hackapps book: Hack Proofing Your Web Applications, part 1


Hack Proofing™ Your Web Applications
From the authors of the best-selling HACK PROOFING™ YOUR NETWORK
1 YEAR UPGRADE BUYER PROTECTION PLAN
Jeff Forristal
Julie Traxler, Technical Editor
The Only Way to Stop a Hacker Is to Think Like One
• Step-by-Step Instructions for Developing Secure Web Applications
• Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts!
• Complete Coverage of How to Hack Your Own Site
137_hackapps_FC 6/19/01 3:48 PM Page 1

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs.
And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  BN837R45G
002  AP9EEF4574
003  ZPHGJ264G8
004  BNJ3RG22TS
005  356YH8LLQ2
006  CF4H6J8MMX
007  22D56G7KM6
008  6B8MDD4G6Z
009  L9MNG542FR
010  BY45MQ98WA

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your Web Applications
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-31-8

Technical edit by: Julie Traxler
Freelance Editorial Manager: Maribeth Corona-Evans
Technical review by: Robert Hansen and Kevin Ziese
Copy edit by: Darren Meiss and Beth A. Roberts
Co-Publisher: Richard Kristof
Index by: Jennifer Coker
Developmental Editor: Kate Glennon
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan
Cover Design by: Michael Kavish

Distributed by Publishers Group West in the United States.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.

Contributors

Chris Broomes (MCSE, MCT, MCP+I, CCNA) is a Senior Network Analyst at DevonIT (www.devonitnet.com), a leading networking services provider specializing in network security and VPN solutions. Chris has worked in the IT industry for over eight years and has a wide range of technical experience. Chris is Founder and President of Infinite Solutions Group Inc. (www.infinitesols.com), a network consulting firm located in Lansdowne, PA that specializes in network design, integration, security services, technical writing, and training. Chris is currently pursuing the CCDA and CCNP certifications while mastering the workings of Cisco and Netscreen VPN and security devices.

Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.

Drew Simonis (CCNA) is a Security Consultant for Fiderus Strategic Security and Privacy Services.
He is an information-security specialist with experience in security guidelines, incident response, intrusion detection and prevention, and network and system administration. He has extensive knowledge of TCP/IP data networking and Unix (specifically AIX and Solaris), as well as sound knowledge of routing, switching, and bridging. Drew has been involved in several large-scale Web development efforts for companies such as AT&T, IBM, and several of their customers. This has included both planning and deployment of such efforts as online banking, automated customer care, and an online adaptive insurability assessment used by a major national insurance company. Drew helps customers of his current employer with network and application security assessments as well as assisting in ongoing development efforts. Drew is a member of MENSA and holds several industry certifications, including IBM Certified Specialist, AIX 4.3 System Administration, AIX 4.3 Communications, Sun Microsystems Certified Solaris System Administrator, Sun Microsystems Certified Solaris Network Administrator, Checkpoint Certified Security Administrator, and Checkpoint Certified Security Engineer. He resides in Tampa, FL.

Brian Bagnall (Sun Certified Java Programmer and Developer) is co-author of the Sun Certified Programmer for Java 2 Study Guide. He is currently the lead programmer at IdleWorks, a company located in Western Canada. IdleWorks develops distributed processing solutions for large and medium-sized businesses with supercomputing needs. His background includes working for IBM developing client-side applications. Brian is also a key programmer of Lejos, a Java software development kit for Lego Mindstorms. Brian would like to thank his family for their support, and especially his father Herb.

Michael Dinowitz hosts CF-Talk, the high-volume ColdFusion mailing list, out of House of Fusion.Com.
He publishes and writes articles for the Fusion Authority Weekly News Alert (www.fusionauthority.com/alert). Michael is the author of Fusebox: Methodology and Techniques (ColdFusion Edition) and is the co-author of the best-selling ColdFusion Web Application Construction Kit. Whether it’s researching the lowest levels of ColdFusion functionality or presenting to an audience, Michael’s passion for the language is clear. Outside of Allaire, there are few evangelists as dedicated to the spread of the language and the strengthening of the community.

Jay D. Dyson is a Senior Security Consultant for OneSecure Inc., a trusted provider of managed digital security services. Jay also serves as part-time Security Advisor to the National Aeronautics and Space Administration (NASA). His extracurricular activities include maintaining Treachery.Net and serving as one of the founding staff members of Attrition.Org.

Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age Corporation. IT Age Corporation is a project management and software development firm specializing in customer-oriented business enterprise and e-commerce solutions located in Atlanta, GA. His current responsibilities include managing the IT department, heading the technology steering committee, software architecture, e-commerce product management, and refining development processes and methodologies. Though most of his responsibilities lie in the role of manager and architect, he is still an active participant in the research and development team. Joe holds a bachelor’s degree from the University of Wisconsin in computer science. His background includes positions as a Senior Developer at Siemens Energy and Automation, and as an independent contractor specializing in e-commerce development. Joe would like to thank his family for always being there to help him.
Michael Cross (MCSE, MCPS, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times [...]

Contents (fragments)

Messaging Services
Telephones and Documents
Credentials
The Intentional “Back Door” Attack

Answers All Your Questions About Hacking Techniques
Q: What should I do if I stumble across a back door in my code base? [...]

Introduction
What Is a CGI Script, and What Does It Do?
Typical Uses of CGI Scripts
When Should You Use CGI?

Tools & Traps… Beware of User Input
One of the most common methods of exploiting CGI scripts and programs is [...]
Contents (fragments, continued)

Security Planning at the Desktop Level 523
Web Application Security Process 524
Summary 527
Solutions Fast Track 528
Frequently Asked Questions 530

Appendix: Hack Proofing Your Web Applications Fast Track 533
Index 561

Cookie Poisoning
Preventing Break-Ins by Thinking Like a Hacker
Summary
Solutions Fast Track
Frequently Asked Questions

Thinking Creatively When Coding
■ Be aware of outside influences on your code, expect the unexpected!
■ Look for ways to minimize your code; keep the [...]

Logical Structure
Elements
Attributes
Well-Formed Documents
Valid Document
XML and XSL/DTD Documents
XSL Use of Templates
XSL Use of Patterns
DTD
Schemas
Creating Web Applications Using XML
The Risks Associated [...]

Chapter 11 Developing Security-Enabled Applications
Introduction
The Benefits of Using Security-Enabled Applications
Types of Security Used in Applications
Digital Signatures
Pretty Good Privacy
Secure Multipurpose Internet Mail Extension
Secure Sockets Layer
Server Authentication
Client Authentication
Digital Certificates

ActiveX 107
E-Mail Attachments and Downloaded Executables 110
Back Orifice 2000 Trojan 111
Protecting Your System from Mobile Code Attacks 115
Security Applications 115
ActiveX Manager 115
Back [...] Detectors 115
Firewall Software 119
Web-Based Tools 119
Identifying Bad ActiveX Controls 119
Client Security Updates 120
Summary 121
Solutions Fast Track 122
Frequently Asked Questions 123
Chapter [...]

Foreword

Hack Proofing Your Web Applications encourages you to address security issues from the earliest stages of application development onward. Our premise is that there is too much at stake to wait for an audit (or worse, a customer) to find flaws or errors in your code. While we acknowledge [...]

Chapter 1 Hacking Methodology

Solutions in this chapter:
■ A Brief History of Hacking
■ What Motivates a Hacker?
■ Understanding Current Attack Types
■ Recognizing Web Application Security Threats
■ Preventing Break-Ins by Thinking Like a Hacker
Summary
Solutions Fast Track
Frequently Asked Questions

[...] challenge. People who engage in hacking by using code that they clearly do not understand (script kiddies) or who hack solely for the purpose of breaking into other people’s systems (crackers) are considered by skilled hackers to be no more than vandals. In this book, when we refer to “hackers,” we are using it in [...]

[...] ARPANET gave hackers their first opportunity to discuss common goals and common myths and even publish the work of hacker culture and communication standards (The Jargon File, mentioned earlier), which was developed as a collaboration across the net.

Phone System Hacking

A name that is synonymous with phone hacking is [...]

Posted: 14/08/2014, 04:21
