Introduction

Previous page
Table of content
Next page

Introduction

In the grab bag of countless hacking techniques, Web hacking is by far the most elegant (if we dare use such praise). The simplicity and elegance of using a common browser to mount the most devastating attacks is pure brilliance, and they are events to behold. Sometimes difficult to fathom, Web hacking techniques can be trivial yet have devastating consequences. Did you know that a perfectly placed "%%" can blow a gaping hole in the security of your online e-commerce application?

Carrying out a Web hack is like performing microsurgery through a small opening. The operation requires the finest of touches and the most deliberate of actions. The opening is delicate and narrow but the inner workings are those of an enormous and complex system. In addition, the tools that a hacker needs to successfully attack e-commerce systems must be funneled through the same small opening. That minute, pinhole opening is the Uniform Resource Locator (URL), also known as the Uniform Resource Identifier (URI). The URL is sometimes the only mechanism for communicating with the large, complex systems (a.k.a. "juicy targets") lying behind the most secure firewalls.

In Chapter 2, we discussed the fundamentals of HTTP and how the protocol itself works. In this chapter, we take a look at the URL what it is, how it helps the attacker, what it is capable of exposing, and how much damage can be caused by its misuse. Throughout this chapter, we delve into the finer points of the simple URL and examine how Web developers and information technology groups consistently overlook its risk to their environments.

The majority of Web hacks today are quite elegant. The attacker usually starts with simple steps, such as studying how the Web site is laid out (as we discuss in Chapter 6). Every probe of the Web site leads the attacker deeper inside. The elegance of these attacks lies in the fact that the hacker needs only an Internet browser, because the URL is the carrier for most attack payloads.

Concepts covered in this chapter are:

         URL structure

         URL encoding

         ASCII codes represented in hexadecimal and Unicode

         Meta-characters and how they affect an application

         HTML forms and parameter passing

A thorough discussion of HTTP, HTML, and URL specifications is beyond the scope of this book. However, we highlight key concepts here, especially those relevant to Web application security.

If you want to dig deeper into the intricate details of URLs and HTTP, the best resources available are the Internet RFCs. RFC 1738 is the initial draft on URLs, which was superseded by RFCs 1808 and 2396. RFC 1945 describes HTTP v1.0, which was superseded by RFCs 2068 and 2616 for HTTP v1.1. Internet RFCs are available at http://www.ietf.org/rfc/.

 


Previous page
Table of content
Next page
Web Hacking(c) Attacks and Defense
Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
Authors: Stuart McClure, Saumil Shah, Shreeraj Shah
BUY ON AMAZON
Java I/O
Crystal Reports 9 on Oracle (Database Professionals)
Network Security Architectures
File System Forensic Analysis
Junos Cookbook (Cookbooks (OReilly))
HTI+ Home Technology Integrator & CEDIA Installer I All-In-One Exam Guide
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy