Web Application Security Technical Guide

Web security is now a very significant problem. Since every enterprise has deployed firewall devices internally, the traffic they allow through is usually limited to the web service ports, so attackers have shifted their focus to attacks on web applications. Using a series of testing techniques such as injection, insecure object references, XSS and insecure exception handling, they probe the target system in order to view, modify or delete data without authorization. In serious cases they can gain complete control of the database or web server and use it to plant malicious code on its pages.

This guide explains, with detailed examples, a number of web application security testing techniques and the corresponding tools:

Chapter 1: Basic Knowledge

This chapter...

Chapter 2: Common Vulnerability Types

This chapter describes some common types of flaws to make them easier to understand.

Two websites are recommended for reference; I also plan to translate some of the more incisive explanations from these sites later:

http://www.imperva.com/resources/glossary/adc_glossary.html

http://www.webappsec.org/projects/threat/

Administrative Interface Access

http://www.imperva.com/resources/glossary/administrative_interface_access.html

Administrative Interfaces Access is the ultimate goal of any attack whose objective is to gain administrator privilege on a target application server. Administrative Interface Attacks are usually implemented using any number of attack strategies including SQL injections, cross-site scripting, and parameter tampering, etc. Administrative Interface access enables the attacker to gain total control of the application and possibly other parts of the network. It also enables implantation of backdoors for accessing the application in the future.

Detailed description

One of the most overlooked, but important, categories of application security vulnerabilities is Remote Administration Flaws. Many products and applications, including security products, rely on the trusted nature of the environment in which they operate to maintain security. The products' designers assume that only authorized systems or users can gain access to the administrative interfaces, so they don't develop code to protect application interfaces from unauthorized access. Administrators who are unaware of this vulnerability may allow remote access to administrative interfaces through the internet, introducing a significant weakness.

For example, consider a sales reporting application that provides an administrative interface. The administrative interface is accessible through HTTP and does not limit unsuccessful login attempts. If an attacker employs a brute force attack on the password field, it is only a matter of time until the proper administrator's password is found. Once compromised, the administrative interface allows unauthorized access to the application and may even lead to compromise of the entire network.

A compromised administrative interface can also be utilized to implant backdoors in the application or system, allowing an attacker to gain privileged access to the application even after the administrative interface vulnerability has been corrected.

An attacker can use several different attacks to access administrative interfaces: SQL injection, cross-site scripting, parameter tampering, buffer overflow, and others.

Unauthorized Administrative Interface Access Prevention

Solution                        Blocks access to administrative interface?
Imperva SecureSphere            Yes
Firewalls                       No
Intrusion Detection Systems     No
Intrusion Prevention Systems    No

With this scenario, the attacker accesses unauthorized Web pages. Intrusion Detection and Prevention Systems which are not Web application oriented cannot tell which Web pages are authorized and which are not. These products regard all pages the same.

In order to be able to tell which pages are authorized, the product must gain the knowledge somehow. There are two ways for gaining that knowledge. You can either configure the product with the name of the allowed pages or the product can learn that automatically from the network traffic. Imperva SecureSphere supports both approaches. During learn mode the product learns which pages are allowed to be accessed from the Internet. You can also manually configure the product with that information. During protect mode the product will alert for any attempt to access unauthorized pages from the Internet.

Brute Force

http://www.webappsec.org/projects/threat/classes/brute_force.shtml

A Brute Force attack is an automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key.

Many systems will allow the use of weak passwords or cryptographic keys, and users will often choose easy to guess passwords, possibly found in a dictionary. Given this scenario, an attacker would cycle through the dictionary word by word, generating thousands or potentially millions of incorrect guesses searching for the valid password. When a guessed password allows access to the system, the brute force attack has been successful and the attacker is able to access the account.

The same trial and error technique is also applicable to guessing encryption keys. When a web site uses a weak or small key size, it's possible for an attacker to guess a correct key by testing all possible keys.

Essentially there are two types of brute force attacks, (normal) brute force and reverse brute force. A normal brute force attack uses a single username against many passwords. A reverse brute force attack uses many usernames against one password. In systems with millions of user accounts, the odds of multiple users having the same password dramatically increases. While brute force techniques are highly popular and often successful, they can take hours, weeks or years to complete.
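The defensive counterpart to the two attack variants above (and to the unlimited-login-attempt scenario in the Administrative Interface Access section) is a login guard that counts failures both per username and per source address, so that neither "one username, many passwords" nor "many usernames, one password" can run unthrottled. The following is an added example written for this guide, not code from the WASC or Imperva material; the credential store, the salt, the limits and the source addresses are constructed for the demo, and the clock is injectable so the lockout window can be tested without waiting.

```python
import hashlib
import hmac
import time

# Constructed credential store for the demo: username -> (salt, SHA-256(salt + password)).
# A production store would use a deliberately slow hash (bcrypt, scrypt or Argon2).
_SALT = b"demo-salt"


def _digest(salt, password):
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


USERS = {"admin": (_SALT, _digest(_SALT, "correct horse battery staple"))}
_DUMMY = _digest(_SALT, "")   # compared against for unknown usernames

MAX_FAILURES = 5       # failures tolerated per username and per source address
LOCKOUT_SECONDS = 900  # how long a locked key stays locked (assumed policy value)


class LoginGuard:
    """Counts failed logins per username (normal brute force) and per source
    address (reverse brute force) and refuses attempts while either is locked."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can advance time
        self.failures = {}          # key -> consecutive failure count
        self.locked_until = {}      # key -> clock value at which the lock expires

    def _locked(self, key):
        return self.clock() < self.locked_until.get(key, 0.0)

    def _record_failure(self, key):
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = self.clock() + LOCKOUT_SECONDS
            self.failures[key] = 0

    def attempt(self, username, password, source):
        """Return 'locked', 'ok' or 'bad'. The caller should log every outcome."""
        keys = (("user", username), ("src", source))
        if any(self._locked(k) for k in keys):
            return "locked"
        record = USERS.get(username)
        salt, expected = record if record else (_SALT, _DUMMY)
        # Constant-time compare, run even for unknown users so that response
        # time does not reveal which usernames exist.
        ok = hmac.compare_digest(_digest(salt, password), expected) and record is not None
        if ok:
            for k in keys:
                self.failures.pop(k, None)
            return "ok"
        for k in keys:
            self._record_failure(k)
        return "bad"
```

A lockout keyed only by username lets a reverse brute-force attack walk through the user list untouched, while a lockout keyed only by source address is defeated by distributing the attempts; tracking both keys closes both gaps. In a real deployment the counters live in shared storage (a database or cache) rather than in process memory, and every "locked" and "bad" outcome is logged with the source address so that the pattern is visible to detection tooling.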

Example

Username = Jon
Passwords = smith, michael-jordan, [pet names], [birthdays], [car names]

Usernames = Jon, Dan, Ed, Sara, Barbara, .....
Password = 12345678

References
"Brute Force Attack", Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_force.html

"iDefense: Brute-Force Exploitation of Web Application Session ID's",
By David Endler - iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf

Buffer Overflow

http://www.webappsec.org/projects/threat/classes/buffer_overflow.shtml

Buffer Overflow exploits are attacks that alter the flow of an application by overwriting parts of memory. Buffer Overflow is a common software flaw that results in an error condition. This error condition occurs when data written to memory exceeds the allocated size of the buffer. As the buffer is overflowed, adjacent memory addresses are overwritten causing the software to fault or crash. When unrestricted, properly-crafted input can be used to overflow the buffer resulting in a number of security issues.

A Buffer Overflow can be used as a Denial of Service attack when memory is corrupted, resulting in software failure. Even more critical is the ability of a Buffer Overflow attack to alter application flow and force unintended actions. This scenario can occur in several ways. Buffer Overflow vulnerabilities have been used to overwrite stack pointers and redirect the program to execute malicious instructions. Buffer Overflows have also been used to change program variables.

Buffer Overflow vulnerabilities have become quite common in the information security industry and have often plagued web servers. However, they have not been commonly seen or exploited at the web application layer itself. The primary reason is that an attacker needs to analyze the application source code or the software binaries. Since the attacker must exploit custom code on a remote system, they would have to perform the attack blind, making success very difficult.

Buffer Overflow vulnerabilities most commonly occur in programming languages such as C and C++. A Buffer Overflow can occur in a CGI program or when a web page accesses a C program.

References
"Inside the Buffer Overflow Attack: Mechanism, Method and Prevention", By Mark E. Donaldson - GSEC
http://www.sans.org/rr/code/inside_buffer.php

"w00w00 on Heap Overflows", By Matt Conover - w00w00 Security Team
http://www.w00w00.org/files/articles/heaptut.txt

"Smashing The Stack For Fun And Profit", By Aleph One - Phrack 49
http://www.insecure.org/stf/smashstack.txt

Information Leakage

http://www.webappsec.org/projects/threat/classes/information_leakage.shtml

Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system. Sensitive information may be present within HTML comments, error messages, source code, or simply left in plain sight. There are many ways a web site can be coaxed into revealing this type of information. While leakage does not necessarily represent a breach in security, it does give an attacker useful guidance for future exploitation. Leakage of sensitive information may carry various levels of risk and should be limited whenever possible.

In the first case of information leakage (comments left in the code, verbose error messages, etc.), the leak may give intelligence to the attacker with contextual information of directory structure, SQL query structure, and the names of key processes used by the web site. Often a developer will leave comments in the HTML and script code to help facilitate in debugging or integration. This information can range from simple comments detailing how the script works, to, in the worst cases, usernames and passwords used during the testing phase of development.

Information Leakage also applies to data deemed confidential which aren't properly protected by the web site. These data may include account numbers, user identifiers (Drivers license number, Passport number, Social Security Numbers, etc.) and user specific data (account balances, address, and transaction history). Insufficient Authentication, Insufficient Authorization, and secure transport encryption also deal with protecting and enforcing proper controls over access to data. Many attacks, such as client attacks and the "casual observer" concerns, fall outside the scope of web site protection. Information Leakage in this context deals with exposure of key user data deemed confidential or secret that should not be exposed in plain view even to the user. Credit card numbers are a prime example of user data that needs to be further protected from exposure or leakage even with the proper encryption and access controls in place.

Example
There are three main categories of Information Leakage: Comments left in code, verbose error messages and confidential data in plain sight.

Comments left in code:

    <TABLE border="0" cellPadding="0" cellSpacing="0" height="59" width="591">
    <TBODY>
    <TR>
    <!--If the image files are missing, restart VADER -->
    <TD bgColor="#ffffff" colSpan="5" height="17" width="587">&nbsp;</TD>
    </TR>

Here we see a comment left by the development/QA personnel indicating what one should do if the image files do not show up. The security breach is the host name of the server that is mentioned explicitly in the code, "VADER".

An example of a verbose error message can be the response to an invalid query. A prominent example is the error message associated with SQL queries. SQL Injection attacks typically require the attacker to have prior knowledge of the structure or format used to create SQL queries on the site. The information leaked by a verbose error message can provide the attacker the crucial information on how to construct valid SQL queries for the backend database.

The following was returned when placing an apostrophe into the username field of a login page:

Verbose error message:

    An Error Has Occurred.
    Error Message:
    System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = ''' and password = 'g''.
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling ( Int32 hr)
    at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult ( tagDBPARAMS dbParams, Object& executeResult)
    at

In the first error statement a syntax error is reported. The error message reveals the query parameters that are used in the SQL query: username and password. This leaked information is the missing link for an attacker to begin to construct SQL Injection attacks against the site.
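The fix for verbose error messages is to keep the detail on the server and hand the client only a generic message with a reference id that support staff can match against the log. The following is an added example written for this guide, not code from the WASC material or from any of the vendor pages referenced below; it uses an in-memory SQLite database to provoke a real database error, and includes a small checker, `leaks_internal_details`, that flags response bodies shaped like the stack trace shown above so that the generic page can be regression-tested.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("app")

# Patterns typical of database errors and stack traces, which must never reach a client.
_LEAK_PATTERNS = [
    re.compile(r"\bException\b"),
    re.compile(r"\bat\s+[\w.]+\.\w+\s*\("),      # .NET-style frame: "at System.Data....Execute... ("
    re.compile(r"syntax error", re.IGNORECASE),
]


def leaks_internal_details(body):
    """True if a response body looks like a verbose error message."""
    return any(p.search(body) for p in _LEAK_PATTERNS)


def verbose_error_response(exc):
    """What a naive handler returns to the client: the raw exception text (the leak)."""
    return "An Error Has Occurred. Error Message: %s: %s" % (type(exc).__name__, exc)


def safe_error_response(exc):
    """Log the full detail server-side under a reference id and return only a
    generic message carrying that id, so the cause can still be traced."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc, exc_info=exc)
    return ref, "An error has occurred. Reference: %s" % ref


def run_query(conn, sql, params=()):
    """Execute a query and return (ok, payload): rows on success, the safe message otherwise."""
    try:
        return True, conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        ref, message = safe_error_response(exc)
        return False, message
```

The checker is deliberately simple; its purpose is to run in a test suite against every error path of the application (invalid input, database down, unexpected exception) and fail the build if any response body starts to look like the .NET trace quoted above.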

References

"Best practices with custom error pages in .Net", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;834452

"Creating Custom ASP Error Pages", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;224070

"Apache Custom Error Pages", Code Style
http://www.codestyle.org/sitemanager/apache/errors-Custom.shtml

"Customizing the Look of Error Messages in JSP", DrewFalkman.com
http://www.drewfalkman.com/resources/CustomErrorPages.cfm

ColdFusion Custom Error Pages
http://livedocs.macromedia.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/Errors6.htm

Obfuscators:
Java
http://www.cs.auckland.ac.nz/~cthombor/Students/hlai/hongying.pdf

SQL Injection

http://www.webappsec.org/projects/threat/classes/sql_injection.shtml

SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input.

Structured Query Language (SQL) is a specialized programming language for sending queries to databases. Most small and industrial-strength database applications can be accessed using SQL statements. SQL is both an ANSI and an ISO standard. However, many database products supporting SQL do so with proprietary extensions to the standard language. Web applications may use user-supplied input to create custom SQL statements for dynamic web page requests.

When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of backend SQL statements. When an attacker is able to modify a SQL statement, the process will run with the same permissions as the component that executed the command. (e.g. Database server, Web application server, Web server, etc.). The impact of this attack can allow attackers to gain total control of the database or even execute commands on the system.

The same advanced exploitation techniques available in LDAP Injection can also be similarly applied to SQL Injection.

Example
A web based authentication form might have code that looks like the following:

    SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPassword & "'"
    strAuthCheck = GetQueryResult(SQLQuery)

In this code, the developer is taking the user input from the form and embedding it directly into an SQL query. Suppose an attacker submits a login and password that look like the following:

    Login: ' OR ''='
    Password: ' OR ''='

This will cause the resulting SQL query to become:

    SELECT Username FROM Users WHERE Username = '' OR ''='' AND Password = '' OR ''=''

Instead of comparing the user-supplied data with entries in the Users table, the query compares '' (empty string) to '' (empty string). This will return a True result and the attacker will then be logged in as the first user in the Users table.
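The same authentication check written both ways, so the effect of the `' OR ''='` input above can be observed directly: the concatenated statement (the Python equivalent of the ASP code above) lets the empty-string comparison through, while the parameterized statement keeps the input as data and the shape of the query fixed. This is an added example written for this guide, not code from the WASC material; it uses an in-memory SQLite database and constructed demo rows, and the passwords are stored in plain text only to mirror the page's example.

```python
import sqlite3


def make_db():
    """Constructed demo table matching the page's Users(Username, Password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def auth_concat(conn, username, password):
    """Vulnerable: user input is spliced into the statement text, exactly as in
    the ASP example, so the input can change the statement's logic."""
    sql = ("SELECT Username FROM Users WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def auth_param(conn, username, password):
    """Hardened: placeholders bind the input as values; whatever the user types
    is compared against the columns, never parsed as SQL."""
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchone()
    return row[0] if row else None
```

Because `AND` binds tighter than `OR`, the concatenated query evaluates as `Username = '' OR (''='' AND Password = '') OR ''=''`, which is true for every row, so `fetchone()` returns the first row of the table, which is what the text above describes. Parameterization is the primary control; escaping or filtering quotes is at best a secondary layer and breaks for numeric parameters, as the `ID=2+and+1=1` requests below show.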

There are two commonly known methods of SQL injection: Normal SQL Injection and Blind SQL Injection. The first is vanilla SQL Injection in which the attacker can format his query to match the developer's by using the information contained in the error messages that are returned in the response.

Normal SQL Injection
By appending a union select statement to the parameter, the attacker can test to see if he can gain access to the database:

http://example/article.asp?ID=2+union+all+select+name+from+sysobjects

The SQL server then might return an error similar to this:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.

This tells the attacker that he must now guess the correct number of columns for his SQL statement to work.

Blind SQL Injection
In Blind SQL Injection, instead of returning a database error, the server returns a customer-friendly error page informing the user that a mistake has been made. In this instance, SQL Injection is still possible, but not as easy to detect. A common way to detect Blind SQL Injection is to put a false and true statement into the parameter value.

Executing the following request to a web site:

http://example/article.asp?ID=2+and+1=1

should return the same web page as:

http://example/article.asp?ID=2

because the SQL statement 'and 1=1' is always true.

Executing the following request to a web site:

http://example/article.asp?ID=2+and+1=0

would then cause the web site to return a friendly error or no page at all. This is because the SQL statement "and 1=0" is always false.

Once the attacker discovers that a site is susceptible to Blind SQL Injection, he can exploit this vulnerability more easily, in some cases, than by using normal SQL Injection.
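From the defender's side, the true/false request pair described above is a recognisable pattern in the web server's access log: the same client requests the same path and parameter with a comparison that is always true and then one that is always false, and the response status or size changes between them. The following is an added example written for this guide, not code from the WASC material; it parses constructed Common Log Format lines whose query strings mirror the URLs above, URL-decodes each parameter, flags boolean and UNION probes, and reports clients that completed a true/false pair.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format); probes mirror the page's URLs.
LOG_LINES = [
    '10.1.1.5 - - [10/Oct/2024:13:55:36 +0000] "GET /article.asp?ID=2 HTTP/1.1" 200 5120',
    '10.1.1.5 - - [10/Oct/2024:13:55:40 +0000] "GET /article.asp?ID=2+and+1=1 HTTP/1.1" 200 5120',
    '10.1.1.5 - - [10/Oct/2024:13:55:44 +0000] "GET /article.asp?ID=2+and+1=0 HTTP/1.1" 500 312',
    '10.1.1.7 - - [10/Oct/2024:13:56:01 +0000] "GET /article.asp?ID=2+union+all+select+name+from+sysobjects HTTP/1.1" 500 1044',
    '10.1.1.9 - - [10/Oct/2024:13:57:12 +0000] "GET /search.asp?q=rock+and+roll HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Signatures for the probes described on the page, applied after URL decoding.
BOOL_RE = re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*(\d+)", re.IGNORECASE)
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE)


def classify(value):
    """Return ('boolean', truth_of_the_comparison), ('union', None) or None."""
    m = BOOL_RE.search(value)
    if m:
        return "boolean", int(m.group(1)) == int(m.group(2))
    if UNION_RE.search(value):
        return "union", None
    return None


def scan_access_log(lines):
    """Return flagged probes and the (ip, path, param) keys that saw both a
    true and a false boolean probe, i.e. a completed blind-injection test."""
    probes = []
    seen = {}   # (ip, path, param) -> set of truth values observed
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        # parse_qsl decodes '+' and %xx, so the signatures see the real value
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hit = classify(value)
            if hit is None:
                continue
            kind, truth = hit
            probes.append({"ip": m.group("ip"), "path": parts.path, "param": name,
                           "value": value, "kind": kind, "status": int(m.group("status"))})
            if kind == "boolean":
                seen.setdefault((m.group("ip"), parts.path, name), set()).add(truth)
    blind_pairs = sorted(k for k, truths in seen.items() if truths == {True, False})
    return {"probes": probes, "blind_pairs": blind_pairs}
```

The pair detection matters because a single `and 1=1` request is easy to dismiss as noise, while a true/false pair against one parameter from one client, with a differing response status, is the signature of the technique the text describes. Request bodies and cookies are injection points too, so a production detector would apply the same classification to POST data and cookie values, not only to the query string.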

References

"SQL Injection: Are your Web Applications Vulnerable" - SPI Dynamics
http://www.spidynamics.com/support/whitepapers/WhitepaperSQLInjection.pdf

"Blind SQL Injection: Are your Web Applications Vulnerable" - SPI Dynamics
http://www.spidynamics.com/support/whitepapers/Blind_SQLInjection.pdf

"Advanced SQL Injection in SQL Server Applications", Chris Anley - NGSSoftware
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

"More advanced SQL Injection", Chris Anley - NGSSoftware
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

"Web Application Disassembly with ODBC Error Messages", David Litchfield - @stake
http://www.nextgenss.com/papers/webappdis.doc

"SQL Injection Walkthrough"
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

"Blind SQL Injection" - Imperva
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

"SQL Injection Signatures Evasion" - Imperva
http://www.imperva.com/application_defense_center/white_papers/sql_injection_signatures_evasion.html

"Introduction to SQL Injection Attacks for Oracle Developers" - Integrigy
http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf

Appendix A: Common Terms and Abbreviations

Abuse of Functionality: An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site’s access controls. See also “Denial of Service”.

ActiveX controls: A program, called a “control”, developed using ActiveX technologies. ActiveX controls can be downloaded and executed within technology-enabled Web browsers. ActiveX is a set of rules for how applications should share information. ActiveX controls can be developed in C, C++, Visual Basic, and Java. See also “Java”, “Java Applets”, “JavaScript”, “Web Browser”.

AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser based technology allows a website to perform additional resource requests without refreshing the user page by utilizing the XMLHttpRequest Javascript object.

Anti-Automation: Security measure that prevents automated programs from exercising web site functionality by administering the Turing Test to a user, which only a human could pass. See also “Visual Verification”.

Application Server: A software server, normally using HTTP, which has the ability to execute dynamic web applications. Also known as middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also “Web Application”, “Web Server”.

Authentication: The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: “something you have”, “something you know” or “something you are”. The authenticating application may provide different services based on the location, access method, time of day, etc. See also “Insufficient Authentication”.

Authorization: The determination of what resources a user, service or application has permission to access. Accessible resources can be URL’s, files, directories, servlets, databases, execution paths, etc. See also “Insufficient Authorization”.

Backup File Disclosure: (Obsolete) See “Predictable File Location”.

Basic Authentication: A simple form of client-side authentication supported in HTTP. The http-client sends a request header to the web server containing a Base64 encoded username and password. If the username/password combination is valid, the web server grants the client access to the requested resource. See also “Authentication”, “Insufficient Authentication”.

Brute Force: An automated process of trial and error used to guess the “secret” protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also “Authentication”, “Insufficient Authentication”, “Password Recovery System”, “Weak Password Recovery Validation”.

Buffer Overflow: An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory space will be corrupted and normally produce a fault. An attacker may be able to utilize a buffer overflow situation to alter an application's process flow. Overfilling the buffer and rewriting memory-stack pointers could be used to execute arbitrary operating-system commands.

CGI Scanner: Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. Often CGI Scanners are not very “stateful” in their analysis and only test a series of HTTP requests against known CGI strings. See also “Web Application Vulnerability Scanner”.

CGI Security: (Obsolete) See “Web Application Security”.

Client-Side Scripting: Web browser feature that extends the functionality and interactivity of static HyperText markup language (HTML) web pages. Examples of Client-Side Scripting languages are JavaScript, JScript and VBScript. See also “ActiveX controls”, “Java Applets”.

Common Gateway Interface: (Acronym - CGI) Programming standard for software to interface and execute applications residing on web servers. See also “Web Application”, “Application Server”, “Web Server”.

Configuration File Disclosure: (Obsolete) See “Predictable File Location”.

Content Spoofing: An attack technique used to trick a user into thinking that fake web site content is legitimate data.

Cookie: Small amount of data sent by the web server, to a web client, which can be stored and retrieved at a later time. Typically cookies are used to keep track of a user’s state as they traverse a web site. See also “Cookie Manipulation”.

Cookie Manipulation: Altering or modification of cookie values, on the client’s web browser, to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input. See also “Cookie”.

Cookie Poisoning: (Obsolete) See “Cookie Manipulation”.

Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo client-supplied data, which execute in a user’s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). See also “Client-Side Scripting”.

Debug Commands: Application debugging features or commands that assist in identifying programming errors during the software development process.

Denial of Service: (Acronym – DoS) An attack technique that consumes all of a web site’s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also “Abuse of Functionality”.

Directory Browsing: (Obsolete) See “Directory Indexing”.

Directory Enumeration: (Obsolete) See “Predictable File Location”.

Directory Indexing: A feature common to most popular web servers, that exposes contents of a directory when no index page is present. See also “Predictable File Location”.

Directory Traversal: A technique used to exploit web sites by accessing files and commands beyond the document root directory. Most web sites restrict user access to a specific portion of the file-system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.
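The control for directory traversal is to map every requested path onto the document root and refuse anything that, after decoding and normalisation, would end up outside it. The following is an added example written for this guide, not code from the WASC glossary; the document root `/var/www/html` is an assumed value, the function works on path strings only (it does not follow symlinks, so a deployment should additionally `realpath()` the result and re-check containment), and it decodes percent-encoding exactly once so that `%2e%2e` is seen as `..` while a double-encoded value is not silently decoded twice.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"   # assumed document root for the demo


def resolve_under_root(requested_path, root=DOC_ROOT):
    """Map a request path to a filesystem path under root, rejecting anything
    that would leave the document root or contains a null byte."""
    decoded = unquote(requested_path)             # decode %2e%2e etc. exactly once
    if "\x00" in decoded:
        raise ValueError("null byte in path")       # see the Null Injection entry
    # normpath collapses '.' and '..' segments; stripping the leading '/' first
    # keeps the path relative so that an escape shows up as a leading '..'
    normalized = posixpath.normpath(decoded.lstrip("/"))
    if normalized == ".":
        return root
    if normalized == ".." or normalized.startswith("../"):
        raise ValueError("path escapes document root: %r" % requested_path)
    full = posixpath.join(root, normalized)
    if not full.startswith(root + "/"):             # belt-and-braces containment check
        raise ValueError("path escapes document root: %r" % requested_path)
    return full
```

Rejecting the request, rather than silently clamping `..` segments to the root, is the better choice here because the rejection can be logged and counted; a burst of rejected traversal paths from one client is a useful detection signal in its own right.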

DOM Based Cross Site Scripting: DOM based cross-site scripting (or "DOM based XSS" in short) is a “cross-site scripting” attack that makes use of insecure Javascript (or in general - client side) programming that takes place in response pages, to effectively incur an XSS condition. In DOM based XSS, the attacker affects the Javascript execution in a target page (in the attacked domain) by providing it with data in the URL or the Referer, which the script insecurely uses. The script may apply the eval() function to the malicious data, or embed it in the DOM (thus making the browser potentially render it as Javascript and run it). This is in contrast to "standard" XSS, where the malicious data is embedded in the page at the server side. In some cases, DOM based XSS can even be conducted in such a way that the malicious payload doesn't even reach the server, which makes this attack more unobtrusive.

Encoding Attacks: An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters. See also “Null Injection”.

Extension Manipulation: (Obsolete) See “Filename Manipulation”.

File Enumeration: (Obsolete) See “Predictable File Location”.

Filename Manipulation: An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. See also “Predictable File Location”.

Filter-Bypass Manipulation: See “Encoding Attacks”.

Forced Browsing: See “Predictable File Location”.

Form Field Manipulation: Altering or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also “Parameter Tampering”, “Cookie Manipulation”.

Format String Attack: An exploit technique that alters the flow of an application by using string formatting library features to access other memory space.

Frame Spoofing: (Obsolete) See “Content Spoofing”.

HyperText Transfer Protocol: (Acronym – HTTP) A protocol scheme used on the World Wide Web. HTTP describes the way a web-client requests data and how a web server responds to those requests. See also “Web Server”, “Web Browser”.

HTTP Request Smuggling: HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks: “web cache poisoning”, “session hijacking”, “cross-site scripting” as well as the ability to bypass web application firewall protection. The attacker sends multiple specially-crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a web server, or a firewall and a web server) to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.

HTTP Response Smuggling: HTTP response smuggling is an enhancement of the basic “HTTP response splitting” technique, which can evade anti-HTTP response splitting measures. HTTP response smuggling makes use of “HTTP request smuggling”-like techniques to exploit the discrepancies between what an anti-HTTP Response Splitting mechanism would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti-HTTP response splitting mechanism may consider a particular response stream harmless (single HTTP response), a proxy/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique. For example, some anti-HTTP response splitting mechanisms in use by some application engines forbid the application from inserting a header containing CR+LF to the response. Yet an attacker can force the application to insert a header containing CRs, thereby circumventing the defense mechanism. Some proxy servers may still treat CR (only) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy's cache.

HTTP Response Splitting: An HTTP response splitting attack causes the web server to send out two HTTP responses, where it typically only sends out one HTTP response (hence the name - "response splitting"). This can be described as HTTP response injection, and is typically conducted by injecting malicious data into an HTTP response header, and using CR+LF characters to shape and terminate the first response, and then completely shape and control the additional response. Having this second, "unexpected" response enables the attacker to fool a client that receives this extra response by forcing this client to first emit a second request. The client then matches the second, attacker-controlled response to the second, attacker-controlled request. The net result (looking at the second request-response pair) is that the client is forced to send an arbitrary request to the vulnerable server, and in response, the client receives an arbitrary response crafted by the attacker. This condition enables “cross-site scripting” and “cache poisoning”.
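Both of the preceding entries come down to one rule for application code: a value that ends up in a response header must contain no CR, no LF and no other control character, and, as the smuggling entry points out, a bare CR has to be rejected on its own rather than only the CR+LF pair. The following is an added example written for this guide, not code from the WASC glossary; it validates header values with that rule and applies it to the usual injection point, a redirect target taken from a request parameter, additionally restricting the target to a local absolute path so that the same parameter cannot be used for an open redirect. The function names and the response text are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Any C0 control character (including a lone CR or LF) or DEL is forbidden in a
# header value; checking for CR+LF only would miss the bare-CR case.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_header_value(value):
    """True if value can be placed in a response header without starting a new line."""
    return _CTRL_RE.search(value) is None


def safe_redirect(target):
    """Build a 302 response whose Location comes from user input, after validation:
    no control characters, and only a same-site absolute path (no scheme, no host,
    no protocol-relative '//host' form). Raises ValueError otherwise."""
    if not is_safe_header_value(target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith("//"):
        raise ValueError("only local absolute paths may be used as redirect targets")
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n"


def header_line(name, value):
    """Serialize one header after validating both sides; the name additionally
    must be a plain token so it cannot carry a ':' or whitespace."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        raise ValueError("invalid header name")
    if not is_safe_header_value(value):
        raise ValueError("control character in header value")
    return name + ": " + value + "\r\n"
```

Most modern frameworks already refuse CR and LF in header values; the check is still worth owning in application code for two reasons: it covers the bare-CR case that some filters miss, and a rejected value is an event that can be logged, whereas silent stripping turns an attempted injection into a quiet oddity.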

Information Leakage: When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also “Verbose Messages”.

Insufficient Authentication: When a web site permits an attacker to access sensitive content or functionality without verifying their identity. See also “Authentication”.

Insufficient Authorization: When a web site permits an attacker to access sensitive content or functionality that should require increased access control restrictions. See also “Authorization”.

Insufficient Session Expiration: When a web site permits an attacker to reuse old session credentials or session ID’s for authorization. See also “Session Replay”, “Session Credential”, “Session ID”, “Session Manipulation”.

Insufficient Process Validation: When a web site permits an attacker to bypass or circumvent the intended flow control of an application.

Java: A popular programming language developed by Sun Microsystems(tm). See also “ActiveX controls”, “Web Browser”, “JavaScript”, “Client-Side Scripting”.

Java Applets: An applet is a program written in the Java programming language that can be included in a web page. When a Java enabled web browser views a page containing an applet, the code is executed by the Java Virtual Machine (JVM). See also “Web Browser”, “Java”, “ActiveX controls”, “JavaScript”, “Client-Side Scripting”.

JavaScript: A popular web browser client-side scripting language used to create dynamic web page content. See also “ActiveX controls”, “Java Applets”, “Client-Side Scripting”.

Known CGI file: See “Predictable File Location”.

Known Directory: See “Predictable File Location”.

LDAP Injection: A technique for exploiting a web site by altering backend LDAP statements through manipulating application input. The methodology is similar to that of SQL Injection. See also “Parameter Tampering”, “Form Field Manipulation”.

Meta-Character Injection: An attack technique used to exploit web sites by sending in meta-characters, which have special meaning to a web application, as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also “Null Injection”, “Parameter Tampering”, “SQL Injection”, “LDAP Injection”, “Cross-Site Scripting”.

Null Injection: An exploitation technique used to bypass sanity checking filters by adding URL encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower level C-functions for further processing and functionality. If a user-supplied string contains a null character (\0), the web application may stop processing the string at the point of the null. Null Injection is a form of a meta-character Injection attack. See also “Encoding Attacks”, “Parameter Tampering”, “Meta Character Injection”.

OS Command Injection: See “OS Commanding”.

OS Commanding: An attack technique used to exploit web sites by executing operating-system commands through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.

Page Sequencing: (Obsolete) See “Insufficient Process Validation”.

Parameter Tampering: Altering or modifying the parameter name and value pairs in a URL. Also known as “URL Manipulation”. See also “Uniform Resource Locator”.

Password Recovery System: An automated process that allows a user to recover or reset his password in the event that it has been lost or forgotten. See also “Weak Password Recovery Validation”.

Predictable File Location: A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGI scripts, configuration files, backup files, temporary files, etc.

Secure Sockets Layer: (Acronym – SSL) An industry standard public-key protocol used to create encrypted tunnels between two network-connected devices. See also “Transport Layer Security”.

Session Credential: A string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions. See also “Session ID”.

Session Fixation: An attack technique that forces a user’s session credential or session ID to an explicit value. See also “Session Credential”, “Session ID”.

Session Forging: See “Session Prediction”.

Session Hi-Jacking: The result of a user’s session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user. See also “Session Prediction”, “Session Credential”, “Session ID”.

Session ID: A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user’s session (possibly only his current session) as he traverses the web site.

Session Manipulation: An attack technique used to hi-jack another user’s session by altering a session ID or session credential value. See also “Session Prediction”, “Session Hi-Jacking”, “Session Credential”, “Session ID”.

Session Prediction: An attack technique used to create fraudulent session credentials or guess other users’ current session IDs. If successful, an attacker could reuse this stolen session to masquerade as another user. See also “Session Credential”, “Session ID”, “Session Hi-Jacking”.

Session Replay: When a web site permits an attacker to reuse old session credentials or session IDs for authorization. See also “Session ID”, “Session Credential”, “Insufficient Session Expiration”.
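The Session Fixation, Session Prediction and Session Replay entries above each describe a way a session credential can be abused. The following added example, which is not code from the glossary or from any product it names, shows one server-side session store that addresses all three: IDs come from a cryptographically secure generator so they cannot be predicted, the ID is replaced at login so a value fixed before authentication never becomes authenticated, and logout and an idle timeout retire IDs so old ones cannot be replayed. The class name, the injectable `clock` and the 900-second timeout are assumptions made for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 32         # 256 bits of entropy per ID (assumed size)
IDLE_TIMEOUT_SECONDS = 900    # constructed value for the example


class SessionStore:
    """Server-side session table keyed by an unguessable ID.

    The clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str|None, "last_seen": float}
        self._clock = clock

    def _fresh_id(self) -> str:
        # secrets, not random: the ID must not be predictable from earlier IDs.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    def new_session(self) -> str:
        """Anonymous pre-login session (e.g. a shopping basket)."""
        sid = self._fresh_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """On successful authentication discard whatever ID the client
        presented (it may have been fixed by a third party) and issue a
        new one bound to the user. Credential checking is out of scope here."""
        self._sessions.pop(presented_sid, None)
        sid = self._fresh_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid: str):
        """Resolve a presented ID to an authenticated user, or None.
        Unknown, anonymous, expired and logged-out IDs all yield None, so a
        guessed, forged or replayed value never authorizes anything."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]          # expire server-side, not just in the cookie
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Invalidate server-side so the old ID cannot be replayed later."""
        self._sessions.pop(sid, None)
```

In use, the ID returned by `login` must be sent to the client in a cookie with the `Secure` and `HttpOnly` attributes rather than placed in the URL, because a URL-carried ID is the channel both fixation and leakage through referrers rely on.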

Session Tampering: See “Session Manipulation”.

SQL Injection: An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.

SSI Injection: A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also “Meta-Character Injection”, “Parameter Tampering”, “Form Field Manipulation”.

Transport Layer Security: (Acronym – TLS) The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol, but the two systems are not interoperable. See also “Secure Sockets Layer”.

Uniform Resource Locator: (Acronym – URL) A standard way of specifying the location of an object, normally a web page, on the Internet. See also “Parameter Tampering”.

Unvalidated Input: When a web application does not properly sanity-check user-supplied data input.

URL Manipulation: Altering or modifying a web application’s parameter name and value pairs. Also known as “Parameter Tampering”.

User-Agent Manipulation: A technique used to bypass web site browser requirement restrictions by altering the value sent within an HTTP User-Agent header. See also “Cookie Manipulation”.

Verbose Messages: Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.

Visual Verification: A visually oriented anti-automation method that prevents automated programs from exercising web site functionality by determining whether a human is present. See also “Anti-Automation”.

Weak Password Recovery Validation: When a web site permits an attacker to illegally obtain, change or recover another user’s password. See also “Password Recovery System”.

Web Application: A software application, executed by a web server, which responds to dynamic web page requests over HTTP. See also “Web Server”, “Web Service”.

Web Application Scanner: See “Web Application Vulnerability Scanner”.

Web Application Security: The science of information security relating to the World Wide Web, HTTP and web application software. Also known as “Web Security”.

Web Application Firewall: An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. See also “Web Application Security”, “Web Server”.

Web Application Vulnerability Scanner: An automated security program that searches for software vulnerabilities within web applications. See also “Web Application Security”.

Web Browser: A program used to display HyperText Markup Language (HTML) web pages sent by a web server. See also “ActiveX controls”, “Cookie”, “Java Applets”, “JavaScript”, “Client-Side Scripting”.

Web (or browser) cache poisoning: The act of adding or overwriting a cache entry (of a caching proxy server, or a browser) with forged and possibly malicious data is called cache poisoning. In its most potent form, an attacker can force an arbitrary entry (URL of choice, page contents of choice) into the cache. In HTTP response splitting, the attacker can choose the URL’s path and query (the host, port and scheme must be the vulnerable host’s) and the entire page contents. In HTTP request smuggling, the attacker can choose the URL as in HTTP response splitting, but the page contents must be obtained from a URL on the site. In any case, cache poisoning can be considered a form of defacement, whose scope is determined by the coverage of the cache (browser: one user; forward proxy: one ISP or organization; reverse proxy: all users) and the strength of the attack (full page control over /index.html vs. partial control).

Web Security: See “Web Application Security”.

Web Security Assessment: A process of performing a security review of a web application by searching for design flaws, vulnerabilities and inherent weaknesses. See also “Web Application Security”.

Web Security Scanner: See “Web Application Vulnerability Scanner”.

Web Server: A general-purpose software application that handles and responds to HTTP requests. A web server may utilize a web application for dynamic web page content. See also “Web Application”, “Application Server”, “HyperText Transfer Protocol”.

Web Service: A software application that uses Extensible Markup Language (XML) formatted messages to communicate over HTTP. Typically, software applications interact with web services rather than normal users. See also “Web Server”, “Web Application”, “Application Server”, “HyperText Transfer Protocol”.