Hacking Exposed Web Applications / Scambray, Shema / 222438-x / Front Matter
HACKING EXPOSED™ WEB APPLICATIONS
JOEL SCAMBRAY
MIKE SHEMA
McGraw-Hill/Osborne
New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
ABOUT THE AUTHORS
Joel Scambray
Joel Scambray is co-author of Hacking Exposed (http://www.hackingexposed.com), the international best-selling Internet security book that reached its third edition in October 2001. He is also lead author of Hacking Exposed Windows 2000, the definitive insider’s analysis of Microsoft product security, released in September 2001 and now in its second foreign language translation. Joel’s past publications have included his co-founding role as InfoWorld’s Security Watch columnist, InfoWorld Test Center Analyst, and inaugural author of Microsoft’s TechNet Ask Us About...Security forum.

Joel’s writing draws primarily on his years of experience as an IT security consultant for clients ranging from members of the Fortune 50 to newly minted startups, where he has gained extensive, field-tested knowledge of numerous security technologies, and has designed and analyzed security architectures for a variety of applications and products. Joel’s consulting experiences have also provided him a strong business and management background, as he has personally managed several multiyear, multinational projects; developed new lines of business accounting for substantial annual revenues; and sustained numerous information security enterprises of various sizes over the last five years. He also maintains his own test laboratory, where he continues to research the frontiers of information system security.

Joel speaks widely on information system security for organizations including The Computer Security Institute, ISSA, ISACA, private companies, and government agencies. He is currently Managing Principal with Foundstone Inc. (http://www.foundstone.com), and previously held positions at Ernst & Young, InfoWorld, and as Director of IT for a major commercial real estate firm. Joel’s academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).
—Joel Scambray can be reached at joel@webhackingexposed.com.
Mike Shema
Mike Shema is a Principal Consultant of Foundstone Inc. where he has performed dozens of Web application security reviews for clients including Fortune 100 companies, financial institutions, and large software development companies. He has field-tested methodologies against numerous Web application platforms, as well as developing support tools to automate many aspects of testing. His work has led to the discovery of vulnerabilities in commercial Web software. Mike has also written technical columns about Web server security for SecurityFocus and DevX. He has also applied his security experience as a co-author for The Anti-Hacker Toolkit. In his spare time, Mike is an avid role-playing gamer. He holds B.S. degrees in Electrical Engineering and French from Penn State University.
—Mike Shema can be reached at mike@webhackingexposed.com.
About the Contributing Authors
Yen-Ming Chen
Yen-Ming Chen (CISSP, MCSE) is a Principal Consultant at Foundstone, where he provides security consulting services to clients. Yen-Ming has more than four years’ experience administering UNIX and Internet servers. He also has extensive knowledge in the areas of wireless networking, cryptography, intrusion detection, and survivability. His articles have been published in SysAdmin, UnixReview, and other technology-related magazines. Prior to joining Foundstone, Yen-Ming worked in the CyberSecurity Center in CMRI, CMU, where he worked on an agent-based intrusion detection system. He also participated actively in an open source project, “snort,” which is a lightweight network intrusion detection system. Yen-Ming holds his B.S. in Mathematics from National Central University in Taiwan and his M.S. in Information Networking from Carnegie Mellon University. Yen-Ming is also a contributing author of Hacking Exposed, Third Edition.
David Wong
David is a computer security expert and is Principal Consultant at Foundstone. He has performed numerous security product reviews as well as network attack and penetration tests. David has previously held a software engineering position at a large telecommunications company where he developed software to perform reconnaissance and network monitoring. David is also a contributing author of Hacking Exposed Windows 2000 and Hacking Exposed, Third Edition.
McGraw-Hill/Osborne
2600 Tenth Street
Berkeley, California 94710
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.
Hacking Exposed™ Web Applications
Copyright © 2002 by Joel Scambray and Mike Shema. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1234567890 FGR FGR 0198765432
ISBN 0-07-222438-X
Publisher: Brandon A. Nordin
Vice President & Associate Publisher: Scott Rogers
Senior Acquisitions Editor: Jane Brownlow
Project Editor: Patty Mon
Acquisitions Coordinator: Emma Acker
Technical Editor: Yen-Ming Chen
Copy Editor: Claire Splan
Proofreader: Paul Tyler
Indexer: Valerie Perry
Computer Designers: Elizabeth Jang, Melinda Moore Lytle
Illustrators: Michael Mueller, Lyssa Wald
Series Design: Dick Schwartz, Peter F. Hancik
Cover Series Design: Dodie Shoemaker
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
Dedication
To those who fight the good fight, every minute, every day.
—Joel Scambray
For Mom and Dad, who opened so many doors for me; and for my brothers, David
and Steven, who are more of an inspiration to me than they realize.
—Mike Shema
AT A GLANCE
Part I  Reconnaissance
  1  Introduction to Web Applications and Security . . . 3
  2  Profiling . . . 25
  3  Hacking Web Servers . . . 41
  4  Surveying the Application . . . 99
Part II  The Attack
  5  Authentication . . . 131
  6  Authorization . . . 161
  7  Attacking Session State Management . . . 177
  8  Input Validation Attacks . . . 201
  9  Attacking Web Datastores . . . 225
  10  Attacking Web Services . . . 243
  11  Hacking Web Application Management . . . 261
  12  Web Client Hacking . . . 277
  13  Case Studies . . . 299
Part III  Appendixes
  A  Web Site Security Checklist . . . 311
  B  Web Hacking Tools and Techniques Cribsheet . . . 317
  C  Using Libwhisker . . . 333
  D  UrlScan Installation and Configuration . . . 345
  E  About the Companion Web Site . . . 371
  Index . . . 373
CONTENTS
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part I  Reconnaissance
1 Introduction to Web Applications and Security . . . . . . . . . . . . . . . . 3
The Web Application Architecture . . . . . . . . . . . . . . . . . . 5
A Brief Word about HTML . . . . . . . . . . . . . . . . . . . 6
Transport: HTTP . . . . . . . . . . . . . . . . . . . . . . . . . 7
The Web Client . . . . . . . . . . . . . . . . . . . . . . . . . . 11
The Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Web Application . . . . . . . . . . . . . . . . . . . . . . . 13
The Database . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Complications and Intermediaries . . . . . . . . . . . . . . . 16
The New Model: Web Services . . . . . . . . . . . . . . . . . 18
Potential Weak Spots . . . . . . . . . . . . . . . . . . . . . . . . . . 19
The Methodology of Web Hacking . . . . . . . . . . . . . . . . . . 20
Profile the Infrastructure . . . . . . . . . . . . . . . . . . . . . 20
Attack Web Servers . . . . . . . . . . . . . . . . . . . . . . . . 20
Survey the Application . . . . . . . . . . . . . . . . . . . . . . 20
Attack the Authentication Mechanism . . . . . . . . . . . . . 21
Attack the Authorization Schemes . . . . . . . . . . . . . . . 21
Perform a Functional Analysis . . . . . . . . . . . . . . . . . 21