Chapter 7. Performing Web Server Attacks


Understanding Web Languages

The introduction of the Internet has caused an explosion of technology and resulted in a race to see who will provide the dominant web server and backend languages. HTML, the backbone of the web presentation, does not seem to be going away anytime soon, but there is also the race for which web server technology and scripting programmers will use. For example, Microsoft is pushing the Active Server Pages (ASP) and .NET services to aid programmers in dynamic content; however, Sun and IBM are pushing their own engines, too: .jhtml and .jsp. With so many possible technologies, as you will see in the rest of the chapter, it is easy to switch from one platform to another without perhaps ever really acquiring a specialist on any single platform. This leaves penetration testers and web hackers with common and predictable website implementations that are not totally secure. Furthermore, penetration testers and web hackers might possibly find sample or demo code on websites, or even poorly designed (and insecure) websites. Every day, websites are defaced and exploited because of lack of total knowledge about web language, design, and server configuration.

This first section covers several of the web languages and some of their history. However, this is only one chapter with a subject that is immense and could easily expand into several detailed books. You should continue to increase your knowledge of the basic languages one by one until you become a well-versed web penetration tester. Remember: The more you know, the faster and better you will be able to pick apart a website looking for clues and avenues of entry into the server of the victim.

Table 7-1 lists some of the web extensions you will come across on the web. This should aid you in narrowing what web language a target is using on his backend.

Table 7-1. Web Extensions

| File Extension | Client or Server Side | Description |
|---|---|---|
| .htm, .html, or .html4 | Client-side | HTML |
| .dhtml or a nonrecognizable file extension | Client-side | Dynamic HTML |
| .xml | Client-side | Extensible markup language |
| .js | Client and server side | JavaScript |
| .xhtml | Client-side | HTML combined with XML |
| .asp | Server-side | Active Server Pages |
| .php, .php3, or .phtml | Server-side | Personal Home Page |
| .cfm | Server-side | ColdFusion |
| .pl | Server-side | Perl |
| .cgi or cgi-bin | Server-side | Common Gateway Interface |
| .jsp | Server-side | JavaServer Pages |
| .jhtml | Server-side | Sun JavaSoft |
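The extension lookup in Table 7-1, applied from the defender's side as an added example (not code from the book): it reads access log lines and reports which server-side technologies your own URLs disclose. The log lines, the function names, and the handling of path parameters, PATH_INFO, and cgi-bin directories are assumptions made for this illustration.

```python
import re
from collections import Counter
from posixpath import splitext
from urllib.parse import urlsplit, unquote

CLIENT, SERVER, BOTH = "client", "server", "client and server"
# Table 7-1 as data: extension -> (side, description).
TABLE_7_1 = {
    ".htm": (CLIENT, "HTML"), ".html": (CLIENT, "HTML"), ".html4": (CLIENT, "HTML"),
    ".dhtml": (CLIENT, "Dynamic HTML"), ".js": (BOTH, "JavaScript"),
    ".xml": (CLIENT, "Extensible markup language"), ".xhtml": (CLIENT, "HTML combined with XML"),
    ".asp": (SERVER, "Active Server Pages"), ".cfm": (SERVER, "ColdFusion"),
    ".php": (SERVER, "Personal Home Page"), ".php3": (SERVER, "Personal Home Page"),
    ".phtml": (SERVER, "Personal Home Page"), ".pl": (SERVER, "Perl"),
    ".cgi": (SERVER, "Common Gateway Interface"), ".jsp": (SERVER, "JavaServer Pages"),
    ".jhtml": (SERVER, "Sun JavaSoft"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return (side, description) for a request URL, or None if nothing matches."""
    raw = urlsplit(url).path.split("/")
    # Drop path parameters (;jsessionid=...) before decoding each segment.
    segments = [unquote(s.split(";", 1)[0]).lower() for s in raw if s]
    hits = [TABLE_7_1.get(splitext(s)[1]) for s in segments]
    # PATH_INFO may follow a script (/get.php/report.html): first server-side hit wins.
    for hit in hits:
        if hit and hit[0] == SERVER:
            return hit
    if "cgi-bin" in segments:
        return TABLE_7_1[".cgi"]
    return hits[-1] if hits else None

def disclosed_backends(log_lines):
    """Count requests per server-side technology visible in logged URLs."""
    seen = Counter()
    for line in log_lines:
        m = REQUEST.search(line)
        hit = classify(m.group(1)) if m else None
        if hit and hit[0] == SERVER:
            seen[hit[1]] += 1
    return seen

# Constructed sample requests (documentation address range), not real traffic.
LOG = ['192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "%s HTTP/1.1" 200 512' % r
       for r in ("GET /index.html", "GET /shop/cart.asp?id=7",
                 "POST /login.jsp;jsessionid=0A1B2C?next=%2Fhome",
                 "GET /get.php/report.html", "GET /cgi-bin/view/doc.html",
                 "GET /cgi-bin/search.pl?q=x", "GET /News.CFM", "GET /images/logo.png")]
```

An empty result from disclosed_backends() over your own logs means the URLs themselves do not reveal the backend through their extensions; it says nothing about other sources such as response headers.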



Note

Look at the W3Schools website (http://www.w3schools.com/w3c/default.asp) for great tutorials and information about web technologies and languages.



A basic timeline of when each web language or technology started to reach the market also helps to give you an idea of which technologies are new and which are really old (and thus less used today):

1960 General Markup Language
1969 C Programming
1986 Standard Generalized Markup Language (SGML)
1987 Perl
1989 HTML
1991 Java private to Sun only, Visual Basic 1.0
1993 CGI
1995 ColdFusion, PHP, JavaScript; Java goes public
1996 XML was drafted, JScript, ASP
2000 XHTML

Tip

A great location for finding historical information or answers to technology questions is http://www.wikipedia.org/. This site has a free content encyclopedia with thousands of articles.



HTML

HTML is the de facto syntax used today to format web pages. When you open a web page, you see text in different colors, sizes, buttons, list boxes, pictures, and even links to other web pages. All standard web pages are formatted in a predefined structure of HTML. If you open them with a basic editor such as Notepad, you can see the source code used to format the web page. Figure 7-1 shows the source code for a sample web page, called hello.html, within Notepad. If you open the same file within the Internet Explorer or Mozilla Firefox browsers, however, all the element parts are removed and all your eyes see is neat, clean text, as demonstrated in Figure 7-2.

Figure 7-1. HTML in Notepad

Figure 7-2. HTML Displayed in Browsers



HTML is the syntax used to help give web pages all those pretty colors and features. Originally created in 1989 by Tim Berners-Lee, HTML is based on the slightly older language SGML and on elements. These elements help to tell the formatting program (Mozilla, for example) how to present the data on the screen of the user. For example, look at Figure 7-3.

Figure 7-3. HTML Formatting



The words "This is Wonderful" between the beginning tag and the ending tag are displayed in the title bars of the browsers. Next, you can see the word "Welcome," which is between an opening tag and a closing tag. This tells the browser that all text between these two tags should be bold. HTML was not made to be particularly sophisticated or to provide flashy moving content; rather, it is a static formatting language that has stood the test of time to become a great universal formatter.

As a penetration tester, the better you know HTML and all its ins and outs, the better you will be able to read and understand web pages. You can start to learn the basics at great sites such as these:

http://www.w3.org/MarkUp/

http://www.w3.org/People/Raggett/tidy/

Note

If you want to know more about the history of HTML, always hit the http://www.w3.org website. The World Wide Web Consortium oversees the standard. Also look at http://www.w3.org/People/Berners-Lee/, for notes from the founder of HTML.



DHTML

Dynamic HTML extends standard HTML by allowing control over web pages at the browser of the client. For example, if you go to a website that changes images, launches popup boxes, or has links that change color as you move your mouse over them, that site probably uses DHTML. Within the available elements list for HTML are several that can add tremendous programmer control and flexibility to create Flash animation and powerful web pages. DHTML is used on almost all the bigger websites because it enhances the customer experience. The DHTML in Example 7-1 demonstrates how to change color from black to yellow when you move your mouse over it. Then in Example 7-2, the DHTML provides two buttons to select all check boxes or deselect all check boxes. It does this by implementing a








onclick="makeCheck(this.form)">
onclick="makeUncheck(this.form)">
Hacker
Cracker
Pentester










XML

Like HTML, Extensible Markup Language (XML) was derived from the original SGML standard. It was the next step in the evolution of making data understandable by all types of platforms. Before XML, systems or applications sent data in a specific format that was typically understandable only between the two systems. One sample format was comma-separated value (CSV) files. CSV files were raw data separated by commas or tabs. If you were to open a CSV file that you did not actually create or know a great deal about, you would find it difficult to understand what every data point was. Formats like CSV were easy to make but not expandable or versatile. Then along came the concept of XML, where data can be described and is understandable within the file. XML comes in two parts: the document, which contains data; and the Document Type Definition (DTD), which describes what type of data is stored in the document. Example 7-3 is a DTD called ForSale.dtd that was created for houses for sale.

Example 7-3. Sample DTD
















