The Only Way to Stop a Hacker Is to Think Like One
Technical Editor: Larry Loeb, Cover Designer: Michael Kavish, Technical Reviewer: Adam Sills and Vitaly Osipov, Page Layout and Art by: Shannon Tozier, Acquisitions Editor: Catherine B. Nolan, Copy Editor: Adrienne Rebello, Developmental Editor: Jonothan Babcock, Indexer: Nara Wood
‘ken’@ftu, Dr. Everett F. Carter, Jr., Jeremy Faircloth, Curtis Franklin, Jr., Larry Loeb Technical Editor
Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of
Security Intelligence Services for Business. Hal functions as a Senior
Analyst, performing research and analysis of vulnerabilities, malicious
code, and network attacks. He provides the SecurityFocus team with
UNIX and Network expertise. He is also the manager of the UNIX
Focus Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD,
and Focus-GeneralUnix mailing lists.
Hal has worked the field in jobs as varied as Senior Systems and
Network Administrator of an Internet Service Provider, contractor to the
United States Defense Information Systems Agency, and Enterprise-level
consultant for Sprint. He is also a veteran of the United States Navy
Hospital Corps, having served a tour with the 2nd Marine Division at
Camp Lejeune, NC as a Fleet Marine Force Corpsman. Hal is mobile,
living between sunny Phoenix, AZ and wintry Calgary, Alberta, Canada.
Rooted in the South, he still calls Montgomery, AL home.
Curtis Franklin, Jr. is President and Editorial Director of CF2 Group.
CF2 Group is a technology assessment and communications firm headquartered
in Gainesville, FL. CF2 Group provides technology assessment,
product review, competitive product comparison and editorial creative
services to manufacturers, end-user organizations and publications across
the high-tech spectrum. Curtis provides leadership and principal creative
input to project technologies ranging from embedded systems to Web-based
enterprise infrastructure.
Curtis is the Founder of two major industry testing labs, the BYTE
Testing Lab and Client/Server Labs. He has published over 1,400 articles
in his career, and has led performance and technology assessment projects
for clients including IBM, Intel, Microsoft, and HP. Curtis holds a bachelor’s
degree from Birmingham-Southern College. He lives in Gainesville,
FL with his family, Carol and Daniel.
Curtis is grateful for the unending support and encouragement of his
wife, Carol, who has been a source of love and inspiration for so very long.
Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network
Security Services (a division of Taygeta Scientific Inc.). He is also
CEO/CTO of CaphNet, Inc. Skip has expert level knowledge of multiple
programming/scripting languages (Ada, C, C++, C+ FORTRAN, Forth,
Perl, HTML, WML, and XML) as well as multiple operating systems
(DOS, NT, PalmOS, Unix: SYSV, BSD and Linux). Skip, through Taygeta
Network Security Services, is the “tip of the sword” for Internet intrusion
investigation and network security assessments. Taygeta Scientific Inc. provides
contract and consulting services in the areas of scientific computing,
smart instrumentation, and specialized data analysis. CaphNet, Inc. is a
start-up providing WML, cHTML and xHTML Browser Software
Platforms for mobile devices.
Skip holds both a Ph.D. and master’s in Applied Physics from Harvard
University. In addition, he holds two bachelor’s degrees from the
Massachusetts Institute of Technology—one in Physics and the other in
Earth and Planetary Sciences (Geophysics). Skip is a member of the
American Society for Industrial Security (ASIS). He has authored several
articles for Dr. Dobb’s Journal and Computer Language magazines as well as
numerous scientific articles and is a past columnist for Forth Dimensions
magazine. Skip resides in Monterey, CA with his wife of 17 years, Trace
and their 12-year-old son, Rhett.
‘ken’@FTU has helped suppliers to conduct B2B XML transactions with
large e-commerce portals including Ariba. He is also credited with discovering
security vulnerabilities in software products by major vendors such as
Microsoft and IBM. Currently he works at a bank doing technical auditing
and penetration testing of their networks, systems and applications.
Jeremy Faircloth (CCNA, MCSE, MCP+I, A+) is a Systems Analyst for
Gateway, Inc. where he develops and maintains enterprise-wide client/
server and Web-based technologies. He also acts as a technical resource
for other IT professionals, using his expertise to help others expand their
knowledge. As a Systems Analyst with over 10 years of real-world IT
experience, he has become an expert in many areas of IT including
Web development, database administration, programming, enterprise
security, network design, and project management. He is a co-author of
ASP .NET Developer’s Guide (Syngress Publishing, ISBN: 1-928994-51-2)
and C# for Java Programmers (Syngress, ISBN: 1-931836-54-X). Jeremy
currently resides in Dakota City, NE and wishes to thank Christina
Williams for her support in his various technical endeavors.
Joe Dulay (MCSD) is the Vice-President of Technology for the IT Age
Corporation. IT Age Corporation is a project management and software
development firm specializing in customer-oriented business enterprise
and e-commerce solutions located in Atlanta, GA. His current responsibilities
include managing the IT department, heading the technology
steering committee, software architecture, e-commerce product management,
and refining development processes and methodologies. Though
most of his responsibilities lie in the role of manager and architect, he is
still an active participant in the research and development team. Joe holds
a bachelor’s degree from the University of Wisconsin in Computer
Science. His background includes positions as a Senior Developer at
Siemens Energy and Automation, and as an independent contractor specializing
in e-commerce development. Joe is also co-author of Syngress
Publishing’s Hack Proofing Your Web Applications (ISBN:
1-928994-31-8). Joe would like to thank his family for always being
there to help him.
F.William Lynch (SCSA, CCNA, LPI-I, MCSE, MCP, Linux+, A+) is
co-author for Syngress Publishing’s Hack Proofing Sun Solaris 8 (ISBN:
1-928994-44-X) and Hack Proofing Your Network, Second Edition
(1-928994-70-9). He is an independent security and systems administration
consultant and specializes in firewalls, virtual private networks, security
auditing, documentation, and systems performance analysis. William
has served as a consultant to multinational corporations and the Federal
government including the Centers for Disease Control and Prevention
headquarters in Atlanta, GA as well as various airbases of the USAF. He is
also the Founder and Director of the MRTG-PME project, which uses
the MRTG engine to track systems performance of various UNIX-like
operating systems. William holds a bachelor’s degree in Chemical
Engineering from the University of Dayton in Dayton, OH and a master’s
of Business Administration from Regis University in Denver, CO.
Technical Editor
Larry Loeb is the Principal of pbc enterprises in Wallingford, CT, a consulting
firm specializing in IT matters. He has been a Consulting Editor
for BYTE magazine, Contributing Editor for Circuit Cellar Ink, Senior
Editor for WebWeek, Editor of the Macintosh Exchange on BIX, and a
columnist for ITworld. He currently writes a monthly column for IBM’s
online developerWorks.
Larry has also contributed to the Internet Business Analyst (U.K.),
MacUser, Internet World, BYTEWeek, Macworld, VARBusiness, Home/Office
Computing, Solutions Integrator, and other publications. He is the author of
the book Secure Electronic Transactions: Introduction and Technical Reference.
Technical Reviewers
Adam Sills is a Software Architect at GreatLand Insurance, a small insurance
company parented by Kemper Insurance. He works in a small IT
department that focuses on creating applications to expedite business processes
and manage data from a multitude of locations. Previously, he had a
small stint in consulting and also worked at a leading B2B e-commerce
company designing and building user interfaces to interact with a large-scale
enterprise eCommerce application. Adam’s current duties include
building and maintaining Web applications, as well as helping to architect,
build, and deploy new Microsoft .NET technologies into production use.
Adam has contributed to the writing of a number of books for Syngress
including ASP .NET Developer’s Guide (ISBN: 1-928994-51-2), C# .NET
Web Developers Guide (ISBN: 1-9289984-50-4) and the XML.NET
Developer’s Guide (ISBN: 1-928994-47-4). Additionally, Adam is an active
member of a handful of ASP and ASP.NET mailing lists, providing support
and insight whenever he can.
Vitaly Osipov (CISSP, CCSA, CCSE, CCNA) is a Security Specialist
with a technical profile. He has spent the last five years consulting various
companies in Eastern, Central, and Western Europe on information security
issues. Last year Vitaly was busy with the development of managed
security service for a data center in Dublin, Ireland. He is a regular contributor
to various infosec-related mailing lists and recently co-authored
Check Point NG Certified Security Administrator Study Guide (Syngress
Publishing, ISBN: 1-928994-74-1) and Managing Cisco Network Security,
Second Edition (Syngress Publishing, ISBN: 1-931836-56-6). Vitaly has a
degree in mathematics. Currently he lives in the British Isles.
Foreword
The book you are holding in your hand is a battle plan. You are engaged in mortal
combat and might not even recognize the kind of battle you have to fight. But fight
it you will, and fight it you must.
If you are reading this foreword, the title Hack Proofing XML has interested you.
You might have picked it up in some bookstore and are thumbing through it to get a
sense of whether or not you are willing to plunk down the ducats to buy it. Or you
might have ordered it online. How you got the book into your hands doesn’t matter
a whit. You are here, and the dialogue has begun.
Wherever these words find you, find a comfortable place to sit down and read
these few introductory pages in one swoop. It will only take a few minutes, but it’s
important. Really.
One of the problems of writing (and reading) a technical book is that these
tomes are generally unreadable. You want information, but the style and manner
of technical writing is usually so dense and impenetrable that getting that information
requires you to navigate the word puzzles implicit in the style in order to come
up with the nuggets of information you are looking for. The book’s publishers
(Syngress) have figured out a way to fix that. (“Yeah, riiiight,” I hear you say. Wait a
moment before you get cynical.) The fact is, the people at Syngress had to convince
me about their solution before I would undertake to write the book you are
holding. And I’m no pushover.
I’ve been writing in the field for the last 20 years or so. Like all writers, I’ve had to
use many styles for many different purposes. My last book was such an effort that I
swore I would never do it again. I didn’t think I could survive the process once more.
When the Syngress folks approached me about doing this book, I was rather
skeptical. They didn’t know it, but two other publishers had recently been sniffing
around my e-mail address. When I asked those other publishers what they would do
to help the process of writing, they mentioned money and let it go at that. When I
asked Syngress, they told me about the Syngress Outline.
Syngress has developed a method to communicate information that actually
works. It is both deceptively simple and flexible. Even better, it encourages communication
among collaborators. It works by focusing on the important information,
thereby eliminating extraneous fluff. Using this method, authors funnel their efforts
into writing that has a positive signal-to-noise ratio, something that doesn’t always
end up happening in books put out by other publishers. Syngress’s method is not a
panacea for bad writing, but it sure does encourage good and effective writing.
Even with this tool, I was somewhat leery of the title Hack Proofing XML. I told
Syngress that I felt that truly “proofing” anything against a determined hacker was
impossible, and I was not interested in leveraging my reputation for delivering the literary
goods on a marketing ploy.They countered that weatherproofing a house
doesn’t protect against all weather conditions, either, but it does mitigate the harm
that weather can cause a house. I realized they had a point, and that idea became the
overall goal of this book. You’ll never make any system totally secure against any and
all attacks. But you don’t have to leave yourself wide open to abuse, either.
Let’s take a look at what you can expect from this book. We made an assumption
during the preparation of the book about who the Reader will be: Just about
anyone—not just the technical folk, but their bosses as well. Both the wizards and the
trolls can stroll under the tent flap and feel confident that they will come away with
something useful. It might be heresy to say so, but it goes back to what I’ve already
mentioned about tech writing. The usual approach to writing on technical subjects
has been that unless you know the secret code words of the field (whatever they are),
you are considered not worth addressing.
I think it crucial that it be understood from the beginning that this book is not a cookbook
of magical incantations meant to be sprinkled over code with gleeful abandon.
That kind of approach just does not work in the long term. We don’t just give you a
fish to eat, we want to teach you how to fish. XML is a fluid and changing arena,
and cookie-cutter code would be obsolete even as the book came off the presses.
Not that this book doesn’t contain illustrative code examples, but they are just that:
Illustrative of a concept or method. The code is there to show how something can be
brought down to the practical level from the abstract.
Not to belittle coders, but this book isn’t simply about code. I’ve tried to be
more inclusive in the ground that it covers. Tech writing often focuses on techniques
to the exclusion of everything else. That approach seems to me sterile and limiting.
Living up to the promise made by this book’s title requires a multifaceted approach
to the problem.
We begin by first stepping back from the purely technical side of things to try to
understand the adversary we will be dealing with. A defender (as has been recognized
since the writing of Sun Tzu’s The Art of War in ancient times) has a logistical
problem in that he cannot be everywhere at the same time with the necessary
resources for defense. An enlightened defense strategy has to begin with the threat
model. Who will pose the threat and how they will do so becomes the topic for contemplation.
We try to anticipate the attack by looking at what motivates and drives the attacker.
We then consider the types of attacks that can be made against computer systems
in general. Again, we start from the general and work toward the specific. It is a safe
bet that whatever attack is mounted in the specific instance you experience, but it
will follow the form of one or another that has preceded it. By appreciating the
methods used in the general form of attack, you can get a feel for how your efforts
will progress.The secret knowledge here (don’t tell anyone who doesn’t know the
club handshake!) is that attackers tend to be lazy, and they hate to reinvent the wheel.
If something has worked in the past, there’s a very good chance that someone will
try it again until it no longer works.
Time now to get specifically into XML. We start with a review of what makes up
XML and the syntax used, to get everyone on the same metaphoric page. Although
the VP of sales who has been reading with interest up to this point might feel threatened,
she or he shouldn’t. We’ve made an effort to explain the building blocks used
later in the text in plain American-style English.
The why and how of XML digital signatures is a topic that can get fairly “geeky”
very quickly. This fact has made a thorough understanding of the principles behind
signatures available only to a favored few. Rubbish, say I. If anyone is interested in the
security of a system, they can understand and apply the techniques and assumptions
that lie underneath digital signatures. Even better, they can appreciate when these
tools should be used and when they should be avoided. Like a firewall, signatures can
be either a useful tool or a security nightmare if misapplied.
The seventh chapter forms what I consider to be the heart of the book: A general
security approach called Role-based Access Control (RBAC) is introduced along
with a look at how it has been implemented in the past. We then go on to show how
this approach can be used in the XML environment and the benefits it provides.
Here is where the rubber meets the metaphoric road, where the Hack Proofing
really gets applied. Of course, the approach can be used in other ways than only
XML, but it works so nicely for it, it’s a shame not to use it. As a bonus, coders will
find example code and tools here. You’re welcome.
It’s a sad but true fact that XML will see a lot of use in the proprietary .NET
environment over the Internet. We therefore take a look at this topic as well.
Wrapping up, we look at the paperwork so often ignored in an attack: reporting.
How you should report an attack and why you should do so are covered. Your own
self-interest demands that you report attacks as well, since the whole idea is to learn
from the problems that others experience. You never can tell on which side of the
fence you’ll be on any given day.
Those are the book’s main points laid out for you. If you’re in some bookstore
sitting in a comfy chair reading this book, get up and buy the doggone thing. To me,
books are like pinball. If you score enough, you get to play again. Working on this
book was fun enough that I want to play again. I think that after reading it, you’ll
want me to do more as well.
—Larry Loeb
Table of Contents
Foreword xix
Chapter 1 The Zen of Hack Proofing 1
Introduction 2
Learning to Appreciate the Tao of the Hack 2
Hacker 3
Cracker 4
Script Kiddie 5
Phreaker 7
Black Hat, White Hat, What’s the Difference? 7
Gray Hat 8
The Role of the Hacker 10
Criminal 10
Magician 11
Security Professional 12
Consumer Advocate 13
Civil Rights Activist 14
Cyber Warrior 15
Motivations of a Hacker 16
Recognition 16
Admiration 17
Curiosity 17
Power and Gain 18
Revenge 19
The Hacker Code 21
Summary 22
Solutions Fast Track 23
Frequently Asked Questions 25
Chapter 2 Classes of Attack 27
Introduction 28
Identifying and Understanding the Classes of Attack 28
Denial of Service 29
Local Vector Denial of Service 29
Network Vector Denial of Service 32
Information Leakage 37
Service Information Leakage 38
Protocol Information Leakage 39
Leaky by Design 41
Leaky Web Servers 42
A Hypothetical Scenario 42
Why Be Concerned with Information Leakage? 43
Regular File Access 44
Permissions 44
Symbolic Link Attacks 45
Misinformation 47
Standard Intrusion Procedure 48
Special File/Database Access 50
Attacks against Special Files 50
Attacks against Databases 50
Remote Arbitrary Code Execution 53
The Attack 54
Code Execution Limitations 55
Elevation of Privileges 55
Remote Privilege Elevation 55
Identifying Methods of Testing for Vulnerabilities 58
Proof of Concept 58
Exploit Code 59
Automated Security Tools 59
Versioning 60
Standard Research Techniques 62
Whois 62
Domain Name System 66
Nmap 69
Web Indexing 70
Summary 73
Solutions Fast Track 75
Frequently Asked Questions 76
Chapter 3 Reviewing the Fundamentals of XML 79
Introduction 80
An Overview of XML 80
The Goals of XML 81
What Does an XML Document Look Like? 81
Creating an XML Document 82
Creating an XML Document in VS.NET XML Designer 82
Empty Element 86
Structure of an XML Document 87
Well-Formed XML Documents 87
Transforming XML through XSLT 88
XSL Use of Patterns 92
XPath 95
Summary 97
Solutions Fast Track 97
Frequently Asked Questions 99
Chapter 4 Document Type: The Validation Gateway 101
Introduction 102
Document Type Definitions and Well-Formed XML Documents 102
Schema and Valid XML Documents 106
XML Schema Data Types 110
Learning About Plain-Text Attacks 112
Plain-Text Attacks 113
Example: HTML Escape Codes 114
Unicode 116
Understanding How Validation Is Processed in XML 117
Validate the Input Text 118
Canonicalization 118
Validating Unicode 121
Validate the Document or Message 124
Is the XML Well Formed? 126
Using DTDs for Verifying the Proper Structure 126
Using Schema for Data Consistency 127
Online Validation Methods and Mechanisms 128
Summary 135
Solutions Fast Track 138
Frequently Asked Questions 140
Chapter 5 XML Digital Signatures 143
Introduction 144
Understanding How a Digital Signature Works 144
Basic Digital Signature and Authentication Concepts 144
Why a Signature Is Not a MAC 145
Public and Private Keys 145
Why a Signature Binds Someone to a Document 146
Learning the W3C XML Digital Signature 146
Applying XML Digital Signatures to Security 149
Examples of XML Signatures 150
An Enveloping Signature Example 152
An Example of an Enveloped Signature 154
A Detached Signature Example 157
All Together Now: An Example of Multiple References 161
Signing Parts of Documents 163
Using XPath to Transform a Document 164
Using XSLT to Transform a Document 166
Using Manifests to Manage Lists of Signed Elements 169
Establishing Identity By Using X509 172
Required and Recommended Algorithms 173
Cautions and Pitfalls 175
Vendor Toolkits 176
Summary 178
Solutions Fast Track 179
Frequently Asked Questions 181
Chapter 6 Encryption in XML 183
Introduction 184
Understanding the Role of Encryption in Messaging Security 184
Security Needs of Messaging 185
Privacy and Confidentiality 185
Authentication and Integrity 186
Nonrepudiation 190
Encryption Methods 191
AES 191
DES and 3-DES 193
RSA and RC4 195
Stream and Block Ciphers 196
Key Management Schemes 197
Learning How to Apply Encryption to XML 199
XML Transforms Before Encryption 204
Canonicalization 205
Flowchart of Encryption Process 207
Understanding Practical Usage of Encryption 207
Signing in Plain Text, Not Cipher Text 207
XPATH Transforms 210
Signing the Cipher-Text Version Prevents Encryption Key Changes 210
Authentication by MAC Works on Cipher Text 210
Cipher Text Cannot Validate Plain Text 211
Encryption Might Not Be Collision Resistant 211
Summary 213
Solutions Fast Track 213
Frequently Asked Questions 214
Chapter 7 Role-Based Access Control 215
Introduction 216
Learning About Stateful Inspection 216
Packet Filtering 216
Application Layer Gateway 217
The FTP Process 219
Firewall Technologies and XML 220
First, You Inspect the State 221
Baselines 222
Evaluating State Changes 223
Default Behavior Affects Security 225
Learning About Role-Based Access Control and Type Enforcement Implementations 227
NSA: The Flask Architecture 229
SELinux 232
Applying Role-Based Access Control Ideas in XML 238
Know When to Evaluate 243
Protect Data Integrity 244
RBAC and Java 245
Fencing in JavaScript 246
Validate Your Java Code 246
Validate Your ActiveX Objects 247
Tools to Implement RBAC Efforts 248
Summary 254
Solutions Fast Track 255
Frequently Asked Questions 256
Chapter 8 Understanding .NET and XML Security 257
Introduction 258
The Risks Associated with Using XML in the .NET Framework 258
Confidentiality Concerns 259
.NET Internal Security as a Viable Alternative 260
Permissions 261
Principal 262
Authentication 263
Authorization 263
Security Policy 263
Type Safety 264
Code Access Security 264
.NET Code Access Security Model 264
Stack Walking 265
Code Identity 266
Code Groups 267
Declarative and Imperative Security 270
Requesting Permissions 271
Demanding Permissions 275
Overriding Security Checks 277
Custom Permissions 282
Role based Security 283
Principals 284
WindowsPrincipal 284
GenericPrincipal 286
Manipulating Identity 287
Role-Based Security Checks 288
Security Policies 291
Creating a New Permission Set 294
Modifying the Code Group Structure 299
Remoting Security 305
Cryptography 306
Security Tools 309
Securing XML—Best Practices 311
XML Encryption 311
XML Digital Signatures 317
Summary 320
Solutions Fast Track 321
Frequently Asked Questions 326
Chapter 9 Reporting Security Problems 331
Introduction 332
Understanding Why Security Problems Need to Be Reported 332
Full Disclosure 333
Determining When and to Whom to Report the Problem 337
Whom to Report Security Problems to? 337
How to Report a Security Problem to a Vendor 340
Deciding How Much Detail to Publish 341
Publishing Exploit Code 341
Problems 342
Repercussions from Vendors 342
Reporting Errors 344
Risk to the Public 344
Summary 345
Solutions Fast Track 346
Frequently Asked Questions 347
Hack Proofing XML Fast Track 351
Index 369