Web Security Testing Cookbook*

Size: px

Start display at page:

Download "Web Security Testing Cookbook*"

Veronica Stevens
10 years ago
Views:

1 Web Security Testing Cookbook* Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther O'REILLY' Beijing Cambridge Farnham Koln Sebastopol Tokyo

2 Table of Contents Foreword Preface xiii xv 1. Introduction What Is Security Testing? What Are Web Applications? Web Application Fundamentals Web App Security Testing It's About the How Installing Some Free Tools 2.1 Installing Firefox 2.2 Installing Firefox Extensions 2.3 Installing Firebug 2.4 Installing OWASP's WebScarab 2.5 Installing Perl and Packages on Windows 2.6 Installing Perl and Using CPAN on Linux, Unix, or OS X 2.7 Installing CAL Installing the ViewState Decoder 2.9 Installing curl 2.10 Installing Pornzilla 2.11 Installing Cygwin 2.12 Installing Nikto Installing Burp Suite 2.14 Installing Apache HTTP Server Basic Observation 3.1 Viewing a Page's HTML Source 3.2 Viewing the Source, Advanced 3.3 Observing Live Request Headers with Firebug 3.4 Observing Live Post Data with WebScarab vii

5 Installing Perl and Packages on Windows 2.6 Installing Perl and Using CPAN on Linux, Unix, or OS X 2.7 Installing CAL9000 2.8 Installing the ViewState Decoder 2.9 Installing curl 2.

3 3.5 Seeing Hidden Form Fields Observing Live Response Headers with TamperData Highlighting JavaScript and Comments Detecting JavaScript Events Modifying Specific Element Attributes Track Element Attributes Dynamically Conclusion Web-Oriented Data Encoding Recognizing Binary Data Representations Working with Base Converting Base-36 Numbers in a Web Page Working with Base 36 in Perl Working with URL-Encoded Data Working with HTML Entity Data Calculating Hashes Recognizing Time Formats Encoding Time Values Programmatically Decoding ASP.NET's ViewState Decoding Multiple Encodings Tampering with Input Intercepting and Modifying POST Requests Bypassing Input Limits Tampering with the URL Automating URL Tampering Testing URL-Length Handling Editing Cookies Falsifying Browser Header Information Uploading Files with Malicious Names Uploading Large Files Uploading Malicious XML Entity Files Uploading Malicious XML Structure Uploading Malicious ZIP Files Uploading Sample Virus Files Bypassing User-Interface Restrictions Automated Bulk Scanning Spidering a Website with WebScarab Turning Spider Results into an Inventory Reducing the URLs to Test Using a Spreadsheet to Pare Down the List Mirroring a Website with LWP 108 viii I Table of Contents

2 Working with Base 64 58 4.3 Converting Base-36 Numbers in a Web Page 60 4.4 Working with Base 36 in Perl 60 4.5 Working with URL-Encoded Data 61 4.6 Working with HTML Entity Data 63 4.

4 6.6 Mirroring a Website with wget Mirroring a Specific Inventory with wget Scanning a Website with Nikto Interpretting Nikto's Results Scan an HTTPS Site with Nikto Using Nikto with Authentication Start Nikto at a Specific Starting Point Using a Specific Session Cookie with Nikto Testing Web Services with WSFuzzer Interpreting WSFuzzer's Results Automating Specific Tasks with curl Fetching a Page with curl Fetching Many Variations on a URL Following Redirects Automatically Checking for Cross-Site Scripting with curl Checking for Directory Traversal with curl Impersonating a Specific Kind of Web Browser or Device Interactively Impersonating Another Device Imitating a Search Engine with curl Faking Workflow by Forging Referer Headers Fetching Only the HTTP Headers POSTing with curl Maintaining Session State Manipulating Cookies Uploading a File with curl Building a Multistage Test Case Conclusion Automating with LibWWWPerl Writing a Basic Perl Script to Fetch a Page Programmatically Changing Parameters Simulating Form Input with POST Capturing and Storing Cookies Checking Session Expiration Testing Session Fixation Sending Malicious Cookie Values Uploading Malicious File Contents Uploading Files with Malicious Names Uploading Viruses to Applications Parsing for a Received Value with Perl Editing a Page Programmatically Using Threading for Performance 175 Table of Contents I ix

14 Testing Web Services with WSFuzzer 119 6.15 Interpreting WSFuzzer's Results 121 7. Automating Specific Tasks with curl 125 7.1 Fetching a Page with curl 126 7.

5 9. Seeking Design Flaws Bypassing Required Navigation Attempting Privileged Operations Abusing Password Recovery Abusing Predictable Identifiers Predicting Credentials Finding Random Numbers in Your Application Testing Random Numbers Abusing Repeatability Abusing High-Load Actions Abusing Restrictive Functionality Abusing Race Conditions Attacking AJAX Observing Live AJAX Requests Identifying JavaScript in Applications Tracing AJAX Activity Back to Its Source Intercepting and Modifying AJAX Requests Intercepting and Modifying Server Responses Subverting AJAX with Injected Data Subverting AJAX with Injected XML Subverting AJAX with Injected JSON Disrupting Client State Checking for Cross-Domain Access Reading Private Data via JSON Hijacking Manipulating Sessions Finding Session Identifiers in Cookies Finding Session Identifiers in Requests Finding Authorization Headers Analyzing Session ID Expiration Analyzing Session Identifiers with Burp Analyzing Session Randomness with WebScarab Changing Sessions to Evade Restrictions Impersonating Another User Fixing Sessions Testing for Cross-Site Request Forgery Multifaceted Tests Stealing Cookies Using XSS Creating Overlays Using XSS Making HTTP Requests Using XSS Attempting DOM-Based XSS Interactively 242 x I Table of Contents

10 Abusing Restrictive Functionality 194 9.11 Abusing Race Conditions 195 10. Attacking AJAX 197 10.1 Observing Live AJAX Requests 199 10.2 Identifying JavaScript in Applications 200 10.

6 12.5 Bypassing Field Length Restrictions (XSS) Attempting Cross-Site Tracing Interactively Modifying Host Headers Brute-Force Guessing Usernames and Passwords Attempting PHP Include File Injection Interactively Creating Decompression Bombs Attempting Command Injection Interactively Attempting Command Injection Systematically Attempting XPath Injection Interactively Attempting Server-Side Includes (SSI) Injection Interactively Attempting Server-Side Includes (SSI) Injection Systematically Attempting LDAP Injection Interactively Attempting Log Injection Interactively 266 Index 269 Table of Contents I xi

11 Attempting Command Injection Interactively 254 12.12 Attempting Command Injection Systematically 256 12.13 Attempting XPath Injection Interactively 258 12.

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1: