286 Part II: Developing an Ajax Library

TABLE 7-1 Web Application Reconnaissance Goals, Methods, and Countermeasures (continued)

Columns: What They Want to Know | Why They Want to Know It | How They Determine It | Possible Countermeasures

What They Want to Know: Web application framework

Why They Want to Know It:
  - To look for bugs specific to the development environment
  - To look for sessioning exploits
  - To look for configuration or admin access defaults for administration of the determined framework

How They Determine It:
  - Looking at the file extensions (.php, .aspx, and so on)
  - Looking for the session cookie header and vanity X-Powered-By headers in responses
  - Seeing if error messages indicate the type, version, and setup of a framework
  - Looking for configuration and Web interface logins

Possible Countermeasures:
  - Changing to .html or simply removing or rewriting file extensions
  - Modifying the default session cookie name to be generic, or masking it. Removing X- response headers
  - Deploying sanitized error messages
  - Moving standard admin locations and changing default usernames and passwords

What They Want to Know: Database used

Why They Want to Know It:
  - To understand SQL injection syntax possibilities
  - To determine if known exploits exist
  - To see if direct admin access to the DB can be found

How They Determine It:
  - Looking at error messages by triggering some problem on a database-driven page
  - Using a network scanner to see what ports are open to the database and trying to attach with an admin tool

Possible Countermeasures:
  - Sanitizing your error messages
  - Setting the firewall appropriately and changing administrator defaults. In general, avoiding the use of administrative accounts for Web application access

What They Want to Know: Details about application structure and construction

Why They Want to Know It:
  - To determine what inputs and types are accepted by the application, to see if some can be manipulated for error, XSS exploit, or even access

How They Determine It:
  - Spidering the site and pulling out the names of form fields, scripts, and other inputs
  - Looking at the robots.txt file for protected areas
  - Looking for files left on the server with extensions like .bak, .tmp, .old, or the various scratch file names Web editors use, as they may be fetched in some cases without execution (for example, Foo.php.bak)
  - Using Google to see what they have indexed

Possible Countermeasures:
  - Using nonmeaningful names for fields in deployed code if they are not to be scripted
  - Putting in a blank file, or adding purposeful tripwire directories that don't exist, to monitor for access
  - Removing all scratch files from the site. Not indicating the editor used to build pages in <meta> tags in the HTML. Obfuscating script on the server in case it is exposed accidentally, so as not to reveal secrets like DB access passwords
  - Making sure you are aware of what Google indexes
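The first and third rows of the table can be turned into a self-audit that a site owner runs over their own responses before deployment. The following is an added example, not code from the book; the cookie names, extensions and vanity headers it checks are assumed common defaults, and the sample response is constructed.

```python
import re
from urllib.parse import urlparse

# Disclosure signals from the "How They Determine It" column. The concrete
# values are assumed common defaults, not a list taken from the book.
DEFAULT_SESSION_COOKIES = {
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "JSESSIONID": "Java servlet container",
}
TELLTALE_EXTENSIONS = (".php", ".aspx", ".asp", ".jsp", ".cfm")
VANITY_HEADERS = ("x-powered-by", "x-aspnet-version")


def audit_response(url, headers, body):
    """Return (signal, detail, countermeasure) tuples for one HTTP response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    """
    findings = []
    path = urlparse(url).path.lower()
    for ext in TELLTALE_EXTENSIONS:              # file extension reveals the stack
        if path.endswith(ext):
            findings.append(("extension", ext, "rewrite or drop the extension"))
    for name, value in headers:
        lname = name.lower()
        if lname in VANITY_HEADERS:              # X-Powered-By style headers
            findings.append(("vanity-header", f"{name}: {value}", "remove header"))
        elif lname == "set-cookie":              # default session cookie name
            cookie = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie in DEFAULT_SESSION_COOKIES:
                findings.append(("session-cookie",
                                 f"{cookie} ({DEFAULT_SESSION_COOKIES[cookie]})",
                                 "rename session cookie to a generic name"))
    m = re.search(r'<meta[^>]*name=["\']generator["\'][^>]*content=["\']([^"\']+)',
                  body, re.IGNORECASE)           # editor <meta> tag in the HTML
    if m:
        findings.append(("meta-generator", m.group(1), "strip editor meta tags"))
    return findings


# Constructed sample response, not captured from any real site.
SAMPLE_URL = "https://example.test/account/login.php"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Powered-By", "PHP/5.2.4"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Set-Cookie", "theme=dark; path=/"),
]
SAMPLE_BODY = '<html><head><meta name="generator" content="Dreamweaver 8"></head></html>'

if __name__ == "__main__":
    for signal, detail, fix in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{signal:15} {detail:35} -> {fix}")
```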