Home Page Icon
Home Page
Table of Contents for
Cover
Close
Cover
by Lawrence Landauer, Tom Gallagher, Bryan Jeffries
Hunting Security Bugs
Hunting Security Bugs
Dedication
Foreword
Introduction
Who Is This Book For?
Organization of This Book
System Requirements
Technology Updates
Code Samples and Companion Content
Support for This Book
Questions and Comments
Acknowledgments
1. General Approach to Security Testing
Different Types of Security Testers
An Approach to Security Testing
Understanding Deeply What You Are Testing
Taking It Apart
Thinking Maliciously About Your Target
Callback Verification
Merchandise Returns at a Retail Store
Software Returns
Attacking the Product
Stay Informed About New Attacks
Summary
2. Using Threat Models for Security Testing
Threat Modeling
How Testers Can Leverage a Threat Model
Data Flow Diagrams
Enumeration of Entry Points and Exit Points
Enumeration of Threats
How Testers Should Use a Completed Threat Model
Threats May Be Erroneously Dismissed
Test Cases for the Spam Threat
Test Cases for the Mail Bombing Threat
Test Cases for the Repudiation Threat
Test Cases for Denial of Service and Code Execution Threats
Implementation Rarely Matches the Specification or Threat Model
Summary
3. Finding Entry Points
Finding and Ranking Entry Points
Assessing the Risk of Entry Points
Common Entry Points
Files
Importance to an Attacker
Registered File Types
Unregistered File Types
How to Find This Entry Point
Files Being Accessed by the Application
File Permissions
Filename Extension Information
Sockets
Importance to an Attacker
How to Find This Entry Point
Enumerating the Open Sockets
Monitoring the Network Traffic
HTTP Requests
Importance to an Attacker
How to Find This Entry Point
Named Pipes
Importance to an Attacker
How to Find This Entry Point
Checking the Permissions
Hijacking a Named Pipe
Impersonating the Client
Client Security
Pluggable Protocol Handlers
Importance to an Attacker
How to Find This Entry Point
Malicious Server Responses
Importance to an Attacker
How to Find This Entry Point
Programmatic Interfaces
Importance to an Attacker
How to Find This Entry Point
SQL
Importance to an Attacker
Registry
Importance to an Attacker
How to Find This Entry Point
Determining the Registry Keys Being Accessed
Determining Permissions of Registry Keys
User Interfaces
Importance to an Attacker
How to Find This Entry Point
E-mail
Importance to an Attacker
How to Find This Entry Point
Command-Line Arguments
Importance to an Attacker
How to Find This Entry Point
Environment Variables
Importance to an Attacker
How to Find This Entry Point
Summary
4. Becoming a Malicious Client
Client/Server Interaction
Finding Requests the Server Normally Accepts
Sniffing Network Traffic
Manipulating Network Requests
Using a Proxy to Modify TCP Traffic
Testing HTTP
Understanding a Stateless Protocol
Testing Methods of Receiving Input
Understanding HTML Forms
Form Controls
Tampering with URL Query String Parameters
Tampering with POST Data
Tampering with Cookies
Key Properties of Cookies
How Cookies Are Issued by the Server
Retrieving Cookies
Testing Cookies
Tampering with HTTP Headers
Testing Specific Network Requests Quickly
Testing Tips
Summary
6. Spoofing
Grasping the Importance of Spoofing Issues
Caller ID Spoofing
Spoofing as a Social Engineering Aide
Compromising Voice Mail Using Spoofing
Finding Spoofing Issues
General Spoofing
IP Address Spoofing
TCP
UDP
MAC Address Spoofing
Spoofing Using Network Protocols
Reverse DNS Lookups
SMTP E-mail Messages
HTTP Referer
HTTP User-Agent
User Interface Spoofing
Rewording Dialog Boxes
Reformatting Using Control Characters
Wildcard DNS
Z-Order Spoofing
Misleading URLs and Filenames
Homograph Attacks
URL Redirection Attacks
Username@URL Syntax Attacks
Testing Tips
Summary
7. Information Disclosure
Problems with Information Disclosure
Locating Common Areas of Information Disclosure
Disclosure in Files
Finding Which Files Are Used
Process Explorer
File Monitor
How Files Are Stored
Ensure Data Is Written to a Safe Location
Ensure the Permissions Are Not Weak
Check Predictability of a Filename or Path
Inspecting the Contents of Files
Embedded Metadata
Viewing the Data
Disclosures over a Network
Determine What Data Goes over the Network
Providing Too Much Information
HTTP Referer
Web Beacons
Error Messages
Identifying Interesting Data
Obfuscating Data
Implied Disclosures
Summary
8. Buffer Overflows and Stack and Heap Manipulation
Understanding How Overflows Work
Stack Overflows
Integer Overflows
Heap Overruns
Other Attacks
Testing for Overruns: Where to Look for Cases
Network
Documents and Files
Information Shared Between Users with Higher and Lower Privileges
Programmable Interfaces
Black Box (Functional) Testing
Determining What Data Is Expected
Using Data You Recognize
Knowing the Limits and Bounds
Asking or Reading the Code
Trying the Maximum Intended Allowable Lengths
Using Common Limits
Slowly Growing the Input
Using an Iterative Approach
Maintaining Overall Data Integrity
Encodings/Compression/Encryption
Compound Documents
Offsets/Sizes
References
Fixed-Width Fields
Limited Values (Enumerations)
Dependencies
Delimiters
Strategies for Transforming Normal Data into Overruns
Replacing Null Values
Inserting vs. Overwriting
Adjusting String Lengths
Recognizing Data Structures
Testing Both Primary and Secondary Actions
Prioritizing Test Cases
What to Look For
Crashes
Exceptions
Memory Spikes
Changes in Behavior
Runtime Tools
Bounds Checker
Debugger
Gflags.exe
Fuzzing
White Box Testing
Things to Look For
Data Copying
Duplicate Lengths or Size Data
Parsers
In-Place Expansion of Data
ANSI/OEM to and from Unicode
Relative Path Expansion
Encoding or Decoding
Failing to Null Terminate
Failing to Reset Freed Pointers
Overflow Exploitability
Unicode Data
Filtered Data
Additional Topics
Noncode Execution Overflows Can Be Serious, Too
/GS Compiler Switch
Testing Whether the Binary Was Compiled Using /GS
/GS Information Disclosure Vulnerability
Testing Tips
Summary
9. Format String Attacks
What Are Format Strings?
Understanding Why Format Strings Are a Problem
Anatomy of a printf Call
Misinterpreting the Stack
Overwriting Memory
Testing for Format String Vulnerabilities
Reviewing Code
Black Box Testing
Walkthrough: Seeing a Format String Attack in Action
Finding the Format String Bug
Analyzing Exploitability
Digging Deeper: Working Around Exploitability Problems
Problem: Getting ECX to a Useful Value
Overwriting the Stack Return Address
Problem: Limits on Output per Format Specifier
Problem: No Null Bytes Allowed
Another Format String Specifier Challenge
Building a Simple Payload
The Compiler Is the Payload Coder’s Friend
Draft Exploit Based on WinExec Disassembly
Filling in the Details: What Do You Want to Run Today?
Testing the Payload
Testing Tips
Summary
10. HTML Scripting Attacks
Understanding Reflected Cross-Site Scripting Attacks Against Servers
Example: Reflected XSS in a Search Engine
Understanding Why XSS Attacks Are a Security Concern
Exploiting Server-Reflected XSS Bugs
POSTs Are Exploitable, Too
Example: Exploiting POST Data in helloPostDemo.asp
Getting Victims to Submit Malicious POST Data
Creating a Test to Exploit This Vulnerability
Understanding Persistent XSS Attacks Against Servers
Example: Persistent XSS in a Web Guestbook
Exploiting Persistent XSS Against Servers
Identifying Attackable Data for Reflected and Persistent XSS Attacks
Sometimes More Than the <script> Tag Is Needed
Common Ways Programmers Try to Stop Attacks
HTML-Encoded Data Doesn’t Always Stop the Attack
Stuck in a Script Block
Using Events
Using Styles
Scripting Protocols
Understanding Reflected XSS Attacks Against Local Files
Example: Local HTML File Reflected XSS
Exploiting Reflected XSS Bugs in Local Files
Understanding Why Local XSS Bugs Are an Issue
Using Local XSS Bugs to Run Binaries on the Victim’s Machine
HTML Resources
Finding HTML Resources in Files
Example of Running Script Through HTML Resources
Compiled Help Files
Using HTML Help Workshop to Decompile a CHM File
Example of XSS in a CHM File
Exploiting CHMs Using Protocol Handlers
Finding XSS Bugs in Client-Side Script
Understanding Script Injection Attacks in the My Computer Zone
Example: Script Injection in Winamp Playlist
Non-HTML Files Parsed as HTML
Ways Programmers Try to Prevent HTML Scripting Attacks
Filters
Removing Strings from Input Before Returning It
Blocking Breaking Out of an Attribute by Escaping
Gaining In-Depth Understanding of the Browser’s Parser
Comments in Styles
Character Sets
ASP.NET Built-in Filters
Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
Links from the Internet to the My Computer Zone Are Blocked
Script Disabled in the My Computer Zone by Default
Identifying HTML Scripting Vulnerabilities
Finding HTML Scripting Bugs Through Code Review
Identifying All Places Content Is Returned to the Web Browser or File System
Determining Whether Output Contains Attacker-Supplied Data
Verifying That Attacker Data Is Properly Validated and/or Encoded
ASP.NET Automatically Encodes the Data... Sometimes
Summary
11. XML Issues
Testing Non-XML Security Issues in XML Input Files
Well-Formed XML
Valid XML
Including Nonalphanumeric Data in XML Input
CDATA
Character References
Testing Really Simple Syndication
Testing XML-Specific Attacks
Entities
Infinite Entity Reference Loops
XML Bombs
External Entities
XML Injection
XML Data Injection
Extensible Stylesheet Language (XSL)
XPath/XQuery Injection
Large File References
Simple Object Access Protocol
Testing SOAP
SOAP Array DoS Attacks
SOAP XML Bombs
Testing Tips
Summary
12. Canonicalization Issues
Understanding the Importance of Canonicalization Issues
Finding Canonicalization Issues
File-Based Canonicalization Issues
Directory Traversal
Defeating Filename Extension Checks
Understanding Filename Extension Precedence
Using Trailing Characters
NTFS Data Streams
When Filename Extensions Do Not Matter
Other Common Mistakes That Lead to Canonicalization Issues
Using Short Filenames vs. Long Filenames
Exploiting Casing Issues
Specifying DOS Device Names
Accessing UNC Shares
Understanding Search Paths
Web-Based Canonicalization Issues
Encoding Issues
Using Hexadecimal Escape Codes
Using Overlong UTF-8 Encoding
Using UCS-2 Unicode Encoding
Selecting Other Character Encodings
Double Encoding Characters
Using HTML Escape Codes
HTML Entities
URL Issues
Handling SSL URLs
Handling Domain Name Parsing
Dotless IP Addresses
IPv6 Formats
Handling Credentials in a URL
Testing Tips
Summary
13. Finding Weak Permissions
Understanding the Importance of Permissions
Finding Permissions Problems
Understanding the Windows Access Control Mechanism
What Is a Securable Object?
What Is a Security Descriptor?
What Is an ACL?
What Is an ACE?
Finding and Analyzing Permissions on Objects
Using the Windows Security Properties Dialog Box
Using AccessEnum
Using Process Explorer
Using ObjSD
Using AppVerifier
Recognizing Common Permissions Problems
Weak DACLs
Giving Everyone Access
Giving Large Groups Access
Giving Too Much Access to the Container
Using a Deny ACE
NULL DACLs
Improper Ordering of ACEs
Object Creator
Accessing Resources Indirectly
Forgetting to Revert Permissions
Squatting Attacks
Exploiting Race Conditions
File Links
Symbolic Links
Junctions
Hard Links
Security Concerns with File Links
Determining the Accessibility of Objects
Remotely Accessible Objects
Windows Services
DCOM Objects
Locally Accessible Objects
Other Permissions Considerations
.NET Permissions
SQL Permissions
SQL Triggers
SQL Security Functions
Global Temporary Stored Procedures
Role-Based Security
Summary
14. Denial of Service Attacks
Understanding Types of DoS Attacks
Finding Implementation Flaws
Application Crashes
Poorly Designed Features
Resource Leaks
DOS Device Names Handling
Connection Timeouts
Finding Resource Consumption Flaws
CPU Consumption
Analyzing Algorithm Costs
Understanding Recursive Calls
Memory Consumption
Disk Space Consumption
Disk Quota
Logging Errors
Decompression Bombs
Bandwidth Consumption
Finding Solutions for a Hard Problem
Testing Tips
Summary
16. SQL Injection
Exactly What Is SQL Injection?
Understanding the Importance of SQL Injection
Assessing the Vulnerability of Applications
Finding SQL Injection Issues
Using a Black Box Testing Approach
Determine Which SQL Statements Are Executed
Determine Whether User-Supplied Data Is Used in SQL Statements
Using Techniques to Break Out of SQL Queries
String Fields
Number Fields
Using SQL Comments
ORDER BY Clause
LIKE Clause
SQL Functions
Using Square Brackets
Using Double Quotation Marks
Injection in Stored Procedures
Injection by Data Truncation
Batch Transactions
Using Code Reviews
Identifying Places That Construct and Execute SQL Statements
Sanitizing User-Supplied Data
Avoiding Common Mistakes About SQL Injection
Escape Single Quotation Marks in Input
Remove Semicolons to Block Multiple Statements
Use Only Stored Procedures
Remove Unwanted Stored Procedures
Place the Computer That Runs SQL Server Behind a Firewall
Understanding Repurposing of SQL Stored Procedures
Example: Backing Up Documents
Hunting for Stored Procedure Repurposing Issues
Recognizing Similar Injection Attacks
Testing Tips
Summary
17. Observation and Reverse Engineering
Observation Without a Debugger or Disassembler
Comparing Output
Output Can Become Input
How Does Comparing Output Help Your Testing?
Using Monitoring Tools
Logger/Log Viewer
Using a Debugger to Trace Program Execution and Change its Behavior
Modifying Execution Flow to Bypass Restrictions
Patching Binaries
Example: Challenging the Robustness of a Copy Protection Check from a Binary
Reading and Modifying Memory Contents Under a Debugger
Example: Setting a Breakpoint on Memory to Understand How User Input Is Used
Using a Decompiler or Disassembler to Reverse Engineer a Program
Understanding Differences Between Native Code and Bytecode Binaries
Spotting Insecure Function Calls Without Source Code
Example: Finding Format String Vulnerabilities Without Source Code
Reverse Engineering Algorithms to Identify Security Flaws
Example: Finding an Implementation Flaw in Authentication Code
Analyzing Security Updates
Testing Tips
Legal Considerations
Summary
18. ActiveX Repurposing Attacks
Understanding ActiveX Controls
Creating ActiveX Controls in Internet Explorer
Initializing and Scripting ActiveX Controls
Repurposing ActiveX Controls
Using ActiveX SiteLock
ActiveX Repurposing: Causes
Understanding the ActiveX Control Security Model
Installation
Instantiation (Instance Creation)
Initialization
Scripting
Using the ActiveX Control Testing Methodology
Discovering How the Control Works
Tools of Interest
Tool: Object Browser
Tool: OLEView
Tool: ActiveX Control Test Container
Tool: COMRaider
Member-Level Threat Modeling
Additional Testing Tricks and Techniques
Exception Handlers: Using try-catch
Return Values
Nested Objects
Control Persistence – Browser Helper Objects (BHOs)
Server Redirection
Bypassing Browser Security Settings
Namespaces and Behaviors
ActiveX Control Testing Walkthrough
Clear
ClipboardCopy
ClipboardPaste
InvokeRTFEditor
How Can an Attacker Specify the Editor InvokeRTFEditor Uses?
Can an Attacker Bypass the Prompt?
Can an Attacker Spoof the Prompt?
How Is the Editor Launched?
Which Component Creates the TomCC9.tmp File?
Where Is the TomCC9.tmp File Stored?
Is Data from the Control Pumped into the Editor? How?
But Wait, There Is More!
LoadRTF
NumChars
RTFEditor Property
RTFEditor PARAM
RTFEditorOverride
Challenge
Testing Tips
Summary
19. Additional Repurposing Attacks
Understanding Document Formats That Request External Data
Common Mitigation for Document Formats Requesting External Data
Testing Document Formats That Request External Data
Web Pages Requesting External Data
CSRF Through Query String URLs
CSRF Through POST Data
Common Ways to Prevent CSRF Attacks
CSRF Through SOAP Data
Testing for CSRF Attacks
Understanding Repurposing of Window and Thread Messages
Testing for Shatter Attacks
Summary
20. Reporting Security Bugs
Reporting the Issue
Contacting the Vendor
What to Expect After Contacting the Vendor
Dealing with Unresponsive Vendors
Public Disclosure
Deciding on the Amount of Detail
Timing the Disclosure
Addressing Security Bugs in Your Product
Communicating with Bug Finders
Identifying the Root Cause
Looking for Related Bugs
Determining Affected Products and Versions
Testing the Fix
Determining Mitigations and Workarounds
Releasing Patches Simultaneously for All Affected Products and Versions
Summary
A. Tools of the Trade
General
ActiveX/COM
Canonicalization
Code Analysis
Debugging
Documents and Binaries
Fuzzers
Memory/Runtime
Network
Permissions
SQL
B. Security Test Cases Cheat Sheet
Network Requests and Responses
Sample Test Cases
Spoofing
Sample Test Cases
Information Disclosures
Sample Test Cases
Buffer Overflows
Sample Test Cases
Format Strings
Sample Test Cases
Cross-Site Scripting and Script Injection
Sample Test Cases
XML
Sample Test Cases
SOAP
Sample Test Cases
Canonicalization Issues
Sample Test Cases
Weak Permissions
Sample Test Cases
Denial of Service
Sample Test Cases
Managed Code
Sample Test Cases
SQL Injection
Sample Test Cases
ActiveX
Sample Test Cases
C.
Tom Gallagher
Bryan Jeffries
Lawrence Landauer
About the Authors
Copyright
Search in book...
Toggle Font Controls
Playlists
Add To
Create new playlist
Name your new playlist
Playlist description (optional)
Cancel
Create playlist
Sign In
Email address
Password
Forgot Password?
Create account
Login
or
Continue with Facebook
Continue with Google
Sign Up
Full Name
Email address
Confirm Email Address
Password
Login
Create account
or
Continue with Facebook
Continue with Google
Next
Next Chapter
Hunting Security Bugs
Add Highlight
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click
here
login for view all page.
Day Mode
Cloud Mode
Night Mode
Reset