Seven Deadliest Web Application Attacks - 1st Edition - ISBN: 9781597495431, 9781597495448

Seven Deadliest Web Application Attacks

1st Edition

Authors: Mike Shema
Paperback ISBN: 9781597495431
eBook ISBN: 9781597495448
Imprint: Syngress
Published Date: 17th March 2010
Page Count: 192



Description

Seven Deadliest Web Application Attacks highlights the vagaries of web security by discussing the seven deadliest vulnerabilities exploited by attackers. This book pinpoints the most dangerous hacks and exploits specific to web applications, laying out the anatomy of these attacks including how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable.

Each chapter presents examples of different attacks conducted against web sites. The methodology behind the attack is explored, showing its potential impact. The chapter then moves on to address possible countermeasures for different aspects of the attack. The book consists of seven chapters that cover the following: the most pervasive and easily exploited vulnerabilities in web sites and web browsers; Structured Query Language (SQL) injection attacks; mistakes of server administrators that expose the web site to attack; brute force attacks; and logic attacks. The ways in which malicious software (malware) has been growing as a threat on the Web are also considered.

This book is intended for information security professionals of all levels, as well as web application developers and recreational hackers.

Key Features

  • Knowledge is power: find out about the most dominant attacks currently waging war on computers and networks globally
  • Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how
  • Institute countermeasures so you are not caught defenseless again, and learn techniques to make your computer and network impenetrable

Readership

Information security professionals of all levels; web application developers; recreational hackers

Table of Contents


About the Authors

Introduction

Chapter 1 Cross-Site Scripting

Understanding HTML Injection

Identifying Points of Injection

Distinguishing Different Delivery Vectors

Handling Character Sets Safely

Not Failing Secure

Avoiding Blacklisted Characters Altogether

Dealing with Browser Quirks

The Unusual Suspects

Employing Countermeasures

Fixing a Static Character Set

Normalizing Character Sets and Encoding

Encoding the Output

Beware of Exclusion Lists and Regexes

Reuse, Don’t Reimplement, Code

JavaScript Sandboxes

Summary

Chapter 2 Cross-Site Request Forgery

Understanding Cross-Site Request Forgery

Request Forgery via Forced Browsing

Attacking Authenticated Actions without Passwords

Dangerous Liaison: CSRF and XSS

Beyond GET

Be Wary of the Tangled Web

Variation on a Theme: Clickjacking

Employing Countermeasures

Defending the Web Application

Defending the Web Browser

Summary

Chapter 3 Structured Query Language Injection

Understanding SQL Injection

Breaking the Query

Vivisecting the Database

Alternate Attack Vectors

Employing Countermeasures

Validating Input

Securing the Query

Protecting Information

Stay Current with Database Patches

Summary

Chapter 4 Server Misconfiguration and Predictable Pages

Understanding the Attacks

Identifying Insecure Design Patterns

Targeting the Operating System

Attacking the Server

Employing Countermeasures

Restricting File Access

Using Object References

Blacklisting Insecure Functions

Enforcing Authorization

Restricting Network Connections

Summary

Chapter 5 Breaking Authentication Schemes

Understanding Authentication Attacks

Replaying the Session Token

Brute Force

Sniffing

Resetting Passwords

Cross-Site Scripting

SQL Injection

Gulls and Gullibility

Employing Countermeasures

Protect Session Cookies

Engage the User

Annoy the User

Request Throttling

Logging and Triangulation

Use Alternate Authentication Schemes

Defeating Phishing

Protecting Passwords

Summary

Chapter 6 Logic Attacks

Understanding Logic Attacks

Abusing Workflows

Exploit Policies and Practices

Induction

Denial of Service

Insecure Design Patterns

Information Sieves

Employing Countermeasures

Documenting Requirements

Creating Robust Test Cases

Mapping Policies to Controls

Defensive Programming

Verifying the Client

Summary

Chapter 7 Web of Distrust

Understanding Malware and Browser Attacks

Malware

Plugging into Browser Plug-ins

Domain Name System and Origins

HTML5

Employing Countermeasures

Safer Browsing

Isolating the Browser

DNS Security Extensions

Summary

Index




Details

No. of pages: 192
Language: English
Copyright: © Syngress 2010
Published: 17th March 2010
Imprint: Syngress
eBook ISBN: 9781597495448
Paperback ISBN: 9781597495431

About the Author

Mike Shema

Mike Shema develops web application security solutions at Qualys, Inc. His current work is focused on an automated web assessment service. Mike previously worked as a security consultant and trainer for Foundstone where he conducted information security assessments across a range of industries and technologies. His security background ranges from network penetration testing, wireless security, code review, and web security. He is the co-author of Hacking Exposed: Web Applications, The Anti-Hacker Toolkit and the author of Hack Notes: Web Application Security. In addition to writing, Mike has presented at security conferences in the U.S., Europe, and Asia.

Affiliations and Expertise

Web Application Security Solutions, Qualys, Inc.

Reviews

"Author Mike Shema explains potential vulnerabilities and offers case studies based on actual attacks, looking at the topic from a forensic perspective to devise proper preventive measures. This is where the series will endear itself to Web application developers and to security professionals in particular…. This set of books assumes some basic familiarity with the Web. It should, however, appeal to all security professionals, from top-level executives and IT experts to the lowest rung of managers."--Security Management

"For the reader engaged in professional testing of this type the explanation of the issues and mitigation strategies will provide an ideal starting point for educating and advising clients.… For any reader looking for a sound basic introduction to web application security testing without wanting to spend too much this book can be recommended as an ideal place to start."--BCS British Computer Society