How to Break Web Software Functional and Security Testing of Web Applications and Web Services This page intentionally left blank How to Break Web Software Functional and Security Testing of Web Applications and Web Services Mike Andrews James A. Whittaker Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Cape Town • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particu- lar to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales (800) 382-3419 [email protected] For sales outside the United States please contact: International Sales [email protected] Visit us on the Web: www.awprofessional.com Copyright © 2006 Pearson Education, Inc. All rights reserved. Printed in the United States of America. This publication is protected by copy- right, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to: Pearson Education, Inc. Rights and Contracts Department 501 Boylston Street, Suite 900 Boston, MA02116 Fax: (617) 671-3447 ISBN-10: 0-321-36944-0 ISBN-13: 978-0-321-36944-4 Text printed in the United States on recycled paper at R.R. Donnelley & Sons in Crawfordsville,IN. Sixth printing, October 2008 Library of Congress Cataloging-in-Publication Data Whittaker, James A., 1965- How to break Web software : functional and security testing of Web applications and Web servic- es / James Whittaker & Mike Andrews. p. cm. ISBN 0-321-36944-0 (pbk. : alk. paper) 1. Computer software—Testing. 2. World Wide Web. 3. Computer networks—Security measures. I. Andrews, Mike. II. Title. QA76.76.T48W485 2006 005.1’4—dc22 2005034913 Dedication To Tara, who gives up so much and accepts so little. —Mike Andrews For all of the fine security testers at Security Innovation who have taught me so much about the joy of breaking things. —James A. Whittaker This page intentionally left blank AFault to Guide Software Testing 010010101011011000100100100101010110110001001001001010101 Preface Numerous times we’ve been asked when the next book in the How to Break…series will come out and what it’s going to be about. The over- whelming request from our readers has been on the subject of Web applica- tions. It seems many testers find they are working in this area and are fac- ing the prospect of testing applications that employ applications’ special- ized protocols and languages that exist on the World Wide Web. Although many of the tests from How to Break Software(Addison- Wesley, 2002) and How to Break Software Security(Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit of its predecessors with a decided slant toward security issues in Web applications. Before we go into what this book is all about, first let us tell you what itisn’tall about. We are not trying to rewrite the Hacking Exposedbooks. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web applica- tion. Our focus is about how to test Web applications for common failures that can lead to such exploitation. How to Break Web Softwareis a book written for software developers, testers, managers, and quality assurance professionals to help put the hack- ers out of business. This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of their adversary in order to counter them. But, this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out. This book isn’t about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this and each Web development platform has its own unique challenges that must be considered, which books like Innocent Codedo so well. How to Break Web Software, however, does contain a lot of information about how notto architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming. What this book isabout is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authoriza- tion checks, as well as problems inherited from certain configurations/lan- guages/architectures—all in a simple format that will show where to look VIII Preface for the problem, how to test for the problem, and advice on methods of mitigation.How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test Web-based applications for common problems. Happy Web testing! Mike Andrews, Orange County, California James A. Whittaker, Melbourne, Florida Acknowledgments Mike Andrews: I would like to thank my colleagues at Foundstone Professional Services for the support and intellectual curiosity instilled within the culture. In particular, I would like to thank Kartik Trivedi for his help with the Web services chapter and Carric Dooley for providing the excellent tools appendix within this book. Further thanks have to go to Eric Heitzman, Rudolph Araujo, and Shanit Gupta for batting around ideas of what should (and should not) be part of a Web testing method- ology. I would also like to thank Toby Mikle, (TMCreations.com) for the spider cartoon and fly icons appearing throughout the book. Finally, Scott Chase, Matt Oertle, and Hugh Thompson deserve a mention for planting the seeds and being an inspiration while I was at Florida Tech—I wish you guys continued success. James A. Whittaker: I would like to acknowledge my peers and counter- parts at Security Innovation (SI) and Florida Tech for their countless hours of dedication to the discipline of breaking software. Special thanks go to Hugh Thompson, Florence Mottay, Scott Chase, and Jason Taylor of SI. You guys are virtuosos at this stuff and have found more Web defects than any other group I know. The Web is a safer place because of people like you.