www.it-ebooks.info Hacking Exposed ™ Web 2.0 Reviews “In the hectic rush to build Web 2.0 applications, developers continue to forget about security or, at best, treat it as an afterthought. Don’t risk your customer data or the integrity of your product; learn from this book and put a plan in place to secure your Web 2.0 applications.” —Michael Howard Principal Security Program Manager, Microsoft Corp. “This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites. The authors give solid, practical advice on how to identify and mitigate these threats. This book provides valuable insight not only to security engineers, but to application developers and quality assurance engineers in your organization.” —Max Kelly, CISSP, CIPP, CFCE Sr. Director, Security Facebook “This book could have been titled Defense Against the Dark Arts as in the Harry Potter novels. It is an insightful and indispensable compendium of the means by which vulnerabilities are exploited in networked computers. If you care about security, it belongs on your bookshelf.” —Vint Cerf Chief Internet Evangelist, Google “Security on the Web is about building applications correctly, and to do so developers need knowledge of what they need to protect against and how. If you are a web developer, I strongly recommend that you take the time to read and understand how to apply all of the valuable topics covered in this book.” —Arturo Bejar Chief Security Officer at Yahoo! “This book gets you started on the long path toward the mastery of a remarkably complex subject and helps you organize practical and in-depth information you learn along the way.” —From the Foreword by Michal Zalewski, White Hat Hacker and Computer Security Expert www.it-ebooks.info This page intentionally left blank www.it-ebooks.info HACKING EXPOSED ™ WEB 2.0: WEB 2.0 SECURITY SECRETS AND SOLUTIONS RICH CANNINGS HIMANSHU DWIVEDI ZANE LACKEY New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto www.it-ebooks.info Copyright © 2008 by The McGraw-Hill Companies. All rights reserved. Manufactured in the United States of America. Except as permit- ted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. 0-07-159548-1 The material in this eBook also appears in the print version of this title: 0-07-149461-8. All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. For more information, please contact George Hoare, Special Sales, at george_hoare@mcgraw-hill.com or (212) 904-4069. TERMS OF USE This is a copyrighted work and The McGraw-Hill Companies, Inc. (“McGraw-Hill”) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. DOI: 10.1036/0071494618 www.it-ebooks.info We hope you enjoy this McGraw-Hill eBook! If you’d like more information about this book, its author, or related books and websites, please click here. Professional Want to learn more? www.it-ebooks.info I dedicate this book to sprout! <3 —Rich Cannings This book is dedicated to my daughter, Sonia Raina Dwivedi, whose neverending smiles are the best thing a Dad could ask for. —Himanshu Dwivedi To my parents, who always encouraged me and taught me everything I know about cheesy dedications. —Zane Lackey www.it-ebooks.info ABOUT THE AUTHORS Rich Cannings Rich Cannings is a senior information security engineer at Google. Prior to working for Google, Rich was an independent security consultant and OpenBSD hacker. Rich holds a joint MSc. in theoretical mathematics and computer science from the University of Calgary. Himanshu Dwivedi Himanshu Dwivedi is a founding partner of iSEC Partners, an information security organization. Himanshu has more than 12 years’ experience in security and information technology. Before forming iSEC, Himanshu was the technical director of @stake’s Bay Area practice. Himanshu leads product development at iSEC Partners, which includes a repertoire of SecurityQA products for web applications and Win32 programs. In addition to his product development efforts, he focuses on client management, sales, and next genera- tion technical research. He has published five books on security, including Hacking Exposed: Web 2.0 (McGraw-Hill), Hacking VoIP (No Starch Press), Hacker’s Challenge 3 (McGraw-Hill), Securing Storage (Addison Wesley Publishing), and Implementing SSH (Wiley Publishing). Himanshu also has a patent pending on a storage design architecture in Fibre Channel SANs VoIP. Zane Lackey Zane Lackey is a senior security consultant with iSEC Partners, an information security organization. Zane regularly performs application penetration testing and code reviews for iSEC. His research focus includes AJAX web applications and VoIP security. Zane has spoken at top security conferences including BlackHat 2006/2007 and Toorcon. Additionally, he is a coauthor of Hacking Exposed: Web 2.0 (McGraw-Hill) and contributing author of Hacking VoIP (No Starch Press). Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis, Computer Security Research Lab, under noted security researcher Dr. Matt Bishop. ABOUT THE CONTRIBUTING AUTHORS Chris Clark Chris Clark possesses several years of experience in secure application design, penetra- tion testing, and security process management. Most recently, Chris has been working for iSEC Partners performing application security reviews of Web and Win32 applications. Chris has extensive experience in developing and delivering security training for large organizations, software engineering utilizing Win32 and the .Net Framework, and ana- lyzing threats to large scale distributed systems. Prior to working for iSEC Partners, Chris worked at Microsoft, assisting several product groups in following Microsoft’s Secure Development Lifecycle. www.it-ebooks.info Alex Stamos Alex Stamos is a founder and VP of professional services at iSEC Partners, an information security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and he has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, Syscan, Microsoft BlueHat, and OWASP App Sec. He holds a BSEE from the University of California, Berkeley. ABOUT THE TECHNICAL EDITOR Jesse Burns Jesse Burns is a founding partner and VP of research at iSEC Partners, where he performs penetration tests, writes tools, and leads research. Jesse has more than a decade of experience as a software engineer and security consultant, and he has helped many of the industry’s largest and most technically-demanding companies with their application security needs. He has led numerous development teams as an architect and team lead; in addition, he designed and developed a Windows-delegated enterprise directory management system, produced low-level security tools, built trading and support systems for a major US brokerage, and architected and built large frameworks to support security features such as single sign-on. Jesse has also written network applications such as web spiders and heuristic analyzers. Prior to iSEC, Jesse was a managing security architect at @stake. Jesse has presented his research throughout the United States and internationally at venues including the Black Hat Briefings, Bellua Cyber Security, Syscan, OWASP, Infragard, and ISACA. He has also presented custom research reports for his many security consulting clients on a wide range of technical issues, including cryptographic attacks, fuzzing techniques, and emerging web application threats. www.it-ebooks.info This page intentionally left blank www.it-ebooks.info [...]... the web, Web 2.0 is constantly being overloaded and can mean different things to different topics For the purposes of the book, we focus on the application frameworks, protocols, and development environments that Web 2.0 brings to the Internet Web 2.0 s Impact on Security The security impact on Web 2.0 technologies includes all the issues on Web 1.0 as well an expansion of the same issues on new Web 2.0. .. purposes of this book, Web 2.0 xix www.it-ebooks.info xx Hacking Exposed Web 2.0 addresses the new web technologies that are used to bring more interactivity to web applications, such as Google Maps and Live.com Technologies such as Asynchronous JavaScript XML (AJAX), Cascading Style Sheets (CSS), Flash, XML, advanced usage of existing JavaScript, Net, and ActiveX all fit under the Web 2.0 technology umbrella... solutions for Web 2.0 security risks This introduction will cover some basics on how Web 2.0 works, to help ensure that the chapters in the rest of the book are clear to all individuals What Is Web 2.0? Web 2.0 is an industry buzz word that gets thrown around quite often The term is often used for new web technology or comparison between products/services that extend from the initial web era to the... involving AJAX and CSRF, a relatively new attack class that impacts both Web 1.0 and Web 2.0 applications Chapter 4 focuses on the ways to abuse JavaScript, including Web 2.0 applications using AJAX as well as Web 1.0 applications using powerful JavaScript functions This chapter shows www.it-ebooks.info xxiii xxiv Hacking Exposed Web 2.0 that the things that make AJAX and JavaScript attractive for developers,... injection issues prevalent in Web 2.0, such as XPath and XXE (XML eXternal Entity) attacks XXE attacks attempt to exploit RSS document and feeds in web applications, a common theme in Web 2.0 Chapter 2 discusses Cross-Site Scripting (XSS), which has been around for a long while, but has evolved in Web 2.0 This chapter shows how to take the existing XSS attack class and apply it to Web 2.0 technologies, such... features of interactive web sites, rather than just visual effects Additionally, Web 2.0 also includes a behavioral shift on the web, where users are encouraged to customize their own content on web applications rather than view static/ generic content supplied by an organization For example, YouTube.com, MySpace.com, and blogging are a few examples of the Web 2.0 era, where these web applications are... the same issues on new Web 2.0 frameworks Thus, Web 2.0 simply adds to the long list of security issues that may exist on web applications Cross-site scripting (XSS) is a very prevalent attack with Web 1.0 applications In Web 2.0, there can actually be more opportunities for XSS attacks due to rich attack surfaces present with AJAX For example, with Web 2.0 AJAX applications, inserting XSS attacks in... technology, but is now often used in Web 2.0 applications For example, many Web 2.0 applications are offering more functionality to users with the client-server model In the case of Web 2.0, the client is delivered using an ActiveX control and the server is the web application itself Users obtain more functionality by having a Win32 client on their desktop that interacts with the web applications, but also open... technologies being used on the web Some of them fall into the Web 2.0 umbrella, such as AJAX, and some of them don’t, such as ActiveX Either way, the authors have attempted to discuss many next-generation web technologies to give readers an understanding of the new attack classes on the web as well as the older attack classes with updated Web 2.0 content www.it-ebooks.info I ing ack Att 2.0 eb W www.it-ebooks.info... cross-domain attacks Cross-domain attacks allow attackers to publish malicious content to web users without users’ knowledge or permission While XHR specifically prevents cross-domain www.it-ebooks.info xxi xxii Hacking Exposed Web 2.0 interaction, much to the developer’s dismay, there is some flexibility in certain Web 2.0 technologies For example, Flash has XHR restrictions, but it has a method to support . AJAX web applications and VoIP security. Zane has spoken at top security conferences including BlackHat 20 06 / 20 07 and Toorcon. Additionally, he is a coauthor of Hacking Exposed: Web 2. 0 (McGraw-Hill). . . . . . . . . . . . 22 5 Security Policy Stored Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 6 www.it-ebooks.info xiv Hacking Exposed Web 2. 0 Flash Hacking Tools . . . www.it-ebooks.info Hacking Exposed ™ Web 2. 0 Reviews “In the hectic rush to build Web 2. 0 applications, developers continue to forget about security