Web hacking
Basics
- Web pilfering: selectively download web sites and search the files off-line.
- Automated scripts: developed by advanced hackers for use by “script kiddies.” See SecurityInnovation for vulnerability scanners.
- IIS security: see the Microsoft Web Application Security guide to set up IIS, identify threats and create countermeasures.
- CGI: programming CGI with security in mind (W3.org), a compilation and index of CGI security resources, and SSI and CGI security.
- ASP vulnerabilities: HTML and program code in the same directory, the dot bug, and sample scripts (showcode and codebrws). See Microsoft ASP Security.
- Web vulnerability scanners are available for UNIX/Linux: Nikto and Whisker.
Poor Web design
- Misuse of hidden tags (hidden form fields carrying price, shipping, etc.), e.g. search for “type=hidden name=price”.
- SSI: disable exec (noexec) and pre-process user-supplied content for hidden code.
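The two “poor Web design” items above, as an added example that is not part of the original outline: a checkout handler that trusts the hidden price and shipping fields beside a hardened one that re-derives them from server-side state, and a pre-processing check that finds and strips SSI directives from user-supplied content before it is written under an SSI-enabled web root. The catalog, the function names and the sample form and guestbook entry are all constructed for this illustration.

```python
import re
from decimal import Decimal

# Constructed catalog standing in for the shop's database of record.
CATALOG = {
    "SKU-100": {"name": "Widget", "price": Decimal("19.99")},
    "SKU-200": {"name": "Gadget", "price": Decimal("49.00")},
}
FLAT_SHIPPING = Decimal("5.00")


def checkout_vulnerable(form):
    """The poor-design pattern: the order page emitted
    <input type="hidden" name="price" value="19.99"> and this handler
    believes whatever value comes back, so an edited form changes the total."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty + Decimal(form["shipping"])


def checkout_hardened(form):
    """Hardened handler: the only client input honoured is the product id and
    quantity; price and shipping are looked up server-side on every request."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[sku]["price"] * qty + FLAT_SHIPPING


# Any SSI directive of the form <!--#name attr="..." -->.  Matching the generic
# shape rather than only "exec" also catches include/echo variants.  On Apache
# the server-side counterpart is "Options +IncludesNOEXEC", which keeps SSI
# but refuses exec cmd/cgi; this check covers content that must never carry
# directives at all (comments, guestbook entries, uploaded pages).
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*([a-z]+)\b[^>]*-->", re.IGNORECASE)


def find_ssi_directives(content):
    """Return the directive names present in user-supplied content."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(content)]


def strip_ssi_directives(content):
    """Pre-process user content before it is stored under the web root."""
    return SSI_DIRECTIVE.sub("", content)


if __name__ == "__main__":
    # Constructed POST body with the hidden fields edited client-side.
    tampered = {"sku": "SKU-100", "qty": "2", "price": "0.01", "shipping": "0"}
    print("vulnerable total:", checkout_vulnerable(tampered))  # 0.02
    print("hardened total:  ", checkout_hardened(tampered))    # 44.98

    # Constructed guestbook entry carrying SSI directives in an HTML comment.
    entry = 'Nice site!<!--#exec cmd="uptime" --><!--#echo var="DATE_LOCAL" -->'
    print("directives:", find_ssi_directives(entry))   # ['exec', 'echo']
    print("cleaned:   ", strip_ssi_directives(entry))  # Nice site!
```

The hardened handler is the general rule behind the hidden-field item: nothing the browser echoes back (price, shipping, discount, user id) is authoritative, so the server keeps or recomputes it. The SSI check is a pre-processing step, not a replacement for disabling exec in the server configuration; both are needed where user content lands in an SSI-parsed directory.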