity injection, and XPath injection.
If the front door is locked, try the back! This chapter reveals the most common web application management attacks against remote server management, web content management/authoring, admin misconfigurations, and developer-driven mistakes.
Did you know that your web browser is actually an effective portal through which unsavory types can enter directly into your homes and offices? Take a tour of the nastiest Firefox and IE exploits around, and then follow our "10 Steps to a Safer Internet Experience" (along with dozens of additional countermeasures listed in this chapter) so you can breathe a little easier when you browse.
The rise of the botnets has elevated DoS from online hooliganism to an effective Internet extortion tool. Furthermore, online business models that seek to capitalize on the distributed scale of the Web have unique exposure to distributed attacks like click fraud. See how DoS has graduated from the old school (infrastructure DoS) to the new (application-layer DDoS).
We take a brief departure from zero-knowledge/black-box analysis in this chapter to explain the advantages of a robust full-knowledge/white-box web application security assessment methodology, including threat modeling, code review, security testing, and how to integrate security into the overall web application development life cycle.
This chapter is aimed at IT operations staff and managers for medium-to-large enterprises who need to automate our web application assessment methodology so that it is scalable, consistent, and delivers acceptable return on investment. The majority of this chapter is devoted to a review of the available web app security scanning tools commissioned specifically for this edition.
Last but not least, we cap the book off with a series of useful appendices that include a comprehensive Web Application Security Checklist, our Web Hacking Tools and Techniques Cribsheet, some hands-on deployment advice for the "web server firewalls" URLScan and ModSecurity, and a short description of the resources available on the book's companion web site, http://www.webhackingexposed.com.
Clearly, this book could be read from start to finish for a soup-to-nuts portrayal of web application penetration testing. However, like Hacking Exposed, we have attempted to make each chapter stand on its own so the book can be digested in modular chunks, suitable to the frantic schedules of our target audience.
Moreover, we have strictly adhered to the clear, readable, and concise writing style that readers overwhelmingly responded to in Hacking Exposed. We know you're busy and you need the straight dirt without a lot of doubletalk and needless jargon. As a reader of Hacking Exposed once commented, "Reads like fiction, scares like hell!"
We think you will be just as satisfied reading from beginning to end as you would piece by piece, but it's built to withstand either treatment.
Two features appear at the end of most chapters in this book: a summary and "References and Further Reading" section.
The summary is exactly what it sounds like, a brief synopsis of the major concepts covered in the chapter, with an emphasis on countermeasures. We would expect that if you read each chapter's summary, you would know how to harden a web application to just about any form of attack.
The "References and Further Reading" section in each chapter includes hyperlinks, ISBN numbers, and any other bits of information necessary to locate each and every item referenced in the chapter, including vendor security bulletins and patches, third-party advisories, commercial and freeware tools, web hacking incidents in the news, and general background reading that amplifies or expands on the information presented in the chapter. You will thus find few hyperlinks within the body text of the chapters themselves. If you need to find something, turn to the end of the chapter, and it will be there. We hope this consolidation of external references into one container improves your overall enjoyment of the book.
As with Hacking Exposed, the basic building blocks of this book are the attacks and countermeasures discussed in each chapter.
The attacks are highlighted here as they are throughout the Hacking Exposed series:
Highlighting attacks like this makes it easy to identify specific penetration-testing tools and methodologies, and points you right to the information you need to convince management to fund your new security initiative.
Each attack is also accompanied by a Risk Rating, scored exactly as in Hacking Exposed, as shown next.
Popularity: The frequency of use in the wild against live targets, 1 being most rare, 10 being widely used.
Simplicity: The degree of skill necessary to execute the attack, 10 being little or no skill, 1 being seasoned security programmer.
Impact: The potential damage caused by successful execution of the attack, 1 being revelation of trivial information about the target, 10 being superuser account compromise or equivalent.
Risk Rating: The preceding three values are averaged to give the overall risk rating and rounded to the next highest whole number.
We have also followed the Hacking Exposed line when it comes to countermeasures, which follow each attack or series of related attacks. The countermeasure icon remains the same:
This should be a flag to draw your attention to critical-fix information.
We've also made prolific use of visually enhanced Note, Tip, and Caution icons to highlight those nagging little details that often get overlooked.