Mapping web applications
Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.
“If you know your enemies and know yourself, you can win a hundred battles without a single loss. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself.” —Sun Tzu (http://en.wikipedia.org/wiki/The_Art_of_War)
• Reconnaissance attack — Probing of a system to provide attackers information on capabilities, vulnerabilities, and operation. (http://itlaw.wikia.com/wiki/Cyber_threat)
Web Security
Mapping the application
• Build a catalog of the application’s functionality and content
• Closely examine the target application:
  • every aspect of the application’s behavior
  • its resources (web pages, programs, …)
  • the employed technologies
  • its security mechanisms
Goal: to identify the application’s attack surface (see p. 111 for a list)
Enumerating the content
• Techniques
  • Manual browsing
  • Automatic browsing via web crawlers and spidering tools
Example: Burp Spider (http://portswigger.net/burp/spider.html)
Enumerating the content
Note: Web spidering alone has its limitations:
• May miss unusual navigation mechanisms (e.g., dynamically created menus)
• Cannot identify URLs in compiled objects
• May not supply data that passes fine-grained input validation checks
• Premature exit
• May not pass authentication
User-directed spidering: manual browsing aided with automatic tools
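The following is an added example, not code from the slides or from Stuttard & Pinto, that illustrates both the automatic-spidering technique from the previous slide and the first limitation listed above. A small breadth-first crawler builds a content catalog (pages, forms and their input names) from static links, staying on the start host, and then reports which pages of the site it never reached. The site, the host name app.example, and every page and form in it are constructed in memory for the demo, so the script runs offline; a link that only exists inside client-side script is deliberately included to show the blind spot that motivates user-directed spidering.

```python
"""Minimal spider over a constructed, in-memory site (added example).

Not code from the slides or the textbook. The host app.example, the pages
and the form below are constructed for the demo; fetch() stands in for an
HTTP GET so nothing touches the network.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed site. The link to /admin/reports is created only by script,
# so a crawler that parses static HTML never sees it.
SITE = {
    "https://app.example/": """
        <html><body>
        <a href="/login">Login</a>
        <a href="/about">About</a>
        <a href="https://cdn.example/lib.js">external</a>
        <script>
          var m = document.createElement('a');
          m.href = '/admin/reports'; document.body.appendChild(m);
        </script>
        </body></html>""",
    "https://app.example/login": """
        <html><body>
        <form action="/login" method="post">
          <input name="username"><input name="password" type="password">
        </form>
        </body></html>""",
    "https://app.example/about": "<html><body><a href='/'>Home</a></body></html>",
    "https://app.example/admin/reports": "<html><body>hidden reports</body></html>",
}


def fetch(url):
    """Stand-in for an HTTP GET: page body, or None when the page does not exist."""
    return SITE.get(url)


class LinkAndFormParser(HTMLParser):
    """Collects href targets and form descriptors (action, method, input names)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").lower(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def spider(start_url, max_pages=50):
    """Breadth-first crawl restricted to the start host; returns the catalog."""
    host = urlparse(start_url).netloc
    seen = {start_url}
    queue = deque([start_url])
    catalog = {"pages": [], "forms": [], "missing": []}
    while queue and len(catalog["pages"]) < max_pages:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            catalog["missing"].append(url)   # dangling link: record it, move on
            continue
        parser = LinkAndFormParser()
        parser.feed(body)
        catalog["pages"].append(url)
        for form in parser.forms:
            form["page"] = url
            form["action"] = urljoin(url, form["action"])  # resolve relative action
            catalog["forms"].append(form)
        for href in parser.links:
            target = urljoin(url, href)
            # stay in scope: same host only, each URL visited once
            if urlparse(target).netloc == host and target not in seen:
                seen.add(target)
                queue.append(target)
    return catalog


def unreached_pages(catalog, site=SITE):
    """Pages that exist on the site but the crawl never found: its blind spots."""
    return sorted(set(site) - set(catalog["pages"]))


if __name__ == "__main__":
    result = spider("https://app.example/")
    print("pages:", result["pages"])
    print("forms:", result["forms"])
    print("not reached by spidering:", unreached_pages(result))
```

Running the script catalogs three pages and the login form with its two input names, while /admin/reports stays in the unreached list; for a defender inventorying their own application, that gap is exactly the content a manual walk through the site (user-directed spidering) has to add to the catalog.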
Some questions
Q1. What are the differences between application pages and functional paths?
Q2. What are the techniques for identifying server-side technology?
Q3. After having learned the techniques of mapping web applications, as a defender, what are the lessons learned? That is, how would you protect your web applications against hackers’ mapping attempts?