Dafydd Stuttard and Marcus Pinto
The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws
Wiley Publishing, Inc.
Published by Wiley Publishing, Inc.
10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com
Copyright © 2008 by Dafydd Stuttard and Marcus Pinto.
Published by Wiley Publishing, Inc., Indianapolis, Indiana. Published simultaneously in Canada.
ISBN: 978-0-470-17077-9
Manufactured in the United States of America.
About the Authors

Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applications and compiled software.

Dafydd has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to several software manufacturers and governments to help secure their compiled software. Dafydd is an accomplished programmer in several languages, and his interests include developing tools to facilitate all kinds of software security testing.

Dafydd has developed and presented training courses at the Black Hat security conferences around the world. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite of web application hacking tools. Dafydd holds master’s and doctorate degrees in philosophy from the University of Oxford.

Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database competency development team, and has led the development of NGS’ primary training courses. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures.

Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial services industry.

Marcus has developed and presented database and web application training courses at the Black Hat and other security conferences around the world. Marcus holds a master’s degree in physics from the University of Cambridge.
Credits

Johnna VanHoose Dinse

Anniversary Logo Design
Richard Pacifico
Contents

Acknowledgments xxiii
The Evolution of Web Applications 2
The Core Security Problem: Users Can Submit Arbitrary Input 8
“Reject Known Bad” 21
Enumerating Content and Functionality 62
Transmitting Data via the Client 95
Capturing User Data: HTML Forms 106
Decompiling Java Bytecode 114
Handling Client-Side Data Securely 128
Authentication Technologies 134
Design Flaws in Authentication Mechanisms 135
Implementation Flaws in Authentication 156
Chapter 7 Attacking Session Management 175
Weaknesses in Session Token Handling 191
Securing Session Management 206
Attacking Access Controls 224
Injecting into Interpreted Languages 238
The UNION Operator 251
Injecting into Web Scripting Languages 307
Informed XPath Injection 318
Finding and Exploiting Path Traversal Vulnerabilities 335
Preventing Path Traversal Vulnerabilities 344
Example 5: Erasing an Audit Trail 359
Delivery Mechanisms for XSS Attacks 399
Finding and Exploiting Reflected XSS Vulnerabilities 402
Finding and Exploiting DOM-Based XSS Vulnerabilities 417
Finding and Exploiting Session Fixation Vulnerabilities 452
Attacking ActiveX Controls 454
Browsing History 459
Advanced Exploitation Techniques 461
Uses for Bespoke Automation 472
Enumerating Valid Identifiers 473
Fuzzing for Common Vulnerabilities 487
Putting It All Together: Burp Intruder 491
Gathering Published Information 513
Preventing Information Leakage 516
Buffer Overflow Vulnerabilities 522
Format String Vulnerabilities 531
Shared Hosting and Application Service Providers 542
Chapter 17 Attacking the Web Server 553
Vulnerable Web Server Configuration 553
Vulnerable Web Server Software 566
Microsoft IIS Unicode Path Traversal Vulnerabilities 569
Chapter 18 Finding Vulnerabilities in Source Code 577
Signatures of Common Vulnerabilities 580
OS Command Injection 584
1 Map the Application’s Content 669
2 Analyze the Application 672
3 Test Client-Side Controls 675
4 Test the Authentication Mechanism 679
4.12 Test for Logic Flaws 685
4.13 Exploit Any Vulnerabilities to Gain Unauthorized Access 687
5 Test the Session Management Mechanism 688
7 Test for Input-Based Vulnerabilities 699
8 Test for Function-Specific Input Vulnerabilities 712
9.4 Test Trust Boundaries 719
10 Test for Shared Hosting Vulnerabilities 720
11 Test for Web Server Vulnerabilities 721
Acknowledgments

Our primary debt is to the directors and our other colleagues at Next Generation Security Software, who have provided a creative working environment, promoted sharing of knowledge, and supported us during the months spent producing this book. In particular, we received direct assistance from Chris Anley, Dave Armstrong, Dominic Beecher, David Litchfield, Adam Matthews, Dave Spencer, and Peter Winter-Smith.

In addition to our immediate colleagues, we are greatly indebted to the wider community of researchers who have shared their ideas and contributed to the collective understanding of web application security issues that exists today. Because this is a practical handbook rather than a work of scholarship, we deliberately avoided filling it with a thousand citations of influential articles, books, and blog postings which spawned the ideas involved. We hope that people whose work we discuss anonymously are content with the general credit given here.

We are grateful to the people at Wiley, in particular to Carol Long for enthusiastically supporting our project from the outset, to Adaobi Obi Tulton for helping to polish our manuscript and coaching us in the quirks of “American English,” and to Christine O’Connor’s team for delivering a first-rate production.

A large measure of thanks is due to our respective partners, Becky and Susan, for tolerating the significant distraction and time involved in producing a book of this size.

Both authors are indebted to the people who led us into our unusual line of work. Dafydd would like to thank Martin Law. Martin is a great guy who first taught me how to hack, and encouraged me to spend my time developing techniques and tools for attacking applications. Marcus would like to thank his parents for a great many things, a significant one being getting me into computers. I’ve been getting into computers ever since.
Introduction

This book is a practical guide to discovering and exploiting security flaws in web applications. By “web application” we mean an application that is accessed by using a web browser to communicate with a web server. We examine a wide variety of different technologies, such as databases, file systems, and web services, but only in the context in which these are employed by web applications.

If you want to learn how to run port scans, attack firewalls, or break into servers in other ways, we suggest you look elsewhere. But if you want to know how to hack into a web application, steal sensitive data, and perform unauthorized actions, then this is the book for you. There is enough that is interesting and fun to say on that subject without straying into any other territory.

Overview of This Book

The focus of this book is highly practical. While we include sufficient background and theory for you to understand the vulnerabilities that web applications contain, our primary concern is with the tasks and techniques that you need to master in order to break into them. Throughout the book, we spell out the specific steps that you need to take to detect each type of vulnerability, and how to exploit it to perform unauthorized actions. We also include a wealth of real-world examples, derived from the authors’ many years of experience, illustrating how different kinds of security flaw manifest themselves in today’s web applications.

Security awareness is usually a two-edged sword. Just as application developers can benefit from understanding the methods used by attackers, hackers can gain from knowing how applications can effectively defend themselves. In addition to describing security vulnerabilities and attack techniques, we also describe in detail the countermeasures that applications can take to thwart an attacker. For those of you who perform penetration tests of web applications, this will enable you to provide high-quality remediation advice to the owners of the applications you compromise.
Who Should Read This Book

The primary audience for this book is anyone with a personal or professional interest in attacking web applications. It is also aimed at anyone responsible for developing and administering web applications — knowing how your enemy operates will help you to defend against them.

We assume that the reader is familiar with core security concepts, such as logins and access controls, and has a basic grasp of core web technologies, such as browsers, web servers, and HTTP. However, any gaps in your current knowledge of these areas will be easy to remedy, through either the explanations contained within this book or references elsewhere.

In the course of illustrating many categories of security flaws, we provide code extracts showing how applications can be vulnerable. These examples are simple enough to be understood without any prior knowledge of the language in question but will be most useful if you have some basic experience of reading or writing code.
How This Book Is Organized

This book is organized roughly in line with the dependencies between the different topics covered. If you are new to web application hacking, you should read the book through from start to finish, acquiring the knowledge and understanding you need to tackle later chapters. If you already have some experience in this area, you can jump straight into any chapter or subsection that particularly interests you. Where necessary, we have included cross-references to other chapters, which you can use to fill in any gaps in your understanding.

We begin with three context-setting chapters describing the current state of web application security and the trends that indicate how it is likely to evolve in the near future. We examine the core security problem affecting web applications and the defense mechanisms that applications implement to address this problem. We also provide a primer in the key technologies used in today’s web applications.

The bulk of the book is concerned with our core topic — the techniques that you can use to break into web applications. This material is organized around the key tasks that you need to perform to carry out a comprehensive attack: from mapping the application’s functionality, scrutinizing and attacking its core defense mechanisms, to probing for specific categories of security flaws. The book concludes with three chapters that pull together the various strands introduced within the book. We describe the process of finding vulnerabilities in an application’s source code, review the tools that can assist you when hacking web applications, and present a detailed methodology for performing a comprehensive and deep attack against a specific target.
Chapter 1, “Web Application (In)security,” describes the current state of security in web applications on the Internet today. Despite common assurances, the majority of applications are insecure and can be compromised in some way with a modest degree of skill. Vulnerabilities in web applications arise because of a single core problem: users can submit arbitrary input. In this chapter, we examine the key factors that contribute to the weak security posture of today’s applications, and describe how defects in web applications can leave an organization’s wider technical infrastructure highly vulnerable to attack.

Chapter 2, “Core Defense Mechanisms,” describes the key security mechanisms that web applications employ to address the fundamental problem that all user input is untrusted. These mechanisms are the means by which an application manages user access, handles user input, and responds to attackers, and the functions provided for administrators to manage and monitor the application itself. The application’s core security mechanisms also represent its primary attack surface, and you need to understand how these mechanisms are intended to function before you can effectively attack them.

Chapter 3, “Web Application Technologies,” provides a short primer on the key technologies that you are likely to encounter when attacking web applications. This covers all relevant aspects of the HTTP protocol, the technologies commonly used on the client and server sides, and various schemes used for encoding data. If you are already familiar with the main web technologies, then you can quickly skim through this chapter.

Chapter 4, “Mapping the Application,” describes the first exercise that you need to take when targeting a new application, which is to gather as much information as possible about it, in order to map its attack surface and formulate your plan of attack. This process includes exploring and probing the application to catalogue all of its content and functionality, identifying all of the entry points for user input and discovering the technologies in use.

Chapter 5, “Bypassing Client-Side Controls,” describes the first area of actual vulnerability, which arises when an application relies upon controls implemented on the client side for its security. This approach is normally flawed, because any client-side controls can, of course, be circumvented. The two main ways in which applications make themselves vulnerable are (a) to transmit data via the client in the assumption that this will not be modified, and (b) to rely upon client-side checks on user input. In this chapter, we examine a range of interesting technologies, including lightweight controls implemented within HTML, HTTP, and JavaScript, and more heavyweight controls using Java applets, ActiveX controls, and Shockwave Flash objects.

Chapters 6 to 8 examine some of the most important defense mechanisms implemented within web applications: those responsible for controlling user access. Chapter 6, “Attacking Authentication,” examines the various functions by which applications gain assurance of the identity of their users. This includes the main login function and also the more peripheral authentication-related functions such as user registration, password changing, and account recovery. Authentication mechanisms contain a wealth of different vulnerabilities, in both design and implementation, which an attacker can leverage to gain unauthorized access. These range from obvious defects, such as bad passwords and susceptibility to brute-force attacks, to more obscure problems within the authentication logic. We also examine in detail the type of multi-stage login mechanisms used in many security-critical applications, and describe the new kinds of vulnerability which these frequently contain.

Chapter 7, “Attacking Session Management,” examines the mechanism by which most applications supplement the stateless HTTP protocol with the concept of a stateful session, enabling them to uniquely identify each user across several different requests. This mechanism is a key target when you are attacking a web application, because if you can break it, then you can effectively bypass the login and masquerade as other users without knowing their credentials. We look at various common defects in the generation and transmission of session tokens, and describe the steps you can take to discover and exploit these.

Chapter 8, “Attacking Access Controls,” examines the ways in which applications actually enforce access controls, relying upon the authentication and session management mechanisms to do so. We describe various ways in which access controls can be broken and the ways in which you can detect and exploit these weaknesses.

Chapter 9, “Injecting Code,” covers a large category of related vulnerabilities, which arise when applications embed user input into interpreted code in an unsafe way. We begin with a detailed examination of SQL injection vulnerabilities, covering the full range of attacks from the most obvious and trivial to advanced exploitation techniques involving out-of-band channels, inference, and time delays. For each kind of vulnerability and attack technique, we describe the relevant differences between three common types of databases: MS-SQL, Oracle, and MySQL. We then cover several other categories of injection vulnerability, including the injection of operating system commands, injection into web scripting languages, and injection into the SOAP, XPath, SMTP, and LDAP protocols.

Chapter 10, “Exploiting Path Traversal,” examines a small but important category of vulnerabilities that arise when user input is passed to file system APIs in an unsafe way, enabling an attacker to retrieve or modify arbitrary files on the web server. We describe various bypasses that may be effective against the defenses commonly implemented to prevent path traversal attacks.
Chapter 11, “Attacking Application Logic,” examines a significant, and frequently overlooked, area of every application’s attack surface: the internal logic which it carries out to implement its functionality. Defects in an application’s logic are extremely varied and are harder to characterize than common vulnerabilities like SQL injection and cross-site scripting. For this reason, we present a series of real-world examples where defective logic has left an application vulnerable, and thereby illustrate the variety of faulty assumptions made by application designers and developers. From these different individual flaws, we derive a series of specific tests that you can perform to locate many types of logic flaws that often go undetected.

Chapter 12, “Attacking Other Users,” covers a large and very topical area of related vulnerabilities which arise when defects within a web application can enable a malicious user of the application to attack other users and compromise them in various ways. The largest vulnerability of this kind is cross-site scripting, a hugely prevalent flaw affecting the vast majority of web applications on the Internet. We examine in detail all of the different flavors of XSS vulnerabilities, and describe an effective methodology for detecting and exploiting even the most obscure manifestations of these. We then look at several other types of attacks against other users, including redirection attacks, HTTP header injection, frame injection, cross-site request forgery, session fixation, exploiting bugs in ActiveX controls, and local privacy attacks.

Chapter 13, “Automating Bespoke Attacks,” does not introduce any new categories of vulnerability, but instead, describes a crucial technique which you need to master to attack web applications effectively. Because every web application is different, most attacks are bespoke (or custom-made) in some way, tailored to the application’s specific behavior and the ways you have discovered to manipulate it to your advantage. They also frequently require issuing a large number of similar requests and monitoring the application’s responses. Performing these requests manually is extremely laborious and one is prone to make mistakes. To become a truly accomplished web application hacker, you need to automate as much of this work as possible, to make your bespoke attacks easier, faster, and more effective. In this chapter, we describe in detail a proven methodology for achieving this.

Chapter 14, “Exploiting Information Disclosure,” examines various ways in which applications leak information when under active attack. When you are performing all of the other types of attacks described in this book, you should always monitor the application to identify further sources of information disclosure that you can exploit. We describe how you can investigate anomalous behavior and error messages to gain a deeper understanding of the application’s internal workings and fine-tune your attack. We also cover ways of manipulating defective error handling to systematically retrieve sensitive information from the application.

Chapter 15, “Attacking Compiled Applications,” examines a set of important vulnerabilities which arise in applications written in native code languages like C and C++. These vulnerabilities include buffer overflows, integer vulnerabilities, and format string flaws. This is a potentially huge topic, and we focus on ways of detecting these vulnerabilities in web applications, and look at some real-world examples of how these have arisen and been exploited.

Chapter 16, “Attacking Application Architecture,” examines an important area of web application security that is frequently overlooked. Many applications employ a tiered architecture, and a failure to segregate different tiers properly often leaves an application vulnerable, enabling an attacker who has found a defect in one component to quickly compromise the entire application. A different range of threats arises in shared hosting environments, where defects or malicious code in one application can sometimes be exploited to compromise the environment itself and other applications running within it.

Chapter 17, “Attacking the Web Server,” describes various ways in which you can target a web application by targeting the web server on which it is running. Vulnerabilities in web servers are broadly composed of defects in their configuration and security flaws within the web server software. This topic is on the boundary of the scope of this book, because the web server is strictly a different component in the technology stack. However, most web applications are intimately bound up with the web server on which they run; therefore, attacks against the web server are included in the book because they can often be used to compromise an application directly, rather than indirectly by first compromising the underlying host.

Chapter 18, “Finding Vulnerabilities in Source Code,” describes a completely different approach to finding security flaws than those described elsewhere within this book. There are many situations in which it may be possible to perform a review of an application’s source code, not all of which require any cooperation from the application’s owner. Reviewing an application’s source code can often be highly effective in discovering vulnerabilities that would be difficult or time-consuming to detect by probing the running application. We describe a methodology, and provide a language-by-language cheat sheet, to enable you to perform an effective code review even if you have very limited programming experience yourself.

Chapter 19, “A Web Application Hacker’s Toolkit,” pulls together in one place the various tools described in the course of this book, and which the authors use when attacking real-world web applications. We describe the strengths and weaknesses of different tools, explain the extent to which any fully automated tool can be effective in finding web application vulnerabilities, and provide some tips and advice for getting the most out of your toolkit.

Chapter 20, “A Web Application Hacker’s Methodology,” contains a comprehensive and structured collation of all the procedures and techniques described in this book. These are organized and ordered according to the logical dependencies between tasks when you are carrying out an actual attack. If you have read and understood all of the vulnerabilities and techniques described in this book, you can use this methodology as a complete checklist and work plan when carrying out an attack against a web application.

Tools You Will Need
This book is strongly geared towards the hands-on techniques that you can use to attack web applications. After reading the book, you will understand the specifics of each individual task, what it involves technically, and why it works in helping you detect and exploit vulnerabilities. The book is emphatically not about downloading some tool, pointing it at a target application, and believing what the tool’s output tells you about the state of the application’s security.

That said, there are several tools which you will find useful, and sometimes indispensable, when performing the tasks and techniques that we describe. All of these are easily available on the Internet, and we recommend that you download and experiment with each tool at the point where it appears in the course of the book.
What’s on the Web Site

The companion web site for this book at www.wiley.com/go/webhacker contains several resources that you will find useful in the course of mastering the techniques we describe and using them to attack actual applications. In particular, the web site contains the following:

■ Source code to some of the scripts we present in the book
■ A list of current links to all of the tools and other resources discussed in the book
■ A handy checklist of the tasks involved in attacking a typical application
■ Answers to the questions posed at the end of each chapter
■ A hacking challenge containing many of the vulnerabilities described in the book
Bring It On

Web application security is a fun and thriving subject. We enjoyed writing this book as much as we continue to enjoy hacking into web applications on a daily basis. We hope that you will also take pleasure from learning about the different techniques we describe and how these can be defended against.

Before going any further, we should mention an important caveat. In most countries, attacking computer systems without the owner’s permission is against the law. The majority of the techniques we describe are illegal if carried out without consent.

The authors are professional penetration testers who routinely attack web applications on behalf of clients, to help them improve their security. In recent years, numerous security professionals and others have acquired criminal records, and ended their careers, by experimenting on or actively attacking computer systems without permission. We urge you to use the information contained in this book only for lawful purposes.
Chapter 1
Web Application (In)security

There is no doubt that web application security is a current and very newsworthy subject. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. Reputation plays a critical role: few people want to do business with an insecure web site, and so few organizations want to disclose details about their own security vulnerabilities or breaches. Hence, it is not trivial to obtain reliable information about the state of web application security today.

This chapter takes a brief look at how web applications have evolved and the many benefits they provide. We present some metrics about vulnerabilities in current web applications, drawn from the authors’ direct experience, demonstrating that the majority of applications are far from secure. We describe the core security problem facing web applications — that users can supply arbitrary input — and the various factors that contribute to their weak security posture. Finally, we describe the latest trends in web application security and the ways in which these may be expected to develop in the near future.
Trang 37The Evolution of Web Applications
In the early days of the Internet, the World Wide Web consisted only of web sites.
These were essentially information repositories containing static documents,and web browsers were invented as a means of retrieving and displaying thosedocuments, as shown in Figure 1-1 The flow of interesting information was one-way, from server to browser Most sites did not authenticate users, because therewas no need to — each user was treated in the same way and presented with thesame information Any security threats arising from hosting a web site relatedlargely to vulnerabilities in web server software (of which there were many) If
an attacker compromised a web server, he would not normally gain access toany sensitive information, because the information held on the server wasalready open to public view Rather, an attacker would typically modify the files
on the server to deface the web site’s contents, or use the server’s storage andbandwidth to distribute “warez.”
Figure 1-1: A traditional web site containing static information
Today, the World Wide Web is almost unrecognizable from its earlier form. The majority of sites on the web are in fact applications (see Figure 1-2). They are highly functional, and rely upon two-way flow of information between the server and browser. They support registration and login, financial transactions, search, and the authoring of content by users. The content presented to users is generated dynamically on the fly, and is often tailored to each specific user. Much of the information processed is private and highly sensitive. Security is therefore a big issue: no one wants to use a web application if they believe their information will be disclosed to unauthorized parties.
Web applications bring with them new and significant security threats. Each application is different and may contain unique vulnerabilities. Most applications are developed in-house, and many by developers who have little understanding of the security problems that may arise in the code they are producing. To deliver their core functionality, web applications normally require connectivity to internal computer systems that contain highly sensitive data and are able to perform powerful business functions. Ten years ago, if you wanted to make a funds transfer, you visited your bank and someone performed it for you; today, you can visit their web application and perform it yourself. An attacker who compromises a web application may be able to steal personal information, carry out financial fraud, and perform malicious actions against other users.
Figure 1-2: A typical web application
Common Web Application Functions
Web applications have been created to perform practically every useful function one could possibly implement online. Examples of web application functions that have risen to prominence in recent years include:
■■ Shopping (Amazon)
■■ Social networking (MySpace)
■■ Banking (Citibank)
■■ Web search (Google)
■■ Auctions (eBay)
■■ Gambling (Betfair)
■■ Web logs (Blogger)
■■ Web mail (Hotmail)
■■ Interactive information (Wikipedia)
In addition to the public Internet, web applications have been widely adopted inside organizations to perform key business functions, including accessing HR services and managing company resources. They are also frequently used to provide an administrative interface to hardware devices such as printers, and other software such as web servers and intrusion detection systems.
Numerous applications that predated the rise of web applications have been migrated to this technology. Business applications like enterprise resource planning (ERP) software, which were previously accessed using a proprietary thick-client application, can now be accessed using a web browser. Software services such as email, which originally required a separate email client, can now be accessed via web interfaces like Outlook Web Access. This trend is continuing as traditional desktop office applications such as word processors and spreadsheets are migrated to web applications, through services like Google Apps and Microsoft Office Live.
The time is fast approaching when the only client software that most computer users will need is a web browser. A hugely diverse range of functions will have been implemented using a shared set of protocols and technologies, and in so doing will have inherited a distinctive range of common security vulnerabilities.

Benefits of Web Applications
It is not difficult to see why web applications have enjoyed such a dramatic rise to prominence. Several technical factors have worked alongside the obvious commercial incentives to drive the revolution that has occurred in the way we use the Internet:
■■ HTTP, the core communications protocol used to access the World Wide Web, is lightweight and connectionless. This provides resilience in the event of communication errors and avoids the need for the server to hold open a network connection to every user as was the case in many legacy client-server applications. HTTP can also be proxied and tunneled over other protocols, allowing for secure communication in any network configuration.
■■ Every web user already has a browser installed on their computer. Web applications deploy their user interface dynamically to the browser, avoiding the need to distribute and manage separate client software, as was the case with pre-web applications. Changes to the interface only need to be implemented once, on the server, and take effect immediately.
■■ Today’s browsers are highly functional, enabling rich and satisfying user interfaces to be built. Web interfaces use standard navigational and input controls that are immediately familiar to users, avoiding the need to learn how each individual application functions. Client-side scripting enables applications to push part of their processing to the client side, and browsers’ capabilities can be extended in arbitrary ways using thick-client components where necessary.
■■ The core technologies and languages used to develop web applications are relatively simple. A wide range of platforms and development tools are available to facilitate the development of powerful applications by relative beginners, and a large quantity of open source code and other resources is available for incorporation into custom-built applications.
Web Application Security
As with any new class of technology, web applications have brought with them a new range of security vulnerabilities. The set of most commonly encountered defects has evolved somewhat over time. New attacks have been conceived that were not considered when existing applications were developed. Some problems have become less prevalent as awareness of them has increased. New technologies have been developed that have introduced new possibilities for exploitation. Some categories of flaws have largely gone away as the result of changes made to web browser software.
Throughout this evolution, compromises of prominent web applications have remained in the news, and there is no sense that a corner has been turned and that these security problems are on the wane. Arguably, web application security is today the most significant battleground between attackers and those with computer resources and data to defend, and it is likely to remain so for the foreseeable future.