Shema - Seven Deadliest Web Application Attacks

City: Amsterdam u.a;Burlington;Mass, year: 2010, publisher: Elsevier Science;Elsevier, Syngress, genre: Computer.

Shema Seven Deadliest Web Application Attacks
  • Book:
    Seven Deadliest Web Application Attacks
  • Author:
  • Publisher:
    Elsevier Science;Elsevier, Syngress
  • Genre:
  • Year:
    2010
  • City:
    Amsterdam u.a;Burlington;Mass
  • Rating:
    5 / 5

Seven Deadliest Web Application Attacks: summary, description and annotation

Do you need to keep up with the latest hacks, attacks, and exploits affecting web applications? Then you need Seven Deadliest Web Application Attacks. This book pinpoints the most dangerous hacks and exploits specific to web applications, laying out the anatomy of these attacks including how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable.

Attacks detailed in this book include:
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Server Misconfiguration and Predictable Pages
  • Breaking Authentication Schemes
  • Logic Attacks
  • Malware and Browser Attacks

  • Knowledge is power, find out about the most dominant attacks currently waging war on computers and networks globally
  • Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how
  • Institute countermeasures, don't be caught defenseless again, learn techniques to make your computer and network impenetrable

Contents: Introduction -- Chapter 1: Cross-Site Scripting (XSS) -- Chapter 2: Cross-Site Request Forgery (CSRF) -- Chapter 3: SQL Injection -- Chapter 4: Server Misconfiguration and Predictable Pages -- Chapter 5: Breaking Authentication Schemes -- Chapter 6: Logic Attacks -- Chapter 7: Web of Distrust -- ..

Seven Deadliest Web Application Attacks
Mike Shema
Copyright
  • Syngress is an imprint of Elsevier.
  • 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA

This book is printed on acid-free paper.

© 2010 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our Web site: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods, they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

Application submitted

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library.

ISBN: 978-1-59749-543-1

Printed in the United States of America

10 11 12 13 5 4 3 2 1

Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively Makers) of this book (the Work) do not guarantee or warrant the results to be obtained from the Work.

For information on all Syngress publications, visit our Web site at www.syngress.com

Typeset by: diacriTech, Chennai, India

About the Authors

Mike Shema is the lead developer for the Web Application Scanning service offered by the vulnerability management company Qualys. The Web scanning service provides automated, accurate tests for most common Web vulnerabilities. Prior to Qualys, Mike gained extensive information security experience based on consulting work while at Foundstone. He has developed and conducted training on topics ranging from network security to wireless assessments to Web application penetration testing. Much of this experience has driven research into various security-related topics that he has presented at conferences in North America, Europe, and Asia, including BlackHat, InfoSec, and RSA.

Mike has also coauthored Anti-Hacker Toolkit, Third Edition and Hacking Exposed: Web Applications, Second Edition. He lives in San Francisco and would like to thank the RPG crew for keeping anachronistic random generators alive.

Technical Editor

Adam Ely (CISSP, NSA IAM, MCSE) is Director of Corporate Security for TiVo where he is responsible for IT security and corporate security policies. Adam has held positions with The Walt Disney Company where he was Manager of Information Security Operations for the Walt Disney Interactive Media Group, and Senior Manager of Technology for a Walt Disney acquired business. In addition, Adam was a consultant with Alvarez and Marsal where he led security engagements for clients. Adam's background focuses on application and infrastructure security. Adam has published many application vulnerabilities, application security roadmaps, and other articles.

Introduction

Information in this Chapter

  • Book Overview and Key Learning Points
  • Book Audience
  • How This Book Is Organized
  • Where to Go from Here

Pick your favorite cliche or metaphor you've heard regarding the Web. The aphorism might carry a generic description of Web security or generate a mental image of the threats and risks faced by and emanating from Web sites. This book attempts to cast a brighter light on the vagaries of Web security by tackling seven of the most, er, deadliest vulnerabilities that are exploited by attackers. Some of the attacks will sound very familiar. Other attacks may be unexpected, or seem uncommon simply because they aren't on a top 10 list or don't make headlines. Attackers often go for the lowest common denominator, which is why vulnerabilities such as cross-site scripting (XSS) and Structured Query Language (SQL) injection garner so much attention. Determined attackers also target the logic of a particular Web site, exploits that result in significant financial gain but have neither universal applicability from the attacker's perspective nor universal detection mechanisms for the defender.

On the Web, information equals money. Credit cards clearly have value to attackers; underground e-commerce sites have popped up that deal in stolen cards. Yet our personal information, passwords, e-mail accounts, online game accounts, all have value to the right buyer. Then consider economic espionage and state-sponsored network attacks. It should be possible to map just about any scam, cheat, trick, ruse, and other synonyms from real-world conflict between people, companies, and countries to an attack that can be accomplished on the Web. There's no lack of motivation for trying to gain illicit access to the wealth of information on the Web that isn't intended to be public.

Book Overview and Key Learning Points

Each chapter in this book presents examples of different attacks conducted against Web sites. The methodology behind the attack is explored, as well as showing its potential impact. Then the chapter moves on to address possible countermeasures for different aspects of the attack. Countermeasures are a tricky beast. It's important to understand how an attack works before a good defense can be designed. It's also important to understand the limitations of a countermeasure and how other vulnerabilities might entirely bypass it. Security is an emergent property of the Web site; it's not a summation of individual protections. Some countermeasures will show up several times, and others make only a brief appearance.

Book Audience

Anyone who uses the Web to check e-mail, shop, or work will benefit from knowing how the personal information on those sites might be compromised or even how familiar sites can harbor malicious content. Although most security relies on the site's developers, consumers of Web applications can follow safe browsing practices to help protect their data.
