File Inclusion Vulnerabilities

Many scripting languages support the use of include files. This facility enables developers to place reusable code components into individual files, and to include these within function-specific code files as and when they are needed. The code within the included file is interpreted just as if it had been inserted at the location of the …

Injecting into Web Scripting Languages

The core logic of most web applications is written in interpreted scripting languages like PHP, VBScript, and Perl. In addition to the possibilities for injecting into languages used by other back-end components, a key area of vulnerability concerns injection into the core application code itself. Exposure to this type of attack arises from two main …

Exploiting ODBC Error Messages (MS-SQL Only)

If you are attacking an MS-SQL database, then there are alternative ways available of discovering the names of database tables and columns, and of extracting useful data. MS-SQL generates extremely verbose error messages, which can be exploited in various ways. Enumerating Table and Column Names Recall the login function described earlier, which performs the following SQL …

Extracting Useful Data

In order to extract useful data from the database, you normally need to know the names of the tables and columns containing the data you wish to access. The main enterprise DBMSs contain a rich amount of database metadata that you can query to discover the names of every table and column within the database. …

Fingerprinting the Database

Most of the techniques described so far are effective against all of the common database platforms, and any divergences have been accommodated through minor adjustments to syntax. However, as we begin to look at more advanced exploitation techniques, the differences between platforms become more significant, and you will increasingly need to know which type of …

Injecting Code

The topic of code injection is a huge one, encompassing dozens of different languages and environments, and a wide variety of different attacks. It would be possible to write an entire book on any one of these areas, exploring all of the theoretical subtleties of how vulnerabilities can arise and be exploited. Because this is …

A Multi-Layered Privilege Model

Issues relating to access apply not only to the web application itself but also to the other infrastructure tiers which lie beneath it — in particular, the application server, the database, and the operating system. Taking a defense-in-depth approach to security entails implementing access controls at each of these layers to create several layers of …

Securing Access Controls

Access controls are one of the easiest areas of web application security to understand, although a well-informed, thorough methodology must be carefully applied when implementing them. First, there are several obvious pitfalls to avoid. These usually arise from ignorance about the essential requirements of effective access control or flawed assumptions about the kinds of requests that …

Log, Monitor, and Alert

The application’s session management functionality should be closely integrated with its mechanisms for logging, monitoring, and alerting, in order to provide suitable records of anomalous activity and enable administrators to take defensive actions where necessary: ■ The application should monitor requests that contain invalid tokens. Except in the most trivially predictable cases, a successful attack …

Securing Session Management

The defensive measures that web applications must take to prevent attacks on their session management mechanisms correspond to the two broad categories of vulnerability that affect those mechanisms. In order to perform session management in a secure manner, an application must generate its tokens in a robust way and must protect these tokens throughout their …