Copyright © 2011 by Joel Scambray. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-174042-5 MHID: 0-07-174042-2 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174064-7, MHID: 0-07-174064-3. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at
[email protected]. Trademarks: McGraw-Hill, the McGraw-Hill Publishing logo, Hacking Exposed™, and related trade dress are trademarks or registered trademarks of The McGraw-Hill Companies and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. The McGraw-Hill Companies is not associated with any product or vendor mentioned in this book. Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
ABOUT THE AUTHORS

Joel Scambray

Joel Scambray is co-founder and CEO of Consciere, provider of strategic security advisory services. He has assisted companies ranging from newly minted startups to members of the Fortune 50 to address information security challenges and opportunities for over a dozen years. Joel’s background includes roles as an executive, technical consultant, and entrepreneur. He has been a Senior Director at Microsoft Corporation, where he led Microsoft’s online services security efforts for three years before joining the Windows platform and services division to focus on security technology architecture. Joel also cofounded security software and services startup Foundstone, Inc., and helped lead it to acquisition by McAfee for $86M. He previously held positions as a manager for Ernst & Young, a security columnist for Microsoft TechNet, Editor at Large for InfoWorld Magazine, and director of IT for a major commercial real-estate firm. Joel is widely recognized as co-author of Hacking Exposed: Network Security Secrets and Solutions, the international best-selling computer security book that first appeared in 1999. He is also lead author of the Hacking Exposed Windows and Hacking Exposed Web Applications series. He has spoken widely on information security at forums including Black Hat, I-4, INTERFACE, and The Asia Europe Meeting (ASEM), as well as organizations including IANS, CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies such as the Korean Information Security Agency (KISA), FBI, and the RCMP. Joel holds a BS from the University of California at Davis, an MA from UCLA, and he is a Certified Information Systems Security Professional (CISSP).
Vincent Liu

Vincent Liu, CISSP, is a Managing Partner at Stach & Liu. Before founding Stach & Liu, Vincent led the Attack & Penetration and Reverse Engineering teams for the Global Security unit at Honeywell International. Prior to that, he was a consultant with the Ernst & Young Advanced Security Centers and an analyst at the National Security Agency. Vincent is a sought-after speaker and has presented his research at conferences, including Black Hat, ToorCon, and Microsoft BlueHat. Vincent holds a Bachelor of Science and Engineering from the University of Pennsylvania with a major in Computer Science and Engineering and a minor in Psychology.
Caleb Sima

Caleb Sima is the CEO of Armorize Technologies, the Santa Clara–based provider of integrated Web application security solutions. He previously founded SPI Dynamics in 2000 and, as CTO, oversaw the development of WebInspect, a solution that set the bar in Web application security testing tools. When Hewlett-Packard (HP) acquired SPI Dynamics in 2007, Sima took on the role of Chief Technologist at HP’s Application Security Center, where he directed the company’s security solutions’ lifecycles and spearheaded development of its cloud-based security service. In this role, he also managed a team of accomplished security experts who successfully identified new security threats and devised advanced countermeasures. Prior to co-founding SPI Dynamics, Caleb worked for Internet Security Systems’ elite X-Force research and development team where he drove enterprise security assessments for the company. A thought leader and technical visionary in the web application security field, Sima holds five patents on web security technology and has co-authored textbooks on the subject, is a frequent media contributor, and regularly speaks at key industry conferences such as RSA and Black Hat. He is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).
ABOUT THE CONTRIBUTING AUTHORS

Hernan Ochoa is a security consultant and researcher with over 14 years of professional experience. Hernan began his professional career in 1996 with the creation of Virus Sentinel, a signature-based file/memory/mbr/boot sector detection/removal antivirus application with heuristics to detect polymorphic viruses. Hernan also developed a detailed technical virus information database and companion newsletter. He joined Core Security Technologies in 1999 and worked there for 10 years in various roles, including security consultant and exploit writer. As an exploit writer, he performed diverse types of security assessments, developed methodologies, shellcode, and security tools, and contributed new attack vectors. He also designed and developed several low-level/kernel components for a multi-OS security system that was ultimately deployed at a financial institution, and he served as “technical lead” for ongoing development and support of the multi-OS system. Hernan has published a number of security tools, including Universal Hooker (runtime instrumentation using dynamic handling routines written in Python), Pass-The-Hash Toolkit for Windows, and WifiZoo. He is currently working as a security consultant/researcher at Amplia Security, performing network, wireless, and web applications penetration tests; standalone/client-server application black-box assessments; source code audits; reverse engineering; vulnerability analysis; and other information security–related services.

Justin Hays is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Justin served as an enterprise support engineer for PTC Japan where his responsibilities included application debugging, reverse engineering, and mitigating software defects in PTC’s flagship Windchill enterprise server J2EE software. Prior to PTC, Justin held a software development position with Lexmark, Inc., where he designed and implemented web application software in support of internal IT operations. Justin holds a BS from the University of Kentucky with a major in Computer Science and a minor in Mathematics.
Carl Livitt is a Managing Security Associate at Stach & Liu. Prior to joining Stach & Liu, Carl led the network security services group for a well-respected UK security company and provided network security consultancy for several of the largest pharmaceutical companies in the world. Carl has also worked with UK police counterterrorism units, lecturing on technological security issues to specialist law-enforcement agencies.

Rob Ragan is a Senior Security Associate at Stach & Liu. Before joining Stach & Liu, Rob served as a software engineer at Hewlett-Packard’s Application Security Center, where he developed web application security testing tools and conducted application penetration testing. Rob actively conducts web application security research and has presented at Black Hat, Defcon, InfoSec World, and Outerz0ne. Rob holds a BS from Pennsylvania State University with a major in Information Sciences and Technology and a focus on System Development.
ABOUT THE TECHNICAL EDITOR

Robert Hensing is a Senior Consultant at Microsoft, where he has worked in various security roles for over 12 years. Robert previously worked with the Microsoft Security Response Center with a focus on providing root cause analysis and identifying mitigations and workarounds for security vulnerabilities to help protect customers from attacks. Prior to working on the MSRC Engineering team, Robert was a senior member of the Customer Support Services Security team, where he helped customers with incident response–related investigations. Robert was also a contributing author on Hacking Exposed Windows: Windows Security Secrets and Solutions, Third Edition.
AT A GLANCE

▼ 1  Hacking Web Apps 101 . . . 1
▼ 2  Profiling . . . 31
▼ 3  Hacking Web Platforms . . . 87
▼ 4  Attacking Web Authentication . . . 123
▼ 5  Attacking Web Authorization . . . 167
▼ 6  Input Injection Attacks . . . 221
▼ 7  Attacking XML Web Services . . . 267
▼ 8  Attacking Web Application Management . . . 295
▼ 9  Hacking Web Clients . . . 335
▼ 10 The Enterprise Web Application Security Program . . . 371
▼ A  Web Application Security Checklist . . . 413
▼ B  Web Hacking Tools and Techniques Cribsheet . . . 419
▼    Index . . . 429
CONTENTS

Foreword . . . xvii
Acknowledgments . . . xix
Introduction . . . xxi

▼ 1 Hacking Web Apps 101 . . . 1
    What Is Web Application Hacking? . . . 2
        GUI Web Hacking . . . 2
        URI Hacking . . . 3
        Methods, Headers, and Body . . . 4
        Resources . . . 6
        Authentication, Sessions, and Authorization . . . 6
        The Web Client and HTML . . . 7
        Other Protocols . . . 8
    Why Attack Web Applications? . . . 9
    Who, When, and Where? . . . 11
        Weak Spots . . . 11
    How Are Web Apps Attacked? . . . 12
        The Web Browser . . . 13
        Browser Extensions . . . 14
        HTTP Proxies . . . 18
        Command-line Tools . . . 25
        Older Tools . . . 26
    Summary . . . 26
    References & Further Reading . . . 27

▼ 2 Profiling . . . 31
    Infrastructure Profiling . . . 32
        Footprinting and Scanning: Defining Scope . . . 32
        Basic Banner Grabbing . . . 33
        Advanced HTTP Fingerprinting . . . 34
        Infrastructure Intermediaries . . . 38
FOREWORD

“If ignorant of both your enemy and yourself, you are certain in every battle to be in peril.”
—Sun Tzu, The Art of War

There is no escaping the reality that businesses live on the Web today. From banks to bookstores, from auctions to games, the Web is the place where most businesses ply their trade. For consumers, the Web has become the place where they do the majority of their business as well. For example, nearly 50 percent of all retail music sales in the United States happen online today; the market for virtual merchandise in online games will top $1.5B this year; and, by some estimates, over 45 percent of U.S. adults use the Internet exclusively to do their banking. With the growing popularity of web-enabled smart phones, much of this online commerce is now available to consumers anytime and anywhere. By any estimation, business on the Web is an enormous part of the economy and growing rapidly.

But along with this growth has come the uncomfortable realization that the security of this segment of commerce is not keeping pace. In the brick and mortar world, business owners have spent decades encountering and learning to mitigate threats. They have had to deal with break-ins, burglary, armed robbery, counterfeit currency, fraudulent checks, and scams of all kinds. In the brick and mortar world, however, businesses have a constrained, easily defined perimeter to their business, and, in most cases, a reasonably constrained population of threats. They have, over time, learned to apply an increasingly mature set of practices, tools, and safeguards to secure their businesses against these threats.

On the Web, the story is quite different. Businesses on the Web have been around for less than 20 years, and many of the hard lessons that they’ve learned in the physical world of commerce are only recently beginning to surface for web-based commerce.
Just as in the physical world, where there is money or valuable assets, you will always find a certain subset of the population up to no good and attempting to capitalize on those assets. However, unlike in the physical world, in the world of e-commerce, businesses are faced with a dizzying array of technologies and concepts that most leaders find difficult, if not impossible, to comprehend. In addition, the perimeter of their assets is often not well understood, and
ACKNOWLEDGMENTS

This book would not have existed but for the support, encouragement, input, and contributions of many people. We hope we have covered them all here and apologize for any omissions, which are due to our oversight alone.

First and foremost, many thanks to our families and friends for supporting us through many months of demanding research and writing. Their understanding and support were crucial to us completing this book. We hope that we can make up for the time we spent away from them to complete yet another book project (really, we promise this time!).

Second, we would like to thank our colleagues Hernan Ochoa, Justin Hays, Carl Livitt, and Rob Ragan for their valuable contributions to this book. Robert Hensing also deserves special thanks for his razor-sharp technical review and several substantial contributions of his own.

Key contributors to prior editions remain great influencers of the work in this edition and deserve special recognition. Caleb Sima (co-author on the Second and Third Editions) continues to inspire new thinking in the web application security space, and Mike Shema (co-author on the First Edition) continues to work tirelessly on refining many of the ideas herein into automated routines.

Of course, big thanks go again to the tireless McGraw-Hill production team who worked on the book, including our acquisitions editor Megg Morin, Hacking Exposed “editor emeritus” Jane Brownlow, acquisitions coordinator Joya Anthony, who kept things on track, art production consultant Melinda Lytle, and project editor LeeAnn Pickrell, who kept a cool head even in the face of weekend page proofing and other injustices that the authors saddled her with.

We’d also like to acknowledge the many people who provided input and guidance on the many topics discussed in this book, including Kevin Rich, Kevin Nassery, Tab Pierce, Mike DeLibero, and Cyrus Gray of Consciere.
In addition, we extend our heartfelt appreciation to Fran Brown, Liz Lagman, Steve Schwartz, Brenda Larcom, Shyama Rose, and Dan of Stach & Liu for their unflagging support of our efforts. Thanks go also to Chris Peterson for his feedback on the manuscript and his outstanding comments in the Foreword, as well as our colleagues who generously
INTRODUCTION

Way back in 1999, the first edition of Hacking Exposed introduced many people to the ease with which computer networks and systems are broken into. Although there are still many today who are not enlightened to this reality, large numbers are beginning to understand the necessity for firewalls, secure operating system configuration, vendor patch maintenance, and many other previously arcane fundamentals of information system security.

Unfortunately, the rapid evolution brought about by the Internet has already pushed the goalposts far upfield. Firewalls, operating system security, and the latest patches can all be bypassed with a simple attack against a web application. Although these elements are still critical components of any security infrastructure, they are clearly powerless to stop a new generation of attacks that are increasing in frequency and sophistication all the time.

Don’t just take our word for it. Gartner Group says 75 percent of hacks are at the web app level and that, out of 300 audited sites, 97 percent are vulnerable to attack. The WhiteHat Website Security Statistics Report, Fall 2009, says 83 percent of web sites have had at least one serious vulnerability, 64 percent of web sites currently have at least one, and found a 61 percent vulnerability resolution rate with 8,902 unresolved issues remaining (sample size: 1,364 sites). Headlines for devastating attacks are now commonplace: the Identity Theft Resource Center (ITRC) says there have been at least 301 security breaches resulting in the exposure of more than 8.2 million records throughout the first six months of 2010. The estimated total number of sensitive digital records compromised by security breaches is climbing to stratospheric heights: over 900 million records alone from the sample of over 900 breaches across 6 trailing years in the Verizon Business 2010 Data Breach Investigations Report.

We cannot put the horse of Internet commerce back in the barn and shut the door.
There is no other choice left but to draw a line in the sand and defend the positions staked out in cyberspace by countless organizations and individuals. For anyone who has assembled even the most rudimentary web site, you know this is a daunting task. Faced with the security limitations of existing protocols like HTTP, as well as the ever-accelerating pace of technological change, including XML Web Services,
INDEX

& (ampersand), 258, 259
* (asterisk), 238
^ (caret), 255
% (percent sign), 237
_ (underscore), 238
; (semicolon), 258, 259
< > (angle brackets), 261
! character, 58
| (pipe) character, 258
3DES key, 290–291

▼ A
access control, 107, 262
access control lists. See ACLs
access tokens, 168, 170–172
access/session token attacks, 178–195
account lockouts, 126–127, 128, 132, 381
accountability, 401–403, 405
Achilles tool, 26
ACLs (access control lists)
    attacks on, 177–178
    best practices, 211–214
    considerations, 111, 168
    file disclosure and, 320
    NTFS, 111–112
    web crawling, 169–170
Acrobat Reader, 346
Active Server Pages. See ASP
ActiveX controls
    countermeasures, 361–363
    vulnerabilities, 347, 348
ActiveX GUIDs, 363
Add-on Manager, 361–362
Address Space Layout Randomization (ASLR), 338, 408
administrators
    authentication, 203–204
    insecure functions, 204
    web document roots, 83–84
advanced directory traversal, 228–230
adxmlrpc.php script, 98–100
AJAX (Asynchronous JavaScript and XML), 8, 9
allow_url_fopen option, 119
ampersand (&), 258, 259
AND operator, 252
angle brackets < >, 261
anonymity, 9–10
Anti-Phishing Working Group (APWG), 352, 353
antivirus software, 346
Apache announcements list, 108
Apache Benchmark, 117
Apache hardening, 113–117
Apache modules, 389
Apache patches, 108
Apache Struts Framework, 384
Apache Tomcat, 97–98, 310–311