PART II
Chapter 7: Security Concerns 287
Web Application Attack Review
Eventually, whether careful reconnaissance has been performed or not, the attack on the Web
application begins. The attack may target many areas, from network protocol issues to
operating system flaws, but we stay focused on application-level intrusions, which in turn
focus on inputs and outputs. As you well know by now, data is transmitted back and forth
via query strings in GET requests or message bodies in POSTs. Headers are also used for
data transmission, particularly for preserving the user's state and authentication through
cookies carried in HTTP headers. However, state information may also be preserved in
hidden form fields, transmitted like any other form data, or even in a URL. No matter what
their intent is or what they are called, the potential intruder's methods abuse the trust that
the site places in its inputs, and the countermeasure is always some variation of filtering or
outright rejection of unexpected input. To drive home the point that input values always
need to be sanitized, consider how an intruder thinks when looking at the following short
XHTML form fragment, which might belong to a simple login form:
<form action="/actions/dologin" method="POST">
<input type="hidden" name="SAC" value="20erGFGhhsd" /><br />
<input type="text" name="username" size="20" maxlength="20" /><br />
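The server-side view of that fragment, as an added example that is not the book's own code: a handler for the /actions/dologin action treats every submitted value, the hidden SAC field included, as untrusted. It assumes (these assumptions are not stated in the book) that SAC is a per-session anti-forgery token the server issued earlier and stored in the session, and that a username is 1 to 20 characters drawn from letters, digits, dot, underscore and hyphen; the maxlength="20" attribute is only advice to the browser and is enforced again here.

```python
import hmac
import re
import secrets
from typing import Dict, Tuple

# Assumptions (not from the book): the hidden SAC field is a per-session
# anti-forgery token that the server issued earlier and stored in the session,
# and a username is 1-20 characters of letters, digits, '.', '_' or '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")
# Only the fields visible in the fragment; anything else in the request is unexpected.
EXPECTED_FIELDS = {"SAC", "username"}


def issue_token(session: Dict[str, str]) -> str:
    """Create the value for the SAC hidden field and keep a server-side copy."""
    token = secrets.token_urlsafe(16)
    session["sac"] = token
    return token


def validate_login_request(form: Dict[str, str], session: Dict[str, str]) -> Tuple[bool, str]:
    """Check one POST to /actions/dologin; returns (accepted, reason).

    Every value in `form` is client-controlled, including the hidden field and
    anything the browser's maxlength attribute claims to have limited.
    """
    # 1. Reject a field set that differs from the form we published.
    if set(form) != EXPECTED_FIELDS:
        return False, "unexpected field set"
    # 2. The hidden SAC value must equal the server-side copy; compare in
    #    constant time so a mismatch does not leak how many bytes matched.
    expected = session.get("sac")
    if not expected or not hmac.compare_digest(form["SAC"].encode(), expected.encode()):
        return False, "bad token"
    # 3. maxlength="20" is only advice to the browser; enforce the length and
    #    character set here, rejecting rather than trying to clean the value.
    if not USERNAME_RE.fullmatch(form["username"]):
        return False, "invalid username"
    return True, "ok"


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_token(session)
    # Constructed requests: one well-formed, three carrying unexpected input.
    for form in (
        {"SAC": token, "username": "alice"},
        {"SAC": token, "username": "a" * 21},                 # longer than maxlength
        {"SAC": "20erGFGhhsd", "username": "alice"},          # token copied from a stale page
        {"SAC": token, "username": "alice", "extra": "1"},    # field the form never had
    ):
        print(sorted(form), "->", validate_login_request(form, session))
```

Rejecting rather than repairing a bad value keeps the check simple and auditable; the reason string is for the server log, not for the response sent back to the client.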
TABLE 7-1 Web Application Reconnaissance Goals, Methods, and Countermeasures (continued)

What They Want to Know: Who built the site
Why They Want to Know It:
  - To understand what accounts could be used for a password attack
  - To attack the administrator elsewhere, where security may be lower, because credentials such as passwords are often reused
  - To plan some social engineering attack
How They Determine It:
  - Looking at HTML, CSS, and JavaScript comments
  - Studying any mailto: links
  - Finding "about this site" pages
  - Looking at the WHOIS record or other public profiles
Possible Countermeasures:
  - Removing comments
  - Using role accounts (generic, non-personal addresses) for site contact information
  - Being aware of readership when promoting team members on a Web site
  - Using a role account or a specified individual for all public profiles of site ownership and construction

What They Want to Know: How actively you monitor
Why They Want to Know It:
  - To find how aware you are of negative activity, and so determine how cautious they must be in their attacks
How They Determine It:
  - Doing an initial brute-force probe with some tool from another location to see if there is any reaction, such as IP blocking
Possible Countermeasures:
  - Actively monitoring logs and using an intrusion detection system, and potentially a Web application firewall in passive mode, considering a strong blocking reaction to suggest to the intruder to move elsewhere
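The "actively monitoring logs" countermeasure in the second row, as an added example that is not from the book: a small scanner that parses Web server access-log lines and flags any client address with a burst of failed logins, which is what the table's "initial brute force probe" would look like from the defender's side. The log lines are constructed for the example (common log format, with /actions/dologin, the form action from the fragment above, answering 401 on a failed login and 302 on success); the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed sample log (not from the book). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /actions/dologin HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /actions/dologin HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /actions/dologin HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /actions/dologin HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /actions/dologin HTTP/1.1" 401 512
203.0.113.7 - - [12/Mar/2024:10:00:06 +0000] "POST /actions/dologin HTTP/1.1" 401 512
192.0.2.4 - - [12/Mar/2024:10:00:00 +0000] "POST /actions/dologin HTTP/1.1" 401 512
192.0.2.4 - - [12/Mar/2024:10:02:00 +0000] "POST /actions/dologin HTTP/1.1" 401 512
192.0.2.4 - - [12/Mar/2024:10:04:00 +0000] "POST /actions/dologin HTTP/1.1" 401 512
192.0.2.4 - - [12/Mar/2024:10:06:00 +0000] "POST /actions/dologin HTTP/1.1" 401 512
192.0.2.4 - - [12/Mar/2024:10:08:00 +0000] "POST /actions/dologin HTTP/1.1" 401 512
198.51.100.9 - - [12/Mar/2024:10:00:05 +0000] "POST /actions/dologin HTTP/1.1" 401 512
198.51.100.9 - - [12/Mar/2024:10:00:30 +0000] "POST /actions/dologin HTTP/1.1" 302 0
198.51.100.9 - - [12/Mar/2024:10:00:31 +0000] "GET /account HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
LOGIN_PATH = "/actions/dologin"   # the form's action attribute


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, int]]:
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_login_probes(log_text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Map each client IP with >= threshold failed logins inside any
    window_seconds-long interval to its largest such count."""
    window = timedelta(seconds=window_seconds)
    failures: Dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, never crash the monitor
        ip, ts, path, status = rec
        if path == LOGIN_PATH and status == 401:
            failures[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):     # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_probes(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

Run over the sample, only 203.0.113.7 is flagged at the default settings; 192.0.2.4 has as many failures but spread two minutes apart, which is why the window matters. Whether the reaction to a flagged address is blocking or only alerting is the trade-off the table describes: a loud block tells the probing party exactly how you react.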