DOCSLIB.ORG

161 and 162 Simple Network Management Protocol (SNMP) 194 Internet Relay Chat (IRC) 443 Hypertext Transfer Protocol Over Secure Socket Layer (HTTPS)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
161 and 162 Simple Network Management Protocol (SNMP) 194 Internet Relay Chat (IRC) 443 Hypertext Transfer Protocol Over Secure Socket Layer (HTTPS) Testing Web Security-Assessing the Security of Web Sites and Applications Steven Splaine Wiley Publishing, Inc. Publisher: Robert Ipsen Editor: Carol Long Developmental Editor: Scott Amerman Managing Editor: John Atkins New Media Editor: Brian Snapp Text Design & Composition: Wiley Composition Services Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. This book is printed on acid-free paper. Copyright © 2002 by Steven Splaine. ISBN:0471232815 All rights reserved. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, Email: <[email protected]>. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data: 0-471-23281-5 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 To my wife Darlene and our sons, Jack and Sam, who every day remind me of just how fortunate I am. To the victims and heroes of September 11, 2001, lest we forget that freedom must always be vigilant. Acknowledgments The topic of Web security is so large and the content is so frequently changing that it is impossible for a single person to understand every aspect of security testing. For this reason alone, this book would not have been possible without the help of the many security consultants, testers, webmasters, project managers, developers, DBAs, LAN administrators, firewall engineers, technical writers, academics, and tool vendors who were kind enough to offer their suggestions and constructive criticisms, which made this book more comprehensive, accurate, and easier to digest. Many thanks to the following team of friends and colleagues who willingly spent many hours of what should have been their free time reviewing this book and/or advising me on how best to proceed with this project. James Bach Joey Maier Rex Black Brian McCaughey Ross Collard Wayne Middleton Rick Craig Claudette Moore Dan Crawford David Parks Yves de Montcheuil Eric Patel Mickey Epperson Roger Rivest Danny Faught Martin Ryan Paul Gerrard John Smentowski Stefan Jaskiel John Splaine Jeff Jones Herbert Thompson Philip Joung Michael Waldmann A special thank-you goes to my wife Darlene and our sons Jack and Sam, for their love and continued support while I was writing this book. I would especially like to thank Jack for understanding why Daddy couldn't go play ball on so many evenings. Professional Acknowledgment I would like to thank everyone who helped me create and then extend Software Quality Engineering's Web Security Testing course (www.sqe.com), the source that provided much of the structure and content for this book. Specifically, many of SQE's staff, students, and clients provided me with numerous suggestions for improving the training course, many of which were subsequently incorporated into this book. STEVEN SPLAINE is a chartered software engineer with more than twenty years of experience in project management, software testing and product development. He is a regular speaker at software testing conferences and lead author of The Web Testing Handbook. Foreword As more and more organizations move to Internet-based and intranet-based applications, they find themselves exposed to new or increased risks to system quality, especially in the areas of performance and security. Steven Splaine's last book, The Web Testing Handbook, provided the reader with tips and techniques for testing performance along with many other important considerations for Web testing, such as functionality. Now Steve takes on the critical issue of testing Web security. Too many users and even testers of Web applications believe that solving their security problems merely entails buying a firewall and connecting the various cables. In this book, Steve identifies this belief as the firewall myth, and I have seen victims of this myth in my own testing, consulting, and training work. This book not only helps dispel this myth, but it also provides practical steps you can take that really will allow you to find and resolve security problems throughout the network. Client-side, server-side, Internet, intranet, outside hackers and inside jobs, software, hardware, networks, and social engineering, it's all covered here. How should you run a penetration test? How can you assess the level of risk inherent in each potential security vulnerability, and test appropriately? When confronted with an existing system or building a new one, how do you keep track of everything that's out there that could conceivably become an entryway for trouble? In a readable way, Steve will show you the ins and outs of Web security testing. This book will be an important resource for me on my next Web testing project. If you are responsible for the testing or security of a Web system, I bet it will be helpful to you, too. Rex Black Rex Black Consulting Bulverde, Texas Preface As the Internet continues to evolve, more and more organizations are replacing their placeholder or brochureware Web sites with mission-critical Web applications designed to generate revenue and integrate with their existing systems. One of the toughest challenges facing those charged with implementing these corporate goals is ensuring that these new storefronts are safe from attack and misuse. Currently, the number of Web sites and Web applications that need to be tested for security vulnerabilities far exceeds the number of security professionals who are sufficiently experienced to carry out such an assessment. Unfortunately, this means that many Web sites and applications are either inadequately tested or simply not tested at all. These organizations are, in effect, playing a game of hacker roulette, just hoping to stay lucky. A significant reason that not enough professionals are able to test the security of a Web site or application is the lack of introductory-level educational material. Much of the educational material available today is either high-level/strategic in nature and aimed at senior management and chief architects who are designing the high-level functionality of the system, or low-level/extremely technical in nature and aimed at experienced developers and network engineers charged with implementing these designs. Testing Web Security is an attempt to fill the need for a straightforward, easy-to-follow book that can be used by anyone who is new to the security-testing field. Readers of my first book that I coauthored with Stefan Jaskiel will find I have retained in this book the checklist format that we found to be so popular with The Web Testing Handbook (Splaine and Jaskiel, 2001) and will thereby hopefully make it easier for security testers to ensure that the developers and network engineers have implemented a system that meets the explicit (and implied) security objectives envisioned by the system's architects and owners. Steven Splaine Tampa, Florida Table of Contents Testing Web Security—Assessing the Security of Web Sites and Applications Foreword Preface Part I - An Introduction to the Book Chapter 1 - Introduction Part II - Planning the Testing Effort Chapter 2 - Test Planning Part III - Test Design Chapter 3 - Network Security Chapter 4 - System Software Security Chapter 5 - Client-Side Application Security Chapter 6 - Server-Side Application Security Sneak Attacks: Guarding Against the Less- Chapter 7 - Thought-of Security Threats Intruder Confusion, Detection, and Chapter 8 - Response Part IV - Test Implementation Chapter 9 - Assessment and Penetration Options Chapter 10 - Risk
Load more

Recommended publications
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Symantec Corporation 2007 Annual Report TWO YEAR SUMMARY of FINANCIAL RESULTS RECONCILIATION of GAAP to NON-GAAP FINANCIALS
    Symantec Corporation 2007 Annual Report TWO YEAR SUMMARY OF FINANCIAL RESULTS RECONCILIATION OF GAAP TO NON-GAAP FINANCIALS Fiscal Year The non-GAAP information reflects the com- ($ in millions, except per share amounts) 2007 2006 bined results of Symantec and Veritas Soft- ware, including adjustments based on the fair Revenue values of assets acquired and liabilities GAAP Revenue $5,199 $4,143 assumed by Symantec as of the actual acqui- Veritas revenue — 559 sition date of July 2, 2005. For comparative Fair value adjustment to Veritas deferred revenue 53 302 purposes, the information presented assumes Non-GAAP Revenue $5,253 $5,004 that the acquisition took place on April 1, 2004. Symantec’s fiscal years ended March 31st Gross Profit whereas Veritas’ fiscal years ended Decem- GAAP Gross Profit $3,984 $3,162 ber 31st. The 2006 fiscal amounts combine Veritas gross profit — 398 Symantec’s 2006 fiscal results with Veritas’ Fair value adjustment to Veritas deferred revenue 53 302 Integration planning — 1 historical results for the three months ended Amortization of acquired product rights 342 386 March 31, 2005. Additional non-GAAP adjust- Amortization of deferred stock-based compensation 16 1 ments consist of: non-cash charges related to Non-GAAP Gross Profit $4,396 $4,250 acquisitions, such as the amortization of intan- gibles and stock-based compensation Operating Expenses expense, and the write-off of in-process GAAP Operating Expenses $3,464 $2,888 research and development; restructuring Veritas operating expenses — 400 charges; integration planning costs; and the Amortization of other intangible assets (202) (196) impact of other special items, such as other Amortization of deferred stock-based compensation (137) (43) stock-based compensation expense, litigation Acquired in-process research and development — (285) matters, gain/loss on investments and related Restructuring (70) (25) Integration planning (1) (27) adjustments to the provision for income taxes, Patent settlement — (2) on our operating results.
    [Show full text]
  • Annual Report 2006 Two Year Summary of Financial Results Reconciliation of Gaap to Non-Gaap Financials
    ANNUAL REPORT 2006 TWO YEAR SUMMARY OF FINANCIAL RESULTS RECONCILIATION OF GAAP TO NON-GAAP FINANCIALS (in millions, except per share amounts) 2006 2005 The non-GAAP information reflects the combined results of Symantec and Veritas Revenue Software, including adjustments based on the fair values of assets acquired and GAAP Revenue $ 4,143 $ 2,583 liabilities assumed by Symantec as of Veritas revenue 559 2,042 the actual acquisition date of July 2, 2005. Fair value adjustment to Veritas deferred revenue 302 - For comparative purposes, the information Non-GAAP Revenue $ 5,004 $ 4,625 presented assumes that the acquisition took place on April 1, 2004. Symantec’s Gross Profit fiscal years ended March 31st whereas GAAP Gross Profit $ 3,162 $ 2,131 Veritas’ fiscal years ended December 31st. Veritas gross profit 398 1,396 The 2005 fiscal year amounts combine Symantec’s 2005 fiscal year with Veritas’ Fair value adjustment to Veritas deferred revenue 302 - 2004 fiscal year. The 2006 fiscal amounts Integration planning 1 - combine Symantec’s 2006 fiscal results Amortization of acquired product rights 386 383 with Veritas’ historical results for the three Amortization of deferred stock-based compensation 1 4 months ended March 31, 2005. Additional Non-GAAP Gross Profit $ 4,250 $ 3,914 non-GAAP adjustments consist of: non-cash charges related to acquisitions, such as Operating Expenses the amortization of intangibles and stock- based compensation expense, and the GAAP Operating Expenses $ 2,888 $ 1,311 write-off of in-process research and devel- Veritas operating expenses 400 1,338 opment; restructuring charges; integration Amortization of other intangible assets (196) (193) planning costs; and the impact of other Amortization of deferred stock-based compensation (43) (24) special items, such as other stock-based Acquired in-process research and development (285) (3) compensation expense, litigation mat- Restructuring (25) 7 ters, gain / loss on investments and related Integration planning (27) (3) adjustments to provision for income taxes, on our operating results.
    [Show full text]
  • Imagine the Possibilities
    2003 ANNUAL REPORT IMAGINE THE POSSIBILITIES Company Profile Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises, and service providers. The company is a leading provider of client, gateway, and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering, remote management tech- nologies, and security services to enterprises and service providers around the world. Symantec’s Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit www.symantec.com. Financial Highlights Fiscal Year Ended (IN MILLIONS, EXCEPT PER SHARE AMOUNTS) 2003 2002 2001 Reported: Revenues $1,407 $1,071 $854 Operating income $342 $8 $110 Net income (loss) $248 ($28) $64 Diluted earnings (loss) per share $1.54 ($0.20) $0.47 Adjusted:* Operating income $390 $258 $215 Net income $280 $201 $184 Diluted earnings per share $1.72 $1.30 $1.17 Reconciliation: Axent net loss n/a n/a $6 Cost of sales – amortization of other intangibles ($30) ($30) ($16) Operating expenses – amortization of goodwill and other intangibles, acquired in-process R&D, and restructuring and site closures ($19) ($219) ($99) Other expense n/a n/a ($24) Income tax benefit $17 $20 $13 Other Information: Cash flow from operations $584 $511 $325 Total assets $3,266 $2,503 $1,792 Stockholders’ equity $1,764 $1,320 $1,377 Employees 4,344 3,910 3,781 *In addition to reporting financial results in accordance with generally accepted accounting principles, or GAAP, we include non-GAAP financial results in our earnings releases and presentations to investors.
    [Show full text]
  • SYMANTEC 2004 ANNUAL REPOR Ensuring Information Integrity
    SYMANTEC 2004 ANNUAL REPOR Ensuring Information Integrity SYMANTEC 2004 ANNUAL REPORT T Corporate Information N Board of Directors Tania Amochaev Donald E. Frischmann Rowan M. Trollope Former Chief Executive Officer Senior Vice President, Vice President, QRS Corporation Communications and Brand Management Security Management Solutions William T. Coleman III Dieter Giesbrecht Giuseppe Verrini Founder, Chairman and Senior Vice President, Vice President, Sales and Marketing, Chief Executive Officer Enterprise Administration Europe, Middle East, and Africa Cassatt Corporation Gail E. Hamilton Arthur W. Wong Franciscus Lion Executive Vice President, Vice President, Security Response Former Board Advisor and Global Services and Support Senior Executive Vice President N Investor Information ABN Amro Bank Thomas W. Kendra Senior Vice President, Worldwide Sales Annual Meeting David L. Mahoney The annual meeting of shareholders will be Former Co-Chief Executive Officer Rebecca A. Ranninger held on Wednesday, September 15, 2004 at McKesson HBOC Senior Vice President, Human Resources 8 a.m. at Symantec’s worldwide headquarters: 20330 Stevens Creek Blvd. Robert S. Miller Enrique T. Salem Senior Vice President, Gateway Solutions Cupertino, CA 95014 Former Chairman of the Board and (408) 517 8000 Chief Executive Officer Bethlehem Steel N Other Senior Executives Stock Exchange Listing Cosmo P. Battinelli Symantec’s common stock trades on George Reyes Vice President, Global Support the Nasdaq under the symbol SYMC. Chief Financial Officer Google Robert A. Clyde Transfer Agent Vice President, Chief Technology Officer EquiServe Trust Company, N.A. Daniel H. Schulman P.O. Box 219045 Chief Executive Officer Lily T. De Los Rios Kansas City, MO 64121 Virgin Mobile USA Vice President, Client Solutions www.equiserve.com (816) 843 4299 John W.
    [Show full text]
  • SYMANTEC CORPORATION (Exact Name of the Registrant As Speciñed in Its Charter) Delaware 77-0181864 (State Or Other Jurisdiction of (I.R.S
    UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 Form 10-K (Mark One) ¥ ANNUAL REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 For the Fiscal Year Ended April 1, 2005 OR n TRANSITION REPORT PURSUANT TO SECTION 13 OR 15(d) OF THE SECURITIES EXCHANGE ACT OF 1934 For the Transition Period from to . Commission File Number 0-17781 SYMANTEC CORPORATION (Exact name of the registrant as speciÑed in its charter) Delaware 77-0181864 (State or other jurisdiction of (I.R.S. Employer incorporation or organization) IdentiÑcation No.) 20330 Stevens Creek Blvd., 95014-2132 Cupertino, California (zip code) (Address of principal executive oÇces) Registrant's telephone number, including area code: (408) 517-8000 Securities registered pursuant to Section 12(b) of the Act: None None (Title of each class) (Name of each exchange on which registered) Securities registered pursuant to Section 12(g) of the Act: Common Stock, par value $0.01 per share, and Related Stock Purchase Rights (Title of class) Indicate by check mark whether the registrant (1) has Ñled all reports required to be Ñled by Section 13 or 15(d) of the Securities Exchange Act of 1934 during the preceding 12 months (or for such shorter period that the registrant was required to Ñle such reports), and (2) has been subject to such Ñling requirements for the past 90 days. Yes ¥ No n Indicate by check mark if disclosure of delinquent Ñlers pursuant to Item 405 of Regulation S-K is not contained herein, and will not be contained, to the best of registrant's knowledge, in deÑnitive proxy or information statements incorporated by reference in Part III of this Form 10-K or any amendment to this Form 10-K.
    [Show full text]
  • 2002 Annual Report
    symantec annual report 2002 new game new rules SELECTED FINANCIAL HIGHLIGHTS revenue net income earnings per in millions in millions diluted share $200.7 $1,071.4 $1.37 $1,071.4 $1.30 $184.2 $944.2 $1.17 $170.1 $853.6 $826.6 $142.5 $745.7 $0.94 $632.2 $592.6 $97.6 $0.67 $0.47 $63.9 $0.43 $50.2 ($28.2) ($0.20) GAAP pro forma 99 00 01 02 99 00 01 02 99 00 01 02 GAAP pro forma revenue by segment FY 2001 FY 2002 FY 2001 FY 2002 enterprise security 33% 42% 37% 42% consumer products 39% 35% 35% 35% enterprise administration 27% 21% 25% 21% services 0% 1% 1% 1% other 1% 1% 2% 1% US/international 52/48% 53/47% 53/47% 53/47% The pro forma financial information includes operating results of AXENT Technologies as if the acquisition had occurred at the beginning of fiscal year 1999 and excludes operating results from Visual Café and ACT! product lines divested on December 31, 1999, one-time charges and acquisition-related amortization charges. This annual report should be read in conjunction with Symantec Corporation’s previously filed Form 10-K for the period ended March 31, 2002. LETTER TO SHAREHOLDERS SYMANTEC ANNUAL REPORT 2002 1 Dear shareholders Despite a challenging economic environment, fiscal 2002 was a year of remarkable accomplishments for our worldwide team. During one of the most destructive malicious code environments in the history of the security industry, a growing number of cus- tomers worldwide turned to Symantec as their trusted partner.
    [Show full text]
  • Copyrighted Material
    4127idx.qxd 6/19/02 5:53 PM Page 503 INDEX Note to the Reader: Throughout this index boldfaced page numbers indicate primary discus- sions of a topic. Italicized page numbers indicate illustrations. Symbols & Numbers ADfilter, 475 ADinf, 146 @nonymouse.com, 409 Adleman, Len, 7 9/11 Contributions hoax, 456 Adleman, Leonard M., 393 “100% Done! Safe recovery successful!” administrator account, attack using, 228 message, 119 ADP file extension, 26, 57 419 Fraud, 350 AdsGone, 470, 475 666test virus, 70, 110 AdSubtract, 470, 475 777 virus, 70 Advanced Rule Settings dialog box (Sygate 2014 virus, 52 Personal Firewall), 294–295, 295 Advanced Settings dialog box (Internet A Connection Firewall), 287, 287 advertising AAAZAO macro, 62 pop-up windows for, 466–472 AAAZFS macro, 62 removing banner and other from Web page, Aadcom, 368 473–476 ABC Banners, 474 spyware for, 366–368 Achilles’Shield and MailDefense, 146 Advertising Killer, 470, 475 Acoragil virus, 118 adware, 259–260, 366–368, 493 ActiveX, 10, 22, 68–69 companies, 368 configuration to prevent auto-run, 76–78 and P2P file swapping, 367 disabling scripting, 184 AIM (AOL Instant Messenger), 124 McAfee to block, 161 AirSnort, 272 from Web page, 29 algorithm, 493 Activis, 117 AltaVista AV Family Filter, 489 Ad-aware, 372, 373, 373–374 Altnet SecureInstall, 260 Ad Extinguisher, 475 COPYRIGHTED MATERIALuninstalling, 261 Ad Muncher, 475 Amazon.com AdDelete, 475, 476 attack on, 208 AdDesigner.com, 474 privacy policy, 315–316 address book user profiling, 312 digital IDs in, 395 America Online, e-mail
    [Show full text]