Seven Deadliest Web Application Attacks
1st Edition
Description
Seven Deadliest Web Application Attacks highlights the vagaries of web security by discussing the seven deadliest vulnerabilities exploited by attackers. This book pinpoints the most dangerous hacks and exploits specific to web applications, laying out the anatomy of these attacks including how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable.
Each chapter presents examples of different attacks conducted against web sites. The methodology behind each attack is explored, showing its potential impact. The chapter then moves on to address possible countermeasures for different aspects of the attack. The book consists of seven chapters that cover the following: the most pervasive and easily exploited vulnerabilities in web sites and web browsers; Structured Query Language (SQL) injection attacks; mistakes of server administrators that expose the web site to attack; brute force attacks; and logic attacks. The ways in which malicious software (malware) has been growing as a threat on the Web are also considered.
This book is intended for information security professionals of all levels, as well as web application developers and recreational hackers.
Key Features
- Knowledge is power: find out about the most dominant attacks currently waging war on computers and networks globally
- Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how
- Institute countermeasures so you are not caught defenseless again, and learn techniques to make your computer and network impenetrable
Readership
Information security professionals of all levels; web application developers; recreational hackers
Table of Contents
About the Authors
Introduction
Chapter 1 Cross-Site Scripting
Understanding HTML Injection
Identifying Points of Injection
Distinguishing Different Delivery Vectors
Handling Character Sets Safely
Not Failing Secure
Avoiding Blacklisted Characters Altogether
Dealing with Browser Quirks
The Unusual Suspects
Employing Countermeasures
Fixing a Static Character Set
Normalizing Character Sets and Encoding
Encoding the Output
Beware of Exclusion Lists and Regexes
Reuse, Don’t Reimplement, Code
JavaScript Sandboxes
Summary
Chapter 2 Cross-Site Request Forgery
Understanding Cross-Site Request Forgery
Request Forgery via Forced Browsing
Attacking Authenticated Actions without Passwords
Dangerous Liaison: CSRF and XSS
Beyond GET
Be Wary of the Tangled Web
Variation on a Theme: Clickjacking
Employing Countermeasures
Defending the Web Application
Defending the Web Browser
Summary
Chapter 3 Structured Query Language Injection
Understanding SQL Injection
Breaking the Query
Vivisecting the Database
Alternate Attack Vectors
Employing Countermeasures
Validating Input
Securing the Query
Protecting Information
Stay Current with Database Patches
Summary
Chapter 4 Server Misconfiguration and Predictable Pages
Understanding the Attacks
Identifying Insecure Design Patterns
Targeting the Operating System
Attacking the Server
Employing Countermeasures
Restricting File Access
Using Object References
Blacklisting Insecure Functions
Enforcing Authorization
Restricting Network Connections
Summary
Chapter 5 Breaking Authentication Schemes
Understanding Authentication Attacks
Replaying the Session Token
Brute Force
Sniffing
Resetting Passwords
Cross-Site Scripting
SQL Injection
Gulls and Gullibility
Employing Countermeasures
Protect Session Cookies
Engage the User
Annoy the User
Request Throttling
Logging and Triangulation
Use Alternate Authentication Schemes
Defeating Phishing
Protecting Passwords
Summary
Chapter 6 Logic Attacks
Understanding Logic Attacks
Abusing Workflows
Exploit Policies and Practices
Induction
Denial of Service
Insecure Design Patterns
Information Sieves
Employing Countermeasures
Documenting Requirements
Creating Robust Test Cases
Mapping Policies to Controls
Defensive Programming
Verifying the Client
Summary
Chapter 7 Web of Distrust
Understanding Malware and Browser Attacks
Malware
Plugging into Browser Plug-ins
Domain Name System and Origins
HTML5
Employing Countermeasures
Safer Browsing
Isolating the Browser
DNS Security Extensions
Summary
Index
Details
- No. of pages: 192
- Language: English
- Copyright: © Syngress 2010
- Published: 17th March 2010
- Imprint: Syngress
- Paperback ISBN: 9781597495431
- eBook ISBN: 9781597495448
About the Author
Mike Shema
Mike Shema develops web application security solutions at Qualys, Inc. His current work is focused on an automated web assessment service. Mike previously worked as a security consultant and trainer for Foundstone, where he conducted information security assessments across a range of industries and technologies. His security background spans network penetration testing, wireless security, code review, and web security. He is the co-author of Hacking Exposed: Web Applications and The Anti-Hacker Toolkit, and the author of Hack Notes: Web Application Security. In addition to writing, Mike has presented at security conferences in the U.S., Europe, and Asia.
Affiliations and Expertise
Web Application Security Solutions, Qualys, Inc.
Reviews
"Author Mike Shema explains potential vulnerabilities and offers case studies based on actual attacks, looking at the topic from a forensic perspective to devise proper preventive measures. This is where the series will endear itself to Web application developers and to security professionals in particular…. This set of books assumes some basic familiarity with the Web. It should, however, appeal to all security professionals, from top-level executives and IT experts to the lowest rung of managers."--Security Management
"For the reader engaged in professional testing of this type the explanation of the issues and mitigation strategies will provide an ideal starting point for educating and advising clients.… For any reader looking for a sound basic introduction to web application security testing without wanting to spend too much this book can be recommended as an ideal place to start."--BCS British Computer Society