
csci5931 Web Security: More Web Hacking & Tools: HTML Source and Site Linkage Analysis (MSS book: McClure, Shah & Shah, Web Hacking: Attacks and Defense)




Slide 2: Topics
A. Ch. 7 (Reading between the lines)
B. Ch. 8 (Site Linkage Analysis)

Slide 3: Reading between the lines
- Whenever you view a Web page through a browser, you see only the browser's interpretation and rendering of the content delivered to it.
- A vast amount of information may be hidden from view: HTML comments, hidden input fields, meta tags, JavaScript code, ...
- What you see isn't necessarily what you get.
- What you can't see isn't necessarily not there!

Slide 4: Reading between the lines
- Source sifting: going through the HTML source of a Web page to find clues for Web hacking.
- Manual source sifting can be a painstaking task.
- Automated source sifting techniques and tools exist.
- Information leakage through HTML may seem trivial, but each leaked detail adds another piece to the attacker's toolbox.

Slide 5: Reading between the lines
- Cf. source code disclosure attacks: techniques whereby the Web server is tricked into sending the source code of a script or application without parsing or executing it, so the attacker sees the code exactly as it was written.
- Source sifting is different: it only lets the viewer see the HTML output generated by the script, not the script's own code.

Slide 6: Source Sifting using the Browser
- Netscape Navigator: View | Page Source
- Internet Explorer: View | Source
- (Current browsers: "View Page Source" in the page's context menu, or prefix the URL with view-source:)
- For the HTML specification, refer to http://www.w3.org/TR/html4/

Slide 7: Source Sifting: Clues to look for
A. HTML comments: revision history, details about the developer/author, cross-references to files and scripts, reminders and placeholders, comments inserted by Web application servers, old "commented-out" code

Slide 8: Source Sifting: Clues to look for
B. Internal and external hyperlinks: hyperlinks may point to resources within the same Web site or to resources on external Web sites. Studying the hyperlinks reveals how the application is structured and may help to identify the weakest link.

Slide 9: Source Sifting: Clues to look for
C. E-mail addresses and usernames, appearing in mailto: links or as part of the comments. "E-mail harvesting": using a Web crawler program to gather e-mail addresses from Web pages.
D. Keywords and meta tags: an HTML page = the HTML header (head) + the body. The header holds information about the contents of the body section, such as the title, the name of the author, keywords, the generating software, etc.

Slide 10: Source Sifting: Clues to look for
E. Hidden input fields. Problems: 1. information leakage; 2. the hidden fields can be tampered with by the user before the form is submitted.
F. Client-side scripts. Problem: visible and modifiable by the user, so any check they perform can be bypassed.
Lesson: do validation and enforcement in server-side scripts; client-side scripts cannot be relied on for security.
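The following is an added example, not code from the slides or the MSS book, showing what points E and F mean in practice: a checkout form carries the unit price in a hidden field and checks the quantity in JavaScript, and an attacker who saves the page, edits it and resubmits (or edits the request in a proxy) controls both values. The catalogue, SKUs, prices and posted bodies are constructed for the demo.

```python
# Added example (not from the slides or the MSS book): why hidden input fields
# and client-side checks cannot be trusted. The vulnerable handler charges
# whatever price the hidden field says and assumes the browser's JavaScript
# already validated the quantity; the hardened handler looks the price up
# server-side and re-validates everything it uses.
from urllib.parse import parse_qs

# Hypothetical server-side price list: the only source of truth for prices.
CATALOGUE = {"sku-100": 4999, "sku-200": 12000}  # prices in cents

# Constructed request bodies: what the unmodified form posts, a body with the
# hidden price rewritten, and a body that bypasses the JavaScript qty check.
HONEST_POST = "sku=sku-100&price=4999&qty=1"
TAMPERED_PRICE_POST = "sku=sku-100&price=1&qty=1"
TAMPERED_QTY_POST = "sku=sku-100&price=4999&qty=-3"


def vulnerable_checkout(body: str) -> int:
    """Trusts the hidden 'price' field and the client-side quantity check.

    Returns the amount that would be charged, in cents.
    """
    form = parse_qs(body)
    price = int(form["price"][0])
    qty = int(form["qty"][0])
    return price * qty


def hardened_checkout(body: str) -> int:
    """Ignores any client-supplied price and re-validates qty on the server."""
    form = parse_qs(body)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    # 'price' is deliberately never read from the form.
    return CATALOGUE[sku] * qty


def try_checkout(handler, body: str):
    """Run a handler and report either the charge or the rejection reason."""
    try:
        return ("charged", handler(body))
    except ValueError as exc:
        return ("rejected", str(exc))
```

Run both handlers over the three bodies to see the difference: the vulnerable one charges 1 cent for the tampered price and a negative amount for the negative quantity, while the hardened one charges the catalogue price or rejects the request.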

Slide 11: Automated Source Sifting
- wget (http://www.gnu.org/)
- grep
- Sam Spade
- Black Widow (http://www.softbytelabs.com/)
- Teleport Pro (shareware, up to 40 trials before registration) and Teleport Ultra (trial version available): http://www.tenmax.com/company/downloads.htm
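As an added example (not from the slides, the MSS book or any of the tools above), here is a small automated source sifter that pulls the clues of slides 7 to 10 out of a page's HTML: comments, internal and external hyperlinks, e-mail addresses (from mailto: links, comments and text), meta tags, hidden input fields and inline scripts. The sample page, its host name, author and file names are constructed for the demo.

```python
# Added example (not from the slides or the MSS book): an automated source
# sifter built on the standard-library HTML parser. Feed it the HTML of a page
# (for instance a file saved by wget) together with the URL it was fetched
# from, and it returns the clues from slides 7-10 grouped by kind.
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (hypothetical site, names and paths).
SAMPLE_HTML = """<html><head>
<title>Order form</title>
<meta name="author" content="jdoe">
<meta name="generator" content="ExampleCMS 2.1">
<!-- TODO: remove /admin/old_login.asp before go-live (jdoe 2003-04-01) -->
</head><body>
<a href="/products.asp">Products</a>
<a href="http://partner.example.net/feed">Partner</a>
<a href="mailto:webmaster@example.com">Contact</a>
<!-- <a href="/admin/old_login.asp">admin</a> -->
<form method="POST" action="/checkout.asp">
  <input type="hidden" name="price" value="4999">
  <input type="hidden" name="debug" value="0">
</form>
<script>function check(f){ return f.qty.value > 0; }</script>
</body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class Sifter(HTMLParser):
    """Collects comments, links, e-mails, meta tags, hidden fields, scripts."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.base_host = urlsplit(base_url).netloc
        self.found = {"comments": [], "internal": [], "external": [],
                      "emails": set(), "meta": {}, "hidden": [], "scripts": []}
        self._in_script = False

    def handle_comment(self, data):
        self.found["comments"].append(data.strip())
        self.found["emails"].update(EMAIL_RE.findall(data))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            href = a["href"]
            if href.lower().startswith("mailto:"):
                self.found["emails"].add(href[7:].split("?")[0])
            else:
                full = urljoin(self.base_url, href)
                same_host = urlsplit(full).netloc == self.base_host
                self.found["internal" if same_host else "external"].append(full)
        elif tag == "meta" and a.get("name"):
            self.found["meta"][a["name"]] = a.get("content", "")
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            self.found["hidden"].append((a.get("name"), a.get("value")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here as data while inside <script>.
        if self._in_script and data.strip():
            self.found["scripts"].append(data.strip())
        self.found["emails"].update(EMAIL_RE.findall(data))


def sift_html(html, base_url):
    """Parse one page and return the grouped clues as a dict."""
    s = Sifter(base_url)
    s.feed(html)
    s.close()
    s.found["emails"] = sorted(s.found["emails"])
    return s.found
```

To use it on a real site you are authorized to test, mirror the pages first (for example `wget -r -l 1 -np http://target/`) and call `sift_html()` on each saved file with its original URL; the commented-out admin link and the hidden `debug` field in the sample are the kind of find that makes the sifting worthwhile.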

Slides 12-15: Teleport Pro - New project wizard (screenshots)

Slides 16-19: Teleport Pro (screenshots)

Slide 20: Topics
B. Ch. 8 (Site Linkage Analysis)

Slide 21: Site linkage analysis
- A method to understand the conceptual links between Web resources and their functionality:
  - the purpose of a Web page
  - its type
  - the overall structure of the Web site
- The result: an inventory of the Web resources of a site

Slide 22: Procedure of site linkage analysis (diagram)

Slide 23: Automated tools
- wget (http://www.gnu.org/)
- Black Widow (http://www.softbytelabs.com/)
- Funnel Web Profiler (http://www.quest.com/solutions/download.asp)
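As an added example (not from the slides, the MSS book or any of the tools above), here is a small offline site linkage analysis of the kind slides 21 and 22 describe: it crawls a site from its start page, follows only same-host links, and produces an inventory of every resource found, a first-cut type for each, which pages link to it and which pages it links to. The mini-site, its URLs and page contents are constructed in memory; `fetch()` is a stand-in for an HTTP client.

```python
# Added example (not from the slides or the MSS book): a breadth-first crawler
# that builds the resource inventory of a site. Replace fetch() with a real
# HTTP GET (urllib.request, requests) to run it against a host you are
# authorized to test.
import re
from collections import deque
from urllib.parse import urljoin, urlsplit, urldefrag

# Constructed mini-site (hypothetical): absolute URL -> HTML body.
SITE = {
    "http://www.example.com/":
        '<a href="/catalog.asp">Catalog</a> <a href="/login.asp">Login</a> '
        '<a href="http://partner.example.net/">Partner</a>',
    "http://www.example.com/catalog.asp":
        '<a href="/item.asp?id=1">Item 1</a> <a href="/item.asp?id=2">Item 2</a> '
        '<a href="/">Home</a>',
    "http://www.example.com/item.asp?id=1":
        '<form action="/cart.asp"><a href="/catalog.asp">Back</a></form> '
        '<img src="/img/1.jpg">',
    "http://www.example.com/item.asp?id=2": '<a href="/catalog.asp">Back</a>',
    "http://www.example.com/login.asp":
        '<form action="/auth.asp"></form> <a href="/">Home</a>',
}


def fetch(url):
    """Stand-in for an HTTP GET; None means the resource could not be fetched."""
    return SITE.get(url)


# Hyperlinks, form targets and embedded resources; a regex is enough here.
LINK_RE = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)


def classify(url):
    """First cut at the 'type' of a resource, judged from its URL alone."""
    parts = urlsplit(url)
    if re.search(r"\.(jpe?g|gif|png|css|js)$", parts.path, re.I):
        return "static"
    if parts.query:
        return "dynamic (takes parameters)"
    if re.search(r"login|auth|admin", parts.path, re.I):
        return "authentication"
    return "page"


def crawl(start, max_fetches=200):
    """Return (inventory, external).

    inventory maps each same-host URL to its type, the URLs it links to, the
    URLs linking to it and whether it could be fetched; external is the set
    of off-site link targets seen along the way.
    """
    host = urlsplit(start).netloc
    inventory, external = {}, set()
    queue, seen = deque([start]), {start}

    def entry(url):
        return inventory.setdefault(url, {"type": classify(url), "links_to": set(),
                                          "linked_from": set(), "fetched": False})

    fetches = 0
    while queue and fetches < max_fetches:
        url = queue.popleft()
        body = fetch(url)
        fetches += 1
        here = entry(url)
        if body is None:
            continue  # dead or unreachable: stays in the inventory, unfetched
        here["fetched"] = True
        for raw in LINK_RE.findall(body):
            target, _fragment = urldefrag(urljoin(url, raw))
            if urlsplit(target).netloc != host:
                external.add(target)
                continue
            here["links_to"].add(target)
            entry(target)["linked_from"].add(url)
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return inventory, external


def weak_links(inventory):
    """Resources worth a closer look: parameterised, auth-related or unfetchable."""
    return sorted(u for u, e in inventory.items()
                  if not e["fetched"] or e["type"] not in ("page", "static"))
```

On the constructed site the crawl finds eight internal resources from five fetched pages, one external link, two parameterised pages, two authentication-related resources, and three targets (`cart.asp`, `auth.asp`, `img/1.jpg`) that are referenced but could not be fetched; those are exactly the entries an attacker or a reviewer would examine first.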

Slides 24-29: Site linkage analysis (example) - Funnel Web Profiler (screenshots)

