Understanding Web Languages

The introduction of the Internet has caused an explosion of technology and resulted in a race to see who will provide the dominant web server and backend languages. HTML, the backbone of the web presentation, does not seem to be going away anytime soon, but there is also the race for which web server technology and scripting programmers will use. For example, Microsoft is pushing the Active Server Pages (ASP) and .NET services to aid programmers in dynamic content; however, Sun and IBM are pushing their own engines, too .jhtml and .jsp. With so many possible technologies, as you will see in the rest of the chapter, it is easy to switch from one platform to another without perhaps ever really acquiring a specialist on any single platform. This leaves penetration testers and web hackers with common and predictable website implementations that are not totally secure. Furthermore, penetration testers and web hackers might possibly find sample or demo code on websites, or even poorly designed (and insecure) websites. Every day, websites are defaced and exploited because of lack of total knowledge about web language, design, and server configuration.

This first section covers several of the web languages and some of their history. However, this is only one chapter with a subject that is immense and could easily expand into several detailed books. You should continue to increase your knowledge of the basic languages one by one until you became a well versed web penetration tester. Remember: The more you know, the faster and better you will be able to pick apart a website looking for clues and avenues of entry into the server of the victim.

Table 7-1 lists some of the web extensions you will come across on the web. This should aid you in narrowing what web language a target is using on his back end.

Note

Look at the W3Schools website (http://www.w3schools.com/w3c/default.asp) for great tutorials and information about web technologies and languages.

A basic time line of when each web language or technology started to reach the market also helps to give you an idea of which technologies are new and which are really old (and thus less used today):

• 1960 General Markup Language

• 1969 C Programming

• 1986 Standard Generalized Markup Language (SGML)

• 1987 Perl

• 1989 HTML

• 1991 Java Private to Sun only, Visual Basic 1.0

• 1993 CGI

• 1995 ColdFusion, PHP, JavaScript; Java goes public

• 1996 XML was drafted, JScript, ASP

• 2000 XHTML

Tip

A great location for finding historical information or answers to technology questions is http://www.wikipedia.org/. This site has a free content encyclopedia with thousands of articles.

HTML

HTML is the de facto syntax used today to format web pages. When you open a web page, you see text in different colors, sizes, buttons, list boxes, pictures, and even links to other web pages. All standard web pages are formatted in a predefined structure of HTML. If you open them with a basic editor such as Notepad, you can see the source code used to format the web page. Figure 7-1 shows the source code for a sample web page, called hello.html, within Notepad. If you open the same file within the Internet Explorer or Mozilla Firefox browsers, however, all the element parts are removed and all your eyes see is neat, clean text, as demonstrated in Figure 7-2.

Figure 7-2. HTML Displayed in Browsers

HTML is the syntax used to help give web pages all those pretty colors and features. Originally created in 1989 by Tim Berners-Lee, HTML is based on the slightly older language SGML and on elements. These elements help to tell the formatting program (Mozilla, for example) how to present the data on the screen of the user. For example, look at Figure 7-3.

Figure 7-3. HTML Formatting

The words "This is Wonderful" between the beginning tag <TITLE> and the ending tag </TITLE> are displayed in the title bars of the browsers. Next, you can see the word "Welcome," which is between an opening tag <B> and a closing tag </B>. This tells the browser that all text between these two tags should be bold. HTML was not made to be particularly sophisticated or to provide flashy moving content; rather, it is a static formatting language that has stood the test of time to become a great universal formatter.

As a penetration tester, the better you know HTML and all its ins and outs, the better you will be able to read and understand web pages. You can start to learn the basics at great sites such as these:

http://www.w3.org/MarkUp/

http://www.w3.org/People/Raggett/tidy/

Note

If you want to know more about the history of HTML, always hit the http://www.w3.org website. The World Wide Web Consortium oversees the standard. Also look at http://www.w3.org/People/Berners-Lee/, for notes from the founder of HTML.

DHTML

Dynamic HTML extends standard HTML by allowing control over web pages at the browser of the client. For example, if you go to a website that changes images, launches popup boxes, or has links that change color as you move your mouse over them, that site probably uses DHTML. Within the available elements list for HTML are several that can add tremendous programmer control and flexibility to create Flash animation and powerful web pages. DHTML is used on almost all the bigger websites because it enhances the customer experience.

The DHTML in Example 7-1 demonstrates how to change color from black to yellow when you move your mouse over it. Then in Example 7-2, the DHTML provides two buttons to select all check boxes or deselect all check boxes. It does this by implementing a <SCRIPT> element that describes the use of JavaScript. The JavaScript contains two functions: one to check all boxes and the other to uncheck all boxes. (See Figure 7-4.) These are just a few building block examples of what web developers might use as they create flashy and interactive websites.

Note

You can find an excellent website for tutorials and examples of Dynamic HTML at http://www.w3schools.com/dhtml/.

Example 7-1. Change Color

<HTML>    <HEAD>       <TITLE>Mouse Over Example</TITLE>    </HEAD>    <BODY>       <H1       onmouseover="style.color='yellow'"       onmouseout="style.color='black'">       Mouse over me!       </H1>    </BODY> </HTML>

Example 7-2. Check Box Example

<HTML>    <HEAD>       <TITLE>Check Box Example</TITLE>       <SCRIPT TYPE="text/javascript">          function makeCheck(thisFORM)             {for (i = 0; i < thisFORM.option.length; i++)                 {thisFORM.option[i].checked=true}             }          function makeUncheck(thisFORM)             {for (i = 0; i < thisFORM.option.length; i++)                 {thisFORM.option[i].checked=false}             }       </SCRIPT>    </HEAD>    <BODY>       <FORM NAME="CheckBoxForm">          <INPUT TYPE="button" VALUE="Check"                   onclick="makeCheck(this.form)">          <INPUT TYPE="button" VALUE="Uncheck"                   onclick="makeUncheck(this.form)">          <br />          <INPUT TYPE="checkbox" NAME="option">Hacker<br />          <INPUT TYPE="checkbox" NAME="option">Cracker<br />          <INPUT TYPE="checkbox" NAME="option">Pen tester<br />       </FORM>    </BODY> </HTML>

XML

Like HTML, Extensible Markup Language (XML) was derived from the original SGML standard. It was the next step in the evolution of making data understandable by all types of platforms. Before XML, systems or applications sent data in a specific format that was typically understandable only between the two systems. One sample format was comma-separated value (CSV) files. CSV files were raw data separated by commas or tabs. If you were to open a CSV file that you did not actually create or know a great deal about, you would find it difficult to understand what every data point was. Formats like CSV were easy to make but not expandable or versatile. Then along came the concept of XML, where data can be described and is understandable within the file. XML comes in two parts: the document, which contains data; and the Document Type Definition (DTD), which describes what type of data is stored in the document. Example 7-3 is a DTD called ForSale.dtd that was created for houses for sale.

Example 7-3. Sample DTD

<!ELEMENT ForSale (House*)> <!ELEMENT House ( Year, Bedrooms, Garage, Price, Color)> <!ELEMENT Year (#PCDATA)> <!ELEMENT Bedrooms (#PCDATA)> <!ELEMENT Garage (#PCDATA)> <!ELEMENT Price (#PCDATA)> <!ELEMENT Color (#PCDATA)>

This DTD shows an element called House that contains year, bedrooms, garage, price, and color information. Every house for sale contains this data in that order. Next, look at Example 7-4, which has some data in an XML document that goes with this DTD.

Example 7-4. XML Data Corresponding to the DTD in Example 7-3

<?xml version="1.0" ?> <!DOCTYPE ForSale PUBLIC "." "ForSale.dtd"> <ForSale>    <House>       <Year>1969</Year>       <Bedrooms>4</Bedrooms>       <Garage>2 car</Garage>       <Price>100,000</Price>       <Color>green</Color>    </House>    <House>       <Year>1973</Year>       <Bedrooms>4</Bedrooms>       <Garage>1 car</Garage>       <Price>200,000</Price>       <Color>Blue</Color>     </House>     <House>       <Year>1990</Year>       <Bedrooms>2</Bedrooms>       <Garage>1 car</Garage>       <Price>200,000</Price>       <Color>purple</Color>     </House> </ForSale>

This document stores the data of houses in a verbose way. If you look at it closely enough, you should see three different houses for sale. A simple way to think of XML is that it is just a detailed, longhand way of storing data. One of the greatest features of XML is that it allows you to stylize raw data into other formats. For example, by using XSLT templates, you can convert (style) XML into HTML, Word documents, Excel spreadsheets, or even comma-separated value files.

XHTML

This XML idea for developers took off really well. The W3C has given HTML its final release in HTML 4. The next generation of HTML will be XHTML, which is a combination of XML and HTML. The new structure is still in its early stages but will graduate into a fully functional and adopted technology over the next few years. Keep a lookout for web page changes and new security holes, because new technologies typically contain these in their early days.

JavaScript

JavaScript, originally called LiveScript, is not actually Java. This comes as a surprise to many. Sun Microsystems created Java to be a compiled language. Brendan Eich of Netscape created JavaScript in 1995 as a client-side interpreted language. The only true relationship between the two is the name for marketing hype.

JavaScript has become the standard in client-side scripting for web page developers and browser vendors alike. The language allows the web pages to interact with the users without having to go all the way back to the web server (also known as DHTML). For example, all those nasty popup windows, alert boxes, or forms validating proper e-mail addresses were probably the result of some nice JavaScript coding. As the "DHTML" section demonstrated, JavaScript was used to select all the check boxes or display the time on the web page in the ASP section. It has almost limitless possibilities.

You can write JavaScript directly into the web page, as seen in previous examples and as demonstrated in Example 7-5.

Example 7-5. JavaScript

<HTML>    <HEAD>      <TITLE>JavaScript Example</TITLE>         <SCRIPT language="javascript">             function WelcomePop()             {                 alert("Welcome to JavaScript Hacker!");             }          </SCRIPT>    </HEAD>    <BODY>    Welcome <P>       <FORM>          <INPUT type="button" value="Greeting" onclick="WelcomePop()" />       </FORM>     </BODY> </HTML>

You can also place the code in a completely separate file that is referenced and which usually has the extension of .js. This approach allows developers to share the same JavaScript code across several web pages and is sometimes called "external JavaScript." Example 7-6 demonstrates referencing of a file called js_functions.js, which is displayed in Example 7-7. Several web pages can point to this one file. Also, when developers make bug fixes in one location, all web pages referencing the file are affected.

Example 7-6. Referencing a JavaScript File

<HTML>    <HEAD>       <TITLE>JavaScript Example</TITLE>          <SCRIPT language="javascript" src="/books/3/500/1/html/2/js_functions.js">          </SCRIPT>    </HEAD>    <BODY>    Welcome <P>      <FORM>         <INPUT type="button" value="Greeting" onclick="WelcomePop()" />      </FORM>    </BODY> </HTML>

Example 7-7. js_functions.js File

            function WelcomePop()             {                alert("Welcome to JavaScript Hacker!"); }

For more information about JavaScript and coding examples, check out http://www.w3schools.com/js/default.asp.

Note

JavaScript is on the client side, and hackers can modify it manually. Therefore, when you are hacking a website that is preventing you from sending the data that you want to, make just a simple change to the code on the local web page (if possible) so that you can continue your penetration.

JScript

JScript is the Microsoft version of JavaScript with Internet Explorer. It opens the possibility of using Microsoft ActiveX components and giving developers even more flexibility on the client browser. For more information on JScript, see http://www.microsoft.com.

VBScript

Visual Basic is an easy-to-learn, high-level programming language that has been around since 1991. From Visual Basic, Microsoft created a lightweight interpreted language and called it VBScript. Like JavaScript, VBScript is easy to use and learn and even has massive support groups and websites dedicated to providing free examples and demonstrations on the web. VBScript is used in all things Microsoft, from ASP pages and client-side DHTML to Windows scripting hosts. Even in Windows, new Active Directory .vbs files (VBScript) are being used in place of the common batch files .bat. With all this going for it, VBScript has one small problem: It does not work well on non-Microsoft products. Nevertheless, because Microsoft products dominate the market, this really is not much of an issue.

Perl

Practical Extraction and Report Language (Perl) is one of the oldest scripting languages on the web, dating its creation by Larry Wall back to 1987. Perl is basically a high-level scripting language. Although the language had a slow beginning, it soon evolved into a fantastic scripting language that almost every mainstream operating system today supports:

• Windows

• UNIX and Linux

• MVS by IBM

• Cray supercomputers

• MacOS

• VMS by Digital

• OS/2

• AS/400

Note

Perl.org is a great website to find the latest developments in Perl. It also has a nice time line web page (http://history.perl.org/PerlTimeline.html) that makes an interesting read.

Another useful resource for Perl information is http://www.cpan.com (Comprehensive Perl Archive Network). The site slogan is "Here you will find All Things Perl."

Like VBScript and JavaScript, Perl is typically an interpreted language that you compile on the fly. You can compile it to some degree, however, in the effort to hide source code. The language is extremely powerful and versatile, and you can use it for just about anything from web server-side CGI scripting to hacking tools such as Whisker or even standalone applications.

Note

Because Perl is interpreted, you have to install an interpreter such as ActivePerl from http://www.activestate.com to enable the computer to understand your .pl scripts.

You can also compile Perl scripts into .exe programs by using third-party products such as Perl2Exe. You can locate Perl2Exe at http://www.indigostar.com/perl2exe.htm.

If you are familiar with coding C or UNIX shell style languages, you will notice similarities. In Example 7-8, the Perl script is expecting arguments that will be inserted into new variables called @myvalue. This variable will contain an array of arguments passed into the script for later use. Next, the print statements will create the output shown in Example 7-9.

Example 7-8. Perl Script Code

# This is a comment # The script will print the two arguments @myvalue = @ARGV; print "First: @myvalue[0] \n"; print "Second: @myvalue[1]\n\n"; print @myvalue[0].@myvalue[1];

Example 7-9. Perl Script Output

C:\PerlExample.pl "DAWN" "Security" First: DAWN Second: Security DAWNSecurity C:\

Perl has been around for a long time, and it continually grows in popularity. Several hacking tools/scripts and the like have been built using this free language. Therefore, always keep Perl learning a priority, and watch for it on the web and in your hacking toolsets. Perl is everywhere, so search for great tutorials like http://www.sthomas.net/roberts-perl-tutorial.htm to get you started.

ASP

ASP provides the capability to create truly dynamic content, which neither HTML nor DHTML could ever do. ASP is one of several server-side technologies that allow web servers to dynamically create pages on the fly based on user requests. For example, if you send a search engine a parameter of "cow," it goes to a results page that displays cow information. Now, if a different person goes to the same page but sends "dog," data about dogs comes back on the same requested page. This is classic server-side scripting, which you will see again with CGI, PHP, JSP, JHTML, and CFM. All of these technologies behave similarly to ASP. The server contains a page with the designated extension in this case .asp. This page contains programming code embedded within the HTML text. As the web server processes the page, it removes the code, creates HTML-type content, and returns it to the requester.

Figure 7-5 provides the basis for the following step-by-step example:

Figure 7-5. Basic Server-Side Processing

This is the basic flow of most server-side applications. Now consider a simple ASP-specific example. ASP uses special identifiers such as <% and %> in a web page to notify what is and what is not server-side code. Everything between the two symbols is executed on the web server and then removed before returning the page to the client. Any client-side code such as JavaScript or VBScript then executes at the client browser.

Review the code section in Example 7-10. In this page, you can see some raw ASP code designated by the <% %> symbols. This is what is on the hard disk of the web server. The first section of <%@ language="VBScript" %> tells the web server that the server-side code within this ASP page is VBScript and not JavaScript. The next section

<% response.write now() %> gets the server time (now) and writes it into the HTML web page. The remainder of the text remains unchanged until it reaches the client web browser.

Example 7-10. ASP Code in the Raw Page

<%@ language="VBScript" %> <HTML>    <HEAD>       <TITLE>ASP Example</TITLE>    </HEAD>    <BODY>       Welcome <P>       <B>Server Date and Time is:</B> <% response.write now() %> <P>       <SCRIPT TYPE="text/javascript"><!--          document.write("<B>Client Date and Time is:</B> ")          document.write(new Date())        //-->       </SCRIPT>    </BODY> </HTML>

Example 7-11 shows what the client sees as the source code for the web page that is returned. Notice that all the ASP server-side code has been removed and the now() function has been replaced with the time of the web server at the point of creating the web page. Figure 7-6 displays what the end client browser displays.

Example 7-11. ASP Page Output

<HTML>    <HEAD>       <TITLE>ASP Example</TITLE>    </HEAD>    <BODY>       Welcome <P>       <B>Server Date and Time is:</B> 02/01/2005 19:58:12 <P>       <SCRIPT TYPE="text/javascript"><!--          document.write("<B>Client Date and Time is:</B> ")          document.write(new Date())    //-->      </SCRIPT>    </BODY> </HTML>

ASP as a server-side scripting engine is quite easy to use and contains a powerful set of capabilities. It is flexible enough to accommodate VBScript or JavaScript programmers and is fully supported with a wealth of demos and free scripting examples all over the Internet. To learn more about ASP and sample code, go to http://www.asp101.com.

Note

ASP is typically used on Microsoft IIS server; however, Apache Web servers can also execute ASP pages if you install Sun Java System Active Server Pages, which was formally known as Chilisoft ASP (http://www.sun.com/software/chilisoft/index.xml). If you like ASP but do not like IIS, give this a try.

CGI

Common Gateway Interface (CGI) was just about the first server-side dynamically generating content engine around. It used not VBScript or JavaScript to create pages but typically two older languages: Perl or C. However, CGI could use any of the following languages:

• Any of the UNIX shells

• AppleScript

• C or C++

• Fortran

• Perl

• TCL

• Visual Basic

CGI commonly relied on a directory called cgi-bin as its indicator to determine when to execute code before returning the content to the client. CGI itself is not actually a language but a guideline engine on how to use other languages to create content. Perl was probably the most common language that CGI used. Programmers would create Perl code files, give them the extension of .pl, and then place them in the cgi-bin directory. When the .pl file was requested, the web server would execute it as long as it was located in the cgi-bin folder. For more information about CGI, check out http://www.w3.org and http://hoohoo.ncsa.uiuc.edu/cgi/intro.html.

PHP Hypertext Preprocessor

PHP was originally called Personal Home Page and created by Rasmus Lerdorf back in 1995 when he wanted to know how many times people were visiting his online resume. He created an engine using C and Perl as the back-end and embedded inline code into HTML web pages (similar to ASP or ColdFusion). This allowed his pages to have dynamic content on them. His little project took off and exploded into a free open source cross-platform server-side scripting language that is one of the most highly used server-side engines today. PHP is commonly combined with MySQL and Apache to make a totally free web server solution that you see everywhere on the web today (.php). PHP is now called Hypertext Preprocessor. Up to version 4 is running on the Zend parsing engine.

Like ASP, PHP has tags (symbols) that surround the code embedded within the HTML page. The tags are "<?php" at the start of the code section and "?>" at the end. Example 7-12 shows the same server-side time as done in Example 7-10 for ASP. However, look closely, and you will see PHP code being used instead. The code <?php echo date("r"); ?> uses the echo command to print the results of the date function.

Note

A great place to learn PHP coding is at http://www.php.net or http://www.w3schools.com/php/php_intro.asp.

Example 7-12. PHP Code Output

<HTML>    <HEAD>       <TITLE>PHP Example</TITLE>    </HEAD>    <BODY>       Welcome <P>       <B>Server Date and Time is:</B> <?php echo date("r"); ?> <P>       <SCRIPT TYPE="text/javascript"><!--          document.write("<B>Client Date and Time is:</B> ")          document.write(new Date())       //-->      </SCRIPT>    </BODY> </HTML>

ColdFusion

Back in 1995, two brothers, J.J. and Jeremy Allaire, started a company called Allaire.com. This company went on to create a server-side dynamic web page product called ColdFusion. ColdFusion uses a language called the ColdFusion Markup Language (CFML) to place tags inside the HTML, similar to ASP and PHP. When the server reads the .cfm page from disk, it looks for any tags that start with "<CF" and processes the code within. Example 7-13 shows how to capture the server time using CFML.

Example 7-13. ColdFusion Code

<HTML>    <HEAD>       <TITLE>ColdFusion Example</TITLE>    </HEAD>    <BODY>       Welcome <P>       <B>Server Date and Time is:</B> <cfoutput>Now()</cfoutput> <P>       <SCRIPT TYPE="text/javascript"><!--          document.write("<B>Client Date and Time is:</B> ")          document.write(new Date())       //-->      </SCRIPT>    </BODY> </HTML>

CFML is easy to use and integrates with back-end databases. ColdFusion comes with a powerful developer product called Studio MX. Studio MX is now matched with Macromedia and Flash, making it a nice piece of software to develop websites with. However, ColdFusion has not grown quite as fast as other languages, mainly because it is not free. You have to pay for the Application server and the Studio product for production environments. However, do not lose hope; a development package is free.

The help, wizard, and demos included with ColdFusion are exceptional. With a firm grasp of ColdFusion, you can possibly exploit anyone using the exact demo code or cookie-generated makers. This is not by any means a flaw with ColdFusion; rather, it is the lack of knowledge in implementation of the developer that makes the hole.

Java Once Called Oak

The language formerly called Oak, now called Java, is the famous language that was to solve all portability issues. It has been around for a long time but still has not really taken over the world just yet, as Sun had hoped. The language, created by James Gosling at Sun Microsystems in 1991, was to be the language of the future, giving developers the ability to create Java applications that could run on almost any other platform. The concept is fantastic, and to a degree Java has almost accomplished this goal. However, Java code still suffers from minor compatibility issues during compile time and had been plagued with the stigma of being very slow.

Java is an object-oriented language that has made its way into the Internet and is used in thousands of e-commerce websites. The language, as discussed in the sections that follow, has two main parts: client-based Java and server-based Java.

Client-Based Java

Client-based is the same as saying client-side as in VBScript and JavaScript. Java code is created into a file with a .java extension. Then the file is compiled into bytecode and given an extension of .class. Finally, the code is referenced within HTML by using an <Applet> tag. When a client browser opens the web page, the code is downloaded and ready to be executed if needed. One advantage of client-based Java is that the code in the .class file is obfuscated within bytecode, making it harder to understand the functionality of the code. Although this security through obscurity provides some advantages, a disadvantage is that the clients who want to execute the code must download and install a Java Virtual Machine to compile and execute Java code.

Server-Based Java

Server-based Java is almost exactly the same model used with other server-side systems such as ASP, PHP, and ColdFusion. When the extension .jsp is read, the file is sent to the application server and the servlet is then executed, returning the result to the client browser. Several different application servers are on the market today, but five hold most of the market share:

• JRun 4 by Macromedia

• WebLogic by BEA

• JDeveloper by Oracle

• Java Web Server by Sun

• WebSphere by IBM

Because you can compile Java into bytecode, most developers and system administrators initially considered it to be quite secure. However, you can reverse bytecode using programs called decompilers. One of the fastest and most famous is Java Decompiler (Jad) by Pavel Kouznetsov. (See http://www.kpdus.com/jad.html.) JAD is a command-line decompiler. If you are a Windows GUI guy, download Martin Cowley's Front End Plus from Kouznetsov's website. In the example that follows, a bytecode compiled class called PictureClock.class was put into Jad/Front End Plus and decompiled in less than a second. You can now view all the source code and even recompile it if you like.

Decompiling a Java applet is quite easy:

Step 1.	Find a site that has an applet tag. (See Figure 7-7.) Figure 7-7. Looking for the <applet> Tag
Step 2.	View the source and find the actual name of the applet.
Step 3.	Put the path and name back into a browser. (See Figure 7-8.) Figure 7-8. Downloading the Java Bytecode Class
Step 4.	Download the class.
Step 5.	Start Jade-Front End Plus and decompile the bytecode class. (See Figure 7-9.) Figure 7-9. Decompiling the Class Back to Java
Step 6.	Read through the code for vulnerabilities.