The Web Application Hacker's Handbook (2nd).pdf

Stuttard ffirs.indd v4 - 08/17/2011 Page i

The Web Application Hacker's Handbook
Second Edition
Finding and Exploiting Security Flaws

Dafydd Stuttard
Marcus Pinto

Wiley Publishing, Inc.

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition

Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com

Copyright © 2011 by Dafydd Stuttard and Marcus Pinto

Published by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-118-02647-2
ISBN: 978-1-118-17522-4 (ebk)
ISBN: 978-1-118-17524-8 (ebk)
ISBN: 978-1-118-17523-1 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting http://booksupport.wiley.com. For more information about Wiley products, visit us at www.wiley.com.

Library of Congress Control Number: 2011934639

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

About the Authors

Dafydd Stuttard is an independent security consultant, author, and software developer. With more than 10 years of experience in security consulting, he specializes in the penetration testing of web applications and compiled software. Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications. He also has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages. His interests include developing tools to facilitate all kinds of software security testing. Under the alias "PortSwigger," Dafydd created the popular Burp Suite of web application hacking tools; he continues to work actively on Burp's development. Dafydd is also cofounder of MDSec, a company providing training and consultancy on Internet security attack and defense. Dafydd has developed and presented training courses at various security conferences around the world, and he regularly delivers training to companies and governments. He holds master's and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is cofounder of MDSec, developing and delivering training courses in web application security. He also performs ongoing security consultancy for financial, government, telecom, and retail verticals. His 11 years of experience in the industry have been dominated by the technical aspects of application security, from the dual perspectives of a consulting and end-user implementation role. Marcus has a background in attack-based security assessment and penetration testing. He has worked extensively with large-scale web application deployments in the financial services industry. Marcus has been developing and presenting database and web application training courses since 2005 at Black Hat and other worldwide security conferences, and for private sector and government clients. He holds a master's degree in physics from the University of Cambridge.

About the Technical Editor

Dr. Josh Pauli received his PhD in Software Engineering from North Dakota State University (NDSU) with an emphasis in secure requirements engineering and now serves as an Associate Professor of Information Security at Dakota State University (DSU). Dr. Pauli has published nearly 20 international journal and conference papers related to software security, and his work includes invited presentations from the Department of Homeland Security and Black Hat Briefings. He teaches both undergraduate and graduate courses in system software security and web software security at DSU. Dr. Pauli also conducts web application penetration tests as a Senior Penetration Tester for an Information Security consulting firm, where his duties include developing hands-on technical workshops in the area of web software security for IT professionals in the financial sector.

MDSec: The Authors' Company

Dafydd and Marcus are cofounders of MDSec, a company that provides training in attack and defense-based security, along with other consultancy services. If, while reading this book, you would like to put the concepts into practice and gain hands-on experience in the areas covered, you are encouraged to visit our website, http://mdsec.net. This will give you access to hundreds of interactive vulnerability labs and other resources that are referenced throughout the book.

Credits

Executive Editor: Carol Long
Senior Project Editor: Adaobi Obi Tulton
Technical Editor: Josh Pauli
Production Editor: Kathleen Wisor
Copy Editor: Gayle Johnson
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Business Manager: Amy Knies
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Neil Edde
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreaders: Sarah Kaikini, Word One; Sheilah Ledwidge, Word One
Indexer: Robert Swanson
Cover Designer: Ryan Sneed
Cover Image: Wiley InHouse Design
Vertical Websites Project Manager: Laura Moss-Hollister
Vertical Websites Assistant Project Manager: Jenny Swisher
Vertical Websites Associate Producers: Josh Frank, Shawn Patrick, Doug Kuhn, Marilyn Hummel

Acknowledgments

We are indebted to the directors and others at Next Generation Security Software who provided the right environment for us to realize the first edition of this book. Since then our input has come from an increasingly wider community of researchers and professionals who have shared their ideas and contributed to the collective understanding of web application security issues that exists today. Because this is a practical handbook rather than a work of scholarship, we have deliberately avoided filling it with a thousand citations of influential articles, books, and blog postings that spawned the ideas involved. We hope that people whose work we discuss anonymously are content with the general credit given here.

We are grateful to the people at Wiley - in particular, to Carol Long for enthusiastically supporting our project from the outset, to Adaobi Obi Tulton for helping polish our manuscript and coaching us in the quirks of "American English," to Gayle Johnson for her very helpful and attentive copyediting, and to Katie Wisor's team for delivering a first-rate production.

A large measure of thanks is due to our respective partners, Becky and Amanda, for tolerating the significant distraction and time involved in producing a book of this size.

Both authors are indebted to the people who led us into our unusual line of work. Dafydd would like to thank Martin Law. Martin is a great guy who first taught me how to hack and encouraged me to spend my time developing techniques and tools for attacking applications. Marcus would like to thank his parents for everything they have done and continue to do, including getting me into computers. I've been getting into computers ever since.

Contents at a Glance

Introduction
Chapter 1 Web Application (In)security
Chapter 2 Core Defense Mechanisms 17
Chapter 3 Web Application Technologies 39
Chapter 4 Mapping the Application 73
Chapter 5 Bypassing Client-Side Controls 117
Chapter 6 Attacking Authentication 159
Chapter 7 Attacking Session Management 205
Chapter 8 Attacking Access Controls 257
Chapter 9 Attacking Data Stores 287
Chapter 10 Attacking Back-End Components 357
Chapter 11 Attacking Application Logic 405
Chapter 12 Attacking Users: Cross-Site Scripting 431
Chapter 13 Attacking Users: Other Techniques 501
Chapter 14 Automating Customized Attacks 571
Chapter 15 Exploiting Information Disclosure 615
Chapter 16 Attacking Native Compiled Applications 633
Chapter 17 Attacking Application Architecture 647
Chapter 18 Attacking the Application Server 669
Chapter 19 Finding Vulnerabilities in Source Code 701
Chapter 20 A Web Application Hacker's Toolkit 747
Chapter 21 A Web Application Hacker's Methodology 791
Index 853