"1 YEAR UPGRADE
BUYER PROTECTION PLAN
™
ations Applic ur Web Yo
The Only Way to Stop a Hacker Is to Think Like One
• Step-by-Step Instructions for Developing Secure Web Applications • Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts! • Complete Coverage of How to Hack Your Own Site
Jeff Forristal Julie Traxler Technical Editor
From the authors of the best-selling HACK PROOFING™ YOUR NETWORK
solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

• One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
• “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
• Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
• Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY  SERIAL NUMBER
001  BN837R45G
002  AP9EEF4574
003  ZPHGJ264G8
004  BNJ3RG22TS
005  356YH8LLQ2
006  CF4H6J8MMX
007  22D56G7KM6
008  6B8MDD4G6Z
009  L9MNG542FR
010  BY45MQ98WA
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Web Applications

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-31-8

Technical edit by: Julie Traxler
Freelance Editorial Manager: Maribeth Corona-Evans
Technical review by: Robert Hansen and Kevin Ziese
Copy edit by: Darren Meiss and Beth A. Roberts
Co-Publisher: Richard Kristof
Index by: Jennifer Coker
Developmental Editor: Kate Glennon
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Cover Design by: Michael Kavish

Distributed by Publishers Group West in the United States.
Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Contributors
Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT (www.devonitnet.com), a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc. (www.infinitesols.com), a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.

Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.

Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services. He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and Unix (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability assessment used by a major national insurance company. Drew helps customers of his current employer with network and application security assessments as well as assisting in ongoing development efforts. Drew is a member of MENSA and holds several industry certifications, including IBM Certified Specialist, AIX 4.3 System Administration, AIX 4.3 Communications, Sun Microsystems Certified Solaris System Administrator, Sun Microsystems Certified Solaris Network Administrator, Checkpoint Certified Security Administrator, and Checkpoint Certified Security Engineer. He resides in Tampa, FL.

Brian Bagnall (Sun Certified Java Programmer and Developer) is coauthor of the Sun Certified Programmer for Java 2 Study Guide. He is currently the lead programmer at IdleWorks, a company located in Western Canada. IdleWorks develops distributed processing solutions for large and medium-sized businesses with supercomputing needs. His background includes working for IBM developing client-side applications. Brian is also a key programmer of Lejos, a Java software development kit for Lego Mindstorms. Brian would like to thank his family for their support, and especially his father Herb.

Michael Dinowitz hosts CF-Talk, the high-volume ColdFusion mailing list, out of House of Fusion.Com. He publishes and writes articles for the Fusion Authority Weekly News Alert (www.fusionauthority.com/alert). Michael is the author of Fusebox: Methodology and Techniques (ColdFusion Edition) and is the co-author of the bestselling ColdFusion Web Application Construction Kit. Whether it’s researching the lowest levels of ColdFusion functionality or presenting to an audience, Michael’s passion for the language is clear. Outside of Allaire, there are few evangelists as dedicated to the spread of the language and the strengthening of the community.

Jay D. Dyson is a Senior Security Consultant for OneSecure Inc., a trusted provider of managed digital security services. Jay also serves as part-time Security Advisor to the National Aeronautics and Space Administration (NASA). His extracurricular activities include maintaining Treachery.Net and serving as one of the founding staff members of Attrition.Org.

Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age Corporation. IT Age Corporation is a project management and software development firm specializing in customer-oriented business enterprise and e-commerce solutions located in Atlanta, GA. His current responsibilities include managing the IT department, heading the technology steering committee, software architecture, e-commerce product management, and refining development processes and methodologies. Though most of his responsibilities lay in the role of manager and architect, he is still an active participant of the research and development team. Joe holds a bachelor’s degree from the University of Wisconsin in computer science. His background includes positions as a Senior Developer at Siemens Energy and Automation, and as an independent contractor specializing in e-commerce development. Joe would like to thank his family for always being there to help him.

Michael Cross (MCSE, MCPS, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario, Canada with his lovely fiancée Jennifer.

Edgar Danielyan (CCNA) is currently self-employed. Edgar has a diploma in company law from the British Institute of Legal Executives and is a certified paralegal from the University of Southern Colorado. He has been working as a Network Administrator and Manager of a top-level domain of Armenia. He has also worked for the United Nations, the Ministry of Defense, a national telco, a bank, and has been a partner in a law firm. He speaks four languages, likes good tea, and is a member of ACM, IEEE CS, USENIX, CIPS, ISOC, and IPG.

David G. Scarbrough is a Senior Developer with Education Networks of America where he is a lead member of the ColdFusion development team. He specializes in developing e-commerce sites. David has ColdFusion 4.5 Master Certification and is also experienced with HTML, JavaScript, PHP, Visual Basic, ActiveX, Flash 4.0, and SQL Server 7. He has also held positions as a Programmer and Computer Scientist. David graduated from Troy State University on Montgomery, AL with a bachelor of science in computer science. He lives in Smyrna, TN.
Technical Editor and Contributor
Julie Traxler is a Senior Software Tester for an Internet software company. Julie has also worked for DecisionOne, EXE Technologies, and TV Guide in positions that include Project Manager, Business Analyst, and Technical Writer. As a systems analyst and designer, Julie establishes quality assurance procedures, builds QA teams, and implements testing processes. The testing plans she has developed include testing for functionality, usability, requirements, acceptance, release, regression, security, integrity, and performance.
Technical Reviewers
Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.

Robert Hansen is a self-taught computer expert residing in Northern California. Robert, known formerly as RSnake and currently as RSenic, has been heavily involved in the hacking and security scene since the mid 1990s and continues to work closely with black and white hats alike. Robert has worked for a major banner advertising company as an Information Specialist and for several start-up companies as Chief Operations Officer and Chief Security Officer. He has founded several security sites and organizations, and has been interviewed by many magazines, newspapers, and television networks such as Forbes Online, Computer World, CNN, FOX and ABC News. He sends greets to #hackphreak, #ehap, friends, and family.
Contents

Foreword  xxv

Understand how rogue applets can transmit bad code:
Mobile code applications, in the form of Java applets, JavaScript, and ActiveX controls, are powerful tools for distributing information. They are also powerful tools for transmitting malicious code. Rogue applets do not replicate themselves or simply corrupt data as viruses do, but instead they are most often specific attacks designed to steal data or disable systems.

Chapter 1 Hacking Methodology  1
    Introduction  2
    Understanding the Terms  3
    A Brief History of Hacking  4
    Phone System Hacking  5
    Computer Hacking  6
    What Motivates a Hacker?  9
    Ethical Hacking versus Malicious Hacking  10
    Working with Security Professionals  11
    Associated Risks with Hiring a Security Professional  12
    Understanding Current Attack Types  13
    DoS/DDoS  13
    Virus Hacking  16
    Trojan Horses  18
    Worms  21
    Rogue Applets  22
    Stealing  23
    Credit Card Theft  24
    Theft of Identity Information  26
    Piracy  27
    Recognizing Web Application Security Threats  28
    Hidden Manipulation  29
    Parameter Tampering  29
    Cross-Site Scripting  29
    Buffer Overflow  30
    Cookie Poisoning  31
    Preventing Break-Ins by Thinking Like a Hacker  31
    Summary  35
    Solutions Fast Track  36
    Frequently Asked Questions  40
Thinking Creatively When Coding
• Be aware of outside influences on your code, expect the unexpected!
• Look for ways to minimize your code; keep the functionality in as small a core as possible.
• Review, review, review! Don’t try to isolate your efforts or conceal mistakes.

Chapter 2 How to Avoid Becoming a “Code Grinder”  43
    Introduction  44
    What Is a Code Grinder?  45
    Following the Rules  49
    Thinking Creatively When Coding  50
    Allowing for Thought  53
    Modular Programming Done Correctly  53
    Security from the Perspective of a Code Grinder  56
    Coding in a Vacuum  58
    Building Functional and Secure Web Applications  59
    But My Code Is Functional!  66
    There Is More to an Application than Functionality  68
    Let’s Make It Secure and Functional  71
    Summary  76
    Solutions Fast Track  77
    Frequently Asked Questions  78

Chapter 3 Understanding the Risks Associated with Mobile Code  81
    Introduction  82
    Recognizing the Impact of Mobile Code Attacks  83
    Browser Attacks  83
    Mail Client Attacks  84
    Malicious Scripts or Macros  85
    Identifying Common Forms of Mobile Code  86
    Macro Languages: Visual Basic for Applications (VBA)  87
    Security Problems with VBA  89
    Protecting against VBA Viruses  92
    JavaScript  93
    JavaScript Security Overview  94
Understand how mobile code works for Java applets and ActiveX controls:
Figure (mobile code flow): a sending computer delivers an HTML e-mail containing a URL reference to code (a Java applet or ActiveX control); when the e-mail is opened on your computer, it retrieves the applet or ActiveX code residing on a Web server.

    Security Problems  95
    Exploiting Plug-In Commands  96
    Web-Based E-Mail Attacks  96
    Social Engineering  97
    Lowering JavaScript Security Risks  97
    VBScript  98
    VBScript Security Overview  98
    VBScript Security Problems  99
    VBScript Security Precautions  101
    Java Applets  101
    Granting Additional Access to Applets  102
    Security Problems with Java  103
    Java Security Precautions  104
    ActiveX Controls  105
    ActiveX Security Overview  105
    Security Problems with ActiveX  107
    E-Mail Attachments and Downloaded Executables  110
    Back Orifice 2000 Trojan  111
    Protecting Your System from Mobile Code Attacks  115
    Security Applications  115
    ActiveX Manager  115
    Back Orifice Detectors  115
    Firewall Software  119
    Web-Based Tools  119
    Identifying Bad ActiveX Controls  119
    Client Security Updates  120
    Summary  121
    Solutions Fast Track  122
    Frequently Asked Questions  123
Chapter 4 Vulnerable CGI Scripts  125
    Introduction  126
    What Is a CGI Script, and What Does It Do?  127
    Typical Uses of CGI Scripts  129
    When Should You Use CGI?  135
Tools & Traps… Beware of User Input
One of the most common methods of exploiting CGI scripts and programs is used when scripts allow user input, but the data that users are submitting is not checked. Controlling what information users are able to submit will reduce your chances of being hacked through a CGI script dramatically.

    CGI Script Hosting Issues  136
    Break-Ins Resulting from Weak CGI Scripts  137
    How to Write “Tighter” CGI Scripts  139
    Searchable Index Commands  143
    CGI Wrappers  144
    Whisker  145
    Languages for Writing CGI Scripts  149
    Unix Shell  150
    Perl  151
    C/C++  151
    Visual Basic  152
    Advantages of Using CGI Scripts  153
    Rules for Writing Secure CGI Scripts  153
    Storing CGI Scripts  157
    Summary  161
    Solutions Fast Track  161
    Frequently Asked Questions  165
Chapter 5 Hacking Techniques and Tools  167
    Introduction  168
    A Hacker’s Goals  169
    Minimize the Warning Signs  170
    Maximize the Access  172
    Damage, Damage, Damage  175
    Turning the Tables  177
    The Five Phases of Hacking  178
    Creating an Attack Map  179
    Building an Execution Plan  182
    Establishing a Point of Entry  183
    Continued and Further Access
    The Attack
    Social Engineering
    Sensitive Information
    E-Mail or Messaging Services
    Telephones and Documents
    Credentials
    The Intentional “Back Door” Attack
...