
18 Chapter 2 Core Defense Mechanisms

applications effectively. If you are new to hacking web applications (and even if you are not), you should be sure to take time to understand how these core mechanisms work in each of the applications you encounter, and identify the weak points that leave them vulnerable to attack.

Handling User Access
A central security requirement that virtually any application needs to meet is controlling users' access to its data and functionality. A typical situation has several different categories of user, such as anonymous users, ordinary authenticated users, and administrative users. Furthermore, in many situations different users are permitted to access a different set of data. For example, users of a web mail application should be able to read their own e-mail but not other people's.

Most web applications handle access using a trio of interrelated security mechanisms:

- Authentication
- Session management
- Access control

Each of these mechanisms represents a significant area of an application's attack surface, and each is fundamental to an application's overall security posture. Because of their interdependencies, the overall security provided by the mechanisms is only as strong as the weakest link in the chain. A defect in any single component may enable an attacker to gain unrestricted access to the application's functionality and data.

Authentication
The authentication mechanism is logically the most basic dependency in an application's handling of user access. Authenticating a user involves establishing that the user is in fact who he claims to be. Without this facility, the application would need to treat all users as anonymous, the lowest possible level of trust.

The majority of today's web applications employ the conventional authentication model, in which the user submits a username and password, which the application checks for validity. Figure 2-1 shows a typical login function. In security-critical applications such as those used by online banks, this basic model is usually supplemented by additional credentials and a multistage login process. When security requirements are higher still, other authentication models may be used, based on client certificates, smartcards, or challenge-response tokens. In addition to the core login process, authentication mechanisms often employ a range of other supporting functionality, such as self-registration, account recovery, and a password change facility.

Figure 2-1: A typical login function
Despite their superficial simplicity, authentication mechanisms suffer from a wide range of defects in both design and implementation. Common problems may enable an attacker to identify other users' usernames, guess their passwords, or bypass the login function by exploiting defects in its logic. When you are attacking a web application, you should invest a significant amount of attention to the various authentication-related functions it contains. Surprisingly frequently, defects in this functionality enable you to gain unauthorized access to sensitive data and functionality.

Session Management
The next logical task in the process of handling user access is to manage the authenticated user's session. After successfully logging in to the application, the user accesses various pages and functions, making a series of HTTP requests from his browser. At the same time, the application receives countless other requests from different users, some of whom are authenticated and some of whom are anonymous. To enforce effective access control, the application needs a way to identify and process the series of requests that originate from each unique user.

Virtually all web applications meet this requirement by creating a session for each user and issuing the user a token that identifies the session. The session itself is a set of data structures held on the server that track the state of the user's interaction with the application. The token is a unique string that the application maps to the session. When a user receives a token, the browser automatically submits it back to the server in each subsequent HTTP request, enabling the application to associate the request with that user. HTTP cookies are the standard method for transmitting session tokens, although many applications use hidden form fields or the URL query string for this purpose. If a user does not make a request for a certain amount of time, the session is ideally expired, as shown in Figure 2-2.

Figure 2-2: An application enforcing session timeout
In terms of attack surface, the session management mechanism is highly dependent on the security of its tokens. The majority of attacks against it seek to compromise the tokens issued to other users. If this is possible, an attacker can masquerade as the victim user and use the application just as if he had actually authenticated as that user. The principal areas of vulnerability arise from defects in how tokens are generated, enabling an attacker to guess the tokens issued to other users, and defects in how tokens are subsequently handled, enabling an attacker to capture other users' tokens.

A small number of applications dispense with the need for session tokens by using other means of reidentifying users across multiple requests. If HTTP's built-in authentication mechanism is used, the browser automatically resubmits the user's credentials with each request, enabling the application to identify the user directly from these. In other cases, the application stores the state information on the client side rather than the server, usually in encrypted form to prevent tampering.

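The session-token model described above, as an added example that is not the book's code: a server-side store that maps an unguessable token to the session state and expires a session after a period of inactivity, the two properties the chapter singles out. The class and function names and the timeout value are assumptions made for this example.

```python
import secrets
import time

# Idle timeout in seconds (a value chosen for this example; real
# applications pick it according to their risk profile).
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Server-side session store: the browser holds only the opaque token,
    the session data itself stays on the server."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}          # token -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so tests can control time

    def create(self, username):
        """Start a session and return its token.

        32 bytes from the OS CSPRNG give a 43-character URL-safe token. A
        predictable generator here is the first defect class the chapter
        names: it would let an attacker guess other users' tokens.
        """
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the username for a live session, or None.

        Unknown and idle-expired tokens are treated identically, and an
        expired entry is removed so it cannot be revived later.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[token]
            return None
        entry["last_seen"] = now     # activity extends the idle window
        return entry["user"]

    def destroy(self, token):
        """Log out: forget the session regardless of its state."""
        self._sessions.pop(token, None)
```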
Access Control
The final logical step in the process of handling user access is to make and enforce correct decisions about whether each individual request should be permitted or denied. If the mechanisms just described are functioning correctly, the application knows the identity of the user from whom each request is received. On this basis, it needs to decide whether that user is authorized to perform the action, or access the data, that he is requesting, as shown in Figure 2-3.

The access control mechanism usually needs to implement some fine-grained logic, with different considerations being relevant to different areas of the application and different types of functionality. An application might support numerous user roles, each involving different combinations of specific privileges. Individual users may be permitted to access a subset of the total data held within the application. Specific functions may implement transaction limits and other checks, all of which need to be properly enforced based on the user's identity.

Because of the complex nature of typical access control requirements, this mechanism is a frequent source of security vulnerabilities that enable an attacker

Web Application Technologies
Web applications employ a myriad of technologies to implement their functionality. This chapter is a short primer on the key technologies that you are likely to encounter when attacking web applications. We will examine the HTTP protocol, the technologies commonly employed on the server and client sides, and the encoding schemes used to represent data in different situations. These technologies are in general easy to understand, and a grasp of their relevant features is key to performing effective attacks against web applications.

If you are already familiar with the key technologies used in web applications, you can skim through this chapter to confirm that it offers you nothing new. If you are still learning how web applications work, you should read this chapter before continuing to the later chapters on specific vulnerabilities. For further reading on many of the areas covered, we recommend HTTP: The Definitive Guide by David Gourley and Brian Totty (O'Reilly, 2002), and also the website of the World Wide Web Consortium at www.w3.org.

The HTTP Protocol
Hypertext transfer protocol (HTTP) is the core communications protocol used to access the World Wide Web and is used by all of today's web applications. It is a simple protocol that was originally developed for retrieving static text-based resources. It has since been extended and leveraged in various ways to enable it to support the complex distributed applications that are now commonplace.

40 Chapter 3 Web Application Technologies
HTTP uses a message-based model in which a client sends a request message and the server returns a response message. The protocol is essentially connectionless: although HTTP uses the stateful TCP protocol as its transport mechanism, each exchange of request and response is an autonomous transaction and may use a different TCP connection.

HTTP Requests
All HTTP messages (requests and responses) consist of one or more headers, each on a separate line, followed by a mandatory blank line, followed by an optional message body. A typical HTTP request is as follows:

GET /auth/488/YourDetails.ashx?uid=129 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Referer: https://mdsec.net/auth/488/Home.ashx
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; InfoPath.2; .NET4.0E; FDM; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Host: mdsec.net
Connection: Keep-Alive
Cookie: SessionId=5B70C71F2FD4968925CDB6682F545476

The first line of every HTTP request consists of three items, separated by spaces:

- A verb indicating the HTTP method. The most commonly used method is GET, whose function is to retrieve a resource from the web server. GET requests do not have a message body, so no further data follows the blank line after the message headers.
- The requested URL. The URL typically functions as a name for the resource being requested, together with an optional query string containing parameters that the client is passing to that resource. The query string is indicated by the ? character in the URL. The example contains a single parameter with the name uid and the value 129.
- The HTTP version being used. The only HTTP versions in common use on the Internet are 1.0 and 1.1, and most browsers use version 1.1 by default. There are a few differences between the specifications of these two versions; however, the only difference you are likely to encounter when attacking web applications is that in version 1.1 the Host request header is mandatory.

Here are some other points of interest in the sample request:

- The Referer header is used to indicate the URL from which the request originated (for example, because the user clicked a link on that page). Note that this header was misspelled in the original HTTP specification, and the misspelled version has been retained ever since.
- The User-Agent header is used to provide information about the browser or other client software that generated the request. Note that most browsers include the Mozilla prefix for historical reasons. This was the User-Agent string used by the originally dominant Netscape browser, and other browsers wanted to assert to websites that they were compatible with this standard. As with many quirks from computing history, it has become so established that it is still retained, even on the current version of Internet Explorer, which made the request shown in the example.
- The Host header specifies the hostname that appeared in the full URL being accessed. This is necessary when multiple websites are hosted on the same server, because the URL sent in the first line of the request usually does not contain a hostname. (See Chapter 17 for more information about virtually hosted websites.)
- The Cookie header is used to submit additional parameters that the server has issued to the client (described in more detail later in this chapter).

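An added example, not from the book: a small parser for the request format described above, run over the chapter's sample request (reassembled onto full header lines, with the long Accept and User-Agent values shortened). It extracts the three request-line items, the query-string parameters, the headers and the cookies, and rejects the malformed cases the chapter mentions: a space placed in the URL, and an HTTP/1.1 request without a Host header. The function names are my own.

```python
from urllib.parse import parse_qsl, urlsplit

# The chapter's sample request, reassembled onto full header lines and
# shortened (the printed version wraps the long Accept and User-Agent values).
SAMPLE_REQUEST = (
    "GET /auth/488/YourDetails.ashx?uid=129 HTTP/1.1\r\n"
    "Accept: application/x-ms-application, image/jpeg, */*\r\n"
    "Referer: https://mdsec.net/auth/488/Home.ashx\r\n"
    "Accept-Language: en-GB\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: mdsec.net\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: SessionId=5B70C71F2FD4968925CDB6682F545476\r\n"
    "\r\n"
)


class HttpRequestError(ValueError):
    """A malformed request: the kind a server answers with 400 Bad Request."""


def parse_headers(lines):
    """Header lines -> dict keyed by lower-cased header name.

    Obsolete line folding (a line starting with SP or HTAB) continues the
    previous header; a repeated header has its values comma-joined.
    """
    headers = {}
    last = None
    for line in lines:
        if line[:1] in (" ", "\t"):
            if last is None:
                raise HttpRequestError("continuation line before any header")
            headers[last] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise HttpRequestError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        if last in headers:
            headers[last] += ", " + value.strip()
        else:
            headers[last] = value.strip()
    return headers


def parse_cookie_header(value):
    """Split a Cookie header ('a=1; b=2') into a dict; a bare token maps to ''."""
    cookies = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            name, _, val = item.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


def parse_request(raw):
    """Parse an HTTP/1.x request given as text with CRLF line endings.

    Returns a dict with: method, target, authority (host[:port] when the
    target is in the absolute form a browser sends to a proxy, else ''),
    path, query (list of (name, value) pairs), version, headers, cookies
    and body (everything after the blank line, uninterpreted).
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise HttpRequestError("missing blank line that ends the headers")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        # A space placed inside the URL lands here: the request line no
        # longer has exactly three space-separated items.
        raise HttpRequestError(f"bad request line: {lines[0]!r}")
    method, target, version = parts
    if not version.startswith("HTTP/"):
        raise HttpRequestError(f"bad HTTP version: {version!r}")
    headers = parse_headers(lines[1:])
    if version == "HTTP/1.1" and "host" not in headers:
        raise HttpRequestError("HTTP/1.1 requires a Host header")
    url = urlsplit(target)
    return {
        "method": method,
        "target": target,
        "authority": url.netloc,
        "path": url.path,
        "query": parse_qsl(url.query, keep_blank_values=True),
        "version": version,
        "headers": headers,
        "cookies": parse_cookie_header(headers.get("cookie", "")),
        "body": body,
    }
```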
HTTP Responses
A typical HTTP response is as follows:

HTTP/1.1 200 OK
Date: Tue, 19 Apr 2011 09:22:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1067

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" ><head><title>Your details</title>
...

The first line of every HTTP response consists of three items, separated by spaces:

- The HTTP version being used.
- A numeric status code indicating the result of the request. 200 is the most common status code; it means that the request was successful and that the requested resource is being returned.
- A textual "reason phrase" further describing the status of the response. This can have any value and is not used for any purpose by current browsers.

Here are some other points of interest in the response:

- The Server header contains a banner indicating the web server software being used, and sometimes other details such as installed modules and the server operating system. The information contained may or may not be accurate.
- The Set-Cookie header issues the browser a further cookie; this is submitted back in the Cookie header of subsequent requests to this server.
- The Pragma header instructs the browser not to store the response in its cache. The Expires header indicates that the response content expired in the past and therefore should not be cached. These instructions are frequently issued when dynamic content is being returned to ensure that browsers obtain a fresh version of this content on subsequent occasions.
- Almost all HTTP responses contain a message body following the blank line after the headers. The Content-Type header indicates that the body of this message contains an HTML document.
- The Content-Length header indicates the length of the message body in bytes.

HTTP Methods
When you are attacking web applications, you will be dealing almost exclusively with the most commonly used methods: GET and POST. You need to be aware of some important differences between these methods, as they can affect an application's security if overlooked.

The GET method is designed to retrieve resources. It can be used to send parameters to the requested resource in the URL query string. This enables users to bookmark a URL for a dynamic resource that they can reuse. Or other users can retrieve the equivalent resource on a subsequent occasion (as in a bookmarked search query). URLs are displayed on-screen and are logged in various places, such as the browser history and the web server's access logs. They are also transmitted in the Referer header to other sites when external links are followed. For these reasons, the query string should not be used to transmit any sensitive information.

The POST method is designed to perform actions. With this method, request parameters can be sent both in the URL query string and in the body of the message. Although the URL can still be bookmarked, any parameters sent in the message body will be excluded from the bookmark. These parameters will also be excluded from the various locations in which logs of URLs are maintained and from the Referer header. Because the POST method is designed for performing actions, if a user clicks the browser's Back button to return to a page that was accessed using this method, the browser does not automatically reissue the request. Instead, it warns the user of what it is about to do, as shown in Figure 3-1. This prevents users from unwittingly performing an action more than once. For this reason, POST requests should always be used when an action is being performed.

Figure 3-1: Browsers do not automatically reissue POST requests made by users, because these might cause an action to be performed more than once

In addition to the GET and POST methods, the HTTP protocol supports numerous other methods that have been created for specific purposes. Here are the other ones you are most likely to require knowledge of:

- HEAD functions in the same way as a GET request, except that the server should not return a message body in its response. The server should return the same headers that it would have returned to the corresponding GET request. Hence, this method can be used to check whether a resource is present before making a GET request for it.
- TRACE is designed for diagnostic purposes. The server should return in the response body the exact contents of the request message it received. This can be used to detect the effect of any proxy servers between the client and server that may manipulate the request.
- OPTIONS asks the server to report the HTTP methods that are available for a particular resource. The server typically returns a response containing an Allow header that lists the available methods.
- PUT attempts to upload the specified resource to the server, using the content contained in the body of the request. If this method is enabled, you may be able to leverage it to attack the application, such as by uploading an arbitrary script and executing it on the server.

Many other HTTP methods exist that are not directly relevant to attacking web applications. However, a web server may expose itself to attack if certain dangerous methods are available. See Chapter 18 for further details on these methods and examples of using them in an attack.

URLs
A uniform resource locator (URL) is a unique identifier for a web resource through which that resource can be retrieved. The format of most URLs is as follows:

protocol://hostname[:port]/[path/]file[?param=value]

Several components in this scheme are optional. The port number usually is included only if it differs from the default used by the relevant protocol. The URL used to generate the HTTP request shown earlier is as follows:

https://mdsec.net/auth/488/YourDetails.ashx?uid=129

In addition to this absolute form, URLs may be specified relative to a particular host, or relative to a particular path on that host. For example:

/auth/488/YourDetails.ashx?uid=129
YourDetails.ashx?uid=129

These relative forms are often used in web pages to describe navigation within the website or application itself.

Note: You may encounter the term URI (or uniform resource identifier) being used instead of URL, but it is really only used in formal specifications and by those who want to exhibit their pedantry.

REST
Representational state transfer (REST) is a style of architecture for distributed systems in which requests and responses contain representations of the current state of the system's resources. The core technologies employed in the World Wide Web, including the HTTP protocol and the format of URLs, conform to the REST architectural style.

Although URLs containing parameters within the query string do themselves conform to REST constraints, the term "REST-style URL" is often used to signify a URL that contains its parameters within the URL file path, rather than the query string. For example, the following URL containing a query string:

http://wahh-app.com/search?make=ford&model=pinto

corresponds to the following URL containing "REST-style" parameters:

http://wahh-app.com/search/ford/pinto

Chapter 4 describes how you need to consider these different parameter styles when mapping an application's content and functionality and identifying its key attack surface.

HTTP Headers
HTTP supports a large number of headers, some of which are designed for specific unusual purposes. Some headers can be used for both requests and responses, and others are specific to one of these message types. The following sections describe the headers you are likely to encounter when attacking web applications.

General Headers
- Connection tells the other end of the communication whether it should close the TCP connection after the HTTP transmission has completed or keep it open for further messages.
- Content-Encoding specifies what kind of encoding is being used for the content contained in the message body, such as gzip, which is used by some applications to compress responses for faster transmission.
- Content-Length specifies the length of the message body, in bytes (except in the case of responses to HEAD requests, when it indicates the length of the body in the response to the corresponding GET request).
- Content-Type specifies the type of content contained in the message body, such as text/html for HTML documents.
- Transfer-Encoding specifies any encoding that was performed on the message body to facilitate its transfer over HTTP. It is normally used to specify chunked encoding when this is employed.

Request Headers
- Accept tells the server what kinds of content the client is willing to accept, such as image types, office document formats, and so on.
- Accept-Encoding tells the server what kinds of content encoding the client is willing to accept.
- Authorization submits credentials to the server for one of the built-in HTTP authentication types.
- Cookie submits cookies to the server that the server previously issued.
- Host specifies the hostname that appeared in the full URL being requested.
- If-Modified-Since specifies when the browser last received the requested resource. If the resource has not changed since that time, the server may instruct the client to use its cached copy, using a response with status code 304.
- If-None-Match specifies an entity tag, which is an identifier denoting the contents of the message body. The browser submits the entity tag that the server issued with the requested resource when it was last received. The server can use the entity tag to determine whether the browser may use its cached copy of the resource.
- Origin is used in cross-domain Ajax requests to indicate the domain from which the request originated (see Chapter 13).
- Referer specifies the URL from which the current request originated.
- User-Agent provides information about the browser or other client software that generated the request.

Response Headers
- Access-Control-Allow-Origin indicates whether the resource can be retrieved via cross-domain Ajax requests (see Chapter 13).
- Cache-Control passes caching directives to the browser (for example, no-cache).
- ETag specifies an entity tag. Clients can submit this identifier in future requests for the same resource in the If-None-Match header to notify the server which version of the resource the browser currently holds in its cache.
- Expires tells the browser for how long the contents of the message body are valid. The browser may use the cached copy of this resource until this time.
- Location is used in redirection responses (those that have a status code starting with 3) to specify the target of the redirect.
- Pragma passes caching directives to the browser (for example, no-cache).
- Server provides information about the web server software being used.
- Set-Cookie issues cookies to the browser that it will submit back to the server in subsequent requests.
- WWW-Authenticate is used in responses that have a 401 status code to provide details on the type(s) of authentication that the server supports.
- X-Frame-Options indicates whether and how the current response may be loaded within a browser frame (see Chapter 13).

Cookies
Cookies are a key part of the HTTP protocol that most web applications rely on. Frequently they can be used as a vehicle for exploiting vulnerabilities. The cookie mechanism enables the server to send items of data to the client, which the client stores and resubmits to the server. Unlike the other types of request parameters (those within the URL query string or the message body), cookies continue to be resubmitted in each subsequent request without any particular action required by the application or the user.

A server issues a cookie using the Set-Cookie response header, as you have seen:

Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

The user's browser then automatically adds the following header to subsequent requests back to the same server:

Cookie: tracking=tI8rk7joMx44S2Uu85nSWc

Cookies normally consist of a name/value pair, as shown, but they may consist of any string that does not contain a space. Multiple cookies can be issued by using multiple Set-Cookie headers in the server's response. These are submitted back to the server in the same Cookie header, with a semicolon separating different individual cookies.

In addition to the cookie's actual value, the Set-Cookie header can include any of the following optional attributes, which can be used to control how the browser handles the cookie:

- expires sets a date until which the cookie is valid. This causes the browser to save the cookie to persistent storage, and it is reused in subsequent browser sessions until the expiration date is reached. If this attribute is not set, the cookie is used only in the current browser session.
- domain specifies the domain for which the cookie is valid. This must be the same or a parent of the domain from which the cookie is received.
- path specifies the URL path for which the cookie is valid.
- secure: if this attribute is set, the cookie will be submitted only in HTTPS requests.
- HttpOnly: if this attribute is set, the cookie cannot be directly accessed via client-side JavaScript.

Each of these cookie attributes can impact the application's security. The primary impact is on the attacker's ability to directly target other users of the application. See Chapters 12 and 13 for more details.

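An added example, not the book's code: a parser for the Set-Cookie attributes listed above, the browser's Domain rule as the chapter states it, and an audit function a defender can run over a response's Set-Cookie headers to flag a session cookie issued without secure or HttpOnly, made persistent with expires, or scoped to a Domain the browser would reject. The function names and the checked values are assumptions made for this example.

```python
def parse_set_cookie(header_value):
    """Parse the value of one Set-Cookie header into (name, value, attrs).

    attrs is keyed by lower-cased attribute name; flag attributes such as
    secure and HttpOnly map to True, valued ones (expires, domain, path)
    map to their string value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    if not parts[0]:
        raise ValueError("Set-Cookie header carries no cookie")
    # The chapter notes a cookie may be any space-free string rather than a
    # name=value pair; a bare token is kept as the value with an empty name.
    name, eq, value = parts[0].partition("=")
    if not eq:
        name, value = "", name
    attrs = {}
    for part in parts[1:]:
        if part:
            key, eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def domain_allowed(issuing_host, domain_attr):
    """The rule the chapter states: the domain attribute must be the same as
    the host that issued the cookie or a parent of it. (Real browsers also
    refuse public suffixes such as 'co.uk'; that list is not modelled here.)"""
    parent = domain_attr.lstrip(".").lower()
    host = issuing_host.lower()
    return host == parent or host.endswith("." + parent)


def audit_set_cookie(header_value, issuing_host, sensitive=True):
    """Return a list of findings for one Set-Cookie header value.

    sensitive marks a cookie that carries a session token or similar: such a
    cookie is expected to have secure and HttpOnly set and to be scoped to
    the browser session rather than persisted. An empty list means no issue.
    """
    name, _value, attrs = parse_set_cookie(header_value)
    label = name or "(unnamed cookie)"
    findings = []
    if "domain" in attrs and not domain_allowed(issuing_host, attrs["domain"]):
        findings.append(f"{label}: domain={attrs['domain']} is neither "
                        f"{issuing_host} nor a parent of it; browsers reject it")
    if sensitive:
        if "secure" not in attrs:
            findings.append(f"{label}: secure not set, so it is also sent "
                            "over unencrypted HTTP")
        if "httponly" not in attrs:
            findings.append(f"{label}: HttpOnly not set, so client-side "
                            "JavaScript can read it")
        if "expires" in attrs:
            findings.append(f"{label}: expires set, so the browser stores it "
                            "persistently across browser sessions")
    return findings
```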
Status Codes
Each HTTP response message must contain a status code in its first line, indicating the result of the request. The status codes fall into five groups, according to the code's first digit:

- 1: Informational.
- 2: The request was successful.
- 3: The client is redirected to a different resource.
- 4: The request contains an error of some kind.
- 5: The server encountered an error fulfilling the request.

There are numerous specific status codes, many of which are used only in specialized circumstances. Here are the status codes you are most likely to encounter when attacking a web application, along with the usual reason phrase associated with them:

- 100 Continue is sent in some circumstances when a client submits a request containing a body. The response indicates that the request headers were received and that the client should continue sending the body. The server returns a second response when the request has been completed.
- 200 OK indicates that the request was successful and that the response body contains the result of the request.
- 201 Created is returned in response to a PUT request to indicate that the request was successful.
- 301 Moved Permanently redirects the browser permanently to a different URL, which is specified in the Location header. The client should use the new URL in the future rather than the original.
- 302 Found redirects the browser temporarily to a different URL, which is specified in the Location header. The client should revert to the original URL in subsequent requests.
- 304 Not Modified instructs the browser to use its cached copy of the requested resource. The server uses the If-Modified-Since and If-None-Match request headers to determine whether the client has the latest version of the resource.
- 400 Bad Request indicates that the client submitted an invalid HTTP request. You will probably encounter this when you have modified a request in certain invalid ways, such as by placing a space character into the URL.
- 401 Unauthorized indicates that the server requires HTTP authentication before the request will be granted. The WWW-Authenticate header contains details on the type(s) of authentication supported.
- 403 Forbidden indicates that no one is allowed to access the requested resource, regardless of authentication.
- 404 Not Found indicates that the requested resource does not exist.
- 405 Method Not Allowed indicates that the method used in the request is not supported for the specified URL. For example, you may receive this status code if you attempt to use the PUT method where it is not supported.
- 413 Request Entity Too Large: if you are probing for buffer overflow vulnerabilities in native code, and therefore are submitting long strings of data, this indicates that the body of your request is too large for the server to handle.
- 414 Request URI Too Long is similar to the 413 response. It indicates that the URL used in the request is too large for the server to handle.
- 500 Internal Server Error indicates that the server encountered an error fulfilling the request. This normally occurs when you have submitted unexpected input that caused an unhandled error somewhere within the application's processing. You should closely review the full contents of the server's response for any details indicating the nature of the error.
- 503 Service Unavailable normally indicates that, although the web server itself is functioning and can respond to requests, the application accessed via the server is not responding. You should verify whether this is the result of any action you have performed.

HTTPS
The HTTP protocol uses plain TCP as its transport mechanism, which is unencrypted and therefore can be intercepted by an attacker who is suitably positioned on the network. HTTPS is essentially the same application-layer protocol as HTTP but is tunneled over the secure transport mechanism, Secure Sockets Layer (SSL). This protects the privacy and integrity of data passing over the network, reducing the possibilities for noninvasive interception attacks. HTTP requests and responses function in exactly the same way regardless of whether SSL is used for transport.

Note: SSL has strictly been superseded by transport layer security (TLS), but the latter usually still is referred to using the older name.

HTTP Proxies
An HTTP proxy is a server that mediates access between the client browser and the destination web server. When a browser has been configured to use a proxy server, it makes all its requests to that server. The proxy relays the requests to the relevant web servers and forwards their responses back to the browser. Most proxies also provide additional services, including caching, authentication, and access control.

You should be aware of two differences in how HTTP works when a proxy server is being used:

- When a browser issues an unencrypted HTTP request to a proxy server, it places the full URL into the request, including the protocol prefix http://, the server's hostname, and the port number if this is nonstandard. The proxy server extracts the hostname and port and uses these to direct the request to the correct destination web server.
- When HTTPS is being used, the browser cannot perform the SSL handshake with the proxy server, because this would break the secure tunnel and leave the communications vulnerable to interception attacks. Hence, the browser must use the proxy as a pure TCP-level relay, which passes all network data in both directions between the browser and the destination web server, with which the browser performs an SSL handshake as normal. To establish this relay, the browser makes an HTTP request to the proxy server using the CONNECT method and specifying the destination hostname and port number as the URL. If the proxy allows the request, it returns an HTTP response with a 200 status, keeps the TCP connection open, and from that point onward acts as a pure TCP-level relay to the destination web server.
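The two request shapes just described, as an added example written for this text rather than code from the book or from any proxy product: the Python below parses the absolute-URL form a browser sends for plain HTTP and the CONNECT form it sends for HTTPS, extracts the destination from each, and applies the port policy a proxy operator normally enforces on CONNECT so the relay cannot be pointed at arbitrary TCP services. The request lines and the host name eis are constructed samples.

```python
# Added example: how a proxy tells the two request shapes apart and where it
# finds the destination. Not from the book; sample request lines are constructed.
from urllib.parse import urlsplit

# Constructed samples, as a browser configured to use a proxy would send them.
PLAIN_REQUEST_LINE = "GET http://eis:8080/shop/browse/electronics/ HTTP/1.1"
TUNNEL_REQUEST_LINE = "CONNECT eis:443 HTTP/1.1"


def parse_proxy_request_line(line):
    """Return (method, host, port, path, is_tunnel) for one proxy request line.

    Absolute-URL request: the proxy reads host and port out of the URL and
    forwards the request itself.  CONNECT request: host:port is the target and
    the proxy becomes a TCP relay; the SSL/TLS handshake happens end to end,
    so the proxy never sees the HTTP inside the tunnel.
    Raises ValueError for anything a proxy should refuse.
    """
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return method, host, int(port), None, True
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        # Only absolute http:// URLs are meaningful here: a bare path carries no
        # destination, and an https:// URL would ask the proxy to terminate SSL,
        # the tunnel-breaking case described in the text.
        raise ValueError("proxy requests must carry an absolute http:// URL")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    return method, url.hostname, url.port or 80, path, False


def connect_allowed(port, allowed_ports=frozenset({443})):
    """Policy check: limit CONNECT to SSL/TLS ports so the relay cannot be used
    to reach arbitrary TCP services behind the proxy."""
    return port in allowed_ports


def proxy_decision(line):
    """What the proxy does with a request line: ("forward", host, port) for a
    plain-HTTP request it relays itself, ("tunnel", host, port) for an accepted
    CONNECT (the proxy answers "HTTP/1.1 200 Connection Established" and then
    copies bytes in both directions), or ("reject", status_line) otherwise."""
    try:
        _method, host, port, _path, is_tunnel = parse_proxy_request_line(line)
    except ValueError:
        return ("reject", "HTTP/1.1 400 Bad Request")
    if is_tunnel:
        if not connect_allowed(port):
            return ("reject", "HTTP/1.1 403 Forbidden")
        return ("tunnel", host, port)
    return ("forward", host, port)


if __name__ == "__main__":
    for sample in (PLAIN_REQUEST_LINE, TUNNEL_REQUEST_LINE, "CONNECT eis:25 HTTP/1.1"):
        print(sample, "->", proxy_decision(sample))
```

The point of the port policy is that once a CONNECT is accepted the proxy is blind to what flows through it; restricting tunnels to SSL/TLS ports is the usual compensating control.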
By some measure, the most useful item in your toolkit when attacking web applications is a specialized kind of proxy server that sits between your browser and the target website and allows you to intercept and modify all requests and responses, even those using HTTPS. We will begin examining how you can use this kind of tool in the next chapter.
HTTP Authentication

The HTTP protocol includes its own mechanisms for authenticating users using various authentication schemes, including the following:

- Basic is a simple authentication mechanism that sends user credentials as a Base64-encoded string in a request header with each message.
- NTLM is a challenge-response mechanism and uses a version of the Windows NTLM protocol.
- Digest is a challenge-response mechanism and uses MD5 checksums of a nonce with the user's credentials.
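To make the Basic and Digest descriptions concrete, here is an added example of the server-side verification of both schemes. It is written for this text, not taken from the book or from any server product, and it uses the worked values from RFC 2617 (the Aladdin Basic credentials and the Mufasa Digest exchange) as sample input so the MD5 arithmetic can be checked against the RFC. The credential store, realm handling and the absence of nonce bookkeeping are assumptions of the example; NTLM is not covered.

```python
# Added example: server-side verification of the Basic and Digest schemes.
# Not from the book; uses the worked values from RFC 2617 as sample input.
import base64
import hashlib
import hmac
import re

# Constructed credential store. A real server would keep a password hash
# (or, for Digest, only the HA1 value) rather than clear-text passwords.
REALM = "testrealm@host.com"
USERS = {"Aladdin": "open sesame", "Mufasa": "Circle Of Life"}

# The RFC 2617 section 3.5 example Digest header, used here as sample input.
RFC2617_DIGEST = (
    'username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def verify_basic(credentials, users=USERS):
    """Basic: the header carries base64(user:password), i.e. clear-text
    credentials on every request, which is why it only makes sense over HTTPS.
    Returns the username on success, None otherwise."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user not in users:
        return None
    # Constant-time comparison avoids leaking how much of the password matched.
    ok = hmac.compare_digest(users[user].encode("utf-8"), password.encode("utf-8"))
    return user if ok else None


def parse_digest_params(params):
    """Parse the comma-separated key="value" / key=value list of a Digest header."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def verify_digest(method, params, users=USERS, realm=REALM):
    """Digest: the client proves knowledge of the password by returning MD5
    digests that mix it with the server's nonce; the password itself never
    travels. The server recomputes the expected response and compares.
    Returns the username on success, None otherwise. A real server must also
    check that the nonce is one it issued recently and has not been replayed."""
    p = parse_digest_params(params)
    if not {"username", "uri", "nonce", "response"}.issubset(p):
        return None
    user = p["username"]
    if user not in users or p.get("realm") != realm:
        return None
    ha1 = md5_hex(f"{user}:{realm}:{users[user]}")
    ha2 = md5_hex(f"{method}:{p['uri']}")          # the method is bound into the digest
    if p.get("qop") == "auth":
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p.get('nc', '')}:{p.get('cnonce', '')}:auth:{ha2}")
    elif "qop" not in p:
        expected = md5_hex(f"{ha1}:{p['nonce']}:{ha2}")   # RFC 2069 compatibility form
    else:
        return None  # auth-int and unknown qop values are not handled here
    return user if hmac.compare_digest(expected, p["response"]) else None


def authenticate(method, authorization_header):
    """Dispatch on the scheme named in an Authorization header."""
    scheme, _, rest = authorization_header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return verify_basic(rest.strip())
    if scheme == "digest":
        return verify_digest(method, rest.strip())
    return None  # NTLM and other schemes are out of scope for this example


if __name__ == "__main__":
    print(authenticate("GET", "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    print(authenticate("GET", "Digest " + RFC2617_DIGEST))
```

Two details worth noticing: the Digest response binds the request method and URI, so the same header replayed against a different resource fails, and neither scheme protects the rest of the request, so both are only as private as the transport beneath them.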
Chapter 4  Mapping the Application  97
HACK STEPS

1. Using lists of common debug parameter names (debug, test, hide, source, etc.) and common values (true, yes, on, 1, etc.), make a large number of requests to a known application page or function, iterating through all permutations of name and value. For POST requests, insert the added parameter into both the URL query string and the message body. Burp Intruder can be used to perform this test using multiple payload sets and the "cluster bomb" attack type (see Chapter 14 for more details).
2. Monitor all responses received to identify any anomalies that may indicate that the added parameter has had an effect on the application's processing.
3. Depending on the time available, target a number of different pages or functions for hidden parameter discovery. Choose functions where it is most likely that developers have implemented debug logic, such as login, search, and file uploading and downloading.
Analyzing the Application

Enumerating as much of the application's content as possible is only one element of the mapping process. Equally important is the task of analyzing the application's functionality, behavior, and technologies employed to identify the key attack surfaces it exposes and to begin formulating an approach to probing the application for exploitable vulnerabilities.

Here are some key areas to investigate:

- The application's core functionality: the actions that can be leveraged to perform when used as intended
- Other, more peripheral application behavior, including off-site links, error messages, administrative and logging functions, and the use of redirects
- The core security mechanisms and how they function: in particular, management of session state, access controls, and authentication mechanisms and supporting logic (user registration, password change, and account recovery)
- All the different locations at which the application processes user-supplied input: every URL, query string parameter, item of POST data, and cookie
- The technologies employed on the client side, including forms, client-side scripts, thick-client components (Java applets, ActiveX controls, and Flash), and cookies
- The technologies employed on the server side, including static and dynamic pages, the types of request parameters employed, the use of SSL, web server software, interaction with databases, e-mail systems, and other back-end components
- Any other details that may be gleaned about the internal structure and functionality of the server-side application: the mechanisms it uses behind the scenes to deliver the functionality and behavior that are visible from the client perspective
Identifying Entry Points for User Input

The majority of ways in which the application captures user input for server-side processing should be obvious when reviewing the HTTP requests that are generated as you walk through the application's functionality. Here are the key locations to pay attention to:

- Every URL string up to the query string marker
- Every parameter submitted within the URL query string
- Every parameter submitted within the body of a POST request
- Every cookie
- Every other HTTP header that the application might process: in particular, the User-Agent, Referer, Accept, Accept-Language, and Host headers
URL File Paths

The parts of the URL that precede the query string are often overlooked as entry points, since they are assumed to be simply the names of directories and files on the server file system. However, in applications that use REST-style URLs, the parts of the URL that precede the query string can in fact function as data parameters and are just as important as entry points for user input as the query string itself.

A typical REST-style URL could have this format:

http://eis/shop/browse/electronics/iPhone3G/

In this example, the strings electronics and iPhone3G should be treated as parameters to a store search function.

Similarly, in this URL:

http://eis/updates/2010/12/25/my-new-iphone/

each of the URL components following updates may be being handled in a RESTful manner.

Most applications using REST-style URLs are easy to identify given the URL structure and application context. However, no hard-and-fast rules should be assumed when mapping an application, because it is up to the application's authors how users should interact with it.
Request Parameters

Parameters submitted within the URL query string, message body, and HTTP cookies are the most obvious entry points for user input. However, some applications do not employ the standard name=value format for these parameters. They may employ their own custom scheme, which may use nonstandard query string markers and field separators, or they may embed other data schemes such as XML within parameter data.

Here are some examples of nonstandard parameter formats that the authors have encountered in the wild:

- /dir/file;foo=bar&foo2=bar2
- /dir/file?foo=bar$foo2=bar2
- /dir/file/foo%3dbar%26foo2%3dbar2
- /dir/foo.bar/file
- /dir/foo=bar/file
- /dir/file?param=foo:bar
- /dir/file?data=%3cfoo%3ebar%3c%2ffoo%3e%3cfoo2%3ebar2%3c%2ffoo2%3e

If a nonstandard parameter format is being used, you need to take this into account when probing the application for all kinds of common vulnerabilities. For example, suppose that, when testing the final URL in this list, you ignore the custom format and simply treat the query string as containing a single parameter called data, and therefore submit various kinds of attack payloads as the value of this parameter. You would miss many kinds of vulnerabilities that may exist in the processing of the query string. Conversely, if you dissect the format and place your payloads within the embedded XML data fields, you may immediately discover a critical bug such as SQL injection or path traversal.
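The lesson of the last three sections for the defender is that validation has to reach every one of these entry points, including REST-style path segments, the application's own separator conventions, and data nested inside a parameter value. The following added example, written for this text and not taken from the book, enumerates all of them from a raw request so that each can be validated: it splits the path into segments, parses query, body and cookies, keeps every header, parses custom separators such as the $ and ; forms listed above, and unpacks XML embedded in a parameter into its individual fields. The request, the eis host and the cookie names are constructed sample input.

```python
# Added example: enumerate every entry point in a raw HTTP request, including
# REST-style path segments, custom parameter separators and XML nested inside a
# parameter value. Not from the book; the sample request is constructed.
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, unquote, urlsplit
import xml.etree.ElementTree as ET

# Constructed sample request, reusing the URL shapes shown in the text.
SAMPLE_REQUEST = (
    "POST /shop/browse/electronics/iPhone3G/"
    "?data=%3cfoo%3ebar%3c%2ffoo%3e%3cfoo2%3ebar2%3c%2ffoo2%3e HTTP/1.1\r\n"
    "Host: eis\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Referer: http://search.example/?q=iphone\r\n"
    "Cookie: SessionId=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "quantity=2&gift=yes"
)


def split_custom_params(text, pair_sep="&", kv_sep="="):
    """Parse name/value pairs using the application's own separators, e.g. "$"
    in /dir/file?foo=bar$foo2=bar2, or the ";"-prefixed matrix form. Percent
    encoding is removed from names and values after splitting."""
    out = {}
    for pair in text.split(pair_sep):
        if pair:
            name, _, value = pair.partition(kv_sep)
            out[unquote(name)] = unquote(value)
    return out


def embedded_xml_fields(value):
    """If a parameter value is itself an XML fragment, return its leaf elements
    as {tag: text}; otherwise None. Each field is a separate input to validate."""
    if not value.startswith("<"):
        return None
    try:
        root = ET.fromstring("<wrapper>" + value + "</wrapper>")  # allow several top-level elements
    except ET.ParseError:
        return None
    return {el.tag: (el.text or "") for el in root.iter() if el is not root and len(el) == 0}


def enumerate_entry_points(raw_request):
    """Return every location in the request where user-supplied data arrives."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    url = urlsplit(target)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()       # every header is an entry point
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))

    entry = {
        "method": method,
        "path_segments": [unquote(seg) for seg in url.path.split("/") if seg],  # REST-style data
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
        "body": dict(parse_qsl(body, keep_blank_values=True)),
        "cookies": {name: morsel.value for name, morsel in cookies.items()},
        "headers": headers,
        "embedded": {},                              # data schemes nested in a parameter
    }
    for name, value in list(entry["query"].items()) + list(entry["body"].items()):
        fields = embedded_xml_fields(value)
        if fields:
            entry["embedded"][name] = fields
    return entry


if __name__ == "__main__":
    import json
    print(json.dumps(enumerate_entry_points(SAMPLE_REQUEST), indent=2))
```

Run on the sample, the data parameter is reported twice: once as the raw query value and once as the two XML fields it contains. A validator that only ever sees the first view is the one the text describes as missing the bug.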
100 Cbagter 4  Magging tbe Agglication
HTTP Headers

Many applications perform custom logging functions and may log the contents of HTTP headers such as Referer and User-Agent. These headers should always be considered as possible entry points for input-based attacks.

Some applications perform additional processing on the Referer header. For example, an application may detect that a user has arrived via a search engine, and seek to provide a customized response tailored to the user's search query. The application may echo the search term or may attempt to highlight matching expressions within the response. Some applications seek to boost their search rankings by dynamically adding content such as HTML keywords, containing strings that recent visitors from search engines have been searching for. In this situation, it may be possible to persistently inject content into the application's responses by making a request numerous times containing a suitably crafted Referer URL.

An important trend in recent years has been for applications to present different content to users who access the application via different devices (laptop, cell phone, tablet). This is achieved by inspecting the User-Agent header. As well as providing an avenue for input-based attacks directly within the User-Agent header itself, this behavior provides an opportunity to uncover an additional attack surface within the application. By spoofing the User-Agent header for a popular mobile device, you may be able to access a simplified user interface that behaves differently than the primary interface. Since this interface is generated via different code paths within the server-side application, and may have been subjected to less security testing, you may identify bugs such as cross-site scripting that do not exist in the primary application interface.

Burp Intruder contains a built-in payload list containing a large number of user agent strings for different types of devices. You can carry out a simple attack that performs a GET request to the main application page supplying different user agent strings and then review the Intruder results to identify anomalies that suggest a different user interface is being presented.

In addition to targeting HTTP request headers that your browser sends by default, or that application components add, in some situations you can perform successful attacks by adding further headers that the application may still process. For example, many applications perform some processing on the client's IP address to carry out functions such as logging, access control, or user geolocation. The IP address of the client's network connection typically is available to applications via platform APIs. However, to handle cases where the application resides behind a load balancer or proxy, applications may use the IP address specified in the X-Forwarded-For request header if it is present. Developers may then mistakenly assume that the IP address value is untainted and process it in dangerous ways. By adding a suitably crafted X-Forwarded-For header, you may be able to deliver attacks such as SQL injection or persistent cross-site scripting.
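The mistaken assumption described in the last paragraph has a well-defined fix, shown here as an added example written for this text (it is not code from the book). client_ip() honours X-Forwarded-For only when the TCP peer is one of the application's own proxies, walks the header from the right past those proxies, and falls back to the platform-supplied peer address whenever the header is absent, forged or malformed, so the value that reaches logging, access control or geolocation is always a syntactically valid address from a hop the application can vouch for. sanitize_for_log() covers the first paragraph's point about logged headers such as Referer and User-Agent. The trusted proxy range and all sample addresses are constructed.

```python
# Added example: treating X-Forwarded-For and logged headers as untrusted input.
# Not from the book; the proxy range and sample values are constructed.
import ipaddress

# Constructed deployment: the application sits behind load balancers in 10.0.0.0/8.
TRUSTED_PROXIES = ("10.0.0.0/8",)


def client_ip(xff_header, peer_address, trusted_proxies=TRUSTED_PROXIES):
    """Derive the client address the way a proxy-aware application should.

    Anyone can send an X-Forwarded-For header, so it is consulted only when the
    TCP peer is one of our own proxies. Proxies append the address they saw to
    the right, so we walk from the right, stepping over our own proxies, and
    stop at the first address that is not ours: the last hop we can vouch for.
    Anything to its left was supplied by the client and is ignored. A malformed
    hop ends the walk at the last good value, so the result is always a valid
    IP address and never raw header text.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ip in net for net in nets)

    result = ipaddress.ip_address(peer_address)  # platform-supplied, always valid
    if not xff_header or not trusted(result):
        return str(result)
    for hop in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # forged or garbage value: keep the last address we trust
        result = ip
        if not trusted(ip):
            break
    return str(result)


def sanitize_for_log(value, max_len=512):
    """Neutralise CR/LF and other control characters before a header value such
    as Referer or User-Agent is written to a log, and bound its length. Escaping
    for the output format (HTML, SQL parameters) is a separate step that belongs
    where the value is rendered or queried."""
    cleaned = "".join(ch if ch.isprintable() else " " for ch in value)
    return cleaned[:max_len]


if __name__ == "__main__":
    print(client_ip("203.0.113.7, 10.0.0.5", "10.0.0.5"))   # legitimate chain
    print(client_ip("203.0.113.7", "198.51.100.9"))         # header from an untrusted peer
    print(sanitize_for_log("Mozilla/5.0\r\nX-Injected: yes"))
```

The same rule applies to any header a proxy is expected to set on the application's behalf: trust it on the basis of who the peer is, not on the basis of the header being present.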
Out-of-Band Channels

A final class of entry points for user input includes any out-of-band channel by which the application receives data that you may be able to control. Some of these entry points may be entirely undetectable if you simply inspect the HTTP traffic generated by the application, and finding them usually requires an understanding of the wider context of the functionality that the application implements. Here are some examples of web applications that receive user-controllable data via an out-of-band channel:

- A web mail application that processes and renders e-mail messages received via SMTP
- A publishing application that contains a function to retrieve content via HTTP from another server
- An intrusion detection application that gathers data using a network sniffer and presents this using a web application interface
- Any kind of application that provides an API interface for use by non-browser user agents, such as cell phone apps, if the data processed via this interface is shared with the primary web application
Identifying Server-Side Technologies

Normally it is possible to fingerprint the technologies employed on the server via various clues and indicators.

Banner Grabbing

Many web servers disclose fine-grained version information, both about the web server software itself and about other components that have been installed. For example, the HTTP Server header discloses a huge amount of detail about some installations:

Server: Apache/1.3.31 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.9 FrontPage/5.0.2.2634a mod_ssl/2.8.20 OpenSSL/0.9.7a

In addition to the Server header, the type and version of software may be disclosed in other locations:

- Templates used to build HTML pages
- Custom HTTP headers
- URL query string parameters
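A defender can run the same banner analysis over their own hosts before anyone else does. The following added example (written for this text, not code from the book or from any scanner) parses a Server or X-Powered-By value into product/version pairs and reports how many versions an installation discloses; the Server header quoted above is used as the sample input, and the header names checked are an assumption of the example.

```python
# Added example: inventory check for version disclosure in response headers.
# Not from the book; the sample banner is the one quoted in the text.
import re

SAMPLE_BANNER = (
    "Apache/1.3.31 (Unix) mod_gzip/1.3.26.1a mod_auth_passthrough/1.8 "
    "mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.9 FrontPage/5.0.2.2634a "
    "mod_ssl/2.8.20 OpenSSL/0.9.7a"
)

# product/version tokens; parenthesised comments such as "(Unix)" carry no
# version and are skipped by the pattern.
PRODUCT_RE = re.compile(r"([A-Za-z][\w-]*)/([\w.+-]+)")

# Headers that commonly carry product/version banners (assumed list).
BANNER_HEADERS = ("Server", "X-Powered-By")


def parse_server_banner(banner):
    """Return [(product, version), ...] in the order they appear in the banner."""
    return PRODUCT_RE.findall(banner)


def disclosed_versions(headers):
    """Collect every product/version pair exposed by the banner-bearing headers
    of one response. Header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found = []
    for name in BANNER_HEADERS:
        value = lowered.get(name.lower())
        if value:
            found.extend(parse_server_banner(value))
    return found


def banner_report(headers):
    """Summary a scan of one's own hosts would record per response."""
    products = disclosed_versions(headers)
    return {
        "discloses_versions": bool(products),
        "count": len(products),
        "products": products,
    }


if __name__ == "__main__":
    print(banner_report({"Server": SAMPLE_BANNER, "X-Powered-By": "PHP/4.3.9"}))
    print(banner_report({"Server": "Apache"}))
```

For Apache the disclosure in the sample is controlled by the ServerTokens and ServerSignature directives (ServerTokens Prod reduces the header to the product name); other servers and application frameworks have their own equivalents, and the check above shows whether the setting actually took effect.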