The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

This handbook is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots, and code extracts.

Bibliographic Details
Main Author: Stuttard, Dafydd, 1972-
Other Authors: Pinto, Marcus, 1978-
Format: Electronic
Language: English
Published: Indianapolis, IN : Wiley Pub., c2008.
Online Access: Books24x7; ebrary; EzAccess (full text); MyiLibrary
Table of Contents:
  • Cover
  • About the Authors
  • Credits
  • Contents
  • Acknowledgments
  • Introduction
    • Overview of This Book
    • Who Should Read This Book
    • How This Book Is Organized
    • Tools You Will Need
    • What's on the Web Site
    • Bring It On
  • Chapter 1: Web Application (In)security
    • The Evolution of Web Applications
    • Web Application Security
    • Chapter Summary
  • Chapter 2: Core Defense Mechanisms
    • Handling User Access
    • Handling User Input
    • Handling Attackers
    • Managing the Application
    • Chapter Summary
    • Questions
  • Chapter 3: Web Application Technologies
    • The HTTP Protocol
    • Web Functionality
    • Encoding Schemes
    • Next Steps
    • Questions
  • Chapter 4: Mapping the Application
    • Enumerating Content and Functionality
    • Analyzing the Application
    • Chapter Summary
    • Questions
  • Chapter 5: Bypassing Client-Side Controls
    • Transmitting Data via the Client
    • Capturing User Data: HTML Forms
    • Capturing User Data: Thick-Client Components
    • Handling Client-Side Data Securely
    • Chapter Summary
    • Questions
  • Chapter 6: Attacking Authentication
    • Authentication Technologies
    • Design Flaws in Authentication Mechanisms
    • Implementation Flaws in Authentication
    • Securing Authentication
    • Chapter Summary
    • Questions
  • Chapter 7: Attacking Session Management
    • The Need for State
    • Weaknesses in Session Token Generation
    • Weaknesses in Session Token Handling
    • Securing Session Management
    • Chapter Summary
    • Questions
  • Chapter 8: Attacking Access Controls
    • Common Vulnerabilities
    • Attacking Access Controls
    • Securing Access Controls
    • Chapter Summary
    • Questions
  • Chapter 9: Injecting Code
    • Injecting into Interpreted Languages
    • Injecting into SQL
    • Injecting OS Commands
    • Injecting into Web Scripting Languages
    • Injecting into SOAP
    • Injecting into XPath
    • Injecting into SMTP
    • Injecting into LDAP
    • Chapter Summary
    • Questions
  • Chapter 10: Exploiting Path Traversal
    • Common Vulnerabilities
    • Finding and Exploiting Path Traversal Vulnerabilities
    • Preventing Path Traversal Vulnerabilities
    • Chapter Summary
    • Questions
  • Chapter 11: Attacking Application Logic
    • The Nature of Logic Flaws
    • Real-World Logic Flaws
    • Avoiding Logic Flaws
    • Chapter Summary
    • Questions
  • Chapter 12: Attacking Other Users
    • Cross-Site Scripting
    • Redirection Attacks
    • HTTP Header Injection
    • Frame Injection
    • Request Forgery
    • JSON Hijacking
    • Session Fixation
    • Attacking ActiveX Controls
    • Local Privacy Attacks
    • Advanced Exploitation Techniques
    • Chapter Summary
    • Questions
  • Chapter 13: Automating Bespoke Attacks
    • Uses for Bespoke Automation
    • Enumerating Valid Identifiers
    • Harvesting Useful Data
    • Fuzzing for Common Vulnerabilities
    • Putting It All Together: Burp Intruder
    • Chapter Summary
    • Questions
  • Chapter 14: Exploiting Information Disclosure
    • Exploiting Error Messages
    • Gathering Published Information