Web Functionality

In addition to the core communications protocol used to send messages between client and server, web applications employ numerous different technologies to deliver their functionality. Any reasonably functional application may employ dozens of distinct technologies within its server and client components. Before you can mount a serious attack against a web application, you need a basic understanding of how its functionality is implemented, how the technologies used are designed to behave, and where their weak points are likely to lie.

Server-Side Functionality

The early World Wide Web contained entirely static content. Web sites consisted of various resources such as HTML pages and images, which were simply loaded onto a web server and delivered to any user who requested them. Each time a particular resource was requested, the server responded with the same content.

Today’s web applications still typically employ a fair number of static resources. However, a large amount of the content that they present to users is generated dynamically. When a user requests a dynamic resource, the server’s response is created on the fly, and each user may receive content that is uniquely customized for them.

Dynamic content is generated by scripts or other code executing on the server. These scripts are akin to computer programs in their own right — they have various inputs, perform processing on these, and return their outputs to the user.

When a user’s browser makes a request for a dynamic resource, it does not normally simply ask for a copy of that resource. In general, it will also submit various parameters along with its request. It is these parameters that enable the server-side application to generate content that is tailored to the individual user. There are three main ways in which HTTP requests can be used to send parameters to the application:

■ In the URL query string.  ■ In HTTP cookies.
■ In the body of requests using the POST method.

In addition to these primary sources of input, the server-side application may in principle use any part of the HTTP request as an input to its processing. For example, an application may process the User-Agent header to generate content that is optimized for the type of browser being used.

Like computer software in general, web applications employ a wide range of technologies on the server side to deliver their functionality. These include:

■ Scripting languages such as PHP, VBScript, and Perl.
■ Web application platforms such as ASP.NET and Java.
■ Web servers such as Apache, IIS, and Netscape Enterprise.
■ Databases such as MS-SQL, Oracle, and MySQL.
■ Other back-end components such as file systems, SOAP-based web services, and directory services.

The Java Platform

For several years, the Java Platform, Enterprise Edition (formerly known as J2EE) has been a defacto standard for large-scale enterprise applications. Developed by Sun Microsystems, it lends itself to multi-tiered and load-balanced architectures, and is well suited to modular development and code reuse. Because of its long history and widespread adoption, there are many high-quality development tools, application servers, and frameworks available to assist developers. The Java Platform can be run on several underlying operating systems, including Windows, Linux, and Solaris.

Descriptions of Java-based web applications often employ a number of potentially confusing terms that you may need to be aware of:

■ An Enterprise Java Bean (EJB) is a relatively heavyweight software component that encapsulates the logic of a specific business function within the application. EJBs are intended to take care of various technical challenges that application developers must address, such as transactional integrity.

■ A Plain Old Java Object (POJO) is an ordinary Java object, as distinct from a special object like an EJB. POJO is normally used to denote objects that are user-defined and much simpler and more lightweight than EJBs and those used in other frameworks.

■ A Java Servlet is an object that resides on an application server and receives HTTP requests from clients and returns HTTP responses. There are numerous useful interfaces that Servlet implementations can use to facilitate the development of useful applications.

■ A Java web container is a platform or engine that provides a runtime environment for Java-based web applications. Examples of Java web containers are Apache Tomcat, BEA WebLogic, and JBoss. Many Java web applications employ third-party and open source components alongside custom-built code. This is an attractive option because it
reduces development effort, and Java is well-suited to this modular approach. Examples of components commonly used for key application functions are:

■ Authentication — JAAS, ACEGI
■ Presentation layer — SiteMesh, Tapestry
■ Database object relational mapping — Hibernate
■ Logging — Log4J

If you can determine which open source packages are used in the application you are attacking, you can download these and perform a code review or install them to experiment on. A vulnerability in any of these may be exploitable to compromise the wider application.

ASP.NET

ASP.NET is Microsoft’s web application framework and is a direct competitor to the Java Platform. ASP.NET is several years younger than its counterpart but has made some inroads into Java’s territory. ASP.NET uses Microsoft’s .NET Framework, which provides a virtual machine (the Common Language Runtime) and a set of powerful APIs. Hence, ASP.NET applications can be written in any .NET language, such as C# or VB.NET.

ASP.NET lends itself to the event-driven programming paradigm which is normally used in conventional desktop software, rather than the script-based approach used in most earlier web application frameworks. This, together with the powerful development tools provided with Visual Studio, make developing a functional web application extremely easy for anyone with minimal programming skills.

The ASP.NET framework helps to protect against some common web application vulnerabilities such as cross-site scripting, without requiring any effort by the developer. However, one practical downside of its apparent simplicity is that many small-scale ASP.NET applications are actually created by beginners who lack any awareness of the core security problems faced by web applications.

PHP

The PHP language emerged out of a hobby project (the acronym originally stood for personal home page). It has since evolved almost unrecognizably into a highly powerful and rich framework for developing web applications. It is often used in conjunction with other free technologies in what is known as the LAMP stack (comprising Linux, Apache, MySQL, and PHP).

Numerous open source applications and components have been developed using PHP. Many of these provide off-the-shelf solutions for common application functions, which are often incorporated into wider custom-built applications, for example:

■ Bulletin boards — PHPBB, PHP-Nuke
■ Administrative front ends — PHPMyAdmin
■ Web mail — SquirrelMail, IlohaMail
■ Photo galleries — Gallery

■ Shopping carts — osCommerce, ECW-Shop
■ Wikis — MediaWiki, WakkaWikki

Because PHP is free and easy to use, it has often been the language of choice for many beginners writing web applications. Further, the design and default configuration of the PHP framework has historically made it easy for programmers to unwittingly introduce security bugs into their code. These factors have meant that applications written in PHP have suffered from a disproportionate number of security vulnerabilities. In addition to this, several defects have existed within the PHP platform itself, which could often be exploited via applications running on it.


NEXT is ..Client-Side Functionality…….,