A different range of threats arises in shared hosting environments, where defects or malicious code in one application can sometimes be exploited to compromise the environment itself and other applications running within it. Of all the attacks described in this book, those against other users are evolving the most quickly, and are the focus of most current research. The means of generating passwords may enable an attacker to predict the passwords of other application users. Vulnerabilities in web applications arise because of a single core problem: users can submit arbitrary input. For example, an application may attempt to defend against some cross-site scripting attacks by stripping the expression from any user-supplied data. Understand the Access Control Requirements 6.
Hence, while it is often extremely effective, the white-list-based approach does not represent an all-purpose solution to the problem of handling user input. What's on the Web Site The companion web site for this book at www. In other cases, the application must tolerate a wider range of possible input. Authenticating a user involves establishing that the user is in fact who he claims to be. A malicious attacker can leverage a benign but vulnerable web application to attack any user who visits it. You can then go on to perform manual testing of multiple parameters simultaneously, based on the results of the fuzz testing and your understanding of the role of each parameter.
This must be the same or a parent of the domain from which the cookie is received. See Chapter 16 for more information about virtually hosted web sites. The set of most commonly encountered defects has evolved somewhat over time. This appears to be a Boolean flag specifying whether the search query should include content which is expired. When you send the message to the server or client, Burp sends your updated ViewState, and, in the present example, enables you to change the price of the item being purchased. However, if we map the application in terms of functional paths, we can obtain a much more informative and useful catalog of its functionality. Design Flaws in Authentication Mechanisms Authentication functionality is subject to more design weaknesses than any other security mechanism commonly employed in web applications.
For example, before looking up a requested product code in the database, an application might validate that it contains only alphanumeric characters and is exactly six characters long. One approach you may consider is to harvest a large number of scores together with their obfuscated equivalents, and attempt to reverse engineer the obfuscation algorithm. Who Should Read This Book The primary audience for this book is anyone with a personal or professional interest in attacking web applications. Note that third-party components may look and feel quite different in each implementation, due to branding customizations, but the core functionality, including script and parameter names, is often the same. Record every piece of data submitted to the application using your intercepting proxy. It includes large lists of directory names that have been found in the wild, ordered by frequency of occurrence. The browser may use the cached copy of this resource until this time.
Figure 4-6: Httprint fingerprinting various different web servers

The screenshot also illustrates how Httprint can defeat other kinds of attempts to mislead about the web server software being used. When users followed hyperlinks, Check any third-party code against public vulnerability databases such as www. If this process is not handled carefully, then an attacker may be able to construct crafted input that succeeds in smuggling malicious data through the validation mechanism. Figure 6-2 demonstrates a successful password guessing attack against a single account using Burp Intruder.
A page residing on one domain can load a script from another domain and execute this within its own context. Virtually all web applications meet this requirement by creating a session for each user and issuing the user a token that identifies the session. See Chapter 14 for more details of these measures. After about 10 failed logins, if the application has not returned a message about account lockout, attempt to log in correctly. The diagnostic function could validate this to confirm that the user has a session on the main application. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts.
Test for Debug Parameters 2. If time permits, you can also go on to perform more elaborate fuzzing, changing multiple parameters simultaneously using different permutations of payloads. Without this facility, the application would need to treat all users as anonymous — the lowest possible level of trust. If an application-aware spider is used, great damage can be done if the spider discovers and uses sensitive functionality. If an automated spider were run against this site, it would find the edit function and begin sending arbitrary data, resulting in the main web site being defaced in real time while the spider was running.
We describe the core security problem facing web applications — that users can supply arbitrary input — and the various factors that contribute to their weak security posture. The parameters to the request are used to tell the application what function to perform by naming the Java servlet and method to invoke. A list of enumerated usernames can be used as the basis for various subsequent attacks, including password guessing, attacks on user data or sessions, or social engineering. As the expectations placed on web application functionality have rapidly evolved, the technologies used to implement this functionality have lagged behind the curve, with old technologies stretched and adapted to meet new requirements. Given the multitude of intercepting proxy tools that are freely available, any amateur hacker who targets an application can change all request data with ease.
Transmitting Data via the Client Many applications leave themselves exposed because they transmit critical data such as product prices and discount rates via the client in an unsafe manner. Each different component may handle errors including requests for nonexistent content in a different way. Correspondingly, the new security perimeter imposes a duty of care on all application owners to protect their users from attacks against them delivered via the application. Test for Shared Hosting Vulnerabilities 10. Individual users may be permitted to access a subset of the total data held within the application.
For those of you who perform penetration tests of web applications, this will enable you to provide high-quality remediation advice to the owners of the applications you compromise. In some cases, search engine caches contain resources that cannot be directly accessed in the application without authentication or payment. When the user later views the contents of her cart, data from the session is used to return the correct information to the user. This can have any value and is not used for any purpose by current browsers. When you are attacking a web application, you will frequently need to encode data using a relevant