Seven Deadliest Web Application Attacks book cover

Seven Deadliest Web Application Attacks

Seven Deadliest Wireless Technologies Attacks draws attention to the vagaries of Web security by discussing the seven deadliest vulnerabilities exploited by attackers. Each chapter presents examples of different attacks conducted against Web sites. The methodology behind the attack is explored, showing its potential impact. Then, the chapter moves on to address possible countermeasures for different aspects of the attack. The book consists of seven chapters that cover the following: the most pervasive and easily exploited vulnerabilities in Web sites and Web browsers; Structured Query Language (SQL) injection attacks; mistakes of server administrators that expose the Web site to attack; brute force attacks; and logic attacks. The ways in which malicious software malware has been growing as a threat on the Web are also discussed. This book is intended for anyone who uses the Web to check e-mail, shop, or work. Web application developers and security professionals will benefit from the technical details and methodology behind the Web attacks covered in this book. Executive level management will benefit from understanding the threats to a Web site, and in many cases, how a simple attack requiring nothing more than a Web browser can severely impact a site.

Audience

Information security professionals of all levels; web application developers; recreational hackers

Paperback, 192 Pages

Published: March 2010

Imprint: Syngress

ISBN: 978-1-59749-543-1

Reviews

  • "Author Mike Shema explains potential vulnerabilities and offers case studies based on actual attacks, looking at the topic from a forensic perspective to devise proper preventive measures. This is where the series will endear itself to Web application developers and to security professionals in particular…. This set of books assumes some basic familiarity with the Web. It should, however, appeal to all security professionals, from top-level executives and IT experts to the lowest rung of managers."--Security Management

    "For the reader engaged in professional testing of this type the explanation of the issues and mitigation strategies will provide an ideal starting point for educating and advising clients.… For any reader looking for a sound basic introduction to web application security testing without wanting to spend too much this book can be recommended as an ideal place to start."--BCS British Computer Society


Contents


  • About the Authors

    Introduction

    Chapter 1 Cross-Site Scripting

        Understanding HTML Injection

             Identifying Points of Injection

             Distinguishing Different Delivery Vectors

             Handling Character Sets Safely

             Not Failing Secure

             Avoiding Blacklisted Characters Altogether

             Dealing with Browser Quirks

             The Unusual Suspects

        Employing Countermeasures

             Fixing a Static Character Set

             Normalizing Character Sets and Encoding

             Encoding the Output

             Beware of Exclusion Lists and Regexes

             Reuse, Don’t Reimplement, Code

             JavaScript Sandboxes

        Summary

    Chapter 2 Cross-Site Request Forgery

        Understanding Cross-Site Request Forgery

             Request Forgery via Forced Browsing

             Attacking Authenticated Actions without Passwords

             Dangerous Liaison: CSRF and XSS

             Beyond GET

             Be Wary of the Tangled Web

             Variation on a Theme: Clickjacking

        Employing Countermeasures

             Defending the Web Application

             Defending the Web Browser

        Summary

    Chapter 3 Structured Query Language Injection

        Understanding SQL Injection

             Breaking the Query

             Vivisecting the Database

             Alternate Attack Vectors

        Employing Countermeasures

             Validating Input

             Securing the Query

             Protecting Information

             Stay Current with Database Patches

        Summary

    Chapter 4 Server Misconfiguration and Predictable Pages

        Understanding the Attacks

             Identifying Insecure Design Patterns

             Targeting the Operating System

             Attacking the Server

        Employing Countermeasures

             Restricting File Access

             Using Object References

             Blacklisting Insecure Functions

             Enforcing Authorization

             Restricting Network Connections

        Summary

    Chapter 5 Breaking Authentication Schemes

        Understanding Authentication Attacks

             Replaying the Session Token

             Brute Force

             Sniffing

             Resetting Passwords

             Cross-Site Scripting

             SQL Injection

             Gulls and Gullibility

        Employing Countermeasures

             Protect Session Cookies

             Engage the User

             Annoy the User

             Request Throttling

             Logging and Triangulation

             Use Alternate Authentication Schemes

             Defeating Phishing

             Protecting Passwords

        Summary

    Chapter 6 Logic Attacks

        Understanding Logic Attacks

             Abusing Workflows

             Exploit Policies and Practices

             Induction

             Denial of Service

             Insecure Design Patterns

             Information Sieves

        Employing Countermeasures

             Documenting Requirements

             Creating Robust Test Cases

             Mapping Policies to Controls

             Defensive Programming

             Verifying the Client

        Summary

    Chapter 7 Web of Distrust

        Understanding Malware and Browser Attacks

             Malware

             Plugging into Browser Plug-ins

             Domain Name System and Origins

             HTML5

        Employing Countermeasures

             Safer Browsing

             Isolating the Browser

             DNS Security Extensions

        Summary

    Index




Advertisement

advert image