Index ■ S–T 735
shared hosting, 542–543
virtual hosting, 543
vulnerabilities
segregation between ASP-hosted applications, 721
segregation in shared infrastructures, 720
Shockwave Flash objects, 123–124
signedness errors, 529–530
SiteMesh, Presentation Layer, 49
smartcards, authentication and, 176
SMTP, code injection, 321–322
command injection, 323–324
email header manipulation, 322–323
flaws, 324–325
preventing, 325–326
SMTP injection, testing for, 712–713
SOAP
code injection, 313–316
injection, testing for, 715
software
native bugs
buffer overflow vulnerabilities, 585–586
format string vulnerabilities, 586
integer vulnerabilities, 586
security hardening, 573
source code, comments, 586–587
spidering. See web spidering
SQL (Structured Query Language)
code injection, 240–241
bugs, 244–247
bypassing login, 243–244
DELETE statements, 250
exploiting a basic vulnerability, 241–243
INSERT statements, 248–249
preventing, 296–300
SELECT statements, 248
UNION operator, 250–255
UPDATE statements, 249–250
comments, bypassing filters and, 268
error messages, 292–295
injection, 6, 581–582
testing for, 702–704
syntax reference, 289–291
SSL (Secure Socket Layer), 6, 7
ciphers, weak, 727
session tokens and, 192
stack overflows, 522–523
stack traces, 507–508
state, 55, 176–177
sessionless state mechanisms, 179
static files, 222–223
status codes, HTTP responses, 44–45
stored attacks, testing for, 706–707
T
Tapestry, Presentation Layer, 49
termination, sessions, 200–201
testing access controls
insecure access control methods, 698
limited access, 697–698
multiple accounts, 697
requirements, 696–697
testing authentication mechanism
account recovery function, 682
check for unsafe distribution of credentials, 685
check for unsafe transmission of credentials, 684–685
exploit any vulnerabilities to gain unauthorized access, 687–688
impersonation function, 683
logic flaws, fail-open conditions, 685–686
multistage mechanisms, 686–687
password quality, 680
predictability of auto-generated credentials, 684
remember me function, 682–683
resilience to password guessing, 681
understand mechanism, 680
username enumeration, 680–681
username uniqueness, 683–684
testing client-side controls
client-side controls over user input, 676
thick-client components
ActiveX controls, 678
Java applets, 677
Shockwave Flash objects, 678–679
transmission of data via the client, 675–676
testing for function-specific input vulnerabilities
LDAP injection, 715–716
native software vulnerabilities, 713–714
SMTP injection, 712–713
SOAP injection, 715
XPath injection, 716–717
testing for input-based vulnerabilities
fuzz all request parameters, 699–702
test for file inclusion, 711
test for OS command injection, 707–708
test for path traversal, 709–710
test for script injection, 711
test for SQL injection, 702–704
test for XSS injection
arbitrary redirection, 706
HTTP header injection, 705–706
reflected request parameters, 704
reflected XSS, 705
stored attacks, 706–707
testing for logic flaws
handling of incomplete input, 718–719
key attack surface, 717
multistage processes, 718
transaction logic, 719–720
trust boundaries, 719
testing session management mechanism, 688
check cookie scope, 695–696
check for disclosure of tokens in logs, 692
check for insecure transmission of tokens, 691–692
check for session fixation, 694
check for XSRF, 694–695
check mapping of tokens to sessions, 692–693
test session termination, 693–694
test tokens for meaning, 689–690
test tokens for predictability, 690–691
understanding mechanism, 689
thick-client components, 54–55, 111–112
ActiveX controls, 119–120
decompiling managed code, 124
exported functions, 122
inputs, fixing, 123–124
reverse engineering, 120–122
Java applets, 112–114
bytecode obfuscation, 117–119
decompiling Java bytecode, 114–117
third-party code components, 87–88
tiered architectures, 535–536
attacking
attacking tiers, 539–540
exploiting trust relationships between tiers, 537–538
subverting tiers, 538–539
securing
applying defense in depth, 542
minimizing trust relationships, 540–541
segregating different components, 541–542
tokens. See session tokens
disclosure in logs, 692
insecure transmission, 691–692
mapping to sessions, 692–693
strong, session management and, 206–208
testing for meaning, 689–690
testing for predictability, 690–691
transmitting, HTTPS, 208–209
70779bindex.qxd:WileyRed 9/14/07 3:16 PM Page 735