List of Figures

Chapter 1: Hacking Web Apps 101

Figure 1-1: Entering the string ' OR 1=1 -- bypasses the login screen for Foundstone's sample Hacme bank application. Yes, it can be this easy!
Figure 1-2: Using a basic web browser to attack Foundstone's Hacme bank. A simple vertical escalation attack is highlighted with a circle.
Figure 1-3: TamperIE intercepts a POST request and lets the attacker change the price of an order from $1,995 to $5. Who says web hacking doesn't pay!
Figure 1-4: IEWatch performing HTTP analysis on a popular site
Figure 1-5: Firefox LiveHTTPHeaders permits tampering with HTTP data via its Replay feature.
Figure 1-6: Using TamperData to modify a POST request, changing a value to "admin"
Figure 1-7: Paros Proxy traps an HTTP POST request, permitting tampering with a hidden "Cost" field.
Figure 1-8: OWASP WebScarab's HTTP proxy offers on-the-fly decoding/encoding of parameters, as shown in this example using the hidden "Cost" field.
Figure 1-9: Fiddler slashes prices by tampering with HTTP POST data. Here again we've dropped the price from $1,995 to $5.
Figure 1-10: Results from overflow testing using Burp Intruder. Note the transition from HTTP 404 to HTTP 414 "Too Long" responses, suggesting some internal limitation exists in this application.

Chapter 2: Profiling

Figure 2-1: Httprint tool and results
Figure 2-2: A flowchart like this sample can be quite helpful in documenting web application structure.
Figure 2-3: The "_maintain~ShowStatus" parameter output from the wc.dll dynamic page generation component
Figure 2-4: Manipulating the ExeFile parameter to execute arbitrary commands on a victim system.
Figure 2-5: Teleport Pro's many options
Figure 2-6: Black Widow mirrors site contents to the local drive.

Chapter 3: Hacking Web Platforms

Figure 3-1: Playing "Pick your exploit" with Metasploit
Figure 3-2: Metasploit makes hacking so easy a monkey can do it.
Figure 3-3: Exploit successful!
Figure 3-4: A normal IIS error message when seen from the Internet client displays generic information.
Figure 3-5: Removing the IIS extension mapping for the Internet printing protocol on IIS5
Figure 3-6: The CIS tool scores an Apache configuration with a 2.54 out of 10. Ugh!

Chapter 4: Web Authentication Attacking

Figure 4-1: WebCracker successfully guesses basic authentication credentials.
Figure 4-2: The Brutus password-guessing tool guesses 4,908 HTTP Basic authentication passwords in 19 seconds.
Figure 4-3: Password-guessing attempts against Windows IIS result in these events written to the System Log.
Figure 4-4: A web browser prompts a user for Basic authentication.
Figure 4-5: A standard login form implemented in ASP.NET
Figure 4-6: Brutus' HTML form interpreter parses a login form, highlighting fields for subsequent attack.
Figure 4-7: An overview of the Microsoft Passport single sign-on (SSO) protocol
Figure 4-8: PWNtcha successfully identifying the type of CAPTCHA and the text in the image

Chapter 5: Attacking Web Authorization

Figure 5-1: Offline Explorer Pro lists HTTP status codes in the Download Progress pane, indicating resources that might be ACL'ed
Figure 5-2: Offline Explorer Pro's authentication configuration screen
Figure 5-3: A CookieSpy report
Figure 5-4: Editing a cookie value with CookieSpy
Figure 5-5: Decently randomized ISN values
Figure 5-6: Poorly randomized ISN values
Figure 5-7: The "set up new account" feature is usually available right at the application login screen.
Figure 5-8: Successful account creation
Figure 5-9: Analyzing the self-help account editing interface for our fictitious web shopping application using SPI Dynamics' SPI ToolKit HTTP Editor
Figure 5-10: Success! The information for another account can now be changed.
Figure 5-11: Configuring IIS5 directory security (IIS6 is substantially the same.)

Chapter 7: Attacking Web Datastores

Figure 7-1: Verbose error message
Figure 7-2: Verbose error due to an unexpected cookie value
Figure 7-3: SQL inference example 1
Figure 7-4: SQL inference example 2
Figure 7-5: Application error that reveals database fields
Figure 7-6: Using column placeholders to establish a valid UNION query
Figure 7-7: Successful UNION query displays user id
Figure 7-8: Successful UNION query reveals username

Chapter 8: Attacking XML Web Services

Figure 8-1: A diagram of a stereotypical web services architecture
Figure 8-2: A schematic representation of a SOAP message, showing envelope, body, and headers
Figure 8-3: WebService Studio from www.gotdotnet.com
Figure 8-4: The "publish, find, bind" interaction among UDDI, WSDL, and web services. All arrows represent SOAP communications.
Figure 8-5: A SOAP client performing a UDDI search
Figure 8-6: Dumping DISCO information from a remote web service using the ?disco argument

Chapter 9: Attacking Web Application Management

Figure 9-1: Disabling WebDav in IIS 6
Figure 9-2: Removing the extension mapping for the .printer extension in the IIS 5 Admin tool (iis.msc)
Figure 9-3: A web statistics page revealed in a directory-guessing attack
Figure 9-4: Discovering the CVS Entries file can reveal a lot of information about a web app.
Figure 9-5: The Wayback Machine
Figure 9-6: The Duwamish sample web application by Microsoft
Figure 9-7: The ViewState is located in a hidden tag in the form.
Figure 9-8: The ViewState Base64 decoded
Figure 9-9: The hacked request we send to the server

Chapter 10: Hacking Web Clients

Figure 10-1: A phishing e-mail targeted at PayPal customers
Figure 10-2: The msconfig utility enumerates autostart extensibility points on Windows XP. Note the peer-to-peer networking software program highlighted here.
Figure 10-3: Spybot Search & Destroy finds adware and spyware on a system.
Figure 10-4: Blocking "safe for scripting" ActiveX controls using the Internet Options control panel will protect against malicious controls downloaded via hostile web pages.
Figure 10-5: Configuring Outlook to use the Restricted Sites zone when browsing
Figure 10-6: Firefox's configuration interface, with some security-related settings highlighted

Chapter 11: Denial-of-Service (DoS) Attacks

Figure 11-1: A common distributed denial-of-service (DDoS) attack configuration
Figure 11-2: The three-humped distribution graph that might result from analyzing Web search engine query results.
Figure 11-3: A typical click-fraud scheme
Figure 11-4: A JMeter test

Chapter 12: Full-Knowledge Analysis

Figure 12-1: An example threat modeling schedule mapped to a hypothetical development process
Figure 12-2: Level 0 DFD for our hypothetical shopping cart web application
Figure 12-3: Level 1 DFD
Figure 12-4: Level 1 DFD with trust boundaries and entry points
Figure 12-5: The web interface to our sample ISAPI DLL
Figure 12-6: Ollydbg
Figure 12-7: Setting a breakpoint on the IsDebuggerPresent function
Figure 12-8: Bypassing the IsDebuggerPresent function
Figure 12-9: Discovering an interesting ASCII string in secret.dll
Figure 12-10: Tracing the strcat function
Figure 12-11: Ollydbg displays an access violation in secret.dll while being tested for buffer overflows using Spike Web Proxy.
Figure 12-12: A sample SDL implementation

Chapter 13: Web Application Security Scanners

Figure 13-1: Acunetix Web Vulnerability Scanner looking for XSS
Figure 13-2: Cenzic Hailstorm permits tampering with identified query string parameters.
Figure 13-3: Ecyware GreenBlue Inspector easily permits manual tampering with form input fields.
Figure 13-4: Syhunt Sandcat's web log analysis tool was unique among the commercial tools we tested.
Figure 13-5: SPI Dynamics WebInspect toolkit manually validates an XSS vulnerability.
Figure 13-6: AppScan was one of the only scanners to pass the complex XSS test we designed.
Figure 13-7: AppScan overlooks some Flash files on our test app.
Figure 13-8: N-Stealth's HTML reporting format
Figure 13-9: Burp Intruder's parameter injection flexibility and granularity make it a powerful choice for pen-testers.
Figure 13-10: Compuware DevPartner SecurityChecker reveals poor authorization design in one of our test apps.

Appendix C: URLScan and ModSecurity

Figure C-1: The first screen of the IIS Lockdown wizard prompts the user to select a server template.
Figure C-2: The IIS Lockdown wizard indicates which Internet services will be enabled or disabled. Remember, if you select "Remove unselected services" here, you won't be able to roll back uninstalled services with IIS Lockdown!
Figure C-3: The script mappings screen from the IIS Lockdown wizard
Figure C-4: The last step in the IIS Lockdown wizard: installing URLScan
Figure C-5: Using IIS Lockdown in rollback mode
Figure C-6: If UseFastPathReject is set to 1, this is what clients will see for HTTP 404 rejected requests.
Figure C-7: A successfully loaded URLScan ISAPI filter


Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127