csci5931 web security1 more web hacking & tools: html source and site linkage analysis (mss...
csci5931 Web Security 2
Topics
A. Ch. 7 (Reading between the lines)
B. Ch. 8 (Site Linkage Analysis)
Reading between the lines
Whenever you view a Web page through a browser, you see only the browser’s interpretation and rendering of the content delivered to it.
A vast amount of information may be hidden from view: HTML comments, hidden input fields, <META> tags, JavaScript code, …
What you see isn’t necessarily what you get.
What you can’t see isn’t necessarily not there!
Source sifting: going through the HTML source of a Web page to find clues for Web hacking.
Manual source sifting can be a painstaking task. There exist automated source sifting techniques and tools.
Information leakage through HTML may seem trivial, but it adds pieces of information to the attacker’s toolbox.
Compare with source code disclosure attacks:
Techniques whereby the Web server is tricked into sending the source code of a script or an application without it being parsed or executed; the attacker gets to see the source code as it was coded in the original script.
Source sifting only lets the viewer see the HTML content generated by the script, not the actual code of the script.
Source Sifting using the Browser
Netscape Navigator:
View | Page Source
Internet Explorer:
View | Source
For the HTML specification, refer to http://www.w3.org/TR/html4/
Source Sifting: Clues to look for
A. HTML comments
revision history,
details about the developer/author,
cross-references to files and scripts,
reminders and placeholders,
comments inserted by Web application servers,
old “commented-out” code
B. Internal and external hyperlinks
Hyperlinks may link to resources within the same Web site or to resources on external Web sites.
<A HREF= …>
<FORM ACTION=…>
Studying hyperlinks helps to reveal how the
application is structured and thus may help to
identify the weak link.
C. E-mail addresses and usernames
<A HREF=mailto: … > or as part of the comments
“e-mail harvesting”: Using a Web crawler program to
gather e-mail addresses from Web pages
D. Keywords and meta tags
an HTML page = the HTML header + the body
The header holds information about the contents of
the body section, such as the title, the name of the
author, etc.
E. Hidden input fields
<INPUT TYPE=HIDDEN NAME=… VALUE=…>
Problems:
1. information leakage
2. possible tampering with the hidden fields
F. Client-side scripts
Problems: visible and modifiable by the users
Lessons: Use server-side scripts if possible.
Automated Source Sifting
wget http://www.gnu.org
grep
Sam Spade
Black Widow http://www.softbytelabs.com/
Teleport Pro (shareware, up to 40 trials before registration) http://www.tenmax.com/company/downloads.htm
Teleport Ultra (trial version available)
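As an added example (not part of the original slides), the Python sketch below automates sifting for clue classes A to F with the standard-library html.parser, the kind of check a site owner can run over generated pages before publishing them. The sample page, the class name SourceSifter and the function sift are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the slides) with one of each clue A-F.
SAMPLE = """<meta name="author" content="jdoe">
<!-- TODO: remove /backup/old_login.asp before launch -->
<a href="/catalog/index.html">Catalog</a>
<a href="mailto:webmaster@shop.example">Contact</a>
<form action="/cgi-bin/order.cgi" method="post">
<input type="hidden" name="price" value="49.99">
<input type="text" name="qty">
</form>
<script>var debug = true;</script>"""

class SourceSifter(HTMLParser):
    """Inventories clue classes A-F in one page's HTML source."""
    def __init__(self):
        super().__init__()
        self.found = {k: [] for k in "comments links emails meta hidden scripts".split()}
        self._in_script = False

    def handle_comment(self, data):                  # A. HTML comments
        self.found["comments"].append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}         # valueless attrs become ""
        self._in_script = (tag == "script")
        if tag == "a" and a.get("href", "").lower().startswith("mailto:"):
            self.found["emails"].append(a["href"][7:])            # C. e-mail
        elif tag == "a" and a.get("href"):
            self.found["links"].append(a["href"])                 # B. hyperlink
        elif tag == "form" and a.get("action"):
            self.found["links"].append(a["action"])               # B. form target
        elif tag == "meta":
            self.found["meta"].append((a.get("name"), a.get("content")))   # D.
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.found["hidden"].append((a.get("name"), a.get("value")))   # E.

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):                     # F. inline client-side script
        if self._in_script and data.strip():
            self.found["scripts"].append(data.strip())

def sift(html):  # returns the inventory to review before a page is published
    parser = SourceSifter()
    parser.feed(html)
    parser.close()
    return parser.found
```

Everything the function returns is visible to any visitor who views the page source, so values that must not leak or be modified belong on the server side.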
Site linkage analysis
• Method to understand the conceptual links between web resources and their functionality.
– the purpose of a web page
– its type
– the overall structure of the web site
The result: An inventory of web resources of a site
Automated tools
wget http://www.gnu.org
Black Widow http://www.softbytelabs.com/
Funnel web profiler http://www.quest.com/solutions/download.asp