Developer's Guide to Web Application Security (Syngress, February 2007, ISBN 1-59749-061-X)

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS

For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Developer's Guide to Web Application Security

Michael Cross

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Developer's Guide to Web Application Security

Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

ISBN-10: 1-59749-061-X
ISBN-13: 978-1-59749-061-0

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Copy Editor: Beth Roberts
Indexer: Nara Wood
Cover Designer: Michael Kavish

Distributed by O'Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Lead Author

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.

Contributing Authors

Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT, a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc., a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.

Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.

Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services. He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and UNIX (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability assessment used by a major national insurance company. Drew helps customers of his current employer with network and application security assessments as well as assisting in ongoing development efforts. Drew is a member of MENSA and holds several industry certifications, including IBM Certified Specialist, AIX 4.3 System Administration, AIX 4.3 Communications, Sun Microsystems Certified Solaris System Administrator, Sun Microsystems Certified Solaris Network Administrator, Checkpoint Certified Security Administrator, and Checkpoint Certified Security Engineer. He resides in Tampa, FL.

Brian Bagnall (Sun Certified Java Programmer and Developer) is coauthor of the Sun Certified Programmer for Java 2 Study Guide. He is currently the lead programmer at IdleWorks, a company located in Western Canada. IdleWorks develops distributed processing solutions for large and medium-sized businesses with supercomputing needs. His background includes working for IBM developing client-side applications. Brian is also a key programmer of Legos, a Java software development kit for Lego Mindstorms. Brian would like to thank his family for their support, and especially his father Herb.

Michael Dinowitz hosts CF-Talk, the high-volume ColdFusion mailing list, out of House of Fusion.Com. He publishes and writes articles for the Fusion Authority Weekly News Alert. Michael is the author of Fusebox: Methodology and Techniques (ColdFusion Edition) and is the co-author of the bestselling ColdFusion Web Application Construction Kit. Whether it's researching the lowest levels of ColdFusion functionality or presenting to an audience, Michael's passion for the language is clear. Outside of Allaire, there are few evangelists as dedicated to the spread of the language and the strengthening of the community.

Jay D. Dyson is a Senior Security Consultant for OneSecure Inc., a trusted provider of managed digital security services. Jay also serves as part-time Security Advisor to the National Aeronautics and Space Administration (NASA). His extracurricular activities include maintaining Treachery.Net and serving as one of the founding staff members of Attrition.Org.

Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age Corporation. IT Age Corporation is a project management and software development firm specializing in customer-oriented business enterprise and e-commerce solutions located in Atlanta, GA. His current responsibilities include managing the IT department, heading the technology steering committee, software architecture, e-commerce product management, and refining development processes and methodologies. Though most of his responsibilities lie in the role of manager and architect, he is still an active participant of the research and development team. Joe holds a bachelor's degree from the University of Wisconsin in computer science. His background includes positions as a Senior Developer at Siemens Energy and Automation, and as an independent contractor specializing in e-commerce development. Joe would like to thank his family for always being there to help him.

Edgar Danielyan (CCNA) is currently self-employed. Edgar has a diploma in company law from the British Institute of Legal Executives and is a certified paralegal from the University of Southern Colorado. He has been working as a Network Administrator and Manager of a top-level domain of Armenia. He has also worked for the United Nations, the Ministry of Defense, a national telco, a bank, and has been a partner in a law firm. He speaks four languages, likes good tea, and is a member of ACM, IEEE CS, USENIX, CIPS, ISOC, and IPG.

David G. Scarbrough is a Senior Developer with Education Networks of America where he is a lead member of the ColdFusion development team. He specializes in developing e-commerce sites. David has ColdFusion 4.5 Master Certification and is also experienced with HTML, JavaScript, PHP, Visual Basic, ActiveX, Flash 4.0, and SQL Server 7. He has also held positions as a Programmer and Computer Scientist. David graduated from Troy State University in Montgomery, AL with a bachelor of science in computer science. He lives in Smyrna, TN.

Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.

Robert Hansen is a self-taught computer expert residing in Northern California. Robert, known formerly as RSnake and currently as RSenic, has been heavily involved in the hacking and security scene since the mid 1990s and continues to work closely with black and white hats alike. Robert has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He has founded several security sites and organizations, and has been interviewed by many magazines, newspapers, and television outlets such as Forbes Online, Computer World, CNN, FOX and ABC News. He sends greets to #hackphreak, #ehap, friends, and family.

  Contents

  

Chapter 1 Hacking Methodology . . . . . . . . . . . . . . . . . . 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Understanding the Terms . . . . . . . . . . . . . . . . . . . . . . . . .3 A Brief History of Hacking . . . . . . . . . . . . . . . . . . . . . . . . .3 Phone System Hacking . . . . . . . . . . . . . . . . . . . . . . . . . .4 Computer Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 What Motivates a Hacker? . . . . . . . . . . . . . . . . . . . . . . . . . .7 Ethical Hacking versus Malicious Hacking . . . . . . . . . . . .8 Working with Security Professionals . . . . . . . . . . . . . . . .9 Associated Risks with Hiring a Security Professional . .9 Understanding Current Attack Types . . . . . . . . . . . . . . . . . .10 DoS/DDoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 Virus Hacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 End-User Virus Protection . . . . . . . . . . . . . . . . . . . . . .14 Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Rogue Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 Stealing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 Credit Card Theft . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Theft of Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . .21 Information Piracy . . . . . . . . . . . . . . . . . . . . . . . . . .22 Recognizing Web Application Security Threats . . . . . . . . . .23 Hidden Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . .23 Parameter Tampering . . . . . . . . . . . . . . . . . . . . . . . . . . .24 Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 Buffer Overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24 Cookie Poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Preventing Break-Ins by Thinking like a Hacker . . . . . . . . . .25 Summary . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . .28 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .32

Chapter 2 How to Avoid Becoming a Code Grinder . . . 35

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 What Is a Code Grinder? . . . . . . . . . . . . . . . . . . . . . . . . . .37 xiii

  xiv Contents Following the Rules . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Thinking Creatively when Coding . . . . . . . . . . . . . . . . . . .41 Use All Available Resources at Your Disposal . . . . . . . . .43 Allowing for Thought . . . . . . . . . . . . . . . . . . . . . . . . . .44 Modular Programming Done Correctly . . . . . . . . . . . . .44 Security from the Perspective of a Code Grinder . . . . . . . . .46 Coding in a Vacuum . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Building Functional and Secure Web Applications . . . . . . . .49 But My Code Is Functional! . . . . . . . . . . . . . . . . . . . . .54 There Is More to an Application than Functionality . . . .55 You Can Make the Difference! . . . . . . . . . . . . . . . . . . .56 Let’s Make It Secure and Functional . . . . . . . . . . . . . . . .58

  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .64

Chapter 3 Understanding the Risk Associated with Mobile Code . . . . . . . . . . . . . . . . . . . . 67 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 Recognizing the Impact of Mobile Code Attacks . . . . . . . . .69 Browser Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 Mail Client Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 Malicious Scripts or Macros . . . . . . . . . . . . . . . . . . . . . .72 Identifying Common Forms of Mobile Code . . . . . . . . . . .72 Macro Languages: Visual Basic for Applications (VBA) . .73 Security Problems with VBA . . . . . . . . . . . . . . . . . .74 The Melissa Virus . . . . . . . . . . . . . . . . . . . . . . . . . . .79 Protecting against VBA Viruses . . . . . . . . . . . . . . . . .80 JavaScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83 JavaScript Security Overview . . . . . . . . . . . . . . . . . .84 Security Problems . . . . . . . . . . . . . . . . . . . . . . . . . . .84 Exploiting Plug-In Commands . . . . . . . . . . . . . . . . .86 Web-Based E-Mail Attacks . . . . . . . . . . . . . . . . . . . .87 Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . .87 Lowering JavaScript Security Risks . . . . . . . . . . . . . .88 VBScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88 VBScript Security Overview . . . . . . . . . . . . . . . . . .89

  Contents xv

  VBScript Security Problems . . . . . . . . . . . . . . . . . . .89

  VBScript Security Precautions . . . . . . . . . . . . . . . . .90

Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Granting Additional Access to Applets . . . . . . . . . . . .92 Security Problems with Java . . . . . . . . . . . . . . . . . . .92 Background Threads . . . . . . . . . . . . . . . . . . . . . . . . .92 Contacting the Host Server . . . . . . . . . . . . . . . . . . . .93 Java Security Precautions . . . . . . . . . . . . . . . . . . . . . .93

ActiveX Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94

ActiveX Security Overview . . . . . . . . . . . . . . . . . . .94 Security Problems with ActiveX . . . . . . . . . . . . . . . .95 Preinstalled ActiveX Controls . . . . . . . . . . . . . . . . . .96 Buffer Overrun Error . . . . . . . . . . . . . . . . . . . . . . . .97 Intentionally Malicious ActiveX . . . . . . . . . . . . . . . .98 Unsafe for Scripting . . . . . . . . . . . . . . . . . . . . . . . . .98 ActiveX Security Precautions . . . . . . . . . . . . . . . . . .98 Disabling an ActiveX Control . . . . . . . . . . . . . . . . . .98

  

E-Mail Attachments and Downloaded Executables . . . . .99

Back Orifice 2000 Trojan . . . . . . . . . . . . . . . . . . . . .99

Protecting Your System from Mobile Code Attacks . . . . . . .103

Security Applications . . . . . . . . . . . . . . . . . . . . . . . . . .103

  ActiveX Manager . . . . . . . . . . . . . . . . . . . . . . . . . .103 Back Orifice Detectors . . . . . . . . . . . . . . . . . . . . . .104 Firewall Software . . . . . . . . . . . . . . . . . . . . . . . . . .108 Web-Based Tools . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Online Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Client Security Updates . . . . . . . . . . . . . . . . . . . . .109

  

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .112

Chapter 4 Vulnerable CGI Scripts . . . . . . . . . . . . . . . . 113 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114 What Is a CGI Script, and What Does It Do? . . . . . . . . . .114 Typical Uses of CGI Scripts . . . . . . . . . . . . . . . . . . . . .116 When Should You Use CGI? . . . . . . . . . . . . . . . . . . . .121 CGI Script Hosting Issues . . . . . . . . . . . . . . . . . . . . . .122

  xvi Contents Break-Ins Resulting from Weak CGI Scripts . . . . . . . . . . .123 How to Write “Tighter” CGI Scripts . . . . . . . . . . . . . .124

  Searchable Index Commands . . . . . . . . . . . . . . . . . . . .128 CGI Wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128 Nikto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Acquiring and Using Nikto . . . . . . . . . . . . . . . . . .131

  Nikto Commands . . . . . . . . . . . . . . . . . . . . . . . . . .133 Web Hack Control Center . . . . . . . . . . . . . . . . . . . . .137 SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . .138 Languages for Writing CGI Scripts . . . . . . . . . . . . . . . . . .140

  UNIX Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141 Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141 C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Visual Basic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142

  Advantages of Using CGI Scripts . . . . . . . . . . . . . . . . . . . .143 Rules for Writing Secure CGI Scripts . . . . . . . . . . . . . . . .143 Storing CGI Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . .147 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149

  Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .152

  Chapter 5 Hacking Techniques and Tools . . . . . . . . . . 155 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 A Hacker’s Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157 Minimize the Warning Signs . . . . . . . . . . . . . . . . . . . .158 Maximize the Access . . . . . . . . . . . . . . . . . . . . . . . . . .160 Damage, Damage, Damage . . . . . . . . . . . . . . . . . . . . . .163 Turning the Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . .165 The Five Phases of Hacking . . . . . . . . . . . . . . . . . . . . . . .166 Creating an Attack Map . . . . . . . . . . . . . . . . . . . . . . . .166 Building an Execution Plan . . . . . . . . . . . . . . . . . . . . .170 Establishing a Point of Entry . . . . . . . . . . . . . . . . . . . .171 Continued and Further Access . . . . . . . . . . . . . . . . . . .172 The Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 Defacing Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176 Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178 Sensitive Information . . . . . . . . . . . . . . . . . . . . . . . . . .178 E-Mail or Messaging Services . . . . . . . . . . . . . . . . . . .179

  Contents xvii

Telephones and Documents . . . . . . . . . . . . . . . . . . . .180

Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182

  

The Intentional “Back Door” Attack . . . . . . . . . . . . . . . . .183

Hard-Coding a Back Door Password . . . . . . . . . . . . . .184

Exploiting Inherent Weaknesses in Code or Programming

Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

The Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . .187

Hex Editors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187

  

Debuggers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

Disassemblers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189

PE Disassembler . . . . . . . . . . . . . . . . . . . . . . . . . . .190 DJ Java Decompiler . . . . . . . . . . . . . . . . . . . . . . . .190 Hackman Disassembler . . . . . . . . . . . . . . . . . . . . . .191

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

  

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .196

Chapter 6 Code Auditing and Reverse Engineering . . 199 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200 How to Efficiently Trace through a Program . . . . . . . . . . .200 Auditing and Reviewing Selected Programming Languages 203 Java . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203 Java Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204 Active Server Pages . . . . . . . . . . . . . . . . . . . . . . . . . . .204 Server Side Includes . . . . . . . . . . . . . . . . . . . . . . . . . .204 Python . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204 The Tool Command Language . . . . . . . . . . . . . . . . . . .205 Practical Extraction and Reporting Language . . . . . . . .205 PHP: Hypertext Preprocessor . . . . . . . . . . . . . . . . . . . .205 C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205 ColdFusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Looking for Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . .206 Getting the Data from the User . . . . . . . . . . . . . . . . . .207 Looking for Buffer Overflows . . . . . . . . . . . . . . . . . . .208 The str* Family of Functions . . . . . . . . . . . . . . . . . . . .209 The strn* Family of Functions . . . . . . . . . . . . . . . . . . .209 The *scanf Family of Functions . . . . . . . . . . . . . . . . . .210 Other Functions Vulnerable to Buffer Overflows . . . . .210

  xviii Contents Checking the Output Given to the User . . . . . . . . . . .211 Format String Vulnerabilities . . . . . . . . . . . . . . . . . . . .211 Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Information Disclosure . . . . . . . . . . . . . . . . . . . . . . . .214 Checking for File System Access/Interaction . . . . . . . .215 Checking External Program and Code Execution . . . . .218 Calling External Programs . . . . . . . . . . . . . . . . . . . . . .218 Dynamic Code Execution . . . . . . . . . . . . . . . . . . . . . .219 External Objects/Libraries . . . . . . . . . . . . . . . . . . . . . .220 Checking Structured Query Language (SQL)/Database Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221 Checking Networking and Communication Streams . . .223

  Pulling It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . .224 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .226

Chapter 7 Securing Your Java Code. . . . . . . . . . . . . . . 227 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228 Java Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228 Java Runtime Environment . . . . . . . . . . . . . . . . . . . . .229 Overview of the Java Security Architecture . . . . . . . . . . . .232 The Java Security Model . . . . . . . . . . . . . . . . . . . . . . .233 The Sandbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236 Security and Java Applets . . . . . . . . . . . . . . . . . . . . .238 How Java Handles Security . . . . . . . . . . . . . . . . . . . . . . . .241 Class Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242 The Applet Class Loader . . . . . . . . . . . . . . . . . . . . .243 Adding Security to a Custom Class Loader . . . . . . .243 Bytecode Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246 Java Protected Domains . . . . . . . . . . . . . . . . . . . . . . . .250 Java Security Manager . . . . . . . . . . . . . . . . . . . . . . .251 Policy Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252 The SecurityManager Class . . . . . . . . . . . . . . . . . . .258 Potential Weaknesses in Java . . . . . . . . . . . . . . . . . . . . . . . .259 DoS Attack/Degradation of Service Attacks . . . . . . . . .260 Third-Party Trojan Horse Attacks . . . . . . . . . . . . . . . . .262

  Contents xix

  Coding Functional but Secure Java Applets  263
  Message Digests  264
  Digital Signatures  268
  Generating a Key Pair  270
  Obtaining and Verifying a Signature  272
  Authentication  274
  X.509 Certificate Format  275
  Obtaining Digital Certificates  276
  Protecting Security with JAR Signing  280
  Encryption  284
  Sun Microsystems Recommendations for Java Security  287
  Privileged Code Guidelines  288
  Java Code Guidelines  288
  C Code Guidelines  289
  Summary  291
  Solutions Fast Track  292
  Frequently Asked Questions  293

Chapter 8 Securing XML  295
  Introduction  296
  Defining XML  296
  Logical Structure  297
  Elements  298
  Attributes  299
  Well-Formed Documents  300
  Valid Document  300
  XML and XSL/DTD Documents  301
  XSL Use of Templates  302
  XSL Use of Patterns  302
  DTD  304
  Schemas  306
  Creating Web Applications Using XML  307
  The Risks Associated with Using XML  311
  Confidentiality Concerns  312
  Securing XML  313
  XML Encryption  313
  XML Digital Signatures  318

  Summary  321
  Solutions Fast Track  321
  Frequently Asked Questions  323

Chapter 9 Building Safe ActiveX Internet Controls  325
  Introduction  326
  Dangers Associated with Using ActiveX  326
  Avoiding Common ActiveX Vulnerabilities  329
  Lessening the Impact of ActiveX Vulnerabilities  333
  Protection at the Network Level  333
  Protection at the Client Level  333
  Methodology for Writing Safe ActiveX Controls  337
  Object Safety Settings  337
  Securing ActiveX Controls  338
  Control Signing  339
  Using Microsoft Authenticode  340
  Control Marking  342
  Using Safety Settings  342
  Using IObjectSafety  343
  Marking the Control in the Windows Registry  346
  Summary  348
  Solutions Fast Track  348
  Frequently Asked Questions  351

Chapter 10 Securing ColdFusion  353
  Introduction  354
  How Does ColdFusion Work?  355
  Using the Benefit of Rapid Development  356
  Understanding ColdFusion Markup Language  358
  Scalable Deployment  360
  Preserving ColdFusion Security  360
  Secure Development  365
  CFINCLUDE  365
  Relative Paths  366
  Queries  369
  Uploaded Files  373
  Denial of Service  374
  Turning Off Tags  375
  Secure Deployment  375


  ColdFusion Application Processing  376
  Checking for Existence of Data  376
  Checking Data Types  378
  Data Evaluation  381
  Risks Associated with Using ColdFusion  382
  Using Error Handling Programs  384
  Monitor.cfm Example  386
  Summary  390
  Solutions Fast Track  390
  Frequently Asked Questions  392

Chapter 11 Developing Security-Enabled Applications  393
  Introduction  394
  The Benefits of Using Security-Enabled Applications  394
  Types of Security Used in Applications  395
  Digital Signatures  396
  Pretty Good Privacy  397
  Outlook/Outlook Express  400
  Secure Multipurpose Internet Mail Extension  401
  Secure Sockets Layer  401
  Transport Layer Security  403
  Server Authentication  404
  Client Authentication  405
  Digital Certificates  408
  Reviewing the Basics of PKI  410
  Cookies  412
  Certificate Services  415
  Using PKI to Secure Web Applications  416
  Implementing PKI in Your Web Infrastructure  417
  Microsoft Certificate Services  417
  PKI for Apache Server  421
  Testing Your Security Implementation  422
  Summary  425
  Solutions Fast Track  426
  Frequently Asked Questions  429


Chapter 12 Cradle to Grave: Working with a Security Plan  431
  Introduction  432
  Examining Your Code  433
  Code Reviews  434
  Peer-to-Peer Code Reviews  435
  Being Aware of Code Vulnerabilities  438
  Testing, Testing, Testing  439
  Using Common Sense when Coding  442
  Planning  442
  Coding Standards  443
  Header Comments  443
  Variable Declaration Comments  444
  The Tools  444
  Rule-Based Analyzers  444
  Debugging and Error Handling  445
  Version Control and Source Code Tracking  446
  Visual SourceSafe  446
  StarTeam  447
  Creating a Security Plan  448
  Security Planning at the Network Level  449
  Security Planning at the Application Level  450
  Security Planning at the Desktop Level  450
  Web Application Security Process  451
  Summary  453
  Solutions Fast Track  454
  Frequently Asked Questions  455

Index  457

Chapter 1 Hacking Methodology

Solutions in this chapter:

  ■ A Brief History of Hacking
  ■ What Motivates a Hacker?
  ■ Understanding Current Attack Types
  ■ Recognizing Web Application Security Threats
  ■ Preventing Break-Ins by Thinking like a Hacker

  Summary
  Solutions Fast Track
  Frequently Asked Questions

Introduction

  You are probably familiar with the attacks of February 2000 on eBay, Yahoo, Amazon, and other major e-commerce and non–e-commerce Web sites. Those attacks were all distributed denial of service (DDoS) attacks, and all occurred at the server level: they flooded the servers and their network links rather than exploiting flaws in application code. Those same attacks moved hacking to center stage in the IT community and in the press. With that spotlight comes an increased awareness among information security specialists, project managers, and other IT professionals, and more and more companies are looking to tighten up security. In response, hackers have become more creative and more talented, raising the bar on security from both a network administration and an applications development standpoint.

  To create a defense, you must try to understand where these attacks could originate, from whom, and why they would target you. Your systems and applications can be targeted deliberately or chosen at random, so your defense strategy must be comprehensive and under constant evaluation. If you test and evaluate your programs by emulating attacks, you will be far more likely to find vulnerabilities before an uninvited guest does. Hackers range from inexperienced vandals, showing off by defacing your site, to master hackers who will compromise your databases for financial gain. All of them may attain some kind of public infamy.

  Mention the name “Kevin Mitnick” to anyone in the Internet world and it is instantly recognized. Mitnick served years in prison for hacking crimes and became the media’s poster child for hackers everywhere, while being viewed in the hacker community as a sacrificial lamb.

  Mitnick may have helped to bring hacking into the limelight recently, but he was far from the first to partake in it. Due in large part to the recent increase in the notoriety and popularity of hacking, a misconception persists among the general population that hacking is a relatively new phenomenon. Nothing could be further from the truth. The origins of hacking predate the invention of the Internet, and even of the computer. As we discuss later in this chapter, various forms of code breaking and phone technology hacking were important precursors.

  Throughout this book, you will be given development tools to assist you in hack proofing your Web applications. This book gives you a basic outline of approaches to secure site management, writing more secure code, and implementing security plans, and it helps you learn to think “like a hacker” so you can better protect your assets, which may include site availability, data privacy, data integrity, and site content.

Understanding the Terms