
The Basics of Web Hacking: Tools and Techniques to Attack the Web (PDF)

153 pages · 2013 · 24.185 MB · English

Preview The Basics of Web Hacking. Tools and Techniques to Attack the Web

The Basics of Web Hacking
Tools and Techniques to Attack the Web

Josh Pauli
Scott White, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an Imprint of Elsevier

Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Priya Kumaraguruparan
Designer: Mark Rogers

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2013 Elsevier, Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
Pauli, Joshua J.
The basics of web hacking : tools and techniques to attack the Web / Josh Pauli.
pages cm
Includes bibliographical references and index.
ISBN 978-0-12-416600-4
1. Web sites–Security measures. 2. Web applications–Security measures. 3. Computer networks–Security measures. 4. Penetration testing (Computer security) 5. Computer hackers. 6. Computer crimes–Prevention. I. Title.
TK5105.59.P385 2013
005.8–dc23
2013017240

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

ISBN: 978-0-12-416600-4

Printed in the United States of America
13 14 15 10 9 8 7 6 5 4 3 2 1

For information on all Syngress publications, visit our website at www.syngress.com.

Dedication

This book is dedicated to my lovely wife, Samantha, and my two wonderful daughters, Liz and Maddie. I love you all very much.

Acknowledgments

HONEY BEAR

To my wife, Samantha: We’ve come a long way since being scared teenagers expecting a baby! Your support no matter the projects I take on, your understanding no matter how much I complain, and your composure no matter what comes at our family are legendary and have kept our family chugging along.

LIZARD

To my oldest daughter, Liz: Your work ethic, attention to detail, and drive to succeed are an inspiration to me. I’m looking forward to the coming years as you take on your next challenges, as I have no doubt you will succeed with flying colors!

BABY BIRD

To my youngest daughter, Maddie: Your smile and playful nature always pick me up and make me realize how good we have it.
If four open-heart surgeries won’t slow you down, what excuse does anybody else have? Keep smiling, playing, and being yourself—we’re all better off that way!

FAMILY AND FRIENDS

Huge thanks to Merm, Tara, Halverto, Stacy & Steph, Luke & Tracy, David, Dr. B, Crony, my DSU students, and everybody else that I’ve surely forgotten that have provided friendship and support. Salute!

And a special note to Dr. Patrick Engebretson, a great friend and colleague, that I’ve shared many beers, fried goodies, stories, car rides, and office visits with. Your assistance through this publishing process has been a tremendous help. Do work, big boy!

Last, to my parents, Dr. Wayne and Dr. Crystal Pauli: It appears that those years of twisting my ear, filling my mouth full of soap, and breaking wooden spoons on my butt have finally paid off! (That stuff was allowed in the 1980s and it’s obvious now that I wasn’t the easiest child to raise.) Your love and support have never wavered and I couldn’t ask for better parents.

SECURITY COMMUNITY

Man, what a group. It doesn’t matter if you’re a complete beginner, a super l33t hacker, or anywhere in between, you’re always welcome if you’re willing to learn and explore. As a South Dakota guy, I have my own personal “Mount Rushmore of Security”: a group that not only is highly skilled in security but also has provided me with a ton of support.

■ To Dr. Jared DeMott: You’re one of the finest bug hunters/exploitation gurus in the world, but an even better family man and friend. With all your success it would be easy to forget about us “little people” at Dakota State University, but instead you’ve never been a bigger supporter of our mission and goals.

■ To Dave Kennedy: HUGS! You’re one of the most encouraging security people that I’ve ever come across. The amount of fun you have working, training, speaking, and just hanging out with the security community is what this is all about. I’m glad our paths crossed and I look forward to many more years of watching you continue to flourish. MORE HUGS!

■ To Eric Smith: I will never forget watching in awe as you dominated as a one-man red team for our security competition at DSU. Your personal story of hard work, dedication, and hours spent perfecting your craft is one that I’ve relayed to my students hundreds of times. Thanks for always making time to come back to Madison, SD, and furthering your demigod status with our students!

■ To Dafydd Stuttard: I blame you for all of this! The Web Application Hacker’s Handbook (WAHH) that you authored with Marcus Pinto was one of the first premiere security books that I really dug into. After attending your classes, being the technical reviewer on the 2nd edition of WAHH, using your Burp Suite web application hacking tool extensively, and exchanging countless e-mails with you, it’s crystal clear that you’re the Godfather of web application security. I’ve educated over 400 students with WAHH and Burp Suite and hope my book can serve as an on-ramp to your super highway.

SCOTT WHITE—TECHNICAL REVIEWER

A special thanks to Scott White for doing a tremendous job reviewing and cleaning up my work. With all the different directions you get pulled and requests for your time, I truly appreciate your expertise, timeliness, and honest feedback. This book is much stronger because of your work!

SYNGRESS TEAM

To all the fine folks at Syngress that took a chance on me and provided nothing but the best in service, feedback, and critiques in an uber-timely manner. Especially, Chris Katsaropoulos and Ben Rearick—your professionalism and tact are greatly appreciated and are the way an organization should operate.

MY VICES

In no particular order, I’d like to thank corndogs, Patron Silver, HOTEL32 at the Monte Carlo in Las Vegas (especially @JohnnyLasVegas and Patty Sanchez), Mickey’s malt liquor, fantasy football, Pringles, and my 6-iron for helping me recharge.
Biography

Dr. Josh Pauli received his Ph.D. in software engineering from North Dakota State University (NDSU) and now serves as an associate professor of cyber security at Dakota State University (DSU) in Madison, SD. Dr. Pauli has published nearly 30 international journal and conference papers related to software security and his work includes invited presentations from DEFCON, Black Hat, and The National Security Agency. He teaches both undergraduate and graduate courses in software security at DSU and is the program director for the DSU Cyber Corps. Dr. Pauli also conducts web application penetration tests for an information security consulting firm. You can keep up with Josh on Twitter by following @CornDogGuy and visiting his DSU homepage at www.homepages.dsu.edu/paulij.

Foreword

The World Wide Web is a huge and expanding mass of application code. The majority of businesses, governments, and other organizations are now on the web, exposing their systems and data to the world via custom application functionality. With today’s development frameworks, it is easier than ever to create a functional web application without knowing or doing anything about security. With today’s technologies, that application is likely to be far more complex than those that have come before. Evolving technologies bring with them more attack surface and new types of attack. Meanwhile, old vulnerabilities live on and are reintroduced into new applications by each generation of coders.

In the recent past, numerous high-profile organizations have been compromised via their web applications. Though their PR departments may claim they were victims of highly sophisticated hackers, in reality the majority of these attacks have exploited simple vulnerabilities that have been well understood for years. Smaller companies that don’t feel under the spotlight may actually be even more exposed. And many who are compromised never know about it.
Clearly, the subject of web application security is more critical today than ever before. There is a significant need for more people to understand web application attacks, both on the offensive side (to test existing applications for flaws) and on the defensive side (to develop more robust code in the first place).

If you’re completely new to web hacking, this book will get you started. Assuming no existing knowledge, it will teach you the basic tools and techniques you need to find and exploit numerous vulnerabilities in today’s applications. If your job is to build or defend web applications, it will open your eyes to the attacks that your own applications are probably still vulnerable to and teach you how to prevent them from happening.

Dafydd Stuttard
Creator of Burp Suite
Coauthor of The Web Application Hacker’s Handbook

Introduction

Many of us rely on web applications for so many of our daily tasks, whether at work, at home, or at play, and we access them several times a day from our laptops, tablets, phones, and other devices. We use these web applications to shop, bank, pay bills, attend online meetings, social network with friends and family, and countless other tasks. The problem is that web applications aren’t as secure as we’d like to think, and most of the time the attacks used to gain access to a web application are relatively straightforward and simple. In fact, anyone can use widely available hacking tools to perform these devastating web attacks.

This book will teach you how to hack web applications and what you can do to prevent these attacks. It will walk you through the theory, tools, and techniques used to identify and exploit the most damaging web vulnerabilities present in current web applications. This means you will be able to make a web application perform actions it was never intended to perform, such as retrieve sensitive information from a database, bypass the login page, and assume the identity of other users.
You’ll learn how to select a target, how to perform an attack, what tools are needed and how to use them, and how to protect against these attacks.

ABOUT THIS BOOK

This book is designed to teach you the fundamentals of web hacking from the ground up. It’s for those of you interested in getting started with web hacking but haven’t found a good resource. Basically, if you’re a web hacking newbie, this is the book for you!

This book assumes you have no previous knowledge related to web hacking. Perhaps you have tinkered around with some of the tools, but you don’t fully understand how or where they fit into the larger picture of web hacking. Top web hacking experts have a firm grasp on programming, cryptography, bug hunting, exploitation development, database layout, data extraction, how network traffic works, and much more. If you don’t have these skills, don’t be discouraged! This knowledge and these skills are accumulated over the course of a career, and if you’re just getting started with web hacking, you probably won’t have all of these skills. This book will teach you the theory, tools, and techniques behind some of the most damaging web attacks present in modern web applications. You will gain not only knowledge and skill but also confidence to transition to even more complex web hacking in the future.

A HANDS-ON APPROACH

This book follows a very hands-on approach to introduce and demonstrate the content. Every chapter will have foundational knowledge so that you know the why of the attack and detailed step-by-step directions so that you know the how of the attack. Our approach to web hacking has three specific targets: the web server, the web application, and the web user. These targets all present different vulnerabilities, so we need to use different tools and techniques to exploit each of them. That’s exactly what this book will do; each chapter will introduce different attacks that exploit these targets’ vulnerabilities.

WHAT'S IN THIS BOOK?
Each chapter covers the following material:

Chapter 1: The Basics of Web Hacking provides an overview of current web vulnerabilities and how our hands-on approach takes aim at them.

Chapter 2: Web Server Hacking takes traditional network hacking methodologies and applies them directly to the web server to not only compromise those machines but also to provide a base of knowledge to use in attacks against the web application and web user. Tools include Nmap, Nessus, Nikto, and Metasploit.

Chapter 3: Web Application Recon and Scanning introduces tools, such as web proxies and scanning tools, which set the stage for you to exploit the targeted web application by finding existing vulnerabilities. Tools include Burp Suite (Spider and Intercept) and Zed Attack Proxy (ZAP).

Chapter 4: Web Application Exploitation with Injection covers the theory, tools, and techniques used to exploit web applications with SQL injection, operating system command injection, and web shells. Tools include Burp Suite (specifically the functions and features of the Proxy Intercept and Repeater tools), sqlmap, John the Ripper (JtR), custom web shell files, and netcat.

Chapter 5: Web Application Exploitation with Broken Authentication and Path Traversal covers the theory, tools, and techniques used to exploit web applications with brute forcing logins, sessions attacks, and forceful browsing. Tools include Burp Suite (Intruder and Sequencer) and various operating system commands for nefarious purposes.

Chapter 6: Web User Hacking covers the theory, tools, and techniques used to exploit other web users by exploiting web application cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities as well as attacks that require no existing web server or web application vulnerabilities, but instead prey directly on the user’s willingness to complete dangerous actions. The main tool of choice will be Social-Engineer Toolkit (SET).

Chapter 7: Fixes covers the best practices available today to prevent all the attacks introduced in the book. Like most things security-related, the hard part is not
