Title:
Hacking Exposed Web Applications
Publication Information:
New York : McGraw-Hill/Osborne, 2002
ISBN:
9780072224382
Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010018868 | TK5105.9 S32 2002 | Open Access Book | Book |
On Order
Summary
Provides comprehensive coverage of Web application security issues.
Author Notes
Joel Scambray, CISSP, is co-author of Hacking Exposed, the international best-selling Internet security book, currently in its third edition, and of Hacking Exposed Windows 2000.
Mike Shema is a Principal Consultant and Trainer for Foundstone. He has performed several security assessments for government and financial sites, in addition to developing security training material.
Table of Contents
Foreword | p. xvii |
Acknowledgements | p. xix |
Preface | p. xxi |
Part I Reconnaissance | |
1 Introduction to Web Applications and Security | p. 3 |
The Web Application Architecture | p. 5 |
Potential Weak Spots | p. 19 |
The Methodology of Web Hacking | p. 20 |
Summary | p. 22 |
References and Further Reading | p. 23 |
2 Profiling | p. 25 |
Server Discovery | p. 26 |
Service Discovery | p. 35 |
Server Identification | p. 37 |
Summary | p. 39 |
References and Further Reading | p. 40 |
3 Hacking Web Servers | p. 41 |
Common Vulnerabilities by Platform | p. 42 |
Automated Vulnerability Scanning Software | p. 80 |
Denial of Service Against Web Servers | p. 92 |
Summary | p. 95 |
References and Further Reading | p. 95 |
4 Surveying the Application | p. 99 |
Documenting Application Structure | p. 100 |
Manually Inspecting the Application | p. 102 |
Tools to Automate the Survey | p. 117 |
Common Countermeasures | p. 125 |
Summary | p. 127 |
References and Further Reading | p. 127 |
Part II The Attack | |
5 Authentication | p. 131 |
Authentication Mechanisms | p. 132 |
Attacking Web Authentication | p. 149 |
Bypassing Authentication | p. 158 |
Summary | p. 159 |
References and Further Reading | p. 159 |
6 Authorization | p. 161 |
The Attacks | p. 162 |
The Methodology | p. 164 |
Case Study: Using Curl to Map Permissions | p. 170 |
Summary | p. 176 |
References and Further Reading | p. 176 |
7 Attacking Session State Management | p. 177 |
Client-Side Techniques | p. 179 |
Server-Side Techniques | p. 183 |
SessionID Analysis | p. 185 |
Summary | p. 200 |
References and Further Reading | p. 200 |
8 Input Validation Attacks | p. 201 |
Expecting the Unexpected | p. 202 |
Input Validation EndGame | p. 203 |
Where to Find Potential Targets | p. 203 |
Bypassing Client-Side Validation Routines | p. 204 |
Common Input Validation Attacks | p. 205 |
Common Countermeasures | p. 220 |
Summary | p. 221 |
References and Further Reading | p. 222 |
9 Attacking Web Datastores | p. 225 |
A SQL Primer | p. 226 |
SQL Injection | p. 226 |
Summary | p. 241 |
References and Further Reading | p. 241 |
10 Attacking Web Services | p. 243 |
What Is a Web Service? | p. 244 |
Sample Web Services Hacks | p. 252 |
Basics of Web Service Security | p. 253 |
Summary | p. 258 |
References and Further Reading | p. 258 |
11 Hacking Web Application Management | p. 261 |
Web Server Administration | p. 262 |
Web Content Management | p. 264 |
Web-Based Network and System Management | p. 271 |
Summary | p. 275 |
References and Further Reading | p. 275 |
12 Web Client Hacking | p. 277 |
The Problem of Client-Side Security | p. 278 |
Active Content Attacks | p. 279 |
Cross-Site Scripting | p. 289 |
Cookie Hijacking | p. 292 |
Summary | p. 296 |
References and Further Reading | p. 297 |
13 Case Studies | p. 299 |
Case Study #1 From the URL to the Command Line and Back | p. 300 |
Case Study #2 XOR Does Not Equal Security | p. 303 |
Case Study #3 The Cross-Site Scripting Calendar | p. 305 |
Summary | p. 307 |
References and Further Reading | p. 307 |
Part III Appendixes | |
A Web Site Security Checklist | p. 311 |
B Web Hacking Tools and Techniques Cribsheet | p. 317 |
C Using Libwhisker | p. 333 |
Inside Libwhisker | p. 334 |
D UrlScan Installation and Configuration | p. 345 |
Overview of UrlScan | p. 346 |
Obtaining UrlScan | p. 347 |
Updating Windows Family Products | p. 348 |
Basic UrlScan Deployment | p. 351 |
Advanced UrlScan Deployment | p. 358 |
UrlScan.ini Command Reference | p. 365 |
Summary | p. 369 |
References and Further Reading | p. 369 |
E About the Companion Web Site | p. 371 |
Index | p. 373 |