AJAX - The Complete Reference


PART II


Chapter 7: Security Concerns 287


Web Application Attack Review


Eventually, whether careful reconnaissance is performed or not, the attack on the Web
application begins. The attack may target many areas, from network protocol issues to
operating system flaws, but we stay focused on application-level intrusions, which in turn
means focusing on inputs and outputs. As you well know by now, data is transmitted back and
forth via query strings in GET requests or message bodies in POSTs. Headers are also used
for data transmission, particularly for preserving the state and authentication of the user
through cookies carried in HTTP headers. State information may also be preserved in hidden
form fields transmitted like other data, or even in a URL. No matter what their intent is or
what they are called, the potential intruder's methods abuse the trust that the site places in
its inputs, and the countermeasure is always a variation of filtering or outright rejection of
unexpected input. To drive home the point of always needing to sanitize input values, consider
how an intruder thinks when looking at the following short XHTML form fragment that might
belong to a simple login form:

<form action="/actions/dologin" method="POST">
<input type="hidden" name="SAC" value="20erGFGhhsd" /><br />
<input type="text" name="username" size="20" maxlength="20" /><br />
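One way to handle that form on the server, as an added example in JavaScript that is not code from the book: the field allowlist, the rule patterns and the session lookup are assumptions, and the SAC value is the one shown in the fragment.

```javascript
// Added example, not code from the book. Server-side checks for the
// /actions/dologin POST: every submitted field must be expected and
// well-formed, the hidden SAC value must match the one the session issued,
// and the 20-character maxlength is enforced again here, because form
// attributes only constrain well-behaved browsers, not the intruder.

// Assumed field rules: the fragment shows SAC and username; any further
// field of the real form would get its own entry in this allowlist.
const FIELD_RULES = {
  SAC: /^[A-Za-z0-9]{8,32}$/,          // opaque per-session token
  username: /^[A-Za-z0-9_.-]{1,20}$/,  // same cap as the form's maxlength
};

// Constant-time comparison of two equal-length tokens, so a mismatch is
// not revealed through timing (the length itself is not secret here).
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// body: parsed POST body as field name -> string, or string[] when a name
// was repeated. sessionSac: the SAC stored server-side when the form was
// rendered. Returns { ok, errors } so the caller can reject and log.
function validateLoginPost(body, sessionSac) {
  const errors = [];
  for (const name of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(FIELD_RULES, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }
  for (const [name, rule] of Object.entries(FIELD_RULES)) {
    const value = body[name];
    if (value === undefined) { errors.push(`missing field: ${name}`); continue; }
    if (Array.isArray(value)) { errors.push(`repeated field: ${name}`); continue; }
    if (typeof value !== 'string' || !rule.test(value)) {
      errors.push(`malformed field: ${name}`);
    }
  }
  if (typeof body.SAC === 'string' && !tokensMatch(body.SAC, sessionSac)) {
    errors.push('SAC does not match session');
  }
  return { ok: errors.length === 0, errors };
}
// Constructed sample submissions; the SAC value is the one in the fragment.
const sessionSac = '20erGFGhhsd';
const good = validateLoginPost({ SAC: sessionSac, username: 'jsmith' }, sessionSac);
const tooLong = validateLoginPost({ SAC: sessionSac, username: 'x'.repeat(21) }, sessionSac);
const tampered = validateLoginPost({ SAC: 'AAAAAAAAAAA', username: 'jsmith', debug: '1' }, sessionSac);
```

Rejecting the request on any error and logging which check failed is what later makes a brute-force probe visible in the logs.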

What They Want to Know: Who built the site

Why They Want to Know It:
  - To understand what accounts could be used for a password attack
  - To attack the administrator elsewhere, where security may be lower, because
    credentials such as passwords are often reused
  - To plan some social engineering attack

How They Determine It:
  - Looking at HTML, CSS, and JavaScript comments
  - Studying any mailto: links
  - Finding "about this site" pages
  - Looking at WHOIS records or other public profiles

Possible Countermeasures:
  - Removing comments
  - Using role accounts like [email protected]
  - Being aware of readership when promoting team members on a Web site
  - Using a role account or a specified individual for all public profiles of
    site ownership and construction

What They Want to Know: How actively you monitor

Why They Want to Know It:
  - To find how aware you are of negative activity, in order to determine how
    cautious they must be in their attacks

How They Determine It:
  - Doing an initial brute-force probe with some tool from another location to
    see if there is any reaction such as IP blocking

Possible Countermeasures:
  - Actively monitoring logs and using an intrusion detection system, and
    potentially a Web application firewall in passive mode, considering a strong
    blocking reaction to suggest to the intruder that they move elsewhere

TABLE 7-1 Web Application Reconnaissance Goals, Methods, and Countermeasures (continued)