The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
This handbook is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots, and code extracts.
| Field | Value |
|---|---|
| Main Author | |
| Other Authors | |
| Format | Electronic |
| Language | English |
| Published | Indianapolis, IN : Wiley Pub., c2008 |
| Subjects | |
| Online Access | Books24x7; ebrary; MyiLibrary |
Table of Contents:
- Cover
- About the Authors
- Credits
- Contents
- Acknowledgments
- Introduction
  - Overview of This Book
  - Who Should Read This Book
  - How This Book Is Organized
  - Tools You Will Need
  - What's on the Web Site
  - Bring It On
- Chapter 1: Web Application (In)security
  - The Evolution of Web Applications
  - Web Application Security
  - Chapter Summary
- Chapter 2: Core Defense Mechanisms
  - Handling User Access
  - Handling User Input
  - Handling Attackers
  - Managing the Application
  - Chapter Summary
  - Questions
- Chapter 3: Web Application Technologies
  - The HTTP Protocol
  - Web Functionality
  - Encoding Schemes
  - Next Steps
  - Questions
- Chapter 4: Mapping the Application
  - Enumerating Content and Functionality
  - Analyzing the Application
  - Chapter Summary
  - Questions
- Chapter 5: Bypassing Client-Side Controls
  - Transmitting Data via the Client
  - Capturing User Data: HTML Forms
  - Capturing User Data: Thick-Client Components
  - Handling Client-Side Data Securely
  - Chapter Summary
  - Questions
- Chapter 6: Attacking Authentication
  - Authentication Technologies
  - Design Flaws in Authentication Mechanisms
  - Implementation Flaws in Authentication
  - Securing Authentication
  - Chapter Summary
  - Questions
- Chapter 7: Attacking Session Management
  - The Need for State
  - Weaknesses in Session Token Generation
  - Weaknesses in Session Token Handling
  - Securing Session Management
  - Chapter Summary
  - Questions
- Chapter 8: Attacking Access Controls
  - Common Vulnerabilities
  - Attacking Access Controls
  - Securing Access Controls
  - Chapter Summary
  - Questions
- Chapter 9: Injecting Code
  - Injecting into Interpreted Languages
  - Injecting into SQL
  - Injecting OS Commands
  - Injecting into Web Scripting Languages
  - Injecting into SOAP
  - Injecting into XPath
  - Injecting into SMTP
  - Injecting into LDAP
  - Chapter Summary
  - Questions
- Chapter 10: Exploiting Path Traversal
  - Common Vulnerabilities
  - Finding and Exploiting Path Traversal Vulnerabilities
  - Preventing Path Traversal Vulnerabilities
  - Chapter Summary
  - Questions
- Chapter 11: Attacking Application Logic
  - The Nature of Logic Flaws
  - Real-World Logic Flaws
  - Avoiding Logic Flaws
  - Chapter Summary
  - Questions
- Chapter 12: Attacking Other Users
  - Cross-Site Scripting
  - Redirection Attacks
  - HTTP Header Injection
  - Frame Injection
  - Request Forgery
  - JSON Hijacking
  - Session Fixation
  - Attacking ActiveX Controls
  - Local Privacy Attacks
  - Advanced Exploitation Techniques
  - Chapter Summary
  - Questions
- Chapter 13: Automating Bespoke Attacks
  - Uses for Bespoke Automation
  - Enumerating Valid Identifiers
  - Harvesting Useful Data
  - Fuzzing for Common Vulnerabilities
  - Putting It All Together: Burp Intruder
  - Chapter Summary
  - Questions
- Chapter 14: Exploiting Information Disclosure
  - Exploiting Error Messages
  - Gathering Published Information