Testing Web Security-Assessing the Security of Web Sites and Applications Steven Splaine Wiley Publishing, Inc. Publisher: Robert Ipsen Editor: Carol Long Developmental Editor: Scott Amerman Managing Editor: John Atkins New Media Editor: Brian Snapp Text Design & Composition: Wiley Composition Services Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where Wiley Publishing, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. This book is printed on acid-free paper. Copyright © 2002 by Steven Splaine. ISBN:0471232815 All rights reserved. Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspointe Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, Email: <[email protected]>. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data: 0-471-23281-5 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 To my wife Darlene and our sons, Jack and Sam, who every day remind me of just how fortunate I am. To the victims and heroes of September 11, 2001, lest we forget that freedom must always be vigilant. Acknowledgments The topic of Web security is so large and the content is so frequently changing that it is impossible for a single person to understand every aspect of security testing. For this reason alone, this book would not have been possible without the help of the many security consultants, testers, webmasters, project managers, developers, DBAs, LAN administrators, firewall engineers, technical writers, academics, and tool vendors who were kind enough to offer their suggestions and constructive criticisms, which made this book more comprehensive, accurate, and easier to digest. Many thanks to the following team of friends and colleagues who willingly spent many hours of what should have been their free time reviewing this book and/or advising me on how best to proceed with this project. James Bach Joey Maier Rex Black Brian McCaughey Ross Collard Wayne Middleton Rick Craig Claudette Moore Dan Crawford David Parks Yves de Montcheuil Eric Patel Mickey Epperson Roger Rivest Danny Faught Martin Ryan Paul Gerrard John Smentowski Stefan Jaskiel John Splaine Jeff Jones Herbert Thompson Philip Joung Michael Waldmann A special thank-you goes to my wife Darlene and our sons Jack and Sam, for their love and continued support while I was writing this book. I would especially like to thank Jack for understanding why Daddy couldn't go play ball on so many evenings. Professional Acknowledgment I would like to thank everyone who helped me create and then extend Software Quality Engineering's Web Security Testing course (www.sqe.com), the source that provided much of the structure and content for this book. Specifically, many of SQE's staff, students, and clients provided me with numerous suggestions for improving the training course, many of which were subsequently incorporated into this book. STEVEN SPLAINE is a chartered software engineer with more than twenty years of experience in project management, software testing and product development. He is a regular speaker at software testing conferences and lead author of The Web Testing Handbook. Foreword As more and more organizations move to Internet-based and intranet-based applications, they find themselves exposed to new or increased risks to system quality, especially in the areas of performance and security. Steven Splaine's last book, The Web Testing Handbook, provided the reader with tips and techniques for testing performance along with many other important considerations for Web testing, such as functionality. Now Steve takes on the critical issue of testing Web security. Too many users and even testers of Web applications believe that solving their security problems merely entails buying a firewall and connecting the various cables. In this book, Steve identifies this belief as the firewall myth, and I have seen victims of this myth in my own testing, consulting, and training work. This book not only helps dispel this myth, but it also provides practical steps you can take that really will allow you to find and resolve security problems throughout the network. Client-side, server-side, Internet, intranet, outside hackers and inside jobs, software, hardware, networks, and social engineering, it's all covered here. How should you run a penetration test? How can you assess the level of risk inherent in each potential security vulnerability, and test appropriately? When confronted with an existing system or building a new one, how do you keep track of everything that's out there that could conceivably become an entryway for trouble? In a readable way, Steve will show you the ins and outs of Web security testing. This book will be an important resource for me on my next Web testing project. If you are responsible for the testing or security of a Web system, I bet it will be helpful to you, too. Rex Black Rex Black Consulting Bulverde, Texas Preface As the Internet continues to evolve, more and more organizations are replacing their placeholder or brochureware Web sites with mission-critical Web applications designed to generate revenue and integrate with their existing systems. One of the toughest challenges facing those charged with implementing these corporate goals is ensuring that these new storefronts are safe from attack and misuse. Currently, the number of Web sites and Web applications that need to be tested for security vulnerabilities far exceeds the number of security professionals who are sufficiently experienced to carry out such an assessment. Unfortunately, this means that many Web sites and applications are either inadequately tested or simply not tested at all. These organizations are, in effect, playing a game of hacker roulette, just hoping to stay lucky. A significant reason that not enough professionals are able to test the security of a Web site or application is the lack of introductory-level educational material. Much of the educational material available today is either high-level/strategic in nature and aimed at senior management and chief architects who are designing the high-level functionality of the system, or low-level/extremely technical in nature and aimed at experienced developers and network engineers charged with implementing these designs. Testing Web Security is an attempt to fill the need for a straightforward, easy-to-follow book that can be used by anyone who is new to the security-testing field. Readers of my first book that I coauthored with Stefan Jaskiel will find I have retained in this book the checklist format that we found to be so popular with The Web Testing Handbook (Splaine and Jaskiel, 2001) and will thereby hopefully make it easier for security testers to ensure that the developers and network engineers have implemented a system that meets the explicit (and implied) security objectives envisioned by the system's architects and owners. Steven Splaine Tampa, Florida Table of Contents Testing Web Security—Assessing the Security of Web Sites and Applications Foreword Preface Part I - An Introduction to the Book Chapter 1 - Introduction Part II - Planning the Testing Effort Chapter 2 - Test Planning Part III - Test Design Chapter 3 - Network Security Chapter 4 - System Software Security Chapter 5 - Client-Side Application Security Chapter 6 - Server-Side Application Security Sneak Attacks: Guarding Against the Less- Chapter 7 - Thought-of Security Threats Intruder Confusion, Detection, and Chapter 8 - Response Part IV - Test Implementation Chapter 9 - Assessment and Penetration Options Chapter 10 - Risk