Web Security Testing Cookbook

Systematic Techniques to Find Problems Fast

Larger Cover

Systematic Techniques to Find Problems Fast

By Paco Hope, Ben Walther

Publisher: O'Reilly Media

Released: October 2008

Pages: 320

Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite.

Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:

Obtain, install, and configure useful-and free-security testing tools
Understand how your application communicates with users, so you can better simulate attacks in your tests
Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.

Chapter 1 Introduction
1. What Is Security Testing?
2. What Are Web Applications?
3. Web Application Fundamentals
4. Web App Security Testing
5. It’s About the How
Chapter 2 Installing Some Free Tools
1. Installing Firefox
2. Installing Firefox Extensions
3. Installing Firebug
4. Installing OWASP’s WebScarab
5. Installing Perl and Packages on Windows
6. Installing Perl and Using CPAN on Linux, Unix, or OS X
7. Installing CAL9000
8. Installing the ViewState Decoder
9. Installing cURL
10. Installing Pornzilla
11. Installing Cygwin
12. Installing Nikto 2
13. Installing Burp Suite
14. Installing Apache HTTP Server
Chapter 3 Basic Observation
1. Viewing a Page’s HTML Source
2. Viewing the Source, Advanced
3. Observing Live Request Headers with Firebug
4. Observing Live Post Data with WebScarab
5. Seeing Hidden Form Fields
6. Observing Live Response Headers with TamperData
7. Highlighting JavaScript and Comments
8. Detecting JavaScript Events
9. Modifying Specific Element Attributes
10. Track Element Attributes Dynamically
11. Conclusion
Chapter 4 Web-Oriented Data Encoding
1. Recognizing Binary Data Representations
2. Working with Base 64
3. Converting Base-36 Numbers in a Web Page
4. Working with Base 36 in Perl
5. Working with URL-Encoded Data
6. Working with HTML Entity Data
7. Calculating Hashes
8. Recognizing Time Formats
9. Encoding Time Values Programmatically
10. Decoding ASP.NET’s ViewState
11. Decoding Multiple Encodings
Chapter 5 Tampering with Input
1. Intercepting and Modifying POST Requests
2. Bypassing Input Limits
3. Tampering with the URL
4. Automating URL Tampering
5. Testing URL-Length Handling
6. Editing Cookies
7. Falsifying Browser Header Information
8. Uploading Files with Malicious Names
9. Uploading Large Files
10. Uploading Malicious XML Entity Files
11. Uploading Malicious XML Structure
12. Uploading Malicious ZIP Files
13. Uploading Sample Virus Files
14. Bypassing User-Interface Restrictions
Chapter 6 Automated Bulk Scanning
1. Spidering a Website with WebScarab
2. Turning Spider Results into an Inventory
3. Reducing the URLs to Test
4. Using a Spreadsheet to Pare Down the List
5. Mirroring a Website with LWP
6. Mirroring a Website with wget
7. Mirroring a Specific Inventory with wget
8. Scanning a Website with Nikto
9. Interpretting Nikto’s Results
10. Scan an HTTPS Site with Nikto
11. Using Nikto with Authentication
12. Start Nikto at a Specific Starting Point
13. Using a Specific Session Cookie with Nikto
14. Testing Web Services with WSFuzzer
15. Interpreting WSFuzzer’s Results
Chapter 7 Automating Specific Tasks with cURL
1. Fetching a Page with cURL
2. Fetching Many Variations on a URL
3. Following Redirects Automatically
4. Checking for Cross-Site Scripting with cURL
5. Checking for Directory Traversal with cURL
6. Impersonating a Specific Kind of Web Browser or Device
7. Interactively Impersonating Another Device
8. Imitating a Search Engine with cURL
9. Faking Workflow by Forging Referer Headers
10. Fetching Only the HTTP Headers
11. POSTing with cURL
12. Maintaining Session State
13. Manipulating Cookies
14. Uploading a File with cURL
15. Building a Multistage Test Case
16. Conclusion
Chapter 8 Automating with LibWWWPerl
1. Writing a Basic Perl Script to Fetch a Page
2. Programmatically Changing Parameters
3. Simulating Form Input with POST
4. Capturing and Storing Cookies
5. Checking Session Expiration
6. Testing Session Fixation
7. Sending Malicious Cookie Values
8. Uploading Malicious File Contents
9. Uploading Files with Malicious Names
10. Uploading Viruses to Applications
11. Parsing for a Received Value with Perl
12. Editing a Page Programmatically
13. Using Threading for Performance
Chapter 9 Seeking Design Flaws
1. Bypassing Required Navigation
2. Attempting Privileged Operations
3. Abusing Password Recovery
4. Abusing Predictable Identifiers
5. Predicting Credentials
6. Finding Random Numbers in Your Application
7. Testing Random Numbers
8. Abusing Repeatability
9. Abusing High-Load Actions
10. Abusing Restrictive Functionality
11. Abusing Race Conditions
Chapter 10 Attacking AJAX
1. Observing Live AJAX Requests
2. Identifying JavaScript in Applications
3. Tracing AJAX Activity Back to Its Source
4. Intercepting and Modifying AJAX Requests
5. Intercepting and Modifying Server Responses
6. Subverting AJAX with Injected Data
7. Subverting AJAX with Injected XML
8. Subverting AJAX with Injected JSON
9. Disrupting Client State
10. Checking for Cross-Domain Access
11. Reading Private Data via JSON Hijacking
Chapter 11 Manipulating Sessions
1. Finding Session Identifiers in Cookies
2. Finding Session Identifiers in Requests
3. Finding Authorization Headers
4. Analyzing Session ID Expiration
5. Analyzing Session Identifiers with Burp
6. Analyzing Session Randomness with WebScarab
7. Changing Sessions to Evade Restrictions
8. Impersonating Another User
9. Fixing Sessions
10. Testing for Cross-Site Request Forgery
Chapter 12 Multifaceted Tests
1. Stealing Cookies Using XSS
2. Creating Overlays Using XSS
3. Making HTTP Requests Using XSS
4. Attempting DOM-Based XSS Interactively
5. Bypassing Field Length Restrictions (XSS)
6. Attempting Cross-Site Tracing Interactively
7. Modifying Host Headers
8. Brute-Force Guessing Usernames and Passwords
9. Attempting PHP Include File Injection Interactively
10. Creating Decompression Bombs
11. Attempting Command Injection Interactively
12. Attempting Command Injection Systematically
13. Attempting XPath Injection Interactively
14. Attempting Server-Side Includes (SSI) Injection Interactively
15. Attempting Server-Side Includes (SSI) Injection Systematically
16. Attempting LDAP Injection Interactively
17. Attempting Log Injection Interactively

Colophon

Title:

Web Security Testing Cookbook

By:

Paco Hope, Ben Walther

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

October 2008

Ebook:

October 2008

Pages:

320

Print ISBN:

978-0-596-51483-9

| ISBN 10:

0-596-51483-2

Ebook ISBN:

978-0-596-15588-9

| ISBN 10:

0-596-15588-3

Paco Hope

Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.

View Paco Hope's full profile page.
Ben Walther

Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.

View Ben Walther's full profile page.

Description

Table of Contents

Product Details

About the Author

Recommended for You

Recently Viewed

Learning JavaScript, 2nd Edition

Add Sparkle and Life to Your Web Pages

By Shelley Powers

December 2008

Ebook: $27.99

Print & Ebook: $38.49

Print: $34.99

Effective UI

The Art of Building Great User Experience in Software

By Jonathan Anderson, John McRee, Robb Wilson, The EffectiveUI Team

January 2010

Ebook: $35.99

Print & Ebook: $49.49

Print: $44.99

PC Hacks

100 Industrial-Strength Tips & Tools

By Jim Aspinwall

October 2004

Ebook: $19.99

Print & Ebook: $27.45

Print: $24.95

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

O'Reilly Media Web Security Testing Cookbook

5.0

(based on 1 review)

Reviews

Reviewed by 1 customer

Displaying review 1

7/31/2009

(3 of 3 customers found this review helpful)

5.0

Excellent - Very Practical, Comprehensive

By jdruin

from Undisclosed

Comments about O'Reilly Media Web Security Testing Cookbook:

As to practical, real-world web testing, this is the best so far.

This book is one of the first I have seen that combines 3 aspects of web testing to make it practical for real-world use.

1) Comprehensiveness

The book covers several types of web testing that hit all the high points.

Tools to use

Initial page analysis (source, input fields, etc)

Encodings

Modification of input

Automated scanning and pen testing

AJAX

Sessions

2) Repeatable

The methods used are repeatable. A pen tester can utilize the steps and the order to build up a practical testing methodology that can be used on many different web applications.

3) Automatable

The authors have many scripts included in the text that testers can use immediately to help automate the testing. The scripts are written in Perl and other common scripting languages that are all free of charge. The scripts all appear to be relatively easy to modify to suit various needs.

The material is presented in an easy to read format. The authors keep it simple and to the point. That being said, they do assume the reader knows basic concepts of how web applications and browsers work but non-techies should have no trouble following the examples.

That being said, the book is relatively short (~250+ pages). The material is covered well without wasting pages on filler, yet still highlights the key areas of web apps that need to be checked.

Displaying review 1

Save a Tree - Go Digital what is this?

Ebook: $31.99

Formats: DAISY, ePub, Mobi, PDF

Print & Ebook: $43.99

Print: $39.99

Safari Books Online - Read now >

Chapter 1 Introduction

What Is Security Testing?

What Are Web Applications?

Web Application Fundamentals

Web App Security Testing

It’s About the How

Chapter 2 Installing Some Free Tools

Installing Firefox

Installing Firefox Extensions

Installing Firebug

Installing OWASP’s WebScarab

Installing Perl and Packages on Windows

Installing Perl and Using CPAN on Linux, Unix, or OS X

Installing CAL9000

Installing the ViewState Decoder

Installing cURL

Installing Pornzilla

Installing Cygwin

Installing Nikto 2

Installing Burp Suite

Installing Apache HTTP Server

Chapter 3 Basic Observation

Viewing a Page’s HTML Source

Viewing the Source, Advanced

Observing Live Request Headers with Firebug

Observing Live Post Data with WebScarab

Seeing Hidden Form Fields

Observing Live Response Headers with TamperData

Highlighting JavaScript and Comments

Detecting JavaScript Events

Modifying Specific Element Attributes

Track Element Attributes Dynamically

Conclusion

Chapter 4 Web-Oriented Data Encoding

Recognizing Binary Data Representations

Working with Base 64

Converting Base-36 Numbers in a Web Page

Working with Base 36 in Perl

Working with URL-Encoded Data

Working with HTML Entity Data

Calculating Hashes

Recognizing Time Formats

Encoding Time Values Programmatically

Decoding ASP.NET’s ViewState

Decoding Multiple Encodings

Chapter 5 Tampering with Input

Intercepting and Modifying POST Requests

Bypassing Input Limits

Tampering with the URL

Automating URL Tampering

Testing URL-Length Handling

Editing Cookies

Falsifying Browser Header Information

Uploading Files with Malicious Names

Uploading Large Files

Uploading Malicious XML Entity Files

Uploading Malicious XML Structure

Uploading Malicious ZIP Files

Uploading Sample Virus Files

Bypassing User-Interface Restrictions

Chapter 6 Automated Bulk Scanning

Spidering a Website with WebScarab

Turning Spider Results into an Inventory

Reducing the URLs to Test

Using a Spreadsheet to Pare Down the List

Mirroring a Website with LWP

Mirroring a Website with wget

Mirroring a Specific Inventory with wget

Scanning a Website with Nikto

Interpretting Nikto’s Results

Scan an HTTPS Site with Nikto

Using Nikto with Authentication

Start Nikto at a Specific Starting Point

Using a Specific Session Cookie with Nikto

Testing Web Services with WSFuzzer

Interpreting WSFuzzer’s Results

Chapter 7 Automating Specific Tasks with cURL

Fetching a Page with cURL

Fetching Many Variations on a URL

Following Redirects Automatically