Description: 1 online resource (xxxii, 736 pages) : illustrations

Bibliography: Includes bibliographical references and index.

Contents: Cover -- About the Authors -- Credits -- Contents -- Acknowledgments -- Introduction -- Overview of This Book -- Who Should Read This Book -- How This Book Is Organized -- Tools You Will Need -- What's on the Web Site -- Bring It On -- Chapter 1: Web Application (In)security -- The Evolution of Web Applications -- Web Application Security -- Chapter Summary -- Chapter 2: Core Defense Mechanisms -- Handling User Access -- Handling User Input -- Handling Attackers -- Managing the Application -- Chapter Summary -- Questions -- Chapter 3: Web Application Technologies -- The HTTP Protocol -- Web Functionality -- Encoding Schemes -- Next Steps -- Questions -- Chapter 4: Mapping the Application -- Enumerating Content and Functionality -- Analyzing the Application -- Chapter Summary -- Questions -- Chapter 5: Bypassing Client-Side Controls -- Transmitting Data via the Client -- Capturing User Data: HTML Forms -- Capturing User Data: Thick-Client Components -- Handling Client-Side Data Securely -- Chapter Summary -- Questions -- Chapter 6: Attacking Authentication -- Authentication Technologies -- Design Flaws in Authentication Mechanisms -- Implementation Flaws in Authentication -- Securing Authentication -- Chapter Summary -- Questions -- Chapter 7: Attacking Session Management -- The Need for State -- Weaknesses in Session Token Generation -- Weaknesses in Session Token Handling -- Securing Session Management -- Chapter Summary -- Questions -- Chapter 8: Attacking Access Controls -- Common Vulnerabilities -- Attacking Access Controls -- Securing Access Controls -- Chapter Summary -- Questions -- Chapter 9: Injecting Code -- Injecting into Interpreted Languages -- Injecting into SQL -- Injecting OS Commands -- Injecting into Web Scripting Languages -- Injecting into SOAP -- Injecting into XPath -- Injecting into SMTP -- Injecting into LDAP -- Chapter Summary -- Questions -- Chapter 10: Exploiting Path Traversal -- Common Vulnerabilities -- Finding and Exploiting Path Traversal Vulnerabilities -- Preventing Path Traversal Vulnerabilities -- Chapter Summary -- Questions -- Chapter 11: Attacking Application Logic -- The Nature of Logic Flaws -- Real-World Logic Flaws -- Avoiding Logic Flaws -- Chapter Summary -- Questions -- Chapter 12: Attacking Other Users -- Cross-Site Scripting -- Redirection Attacks -- HTTP Header Injection -- Frame Injection -- Request Forgery -- JSON Hijacking -- Session Fixation -- Attacking ActiveX Controls -- Local Privacy Attacks -- Advanced Exploitation Techniques -- Chapter Summary -- Questions -- Chapter 13: Automating Bespoke Attacks -- Uses for Bespoke Automation -- Enumerating Valid Identifiers -- Harvesting Useful Data -- Fuzzing for Common Vulnerabilities -- Putting It All Together: Burp Intruder -- Chapter Summary -- Questions -- Chapter 14: Exploiting Information Disclosure -- Exploiting Error Messages -- Gathering Published Information --
Summary: This handbook offers a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots and code extracts.
Subject:
Computer security.
Internet -- Security measures.
Added Author: Pinto, Marcus, 1978-

Other Form: Print version: Stuttard, Dafydd, 1972- Web application hacker's handbook. Indianapolis, IN : Wiley Pub., ©2008 (DLC) 2007029983

ISBN:
9780470237984 (electronic bk.)
0470237988 (electronic bk.)
(pbk.)

Standard No.: 9786611100216