hacknotes - web security portable reference

Document information

[...]... alternative

HACKNOTES: THE SERIES

McGraw-Hill/Osborne has created a brand new series of portable reference books for security professionals. These are quick-study books kept to an acceptable number of pages and meant to be a truly portable reference. The goals of the HackNotes series are

■ To provide quality, condensed security reference information that is easy to access...

... can have a serious effect

This book should serve as a reference, hopefully dog-eared and lying next to the keyboard. It collects a lot of information from security sites, but introduces new techniques and pointers and ties them into a trusted methodology. Thus, the Reference Center might be sufficient for the experienced web hacker who lives by the URL...

... Apache) (IIS) (IIS) (Apache long-slash)

    openssl s_client -connect host:443 -cipher EXPORT40
    openssl s_client -connect host:443 -cipher NULL
    openssl s_client -connect host:443 -cipher HIGH

Nessus plug-in: ssl_ciphers.nes

Application Assessment Methodology Checklist

Identify all "support" files (.css, htx, etc.)

Initial Application Discovery

Initial Application...

... getting across the point of the topic. Most importantly, so that these handy portable references don't burden you with unnecessary verbiage to wade through during your busy day, we have kept the writing clear, concise, and to the point.

Whether you are brand new to the information security field and need useful starting points and essential facts without...
Reference Center: Application Assessment Methodology Checklist

Web Server Enumeration (Steps / Comments)

Grab the server banner
    echo -e "HEAD / HTTP/1.0\n\n" | nc -vv website 80
    echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -quiet -connect website:443

Nikto
    Use "./nikto.pl -update" to obtain the latest version
    ./nikto.pl -p 80 -h website -verbose

Whisker 2.1
    ./whisker.pl -p 80 -h website

Enumerate...

... future. The HackNotes books were designed specifically with your needs in mind. Look to http://www.hacknotes.com for further information on the series and feel free to send your comments and ideas to feedback@hacknotes.com.

A SWIFTLY TILTING WEB

The World Wide Web brings together information, commerce, personalities, and more. The applications that populate the Web reflect...

Reference Center
    Application Assessment Methodology Checklist
    HTTP Protocol Notes
    Input Validation Tests
    Common Web-Related Ports and Applications
    Quick-Reference Command Techniques
    Application Default Accounts and Configuration Files
    "Wargling" Search Terms
    IIS Metabase Settings and Recommendations
    Online References...

HTTP Protocol Notes (Syntax and Notes)

POST
    POST /uri HTTP/1.1
    Host: website
    Content-Length: N
    \n \n
    Instruct the server to accept "" to the requested resource. The POST will define the content-length, content-type, and may contain binary data. Originally, this was intended to append "" to the resource.

PUT
    PUT /uri HTTP/1.1
    Host: website
    Content-Length: N
    \n \n
    Instruct the server...

Character Encoding
    URL Encoding (Escaped Characters)
    Unicode
    Alternate Request Methods ...
Installing WebGoat
Using WebGoat
Index

The first bow must be to the individuals in the security community who have openly contributed tools, techniques, advisories, and educated opinions on web application security. While many remain ...

HACKNOTES™ Web Security Portable Reference

... avoid various pitfalls.

Date posted: 25/03/2014, 11:22

Table of contents

  • HackNotes : Web Security Portable Reference

    • Cover

    • CONTENTS

    • Acknowledgments

    • Hacknotes: The Series

    • Introduction

    • Reference Center

      • Application Assessment Methodology Checklist

      • HTTP Protocol Notes

      • Input Validation Tests

      • Common Web-Related Ports and Applications

      • Quick-Reference Command Techniques

      • Application Default Accounts and Configuration Files

      • "Wargling" Search Terms

      • IIS Metabase Settings and Recommendations

      • Online References

      • Useful Tools

      • Part I Hacking Techniques & Defenses

        • ■ 1 Web Hacking & Penetration Methodologies

          • Threats and Vulnerabilities

          • Profiling the Platform

          • Profiling the Application

          • Summary

          • ■ 2 Critical Hacks & Defenses

            • Generic Input Validation

              • Common Vectors
