
There may be content and functionality within the application that is not presently linked from its main content, but has been linked in the past. In this situation, it is likely that various historical repositories will still contain references to the hidden content. There are two main types of publicly available resources that are useful here:

■ Search engines such as Google, Yahoo and MSN. These maintain a fine-grained index of all content which their powerful spiders have discovered, and also cached copies of much of this content, which persists even after the original content has been removed.

■ Web archives such as the WayBack Machine located at web.archive.org. These archives maintain a historical record of a very large number of web sites, and in many cases allow users to browse a fully replicated snapshot of a given site as it existed at various dates going back several years.

In addition to content that has been linked in the past, these resources are also likely to contain references to content that is linked from third-party sites, but not from within the target application itself. For example, some applications contain restricted functionality for use by their business partners. Those partners may disclose the existence of the functionality in ways that the application itself does not.
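The web-archive technique above is just as useful to the owner of an application as to an attacker: the same historical record shows which URLs an archive remembers for your own site that your current content no longer links to, so they can be reviewed and retired before someone else finds them. The script below is an added example, not code from the book or from archive.org. It parses the JSON form of the Wayback Machine CDX API response (the real endpoint is http://web.archive.org/cdx/search/cdx with url=<host>/*, output=json and fl=timestamp,original,statuscode), but the response embedded here is a constructed sample in that shape, and the list of currently linked paths is a hypothetical export from your own crawler or sitemap.

```python
"""Inventory the URL paths a web archive holds for a site and flag the ones
the live site no longer links to, so that forgotten content can be reviewed.

Added example (not from the book). The CDX response is a constructed sample
in the shape of the Wayback Machine's "output=json" format; the current
link map is a hypothetical export from the site owner's own crawler.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: first row is the field header, remaining rows are
# captures. Timestamps are in the archive's YYYYMMDDhhmmss form.
SAMPLE_CDX_JSON = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20150302101500", "http://www.example.com/", "200"],
    ["20150302101800", "http://www.example.com/login", "200"],
    ["20160114093000", "http://www.example.com/admin/menu.jsp", "200"],
    ["20160114093100", "http://www.example.com/partners/api/v1/orders", "200"],
    ["20170805120000", "https://www.example.com/login?next=/account", "200"],
    ["20180520080000", "http://www.example.com/old/reset-password", "404"],
])

# Hypothetical export of the paths the site currently links to.
CURRENT_LINKED_PATHS = {"/", "/login", "/account"}


def archived_paths(cdx_json: str) -> dict:
    """Return {path: latest_timestamp} for every archived URL path.

    Scheme, host and query string are dropped so that /login and
    /login?next=... collapse to one path. Only captures the archive recorded
    with a 2xx status are kept: a 404 capture says nothing about content
    that was ever live.
    """
    rows = json.loads(cdx_json)
    if not rows:
        return {}
    header, records = rows[0], rows[1:]
    idx = {name: i for i, name in enumerate(header)}
    latest = {}
    for rec in records:
        if not rec[idx["statuscode"]].startswith("2"):
            continue
        path = urlsplit(rec[idx["original"]]).path or "/"
        ts = rec[idx["timestamp"]]
        # Fixed-width timestamps compare correctly as strings.
        if path not in latest or ts > latest[path]:
            latest[path] = ts
    return latest


def orphaned_paths(cdx_json: str, linked_paths: set) -> list:
    """Paths the archive remembers but the live site no longer links to,
    oldest capture first. Each is a candidate for the site owner to check:
    is it still served, and was it meant to be retired?"""
    archived = archived_paths(cdx_json)
    orphans = [(ts, p) for p, ts in archived.items() if p not in linked_paths]
    return [p for _, p in sorted(orphans)]


if __name__ == "__main__":
    for path in orphaned_paths(SAMPLE_CDX_JSON, CURRENT_LINKED_PATHS):
        print("review:", path)
```

Against the constructed sample the script reports /admin/menu.jsp and /partners/api/v1/orders: both were captured as live pages and neither appears in the current link map, which is exactly the class of forgotten content the text warns about. The password-reset capture is ignored because the archive only ever saw it return 404.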

HACK STEPS

Use several different search engines and web archives (listed previously) to discover what content they indexed or stored for the application you are attacking.

When querying a search engine, you can use various advanced techniques to maximize the effectiveness of your research. The following suggestions apply to Google — you can find the corresponding queries on other engines by selecting their Advanced Search option:

site:www.wahh-target.com — This will return every resource within the target site which Google has a reference to.

site:www.wahh-target.com login — This will return all of the pages containing the expression login. In a very large and complex application, this technique can be used to quickly home in on interesting resources, such as site maps, password reset functions, administrative menus, and the like.

link:www.wahh-target.com — This will return all of the pages on other web sites and applications that contain a link to the target. This may include links to old content, or functionality that is intended for use only by third parties, such as partner links.

related:www.wahh-target.com — This returns pages that are “similar” to the target, and so will include a lot of irrelevant material. However, it may also include discussion about the target on other sites, which may be of interest.

For each search, perform it not only in the default Web section of Google, but also Groups and News, which may contain different results.


Browse to the last page of search results for a given query, and select Repeat the Search with the Omitted Results Included. By default, Google attempts to filter out redundant results by removing pages that it believes are sufficiently similar to others included in the results. Overriding this behavior may uncover subtly different pages that are of interest to you when attacking the application.

View the cached version of interesting pages, including any content that is no longer present in the actual application. In some cases, search engine caches contain resources that cannot be directly accessed in the application without authentication or payment.

Perform the same queries on other domain names belonging to the same organization, which may contain useful information about the application you are targeting.

If your research identifies old content and functionality that is no longer linked to within the main application, it may still be present and usable. The old functionality may contain vulnerabilities that do not exist elsewhere within the application.

Even where old content has been removed from the live application, details about the content obtained from a search engine cache or web archive may contain references to or clues about other functionality that is still present within the live application, and that can be used to attack it.

A further public source of useful information about the target application is any posts that developers and others have made to Internet forums. There are numerous such forums in which software designers and programmers ask and answer technical questions. Often, items posted to these forums will contain information about an application that is of direct benefit to an attacker, including the technologies in use, the functionality implemented, problems encountered during development, known security bugs, configuration and log files submitted to assist troubleshooting, and even extracts of source code.

HACK STEPS

Compile a list containing every name and email address you can discover relating to the target application and its development. This should include any known developers, names found within HTML source code, names found in the contact information section of the main company web site, and any names disclosed within the application itself, such as administrative staff.

Using the search techniques described previously, search for each identified name, to find any questions and answers they have posted to Internet forums. Review any information found for clues about functionality or vulnerabilities within the target application.
