Sunday, June 28, 2009

Where do you start when hacking a web application?

Many of the web applications out there today claim that they are secure. According to The Web Application Hacker's Handbook, many sites tout their use of SSL as the basis for that claim. SSL is certainly good: it prevents eavesdropping and keeps your content safe between browser and server over the Internet. It protects only the transport, though, not what the application does with the content once it arrives.

The fundamental security problem with most web applications is that the input is not under the direct control of the application. Users all over the world can submit arbitrary input to it. The developers of the target application must therefore assume that each piece of input is malicious. The list of the Top 25 Most Dangerous Programming Errors, compiled by the SANS Institute and MITRE in January 2009, places at the top two errors that revolve around malicious input and improper escaping of output.

The simple fact is that any user anywhere in the world can craft a special string for any publicly accessible application that wreaks havoc on the organization. Couple that with the fact that the user doesn't have to use a web browser to interact with the application. Numerous freely downloadable tools can interact with web applications directly; some even trap the request from the client before it reaches the server and let the attacker modify parameters, bypassing any validation the browser performed.
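To make the point concrete from the defender's side, here is an added example (my own code, not from the blog or from the book it cites) of the same request handled two ways. `trusting_handler` assumes the browser form already limited the fields; `hardened_handler` re-validates every field on the server against an allowlist and escapes the values before they go back into HTML. Both request dictionaries, the field names `name` and `qty`, and the 1..10 range are constructed for the example; `TAMPERED_REQUEST` stands for what the server sees once a client-side tool has edited the request after the browser's own checks ran.

```python
import html
import re
from dataclasses import dataclass

# Constructed sample requests (not captured traffic). Assume the HTML form
# limits "qty" to 1..10 and "name" to letters via browser-side attributes;
# a request edited outside the browser ignores both limits, so the server
# receives whatever the client chose to send.
BROWSER_REQUEST = {"name": "Alice", "qty": "3"}
TAMPERED_REQUEST = {"name": "<script>alert(1)</script>", "qty": "-999999"}


@dataclass
class Order:
    name: str
    qty: int


class ValidationError(ValueError):
    """Raised when a field fails server-side validation."""


def trusting_handler(params):
    """'Before': trusts that the browser already validated the fields.
    Returns the HTML fragment that would later be shown to other users."""
    qty = int(params["qty"])      # accepts negatives and huge values...
    name = params["name"]         # ...and passes raw markup straight through
    return f"<li>{name} ordered {qty}</li>"


# Allowlists: what a valid value looks like, not a denylist of bad characters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")
QTY_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only; str.isdigit() is looser


def hardened_handler(params):
    """'After': re-validates every field on the server (CWE-20 territory),
    then escapes the values before placing them into HTML (CWE-116)."""
    name = params.get("name", "")
    if not NAME_RE.fullmatch(name):
        raise ValidationError("name must be 1-40 letters, spaces, hyphens or apostrophes")
    qty_raw = params.get("qty", "")
    if not QTY_RE.fullmatch(qty_raw):   # rejects "-5", "1e9", "", " 3"
        raise ValidationError("qty must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= 10:
        raise ValidationError("qty must be between 1 and 10")
    order = Order(name=name, qty=qty)
    # Escape even validated data: if NAME_RE is ever relaxed, the output
    # still cannot turn into markup.
    return f"<li>{html.escape(order.name)} ordered {order.qty}</li>"


if __name__ == "__main__":
    print(trusting_handler(TAMPERED_REQUEST))   # markup and bogus quantity go straight through
    print(hardened_handler(BROWSER_REQUEST))
    try:
        hardened_handler(TAMPERED_REQUEST)
    except ValidationError as err:
        print("rejected:", err)
```

The design point is that the server never learns whether a browser, a script, or an intercepting proxy produced the request, so the browser-side checks are a usability feature and the server-side allowlist plus output escaping is the actual control.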

The next post will get into the beginnings of using tools to completely map a target application.

Tuesday, June 16, 2009

Changing direction....

I decided that I needed to stop the Metasploit experimentation and go back to the basics of web application security. The Raleigh OWASP chapter got together this June to talk about how to use certain software that is useful in performing network penetration testing, and I thought that would be a great place to start. I am going to start a blog series on using these tools and techniques to try to break your own or someone else's web application defenses.

On our OWASP listserv someone mentioned a book that I looked into, and as a newbie I think it is pretty awesome. It is called The Web Application Hacker's Handbook. Here is the information from Amazon:

I didn't buy it from Amazon but I was able to utilize my Safari Books online account to start reading the book. According to the book's introduction, this book is a practical guide to discovering and exploiting security flaws within web applications.

What I like about this book is the way the authors describe the process of hacking in logical steps. They start out by telling you why mapping your target application is important. Then they tell you in detailed steps how to do it. In addition, they list the tools that assist you in performing the tasks. The more experienced members of the OWASP group have told me about these same tools as listed in the book, so they seem to be up to date and topical.

In future postings, I will get into how I started using this book and which tools I have downloaded and installed. Hopefully, Metasploit will make more sense to me once I have a chance to get through this book!

On a related note, I thought it would be a good idea to spend the summer before school starts this semester studying for the CISSP certification exam. It costs around $500 to sit, and the next test is in November. I would have to take the associate exam since I don't have the required professional security experience, but it would be good for my career to pass it. Stay tuned.