Praise for Hacking Exposed™ Web Applications:
Web Application Security Secrets and Solutions, Third Edition
“Whether you are a business leader attempting to understand the threat space for your business, or an engineer tasked with writing the code for those sites, or a security engineer attempting to identify and mitigate the threats to your applications, this book will be an invaluable weapon in your arsenal.”
—From the Foreword by Chris Peterson
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation
“I cut my teeth reading Joel’s work, and this book is no disappointment. People often ask where to find high-quality content that will help them gain a foothold in this daunting industry. This is the kind of desk reference every web application security practitioner needs.
It will certainly hold a place of prominence in my personal library.”
—Robert “RSnake” Hansen
CEO SecTheory and founder of ha.ckers.org
“An eye-opening resource for realizing the realities of today’s web application security landscape, this book explores the latest vulnerabilities as well as exploitation techniques and tradecraft being deployed against those vulnerabilities. This book is a valuable read for both the aspiring engineer who is looking for the first foray into the world of web application security and the seasoned application-security, penetration-testing expert who wants to keep abreast of current techniques.”
—Chad Greene
Director, eBay Global Information Security
“As our businesses push more of their information and commerce to their customers through web applications, the confidentiality and integrity of these transactions is our fundamental, if not mandatory, responsibility. Hacking Exposed Web Applications provides a comprehensive blueprint for application developers and security professionals charged with living up to this responsibility. The authors’ research, insight, and 30+ years as information security experts make this an invaluable resource in the application and information protection toolkit. Great Stuff!”
—Ken Swanson
CISM, IS Business Solution Manager, regionally based P&C insurance company
“This book is so much more than the authoritative primer on web application security; it’s also an opportunity to accompany the foremost industry experts in an apprenticeship that even seasoned professionals will enjoy.”
—Andrew Stravitz, CISSP
Director of Information Security, Barnes & Noble.com
“A very timely reference, as cloud computing continues to expand into the enterprise and web security emerges as the new battleground for attackers and defenders alike.
This comprehensive text is the definitive starting point for understanding the contemporary landscape of threats and mitigations to web applications. Particularly notable for its extensive treatment of identity management, marking the first time that challenges around authentication have been surveyed in-depth and presented in such an accessible fashion.”
—Cem Paya
Google Security Team
Contents at a Glance
▼ 1 Hacking Web Apps 101 ..... 1
▼ 2 Profiling ..... 31
▼ 3 Hacking Web Platforms ..... 87
▼ 4 Attacking Web Authentication ..... 123
▼ 5 Attacking Web Authorization ..... 167
▼ 6 Input Injection Attacks ..... 221
▼ 7 Attacking XML Web Services ..... 267
▼ 8 Attacking Web Application Management ..... 295
▼ 9 Hacking Web Clients ..... 335
▼ 10 The Enterprise Web Application Security Program ..... 371
▼ A Web Application Security Checklist ..... 413
▼ B Web Hacking Tools and Techniques Cribsheet ..... 419
▼ Index ..... 429
Contents
Foreword
Acknowledgments
Introduction
▼ 1 Hacking Web Apps 101
What Is Web Application Hacking?
GUI Web Hacking
URI Hacking
Methods, Headers, and Body
Resources
Authentication, Sessions, and Authorization
The Web Client and HTML
Other Protocols
Why Attack Web Applications?
Who, When, and Where?
Weak Spots
How Are Web Apps Attacked?
The Web Browser
Browser Extensions
HTTP Proxies
Command-line Tools
Older Tools
Summary
References & Further Reading
▼ 2 Profiling
Infrastructure Profiling
Footprinting and Scanning: Defining Scope
Basic Banner Grabbing
Advanced HTTP Fingerprinting
Infrastructure Intermediaries
Application Profiling
Manual Inspection
Search Tools for Profiling
Automated Web Crawling
Common Web Application Profiles
General Countermeasures
A Cautionary Note
Protecting Directories
Protecting include Files
Miscellaneous Tips
Summary
References & Further Reading
▼ 3 Hacking Web Platforms
Point-and-Click Exploitation Using Metasploit
Manual Exploitation
Evading Detection
Web Platform Security Best Practices
Common Best Practices
IIS Hardening
Apache Hardening
PHP Best Practices
Summary
References & Further Reading
▼ 4 Attacking Web Authentication
Web Authentication Threats
Username/Password Threats
Strong(er) Web Authentication
Web Authentication Services
Bypassing Authentication
Token Replay
Cross-site Request Forgery
Identity Management
Client-side Piggybacking
Some Final Thoughts: Identity Theft
Summary
References & Further Reading
▼ 5 Attacking Web Authorization
Fingerprinting Authz
Crawling ACLs
Identifying Access Tokens
Analyzing Session Tokens
Differential Analysis
Role Matrix
Attacking ACLs
Attacking Tokens
Manual Prediction
Automated Prediction
Capture/Replay
Session Fixation
Authorization Attack Case Studies
Horizontal Privilege Escalation
Vertical Privilege Escalation
Differential Analysis
When Encryption Fails
Using cURL to Map Permissions
Authorization Best Practices
Web ACL Best Practices
Web Authorization/Session Token Security
Security Logs
Summary
References & Further Reading
▼ 6 Input Injection Attacks
Expect the Unexpected
Where to Find Attack Vectors
Bypass Client-Side Validation Routines
Common Input Injection Attacks
Buffer Overflow
Canonicalization (dot-dot-slash)
HTML Injection
Boundary Checks
Manipulate Application Behavior
SQL Injection
XPATH Injection
LDAP Injection
Custom Parameter Injection
Log Injection
Command Execution
Encoding Abuse
PHP Global Variables
Common Side-effects
Common Countermeasures
Summary
References & Further Reading
▼ 7 Attacking XML Web Services
What Is a Web Service?
Transport: SOAP over HTTP(S)
WSDL
Directory Services: UDDI and DISCO
Similarities to Web Application Security
Attacking Web Services
Web Service Security Basics
Summary
References & Further Reading
▼ 8 Attacking Web Application Management
Remote Server Management
Telnet
SSH
Proprietary Management Ports
Other Administration Services
Web Content Management
FTP
SSH/scp
FrontPage
WebDAV
Misconfigurations
Unnecessary Web Server Extensions
Information Leakage Misconfigurations
State Management Misconfiguration
Summary
References & Further Reading
▼ 9 Hacking Web Clients
Exploits
Web Client Implementation Vulnerabilities
Trickery
General Countermeasures
Low-privilege Browsing
Firefox Security Extensions
ActiveX Countermeasures
Server-side Countermeasures
Summary
References & Further Reading
▼ 10 The Enterprise Web Application Security Program
Threat Modeling
Clarify Security Objectives
Identify Assets
Architecture Overview
Decompose the Application
Identify and Document Threats
Rank the Threats
Develop Threat Mitigation Strategies
Code Review
Manual Source Code Review
Automated Source Code Review
Binary Analysis
Security Testing of Web App Code
Fuzzing
Test Tools, Utilities, and Harnesses
Pen-testing
Security in the Web Development Process
People
Process
Technology
Summary
References & Further Reading
▼ A Web Application Security Checklist
▼ B Web Hacking Tools and Techniques Cribsheet
▼ Index