Chapter 17 - Web Applications
blog December 19th, 2006
Overview
You can’t do professional software security assessment for very long before you’re required to analyze web software. We wanted to write a chapter that could teach a technical reader the fundamentals of web technology and auditing web applications. This chapter tries to be somewhat platform-agnostic, and tries to teach the core skills and knowledge necessary without getting too mired in the details of specific web frameworks. We essentially tried to write a chapter that we would have found useful when we first started auditing web software.
Security experts have to be able to roll with the punches, and confidently approach technology with which they don’t possess much familiarity. The web landscape is so vast and complex that you could easily completely dedicate your career to web security and still run into unfamiliar technology on a regular basis.
External Resources
RFC 2616 - HTTP 1.1
RFC 2396 - Uniform Resource Identifiers (URI): Generic Syntax
Various CGI Standards
The SecurityFocus Portal
The Packet Storm Database
The Paros Proxy
The SPIKE Proxy
NextGenSS White Papers
SPI Dynamics White Papers
The cgisecurity.net Database
External References
Jesse Burns' XSRF Paper, "Cross Site Reference Forgery." (Page 1032)
Eric Johanson’s IDN Homograph attack. (Page 1060)
Samy’s MySpace worm. (Page 1074)
The JAD Java decompiler. (Page 1078)
Relevant Blog Posts
Copy Editors are scary
Stored Procedure SQL Injection Cheat Sheet
SQL Injection/Truncation in Stored Procedures
Further Reading and Discussion
The OWASP site is probably very useful. At a minimum, you should know what the OWASP top ten are so that you can misrepresent your IPS product or XML firewall as covering them. ;>
We need an explanation of the browser security model to really solidify the XSS discussion, and talk about XSRF and other similar attacks. This will make for a good blog post for Dr. Schuh.
One thing we’ve been finding a lot of recently is SQL injection inside stored procedures, which is something we don’t cover well enough. So, look for a blog post about this too, which will also cover T-SQL SQL truncation.
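As an added illustration of the stored-procedure injection and truncation pattern mentioned above (example code written for this page, not from the book or from Matt Fisher's cheat sheet), here is a T-SQL procedure that builds dynamic SQL by string concatenation, followed by the same procedure rewritten to pass the caller's value through sp_executesql as a bound parameter. The dbo.Users table and its columns are assumed.

```sql
-- Constructed example: a lookup procedure that builds its query by concatenation.
-- Because @UserName is spliced into the statement text, anything in it that
-- closes the quoted literal becomes part of what EXEC runs. The fixed-length
-- @Sql buffer is a second weakness: if the concatenated text exceeds 200
-- characters, SET silently truncates it (no error is raised), so the statement
-- that actually runs can differ from the one the author wrote.
CREATE PROCEDURE dbo.GetUserByName_Unsafe
    @UserName nvarchar(128)
AS
BEGIN
    DECLARE @Sql nvarchar(200);
    SET @Sql = N'SELECT UserId, UserName, Email FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@Sql);   -- @UserName is interpreted as code, not treated as data
END;
GO

-- Hardened form: the statement text is a constant, and the caller's value is
-- handed to sp_executesql as a typed parameter, so it can only ever be data.
-- Using nvarchar(max) for the buffer removes the silent-truncation problem too.
CREATE PROCEDURE dbo.GetUserByName
    @UserName nvarchar(128)
AS
BEGIN
    DECLARE @Sql nvarchar(max);
    SET @Sql = N'SELECT UserId, UserName, Email '
             + N'FROM dbo.Users WHERE UserName = @Name;';
    EXEC sp_executesql
        @Sql,
        N'@Name nvarchar(128)',
        @Name = @UserName;
END;
GO

-- When dynamic SQL is unavoidable (for example a table name chosen at runtime),
-- sp_executesql cannot bind identifiers: validate the name against sys.tables
-- and wrap it with QUOTENAME() instead of concatenating it raw.
```

When reviewing a database for this class of bug, grep the procedure definitions in sys.sql_modules for EXEC ( and concatenation into a fixed-size nvarchar variable; those two patterns together are the signature of both problems above.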
Session fixation, XSRF, and LDAP injection are all issues that could use some more exposition. We’ll try to collect some links and revisit this section.
There are a few web sites we forgot to mention in the chapter. Whitehat Security has some good articles, and Jeremiah Grossman’s blog is excellent web-reading. Stephen Kost at Integrigy has put together some good articles. There are plenty more, which we’ll add shortly. Please feel free to send in links to resources you find useful!

Matt Fisher has noted that MS SQL Server has a neat feature when it does implicit conversions of types - it executes SQL statements stored in the type as if they were used in a convert statement.