Hacking Exposed Web Applications
Joel Scambray
Mike Shema
McGraw-Hill/Osborne
New York · Chicago · San Francisco
Lisbon · London · Madrid · Mexico City · Milan
New Delhi · San Juan · Seoul · Singapore · Sydney · Toronto
About the Authors
Joel Scambray
Joel Scambray is co-author of Hacking Exposed (http://www.hackingexposed.com), the international best-selling Internet
security book that reached its third edition in October 2001. He is also lead author of Hacking Exposed Windows 2000, the
definitive insider’s analysis of Microsoft product security, released in September 2001 and now in its second foreign
language translation. Joel’s past publications have included his co-founding role as InfoWorld’s Security Watch
columnist, InfoWorld Test Center Analyst, and inaugural author of Microsoft’s TechNet Ask Us About...Security forum.
Joel’s writing draws primarily on his years of experience as an IT security consultant for clients ranging from members
of the Fortune 50 to newly minted startups, where he has gained extensive, field-tested knowledge of numerous security
technologies, and has designed and analyzed security architectures for a variety of applications and products. Joel’s
consulting experiences have also provided him a strong business and management background, as he has personally
managed several multiyear, multinational projects; developed new lines of business accounting for substantial annual
revenues; and sustained numerous information security enterprises of various sizes over the last five years. He also
maintains his own test laboratory, where he continues to research the frontiers of information system security.
Joel speaks widely on information system security for organizations including The Computer Security Institute, ISSA,
ISACA, private companies, and government agencies. He is currently Managing Principal with Foundstone Inc.
(http://www.foundstone.com/), and previously held positions at Ernst & Young, InfoWorld, and as Director of IT for a
major commercial real estate firm. Joel’s academic background includes advanced degrees from the University of
California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).
—Joel Scambray can be reached at joel@webhackingexposed.com.
Mike Shema
Mike Shema is a Principal Consultant of Foundstone Inc. where he has performed dozens of Web application security
reviews for clients including Fortune 100 companies, financial institutions, and large software development companies. He
has field-tested methodologies against numerous Web application platforms, as well as developing support tools to
automate many aspects of testing. His work has led to the discovery of vulnerabilities in commercial Web software. Mike
has also written technical columns about Web server security for Security Focus and DevX. He has also applied his
security experience as a co-author for The Anti-Hacker Toolkit. In his spare time, Mike is an avid role-playing gamer. He
holds B.S. degrees in Electrical Engineering and French from Penn State University.
—Mike Shema can be reached at mike@webhackingexposed.com.
About the Contributing Authors
Yen-Ming Chen
Yen-Ming Chen (CISSP, MCSE) is a Principal Consultant at Foundstone, where he provides security consulting service to
clients. Yen-Ming has more than four years' experience administering UNIX and Internet servers. He also has extensive
knowledge in the area of wireless networking, cryptography, intrusion detection, and survivability. His articles have been
published on SysAdmin, UnixReview, and other technology-related magazines. Prior to joining Foundstone, Yen-Ming
worked in the CyberSecurity Center in CMRI, CMU, where he worked on an agent-based intrusion detection system. He
also participated actively in an open source project, “snort,” which is a lightweight network intrusion detection
system. Yen-Ming holds a B.S. in Mathematics from National Central University in Taiwan and an M.S. in Information
Networking from Carnegie Mellon University. Yen-Ming is also a contributing author of Hacking Exposed, Third Edition.
David Wong
David is a computer security expert and is Principal Consultant at Foundstone. He has performed numerous security
product reviews as well as network attack and penetration tests. David has previously held a software engineering position
at a large telecommunications company where he developed software to perform reconnaissance and network monitoring.
David is also a contributing author of Hacking Exposed Windows 2000 and Hacking Exposed, Third Edition.
McGraw-Hill/Osborne
2600 Tenth Street
Berkeley, California 94710
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne
at the above address. For information on translations or book distributors outside the U.S.A., please see the International
Contact Information page immediately following the index of this book.
Hacking Exposed™ Web Applications
Copyright © 2002 by Joel Scambray and Mike Shema. All rights reserved. Printed in the United States of America. Except
as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or
by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the
exception that the program listings may be entered, stored, and executed in a computer system, but they may not be
reproduced for publication.
1234567890 FGR FGR 0198765432
ISBN 0-07-222438-X
Publisher
Brandon A. Nordin
Vice President & Associate Publisher
Scott Rogers
Senior Acquisitions Editor
Jane Brownlow
Project Editor
Patty Mon
Acquisitions Coordinator
Emma Acker
Technical Editor
Yen-Ming Chen
Copy Editor
Claire Splan
Proofreader
Paul Tyler
Indexer
Valerie Perry
Computer Designers
Elizabeth Jang
Melinda Moore Lytle
Illustrators
Michael Mueller
Lyssa Wald
Series Design
Dick Schwartz
Peter F. Hancik
Cover Series Design
Dodie Shoemaker
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the
possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not
guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or
the results obtained from the use of such information.
Dedication
To those who fight the good fight, every minute, every day.
—Joel Scambray
For Mom and Dad, who opened so many doors for me; and for my brothers, David and Steven, who are more of an
inspiration to me than they realize.
—Mike Shema
Foreword
For the past five years a silent but revolutionary shift in focus has been changing
the information security industry and the hacking community alike. As people
came to grips with technology and process to secure their networks and operating
systems using firewalls, intrusion detection systems, and host-hardening
techniques, the world started exposing its heart and soul on the Internet via a
phenomenon called the World Wide Web. The Web makes access to customers
and prospects easier than was ever imaginable before. Sun, Microsoft, and Oracle
are betting their whole businesses on the Web being the primary platform for
commerce in the 21st century.
But it’s akin to a building industry that’s spent years developing sophisticated
strong doors and locks, only to wake up one morning and realize that glass is see-
through, fragile, and easily broken by the casual house burglar. As security
companies and professionals have been busy helping organizations react to the
network security concerns, little attention has been paid to applications at a time
when they were the fastest and most widely adopted technology being deployed.
When I started moderating the Web application security mailing list at
http://www.securityfocus.com/ two years ago, I think it is safe to say people were
confused about the security dangers on the Web. Much was being made about
malicious mobile code and the dangers of Web-based trojans. These parlor tricks
on users were really trivial compared to the havoc being created by hackers
attacking Web applications. Airlines have been duped into selling transatlantic
tickets for a few dollars, online vendors have exposed millions of customers’
valid credit card details, and hospitals have revealed patients' records, to name but
a few. A Web application attack can stop a business in its tracks with one click of
the mouse.
Just as the original Hacking Exposed series revealed the techniques the bad guys
were hiding behind, I am confident Hacking Exposed Web Applications will do
the same for this critical technology. Its methodical approach and appropriate
detail will both enlighten and educate and should go a long way to make the Web
a safer place in which to do business.
—Mark Curphey
Chair of the Open Web Application Security Project
(http://www.owasp.org/), moderator of the
“webappsec” mailing list at securityfocus.com, and
the Director for Information Security at one of
America's largest financial services companies
based in the Bay Area.
Acknowledgments
This book would not have existed if not for the support, encouragement, input,
and contributions of many entities. We hope we have covered them all here and
apologize for any omissions, which are due to our oversight alone.
First and foremost, many special thanks to all our families for once again
supporting us through many months of demanding research and writing. Their
understanding and support was crucial to our completing this book. We hope that
we can make up for the time we spent away from them to complete this project
(really, we promise this time!).
Secondly, we would like to thank all of our colleagues for providing contributions
to this book. In particular, we acknowledge David Wong for his contributions to
Chapter 5 , and Yen-Ming Chen for agile technical editing and the addition of
Appendix A and portions of Chapter 3 .
We’d also like to acknowledge the many people who provided so much help
and guidance on many facets of this book, including the always reliable Chip
Andrews of sqlsecurity.com, Web hacker extraordinaire Arjunna Shunn, Michael
Ward for keeping at least one author in the gym at 6:00 AM even during non-stop
writing, and all the other members of the Northern Consulting Crew who sat side-
by-side with us in the trenches as we waged the war described in these pages.
Special acknowledgement should also be made to Erik Olson and Michael
Howard for their continued guidance on Windows Internet security issues.
Thanks go also to Mark Curphey for his outstanding comments in the Foreword.
As always, we bow profoundly to all of the individuals who wrote the
innumerable tools and proof-of-concept code that we document in this book,
including Rain Forest Puppy, Georgi Guninski, Roelof Temmingh, Maceo,
NSFocus, eEye, Dark Spyrit, and all of the people who continue to contribute
anonymously to the collective codebase of security each day.