
Web 2.0 Security: Defending Ajax, RIA, and SOA (PDF)

385 Pages·2007·5.82 MB·English

Preview of Web 2.0 Security: Defending Ajax, RIA, and SOA

WEB 2.0 SECURITY: DEFENDING AJAX, RIA, AND SOA

SHREERAJ SHAH

Charles River Media, a part of Course Technology, Cengage Learning
Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States

Publisher and General Manager, Course Technology PTR: Stacy L. Hiquet
Associate Director of Marketing: Sarah Panella
Manager of Editorial Services: Heather Talbot
Marketing Manager: Mark Hughes
Senior Acquisitions Editor: Mitzi Koontz
Project Editor: Karen A. Gill
Copy Editor: Ruth Saavedra
Technical Reviewer: Jaelle Scheuerman
CRM Editorial Services Coordinator: Jen Blaney
Interior Layout Tech: Judith Littlefield
Cover Designer: Tyler Creative Services
CD-ROM Producer: Brandon Penticuff
Indexer: Kevin Broccoli
Proofreader: Sue Boshers

© 2008 Course Technology, a part of Cengage Learning.

ALL RIGHTS RESERVED. No part of this work covered by the copyright herein may be reproduced, transmitted, stored, or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the publisher.

For product information and technology assistance, contact us at Cengage Learning Customer & Sales Support, 1-800-354-9706.
For permission to use material from this text or product, submit all requests online at cengage.com/permissions.
Further permissions questions can be emailed to [email protected]

Library of Congress Control Number: 2007939356
ISBN-13: 978-1-58450-550-1
ISBN-10: 1-58450-550-8
eISBN-10: 1-58450-606-7

Course Technology
25 Thomson Place
Boston, MA 02210
USA

Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international.cengage.com/region

Cengage Learning products are represented in Canada by Nelson Education, Ltd.

For your lifelong learning solutions, visit courseptr.com
Visit our corporate website at cengage.com

Printed in the United States of America
1 2 3 4 5 6 7 11 10 09 08

This book is dedicated to my grandmother (Vasuben), mother (Rekhaben), and sisters (Reena and Rajvee) for their love, support, and guidance. I am deeply thankful for their help through all these years.

Contents

Acknowledgments xi
About the Author xiii
Introduction xv

1 Web 2.0 Introduction and Security 1
    Web 2.0—An Agent of Change 2
    Driving Factors for Web 2.0 and Its Impact on Security 2
    Path of Evolution: A Look Back in Time and a Peek Ahead 3
    Web 2.0: Technology Vectors and Architecture 4
    Web 2.0 Application Information Sources and Flow 7
    Real-Life Web 2.0 Application Examples 8
    Growing Web 2.0 Security Concerns 9
    Web 2.0 Real-Life Security Cases 11
    Conclusion 12

2 Overview of Web 2.0 Technologies 13
    Web 2.0 Technology Layers: Building Blocks for Next Generation Applications 14
    Client Layer 15
    Rich Internet Applications 24
    Protocol Layer 27
    Structure Layer 35
    Server Layer 40
    Conclusion 45

3 Web 2.0 Security Threats, Challenges, and Defenses 47
    Web 2.0 Security Landscape 47
    Web 2.0 Security Cycle and Changing Vectors 49
    Web 2.0 Attack Points and Layered Threats 53
    Conclusion 70

4 Web 2.0 Security Assessment Approaches, Methods, and Strategies 71
    Web 2.0 Security Assessment 71
    Web 2.0 Application Assessment Methods 72
    Conclusion 77

5 Web 2.0 Application Footprinting 79
    Web 2.0 Footprinting Basics 79
    Web Services Footprinting 87
    Footprinting Countermeasures 92
    Conclusion 93

6 Web 2.0 Application Discovery, Enumeration, and Profiling 95
    Web 2.0 Application Discovery: Problem Domain 96
    Web 2.0 Application Discovery with Protocol Analysis 96
    Dynamic DOM Event Manipulation 103
    Crawling Ajax-Based Pages 105
    Page Profiling and Linkage Analysis 111
    Web Services Discovery and Profiling 112
    Conclusion 117

7 Cross-Site Scripting with Web 2.0 Applications 119
    XSS 120
    XSS Basics 120
    XSS and Serialization with Applications 128
    Conclusion 136

8 Cross-Site Request Forgery with Web 2.0 Applications 137
    CSRF Overview 137
    CSRF with the POST Method 144
    Web 2.0 Applications and CSRF 145
    CSRF and Getting Cross-Domain Information Access 151
    Conclusion 158

9 RSS, Mashup, and Widget Security 159
    Cross-Domain Security 160
    RSS Security and Attacks 170
    Mashup Security 176
    Widget Security 179
    Conclusion 181

10 Web 2.0 Application Scanning and Vulnerability Detection 183
    Fingerprinting Web 2.0 Technologies 184
    Ajax Framework and Vulnerabilities 190
    Fingerprinting RIA Components 191
    Scanning Ajax Code for DOM-Based XSS 194
    RIA- and Flash-Based Component Decompilation 200
    CSRF Vulnerability Detection with Web 2.0 Applications 202
    JavaScript Client-Side Scanning for Entry Points 203
    Debugging JavaScript for Vulnerability Detection 207
    Conclusion 212

11 SOA and Web Services Security 213
    Real-Life Example of SOA 214
    SOA Layered Architecture 215
    SOA Server-Side Architecture and Code 217
    Web Services and SOA Security Framework 218
    XML Message: A Torpedo of Web 2.0 Applications 220
    SOA Threat Framework 221
    SOA Security Challenges and Technology Vectors 235
    Conclusion 236

12 SOA Attack Vectors and Scanning for Vulnerabilities 237
    Profiling and Invoking Web Services 238
    Technology Fingerprinting and Enumeration 242
    XML Poisoning 245
    Parameter Tampering 247
    SQL Injection with SOAP Manipulation 256
    XPATH Injection 258
    LDAP Injection with SOAP 263
    Directory Traversal and Filesystem Access Through SOAP 268
    Operating System Command Execution Using Vulnerable Web Services 272
    SOAP Message Brute Forcing 276
    Session Hijacking with Web Services 279
    Conclusion 280

13 Web 2.0 Application Fuzzing for Vulnerability Detection and Filtering for Countermeasures 281
    Web 2.0 Application Fuzzing 281
    Web 2.0 Application Firewall and Filtering 288
    Conclusion 303

14 Web 2.0 Application Defenses by Request Signature and Code Scanning 305
    Ajax Request Signature for Web 2.0 Applications: Defense Against CSRF and XSS 306
    Source Code Review and Vulnerability Identification 312
    Conclusion 318

15 Resources for Web 2.0 Security: Tools, Techniques, and References 319
    Discovery and Analysis Through a Proxy 320
    Browser Plug-Ins for HTTP Traffic 323
    JavaScript and Greasemonkey 324
    Browser Automation 327
    XSS Exploitation 329
    Metasploit 3.0 and the Web 2.0 Layer 334
    DOM and Developer Tools 336
    XSS Attacks and Assistant 337
    XSS and CSRF Defense Reference 338
    SOAP Clients in Various Languages 340
    SOAP Quick Reference 341
    WSDL Quick Reference 342
    UDDI Quick Reference 343
    SOA Technologies 344
    Web 2.0–Specific Resource Extensions for Files 344
    SOA Checklist 345
    Ajax Security Checklist 346
    Web 2.0–Related Published Vulnerabilities 347

Index 353

Description:
Service-Oriented Architecture (SOA), Rich Internet Applications (RIA), and Asynchronous JavaScript and eXtensible Markup Language (Ajax) comprise the backbone behind now-widespread Web 2.0 applications, such as MySpace, Google Maps, Flickr, and Live.com. Although these robust tools make next-generation Web a