Sunday 19 January 2014

THE METHODOLOGY OF WEB HACKING

The central goal of this post is to set forth a Web application security review methodology
that is comprehensive, approachable, and repeatable by readers who wish to apply the
wisdom we’ve gained over years of performing them professionally. The basic steps in
the methodology are:

  •  Profile the infrastructure
  •  Attack Web servers
  •  Survey the application
  •  Attack the authentication mechanism
  •  Attack the authorization schemes
  •  Perform a functional analysis
  •  Exploit the data connectivity
  •  Attack the management interfaces
  •  Attack the client
  •  Launch a denial-of-service attack


Profile the Infrastructure
The first step in the methodology is to glean a high-level understanding of the target Web
infrastructure. Each component of Figure 1-1 should be reviewed: Is there a special client
necessary to connect to the application? What transports does it use? Over which ports?
How many servers are there? Is there a load balancer? What is the make and model of the
Web server(s)? Are external sites relied on for some functionality?
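The questions above can be answered largely from the response headers the site sends back on each port. The script below is an added example, not code from the original post: it parses a few constructed response heads (the hostnames, versions and cookie values are made up) and pulls out the Web server make and model, the framework hint in X-Powered-By, the presence of a load balancer from its persistence cookie, and a lower bound on the number of back-end servers. For an unencrypted F5 BIG-IP persistence cookie it also decodes the pool member's IP and port, which the cookie encodes as little-endian decimals.

```python
import re
from collections import defaultdict

# Constructed sample: raw HTTP response heads from several requests to one
# hostname. Values are made up for illustration and mirror what a HEAD probe
# on each port would return.
SAMPLE_RESPONSES = [
    (80, "HTTP/1.1 301 Moved Permanently\r\n"
         "Server: nginx/1.4.6\r\n"
         "Location: https://www.example.com/\r\n\r\n"),
    (443, "HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.7 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.5.9\r\n"
          "Set-Cookie: BIGipServerpool_web=1677764618.20480.0000; path=/\r\n"
          "Set-Cookie: PHPSESSID=abc123; path=/\r\n\r\n"),
    (443, "HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.10 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.5.9\r\n"
          "Set-Cookie: BIGipServerpool_web=1694541834.20480.0000; path=/\r\n"
          "Set-Cookie: PHPSESSID=def456; path=/\r\n\r\n"),
]

# Persistence cookie names that give away a load balancer in front of the site.
LB_COOKIES = [
    ("F5 BIG-IP", re.compile(r"^BIGipServer", re.I)),
    ("AWS ELB/ALB", re.compile(r"^AWS(ELB|ALB)", re.I)),
    ("Citrix NetScaler", re.compile(r"^NSC_", re.I)),
]


def parse_head(raw):
    """Split a raw response head into (status_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def decode_bigip_cookie(value):
    """Decode an unencrypted BIG-IP persistence cookie (IP.port.0000): the IPv4
    address is a little-endian 32-bit decimal, the port a little-endian 16-bit
    decimal. Returns (ip, port) of the pool member that answered."""
    ip_dec, port_dec, _ = value.split(".")
    ip = ".".join(str(b) for b in int(ip_dec).to_bytes(4, "little"))
    port = int.from_bytes(int(port_dec).to_bytes(2, "little"), "big")
    return ip, port


def profile_responses(responses):
    """Build the high-level picture: ports, server software, framework hints,
    load balancer product, decoded back-ends and a minimum server count."""
    profile = {"ports": set(), "servers": set(), "powered_by": set(),
               "load_balancers": set(), "backends": set(),
               "servers_by_port": defaultdict(set)}
    for port, raw in responses:
        _, headers = parse_head(raw)
        profile["ports"].add(port)
        for name, value in headers:
            if name == "server":
                profile["servers"].add(value)
                profile["servers_by_port"][port].add(value)
            elif name == "x-powered-by":
                profile["powered_by"].add(value)
            elif name == "set-cookie":
                cookie_name, _, rest = value.partition("=")
                for product, pattern in LB_COOKIES:
                    if pattern.match(cookie_name):
                        profile["load_balancers"].add(product)
                if cookie_name.lower().startswith("bigipserver"):
                    profile["backends"].add(decode_bigip_cookie(rest.split(";")[0]))
    # Different Server banners on the same port behind one address mean at
    # least that many distinct machines are answering for it.
    profile["min_servers"] = max(
        (len(v) for v in profile["servers_by_port"].values()), default=0)
    return profile


if __name__ == "__main__":
    p = profile_responses(SAMPLE_RESPONSES)
    for key in ("ports", "servers", "powered_by", "load_balancers", "backends"):
        print(f"{key:15} {sorted(map(str, p[key]))}")
    print("minimum distinct servers on one port:", p["min_servers"])
```

Feed it real heads captured with `curl -sI` against each open port and the same inferences hold; repeat the 443 request several times, since a load balancer only reveals a second back-end once it routes you to one.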


Attack Web Servers
The sheer number of Web server software vulnerabilities that have been published
makes this one of the first and usually most fruitful areas of research for a Web hacker. If
site administration is sloppy, you may hit the jackpot here.

Survey the Application
If no serious vulnerabilities have been found yet, good for the application designers (or
maybe they're just lucky). Attention now turns to a more granular examination of the
components of the application itself: what sort of content runs on the server? Surveying
a Web application attempts to discern which application technologies are deployed (ASP,
ISAPI, Java, CGI, others?), the directory structure and file composition of the site, any authenticated
content and the types of authentication used, external linkage (if any), and the
nature of back-end datastores (if any). This is probably one of the most important steps in
the methodology, as oversights here can have significant effects on the overall accuracy
and reliability of the entire application review.
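Most of the survey items listed above (technologies in use, directory structure, authenticated content, external linkage) fall out of the links and forms on each page. The following is an added example rather than code from the original post: it runs Python's standard HTML parser over a constructed page (the hostnames, paths and parameters are made up) and builds a survey record from what the page references. Extension-to-technology mapping is a heuristic, so treat it as a hint to confirm, not a finding.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# File extensions that betray the server-side technology (heuristic only).
EXTENSION_TECH = {
    ".asp": "Classic ASP", ".aspx": "ASP.NET", ".jsp": "Java (JSP)",
    ".do": "Java (Struts-style)", ".cgi": "CGI", ".pl": "Perl CGI", ".php": "PHP",
}

# Constructed page for a hypothetical site; not captured from any real host.
SAMPLE_HTML = """<html><body>
<a href="/products/list.asp?id=1&amp;sort=name">Products</a>
<a href="/admin/login.aspx">Admin</a>
<a href="/cgi-bin/search.cgi?q=">Search</a>
<script src="https://cdn.partner-example.net/widget.js"></script>
<form action="/account/login.aspx" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<img src="/images/logo.png">
</body></html>"""


class SurveyParser(HTMLParser):
    """Collect every URL a page references plus each form and whether it asks
    for a password (our marker for authenticated content)."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.urls = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(urljoin(self.base, a["href"]))
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(urljoin(self.base, a["src"]))
        elif tag == "link" and a.get("href"):
            self.urls.append(urljoin(self.base, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base, a.get("action") or self.base),
                          "password": False}
        elif tag == "input" and self._form is not None \
                and (a.get("type") or "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def survey_page(base_url, html):
    """Turn one page into survey data: directories seen, technology hints,
    external hosts relied on, login forms and the parameters each script takes."""
    parser = SurveyParser(base_url)
    parser.feed(html)
    parser.close()
    host = urlparse(base_url).netloc.lower()
    report = {"directories": set(), "technologies": set(),
              "external_hosts": set(), "auth_forms": [], "parameters": {}}
    for url in parser.urls + [f["action"] for f in parser.forms]:
        parsed = urlparse(url)
        if parsed.netloc.lower() != host:
            report["external_hosts"].add(parsed.netloc.lower())
            continue
        path = parsed.path
        ext = posixpath.splitext(path)[1].lower()
        if ext in EXTENSION_TECH:
            report["technologies"].add(EXTENSION_TECH[ext])
        report["directories"].add(posixpath.dirname(path).rstrip("/") + "/")
        if parsed.query:
            names = parse_qs(parsed.query, keep_blank_values=True).keys()
            report["parameters"].setdefault(path, set()).update(names)
    report["auth_forms"] = [f["action"] for f in parser.forms if f["password"]]
    return report


if __name__ == "__main__":
    for key, value in survey_page("https://www.example.com/index.asp", SAMPLE_HTML).items():
        print(f"{key:15} {value}")
```

Run this over every page a spider fetches and merge the sets; the parameter map in particular becomes the worklist for the data-connectivity step later in the methodology.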

Attack the Authentication Mechanism
If any authenticated content is discovered in the previous step, it should be thoroughly
analyzed, as it most likely protects sensitive areas of a site. Techniques for assessing the
strength of authentication features include automated password guessing attacks, spoofing
tokens within a cookie, and so on.
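"Spoofing tokens within a cookie" is worth seeing concretely. The code below is an added example, not from the original post: the cookie format, field names and server key are all made up. It decodes a session cookie that is nothing more than base64 over `uid=...;role=...`, forges a copy with the role changed, and then shows the hardened form in which the server appends an HMAC-SHA256 tag so the same edit is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed example of a weak "logged in" cookie: the site base64-encodes the
# principal and trusts whatever comes back.
LEGACY_COOKIE = base64.b64encode(b"uid=1042;role=user").decode()

# Made-up server-side key for the hardened version; in production this comes
# from a secrets store, never from source code.
SERVER_KEY = b"example-only-server-key-replace-me"


def decode_legacy_token(token):
    """Reveal the structure of a plain base64 token as key/value pairs."""
    raw = base64.b64decode(token).decode()
    return dict(pair.split("=", 1) for pair in raw.split(";") if pair)


def forge_legacy_token(token, **overrides):
    """Rewrite fields in an unsigned token and re-encode it. If the server
    accepts the result, the authentication decision belongs to the client."""
    fields = decode_legacy_token(token)
    fields.update(overrides)
    raw = ";".join(f"{k}={v}" for k, v in fields.items()).encode()
    return base64.b64encode(raw).decode()


def issue_signed_token(fields, key=SERVER_KEY):
    """Hardened form: base64url(JSON payload) + '.' + HMAC-SHA256 over it."""
    payload = base64.urlsafe_b64encode(
        json.dumps(fields, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_signed_token(token, key=SERVER_KEY):
    """Return the fields if the tag matches, else None. compare_digest keeps
    the comparison constant-time so the tag cannot be guessed byte by byte."""
    payload, _, tag = token.rpartition(".")
    if not payload:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


def tamper_signed_token(token, fields):
    """Attacker's move against the signed token: swap the payload, keep the
    old tag. Used to show that verification rejects it."""
    return issue_signed_token(fields).split(".")[0] + "." + token.split(".")[1]


if __name__ == "__main__":
    print("legacy decodes to:", decode_legacy_token(LEGACY_COOKIE))
    forged = forge_legacy_token(LEGACY_COOKIE, role="admin")
    print("forged legacy:", forged, "->", decode_legacy_token(forged))
    good = issue_signed_token({"uid": 1042, "role": "user"})
    print("signed verifies:", verify_signed_token(good))
    bad = tamper_signed_token(good, {"uid": 1042, "role": "admin"})
    print("tampered verifies:", verify_signed_token(bad))
```

When you meet an opaque cookie in a real review, try the decode step first (base64, hex, URL-encoding, sometimes nested); if readable fields appear and there is no tag or the tag is not keyed, the forge step is the test. The signed design still needs an expiry field and server-side revocation, which this example leaves out.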

Attack the Authorization Schemes
Once a user is authenticated, the next step is to attack access to files and other objects. This
can be accomplished in various ways—through directory traversal techniques, changing
the user principal (for example, by altering form or cookie values), requesting hidden objects
with guessable names, attempting canonicalization attacks, escalating privileges,
and tunneling privileged commands to the SQL server.
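Directory traversal and canonicalization attacks from the list above are two sides of one problem: the application compares a path before the operating system has finished interpreting it. The code below is an added example and not from the original post (the document root and payloads are made up). It shows a filter that decodes once and looks for `..`, which double encoding walks straight past, beside a resolver that decodes to a fixed point, normalizes, and then checks that the result is still under the root.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"   # hypothetical document root


def fully_decode(user_path, max_rounds=3):
    """Percent-decode until the string stops changing, so a double-encoded
    %252e%252e ends up as '..' just as the OS will eventually see it."""
    current = user_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def naive_filter_blocks(user_path):
    """The kind of check that gets bypassed: decode once, look for '..'."""
    return ".." in unquote(user_path)


def vulnerable_resolve(webroot, user_path):
    """Naive join with no canonicalisation: the returned string is what the
    application would hand to open(), traversal sequences included."""
    return webroot + "/" + unquote(user_path)


def safe_resolve(webroot, user_path):
    """Canonicalise first, then enforce that the result is under the root.
    Returns the resolved path, or None if the request escapes the root."""
    decoded = fully_decode(user_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    if posixpath.commonpath([webroot, candidate]) != webroot:
        return None
    return candidate


# Constructed payloads: plain, single-encoded, double-encoded and backslash forms.
PAYLOADS = [
    "images/logo.png",
    "../../etc/passwd",
    "..%2f..%2fetc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\etc\\passwd",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:36} filter blocks={naive_filter_blocks(p)!s:5} "
              f"naive -> {vulnerable_resolve(WEBROOT, p)}  "
              f"safe -> {safe_resolve(WEBROOT, p)}")
```

Two caveats a reviewer should carry with this. `posixpath.normpath` is pure string handling; a production check should `os.path.realpath` both the root and the candidate so that symlinks inside the root cannot point outside it. And treating backslash as a separator is only correct where the back end does (IIS and other Windows stacks); on a Unix server it is part of the filename, so map it conservatively as here, but confirm against the target.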

Next post ......................
