Developer's Guide to Web Application Security (training document repository)

Document information

363_Web_App_FM.qxd 12/19/06 10:46 AM Page ii

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Developer's Guide to Web Application Security
Michael Cross

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®" are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  7H298MXDRT
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Developer's Guide to Web Application Security
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
ISBN-10: 1-59749-061-X
ISBN-13: 978-1-59749-061-0

Publisher: Andrew Williams
Copy Editor: Beth Roberts
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Indexer: Nara Wood

Distributed by O'Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders, for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Lead Author

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems. Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.

Contributing Authors

Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT, a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc., a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.

Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.

Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services. He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and UNIX (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability

Posted: 17/11/2019, 08:29

Table of contents

  • Developer's Guide to Web Application Security
    • Contents
    • Chapter 1: Hacking Methodology
      • Introduction
      • A Brief History of Hacking
      • What Motivates a Hacker?
      • Understanding Current Attack Types
      • Recognizing Web Application Security Threats
      • Preventing Break-Ins by Thinking like a Hacker
    • Chapter 2: How to Avoid Becoming a Code Grinder
      • Introduction
      • What Is a Code Grinder?
      • Thinking Creatively when Coding
      • Security from the Perspective of a Code Grinder
      • Building Functional and Secure Web Applications
    • Chapter 3: Understanding the Risk Associated with Mobile Code
      • Introduction
      • Recognizing the Impact of Mobile Code Attacks
      • Identifying Common Forms of Mobile Code
      • Protecting Your System from Mobile Code Attacks
    • Chapter 4: Vulnerable CGI Scripts
      • Introduction
      • What Is a CGI Script, and What Does It Do?
      • Break-Ins Resulting from Weak CGI Scripts
      • Languages for Writing CGI Scripts
