Seven Deadliest Web Application Attacks

1st Edition - February 20, 2010

  • Author: Mike Shema
  • Paperback ISBN: 9781597495431
  • eBook ISBN: 9781597495448


Seven Deadliest Web Application Attacks highlights the vagaries of web security by discussing the seven deadliest vulnerabilities exploited by attackers. This book pinpoints the most dangerous hacks and exploits specific to web applications, laying out the anatomy of these attacks and explaining how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable. Each chapter presents examples of different attacks conducted against web sites. The methodology behind the attack is explored, showing its potential impact. The chapter then moves on to address possible countermeasures for different aspects of the attack. The book consists of seven chapters that cover the following: the most pervasive and easily exploited vulnerabilities in web sites and web browsers; Structured Query Language (SQL) injection attacks; mistakes of server administrators that expose the web site to attack; brute force attacks; and logic attacks. The ways in which malicious software (malware) has been growing as a threat on the Web are also considered. This book is intended for information security professionals of all levels, as well as web application developers and recreational hackers.

Key Features

  • Knowledge is power: find out about the most dominant attacks currently waging war on computers and networks globally
  • Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how
  • Institute countermeasures, don’t be caught defenseless again, and learn techniques to make your computer and network impenetrable


Information security professionals of all levels; web application developers; recreational hackers

Table of Contents

  • About the Authors


    Chapter 1 Cross-Site Scripting

        Understanding HTML Injection

             Identifying Points of Injection

             Distinguishing Different Delivery Vectors

             Handling Character Sets Safely

             Not Failing Secure

             Avoiding Blacklisted Characters Altogether

             Dealing with Browser Quirks

             The Unusual Suspects

        Employing Countermeasures

             Fixing a Static Character Set

             Normalizing Character Sets and Encoding

             Encoding the Output

             Beware of Exclusion Lists and Regexes

             Reuse, Don’t Reimplement, Code

             JavaScript Sandboxes


    Chapter 2 Cross-Site Request Forgery

        Understanding Cross-Site Request Forgery

             Request Forgery via Forced Browsing

             Attacking Authenticated Actions without Passwords

             Dangerous Liaison: CSRF and XSS

             Beyond GET

             Be Wary of the Tangled Web

             Variation on a Theme: Clickjacking

        Employing Countermeasures

             Defending the Web Application

             Defending the Web Browser


    Chapter 3 Structured Query Language Injection

        Understanding SQL Injection

             Breaking the Query

             Vivisecting the Database

             Alternate Attack Vectors

        Employing Countermeasures

             Validating Input

             Securing the Query

             Protecting Information

             Stay Current with Database Patches


    Chapter 4 Server Misconfiguration and Predictable Pages

        Understanding the Attacks

             Identifying Insecure Design Patterns

             Targeting the Operating System

             Attacking the Server

        Employing Countermeasures

             Restricting File Access

             Using Object References

             Blacklisting Insecure Functions

             Enforcing Authorization

             Restricting Network Connections


    Chapter 5 Breaking Authentication Schemes

        Understanding Authentication Attacks

             Replaying the Session Token

             Brute Force
             Resetting Passwords

             Cross-Site Scripting

             SQL Injection

             Gulls and Gullibility

        Employing Countermeasures

             Protect Session Cookies

             Engage the User

             Annoy the User

             Request Throttling

             Logging and Triangulation

             Use Alternate Authentication Schemes

             Defeating Phishing

             Protecting Passwords


    Chapter 6 Logic Attacks

        Understanding Logic Attacks

             Abusing Workflows

             Exploit Policies and Practices
             Denial of Service

             Insecure Design Patterns

             Information Sieves

        Employing Countermeasures

             Documenting Requirements

             Creating Robust Test Cases

             Mapping Policies to Controls

             Defensive Programming

             Verifying the Client


    Chapter 7 Web of Distrust

        Understanding Malware and Browser Attacks
             Plugging into Browser Plug-ins

             Domain Name System and Origins
        Employing Countermeasures

             Safer Browsing

             Isolating the Browser

             DNS Security Extensions

Product details

  • No. of pages: 192
  • Language: English
  • Copyright: © Syngress 2010
  • Published: February 20, 2010
  • Imprint: Syngress
  • Paperback ISBN: 9781597495431
  • eBook ISBN: 9781597495448

About the Author

Mike Shema

Mike Shema develops web application security solutions at Qualys, Inc. His current work is focused on an automated web assessment service. Mike previously worked as a security consultant and trainer for Foundstone, where he conducted information security assessments across a range of industries and technologies. His security background spans network penetration testing, wireless security, code review, and web security. He is the co-author of Hacking Exposed: Web Applications and The Anti-Hacker Toolkit, and the author of Hack Notes: Web Application Security. In addition to writing, Mike has presented at security conferences in the U.S., Europe, and Asia.

Affiliations and Expertise

Web Application Security Solutions, Qualys, Inc.
