www.it-ebooks.info www.it-ebooks.info Advance Praise for Web Security Testing Cookbook “Paco and Ben understand and explain curl and HTTP concepts in an easygoing but yet technical and exact way They make this book a perfect guide to everyone who wants to understand the ‘bricks’ that web apps consist of, and thus how those bricks can be security tested.” — Daniel Stenberg, author of cURL “I love great food but I’m not a great cook That’s why I depend on recipes Recipes give cooks like me good results quickly They also give me a basis upon which to experiment, learn, and improve Web Security Testing Cookbook accomplishes the same thing for me as a novice security tester The description of free tools including Firefox and it’s security testing extensions, WebScarab, and a myriad of others got me started quickly I appreciate the list, but even more so, the warnings about the tools’ adverse effects if I’m not careful The explanation of encoding lifted the veil from those funny strings I see in URLs and cookies As a tester, I’m familiar with choking applications with large files, but malicious XML and ZIP files are the next generation The “billion laughs” attack will become a classic As AJAX becomes more and more prevalent in web applications, the testing recipes presented will be vital for all testers since there will be so many more potential security loopholes in applications Great real-life examples throughout make the theory come alive and make the attacks compelling.” — Lee Copeland, Program Chair StarEast and StarWest Testing Conferences, and Author of A Practitioner’s Guide to Software Test Design www.it-ebooks.info “Testing web application security is often a time-consuming, repetitive, and unfortunately all too often a manual process It need not be, and this book gives you the keys to simple, effective, and reusable techniques that help find issues before the hackers do.” — Mike Andrews, Author of How to Break Web Software “Finally, a plain-sense handbook for testers that teaches the mechanics of security testing Belying the usabillity of the ‘recipe’ approach, this book actually arms the tester to find vulnerabilities that even some of the best known security tools can’t find.” — Matt Fisher, Founder and CEO Piscis LLC “If you’re wondering whether your organization has an application security problem, there’s no more convincing proof than a few failed security tests Paco and Ben get you started with the best free web application security tools, including many from OWASP, and their simple recipes are perfect for developers and testers alike.” — Jeff Williams, CEO Aspect Security and OWASP Chair “It doesn’t matter how good your programmers are, rigorous testing will always be part of producing secure software Hope and Walther steal web security testing back from the L33T hax0rs and return it to the realm of the disciplined professional.” — Brian Chess, Founder/Chief Scientist Fortify Software www.it-ebooks.info Web Security Testing Cookbook ™ Systematic Techniques to Find Problems Fast Other resources from O’Reilly Related titles oreilly.com Ajax on Rails Learning Perl Learning PHP Practical Unix and Internet Security Ruby on Rails Secure Programming Cookbook for C and C++ Security Power Tools Security Warrior oreilly.com is more than a complete catalog of O’Reilly books You’ll also find links to news, events, articles, weblogs, sample chapters, and code examples oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems Conferences O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches Visit conferences.oreilly.com for our upcoming events Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals Conduct searches across more than 1,000 books Subscribers can zero in on answers to time-critical questions in a matter of seconds Read the books on your Bookshelf from cover to cover or simply flip to the page you need Try it today for free www.it-ebooks.info Web Security Testing Cookbook ™ Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther Beijing • Cambridge • Farnham • Kưln • Sebastopol • Taipei • Tokyo Web Security Testing Cookbook™: Systematic Techniques to Find Problems Fast by Paco Hope and Ben Walther Copyright © 2009 Brian Hope and Ben Walther All rights reserved Printed in the United States of America Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472 O’Reilly books may be purchased for educational, business, or sales promotional use Online editions are also available for most titles (http://safari.oreilly.com) For more information, contact our corporate/ institutional sales department: (800) 998-9938 or corporate@oreilly.com Editor: Mike Loukides Production Editor: Loranah Dimant Production Services: Appingo, Inc Indexer: Seth Maislin Cover Designer: Karen Montgomery Interior Designer: David Futato Illustrator: Jessamyn Read Printing History: October 2008: First Edition Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc Web Security Testing Cookbook, the image of a nutcracker on the cover, and related trade dress are trademarks of O’Reilly Media, Inc Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks Where those designations appear in this book, and O’Reilly Media, Inc was aware of a trademark claim, the designations have been printed in caps or initial caps While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein ISBN: 978-0-596-51483-9 [M] 1223489784 Table of Contents Foreword xiii Preface xv Introduction 1.1 1.2 1.3 1.4 1.5 14 14 Installing Some Free Tools 17 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 What Is Security Testing? What Are Web Applications? Web Application Fundamentals Web App Security Testing It’s About the How Installing Firefox Installing Firefox Extensions Installing Firebug Installing OWASP’s WebScarab Installing Perl and Packages on Windows Installing Perl and Using CPAN on Linux, Unix, or OS X Installing CAL9000 Installing the ViewState Decoder Installing cURL Installing Pornzilla Installing Cygwin Installing Nikto Installing Burp Suite Installing Apache HTTP Server 17 18 19 20 21 22 22 23 24 24 25 27 28 28 Basic Observation 31 3.1 3.2 3.3 3.4 Viewing a Page’s HTML Source Viewing the Source, Advanced Observing Live Request Headers with Firebug Observing Live Post Data with WebScarab 32 33 36 40 vii 3.5 3.6 3.7 3.8 3.9 3.10 3.11 Recognizing Binary Data Representations Working with Base 64 Converting Base-36 Numbers in a Web Page Working with Base 36 in Perl Working with URL-Encoded Data Working with HTML Entity Data Calculating Hashes Recognizing Time Formats Encoding Time Values Programmatically Decoding ASP.NET’s ViewState Decoding Multiple Encodings 56 58 60 60 61 63 65 67 68 70 71 Tampering with Input 73 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 43 44 47 48 49 51 53 Web-Oriented Data Encoding 55 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 Seeing Hidden Form Fields Observing Live Response Headers with TamperData Highlighting JavaScript and Comments Detecting JavaScript Events Modifying Specific Element Attributes Track Element Attributes Dynamically Conclusion Intercepting and Modifying POST Requests Bypassing Input Limits Tampering with the URL Automating URL Tampering Testing URL-Length Handling Editing Cookies Falsifying Browser Header Information Uploading Files with Malicious Names Uploading Large Files Uploading Malicious XML Entity Files Uploading Malicious XML Structure Uploading Malicious ZIP Files Uploading Sample Virus Files Bypassing User-Interface Restrictions 74 77 78 80 81 84 86 88 91 92 94 96 96 98 Automated Bulk Scanning 101 6.1 6.2 6.3 6.4 6.5 Spidering a Website with WebScarab Turning Spider Results into an Inventory Reducing the URLs to Test Using a Spreadsheet to Pare Down the List Mirroring a Website with LWP viii | Table of Contents 102 104 107 107 108 ... improve Web Security Testing Cookbook accomplishes the same thing for me as a novice security tester The description of free tools including Firefox and it’s security testing extensions, WebScarab,... Web Security Testing Cookbook ™ Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther Beijing • Cambridge • Farnham • Kưln • Sebastopol • Taipei • Tokyo Web Security Testing Cookbook :... 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 What Is Security Testing? What Are Web Applications? Web Application Fundamentals Web App Security Testing It’s About the How Installing Firefox Installing