3.2 Viewing the Source, Advanced

Figure 3-2. Searching for Amazon in bookmarks

To filter out portions of the page in the source chart, click the HTML tag at the top of that portion; the box folds, and further searches will not find text in that area. For instance, in Figure 3-2, the top definition term (a <dt> tag) is folded, and thus not searched.


While this may seem a trivial task, using a tool like this to view the source saves time. For instance, the simple-looking pages on http://apple.com regularly include upward of 3,000 lines of code.

The Source Chart parses the HTML and displays HTML tags in nested boxes. Clicking on any one box hides it for the moment and excludes that hidden area from searching. This functionality excels when dealing with templates, as one can locate the particular template areas under test and hide everything else.

When running through many test cases, each requiring manual HTML validation, one can copy and paste the test case's expected result straight into the Find field.

Often, when viewing a page's source, one will see frame elements (a <frame> or <iframe> tag). These frames include another page of HTML, which the normal source viewer does not show.

With View Source Chart, one can view the HTML of a frame by left-clicking anywhere within that frame before right-clicking to select "View Source Chart." Injecting or manipulating frames is a common pattern in cross-site scripting and HTML injection attacks. If the page is vulnerable, frames allow an attacker to create a frame that covers the entire page, substituting attacker-controlled content for the real thing. This is discussed in detail in Recipe 12.2.

While some will use command-line tools to fetch and parse web pages, as we'll discuss in Chapter 8, attackers often view the effects of failed attacks in the source. An attacker can find a way around defenses by observing what is explicitly protected, and slogging through the source is often a useful exercise. For instance, if your application filters out quotes in user input (to prevent JavaScript or SQL injection, perhaps), an attacker might try these substitutes to see which make it past the filter and into the source code:

Unbalanced quotes
Accent grave
HTML entities
Escaped quotes
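The probing described above, as an added example that is not from the book: a hypothetical filter that deletes quotes is fed one payload per substitute category, and the output is checked the way an attacker reads the source, for a raw delimiter character or a quote entity that a later decoding step would turn into one. The filter, the entity decoder and the payloads are all constructed for this illustration; the contrast is with encoding at output time, which is the actual fix.

```javascript
// Added example (not from the book): a hypothetical "delete the quotes" input
// filter, probed with the four substitutes listed above, beside the fix, which is
// encoding for the output context instead of deleting characters.

// Hypothetical blacklist filter: strips straight double and single quotes.
function naiveQuoteFilter(input) {
  return input.replace(/["']/g, "");
}

// Many applications decode entities somewhere after the filter (a template
// helper, a second rendering pass). Modelled here for the quote entities only.
function decodeQuoteEntities(input) {
  return input.replace(/&quot;|&#34;|&#x22;/gi, '"');
}

// The fix: HTML-encode at the point of output. Nothing is removed, so there is
// no filter to evade; the characters simply never act as delimiters.
function htmlEscape(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return input.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Constructed probes, one per substitute. Each tries to close a double-quoted
// attribute (think <input value="...">) and append an event handler.
const PROBES = {
  unbalancedQuote: 'x" onmouseover="alert(1)',
  accentGrave: "x` onmouseover=`alert(1)",
  htmlEntities: "x&quot; onmouseover=&quot;alert(1)",
  escapedQuotes: 'x\\" onmouseover=\\"alert(1)',
};

// Run every probe through a pipeline and record what reaches the page source:
// a raw delimiter character, or a quote entity that a later decode would turn
// into one. This is the check the attacker performs by reading the source.
function probe(pipeline) {
  const report = {};
  for (const [name, payload] of Object.entries(PROBES)) {
    const output = pipeline(payload);
    report[name] = {
      output,
      rawQuote: /["'`]/.test(output),
      quoteEntity: /&quot;|&#34;|&#x22;/i.test(output),
    };
  }
  return report;
}

// Three pipelines: the filter alone, the filter followed by an entity decode
// elsewhere in the app, and proper output encoding with no filter at all.
const filterOnly = probe(naiveQuoteFilter);
const filterThenDecode = probe((s) => decodeQuoteEntities(naiveQuoteFilter(s)));
const encodedOutput = probe(htmlEscape);

// Which probes get a raw delimiter into the source for a given pipeline.
function survivors(report) {
  return Object.keys(report).filter((k) => report[k].rawQuote);
}

console.log("filter only:", survivors(filterOnly));
console.log("filter + decode:", survivors(filterThenDecode));
console.log("encoded output:", survivors(encodedOutput));
```

The filter alone lets the accent grave straight through and passes the entity form untouched as text; add an entity decode anywhere downstream and the entity probe also yields a raw quote. The unbalanced and backslash-escaped forms lose their quote to the filter, which is exactly what an attacker learns from the source before trying the next variant. Output encoding leaves no raw delimiter in any case.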


Some revealing tidbits to look for are the ever-popular hidden form fields, as discussed in Recipe 3.4. You can find these by viewing the HTML source and searching for the string hidden. As that recipe discusses, hidden fields can often be manipulated more easily than it would seem.

Often, form fields will be validated locally via JavaScript. It's easy to locate the relevant JavaScript for a form or area by examining the typical JavaScript events, such as onClick or onLoad. These are discussed in Recipe 3.10, and you'll learn how to circumvent these checks in Chapter 8, but first it's nice to be able to look them up quickly.

Simple reconnaissance shines in finding defaults for a template or platform. Check the meta tags, the comments, and header information for clues about which framework or platform the application was built on. For example, if you find WordPress markup lying around, you want to make sure you know about any recent WordPress template
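The items this recipe says to look for (frames, hidden fields, inline event handlers, generator meta tags, comments) collected in one pass over a page's source, as an added example that is not from the book. The sample page is constructed for the illustration; every host, field name and version string in it is made up. It is regex-based so it runs in Node without a DOM, which is adequate for triage but not a substitute for a real HTML parser.

```javascript
// Added example (not from the book): a source-reconnaissance pass over a page's
// HTML that pulls out what the text says to look for: frames, hidden form
// fields, inline JavaScript event handlers, generator meta tags and comments.
// Regex-based so it runs in Node without a DOM: fine for triage, not a parser.

// Constructed sample page; every host, field name and version here is made up.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 2.7" />
<!-- TODO: remove /debug.php before launch -->
<title>Shop</title>
</head>
<body onload="init()">
<iframe src="http://ads.example.test/banner.html"></iframe>
<form action="/checkout" method="post" onsubmit="return validate(this)">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="isAdmin" value="0">
  <input type="text" name="qty" onchange="recalc()">
  <a href="#" onclick="addCoupon()">Have a coupon?</a>
</form>
</body></html>`;

// Collect every match of a global regex, mapped through pick().
function findAll(html, regex, pick) {
  return Array.from(html.matchAll(regex), pick);
}

// Pull one attribute value out of a tag's text, or null if absent.
function attr(tag, name) {
  const m = new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
  return m ? m[1] : null;
}

function reconSource(html) {
  return {
    // Framed content: another document the normal source view does not show.
    frames: findAll(html, /<i?frame\b[^>]*>/gi, (m) => attr(m[0], "src")),
    // Hidden fields: client-side state the server may trust more than it should.
    hiddenFields: findAll(html, /<input\b[^>]*\btype\s*=\s*["']hidden["'][^>]*>/gi,
      (m) => ({ name: attr(m[0], "name"), value: attr(m[0], "value") })),
    // Inline handlers: where client-side validation lives (onClick, onLoad, ...).
    eventHandlers: findAll(html, /\s(on[a-z]+)\s*=\s*["']([^"']*)["']/gi,
      (m) => ({ event: m[1].toLowerCase(), code: m[2] })),
    // Platform fingerprints left in place by a template or CMS.
    generators: findAll(html, /<meta\b[^>]*\bname\s*=\s*["']generator["'][^>]*>/gi,
      (m) => attr(m[0], "content")),
    // Comments: debug notes, disabled markup, leftover paths.
    comments: findAll(html, /<!--([\s\S]*?)-->/g, (m) => m[1].trim()),
  };
}

// Hidden fields whose names suggest the server trusts them for money or
// authorization decisions: the ones worth trying to tamper with first.
function suspiciousHiddenFields(recon) {
  return recon.hiddenFields
    .filter((f) => /price|total|discount|admin|role|level|uid/i.test(f.name || ""))
    .map((f) => f.name);
}

const recon = reconSource(SAMPLE_HTML);
console.log(JSON.stringify(recon, null, 2));
console.log("tamper candidates:", suspiciousHiddenFields(recon));
```

On a real page, run reconSource over the HTML saved from the browser (or fetched with the command-line tools of Chapter 8) and over each framed document separately, since a frame's source is a different page. The name list in suspiciousHiddenFields is a starting heuristic, not a rule; any hidden field the server acts on is a candidate.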


If you notice that a lot of the default third-party code was left in place, you may have a potential security issue. Try researching a bit online to find out what the default administration pages and passwords are. It's amazing how many security precautions can be bypassed by trying the default username (admin) and password (admin). Basic observation of this type is crucial when so many platforms are insecure out of the box.

3.2 Viewing the Source, Advanced | 35

Figure 3-3. Firebug dissecting benwalther.net

3.3 Observing Live Request Headers with Firebug


When conducting a thorough security evaluation, typically a specialist will construct a trust boundary diagram. These diagrams detail the exchange of data between various software modules, third parties, servers, databases, and clients, all with varying degrees of trust.

By observing live request headers, you can see exactly which pages, servers, and actions the web-based client accesses. Even without a formal trust boundary diagram, knowing what the client (the web browser) accesses reveals potentially dangerous dependencies.


In Firefox, open Firebug via the Tools menu. Be sure to enable Firebug if you have not already. Select the Net tab, then browse to any website. In the Firebug console, you'll see various lines show up, as shown in Figure 3-3.

Each line corresponds to one HTTP request and is titled according to the request's URL. Mouse over the request line to see the URL requested, and select the plus sign next to a request to reveal the exact request headers. You can see an example in Figure 3-4, but please don't steal my session (details on stealing sessions can be found in Chapter 9).
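Reading an expanded request the way you would in Firebug, as an added example that is not from the book: the raw request is parsed into its request line and headers, then triaged for what carries the session (the part the warning above is about), where the browser says it came from, whether the request leaves the host that served the page, and the conditional headers that make a second visit to the same page produce different traffic. The captured request is constructed; the host, cookie name and validator values are made up.

```javascript
// Added example (not from the book): reading a captured request the way you
// would read the expanded headers in Firebug. The request below is constructed;
// the host, cookie name and validator values are made up.

const CAPTURED_REQUEST = [
  "GET /account/orders?page=2 HTTP/1.1",
  "Host: www.example.com",
  "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0",
  "Accept: text/html,application/xhtml+xml",
  "Referer: http://www.example.com/account/",
  "Cookie: PHPSESSID=9f2c0a7e4b1d8e6f; theme=dark",
  "If-Modified-Since: Tue, 04 Nov 2008 10:00:00 GMT",
  'If-None-Match: "5a1b3c"',
  "",
  "",
].join("\r\n");

// Split a raw request into its request line and a header map (names
// lower-cased, repeated headers joined with commas as RFC 2616 allows).
function parseRequest(raw) {
  const [requestLine, ...rest] = raw.split(/\r?\n/);
  const [method, target, version] = requestLine.split(" ");
  const headers = {};
  for (const line of rest) {
    if (line === "") break;                 // blank line ends the header block
    const idx = line.indexOf(":");
    if (idx === -1) continue;               // tolerate a stray line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return { method, target, version, headers };
}

// Cookie header "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Triage of one request: what would let someone replay it as you (the
// session), where the browser says it came from, whether it goes to a host
// other than the one that served the page, and the conditional headers that
// make a second visit to the same page look different from the first.
function triage(req) {
  const h = req.headers;
  const jar = parseCookies(h.cookie || "");
  let referrerHost = null;
  try { referrerHost = new URL(h.referer).host; } catch (e) { /* no or bad Referer */ }
  return {
    credentialHeaders: ["cookie", "authorization"].filter((n) => n in h),
    sessionCookies: Object.keys(jar).filter((n) => /sess|sid|auth|token/i.test(n)),
    referrerHost,
    thirdParty: referrerHost !== null && referrerHost !== h.host,
    conditional: ["if-modified-since", "if-none-match"].filter((n) => n in h),
  };
}

const request = parseRequest(CAPTURED_REQUEST);
const summary = triage(request);
console.log(request.method, request.target, summary);
```

Run triage over every request Firebug lists for one page load, not just the first: the ones where thirdParty is true are the dependencies a trust boundary diagram would draw a line around, and the ones carrying a session cookie to such a host deserve a hard look. The conditional headers only appear once the browser has cached the resource, which is why the same page can produce a different list of requests on the second visit.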

36 | Chapter 3: Basic Observation

Figure 3-4. Firebug inspecting request headers

Figure 3-5. Basic web request model (web browser and web server)


Threat modeling and trust boundary diagrams are a great exercise for assessing the security of an application, but they are a subject worthy of a book unto themselves. However, the first steps are to understand dependencies and how portions of the application fit together. This basic understanding provides quite a bit of security awareness without the effort of a full assessment. For our purposes, we're looking at something as simple as what is shown in Figure 3-5. A browser makes a request, the server thinks about it, and then responds.

In fact, you'll notice that your browser makes many requests on your behalf, even though you requested only one page. These additional requests retrieve components of the page such as graphics or style sheets. You may even see some variation just visiting the same page twice. If your browser has already cached some elements (graphics, style

3.3 Observing Live Request Headers with Firebug | 37
