50% Off The Criterion Collection Shop Now
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
The highly successful security book returns with a new edition, completely updated

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.


"1112113643"
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
The highly successful security book returns with a new edition, completely updated

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.


52.0 In Stock
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

by Dafydd Stuttard, Marcus Pinto
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
Add to Wishlist
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

by Dafydd Stuttard, Marcus Pinto

Overview

The highly successful security book returns with a new edition, completely updated

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.


Product Details

ISBN-13: 9781118026472
Publisher: Wiley
Publication date: 09/27/2011
Pages: 912
Sales rank: 1,091,382
Product dimensions: 7.40(w) x 9.20(h) x 1.90(d)

About the Author

DAFYDD STUTTARD is an independent security consultant, author, and software developer specializing in penetration testing of web applications and compiled software. Under the alias PortSwigger, Dafydd created the popular Burp Suite of hacking tools.

MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Table of Contents

Introduction xxiii

Chapter 1 Web Application (In)security 1

The Evolution of Web Applications 2

Web Application Security 6

Summary 15

Chapter 2 Core Defense Mechanisms 17

Handling User Access 18

Handling User Input 21

Handling Attackers 30

Managing the Application 35

Summary 36

Questions 36

Chapter 3 Web Application Technologies 39

The HTTP Protocol 39

Web Functionality 51

Encoding Schemes 66

Next Steps 70

Questions 71

Chapter 4 Mapping the Application 73

Enumerating Content and Functionality 74

Analyzing the Application 97

Summary 114

Questions 114

Chapter 5 Bypassing Client-Side Controls 117

Transmitting Data Via the Client 118

Capturing User Data: HTML Forms 127

Capturing User Data: Browser Extensions 133

Handling Client-Side Data Securely 154

Summary 156

Questions 157

Chapter 6 Attacking Authentication 159

Authentication Technologies 160

Design Flaws in Authentication Mechanisms 161

Implementation Flaws in Authentication 185

Securing Authentication 191

Summary 201

Questions 202

Chapter 7 Attacking Session Management 205

The Need for State 206

Weaknesses in Token Generation 210

Weaknesses in Session Token Handling 233

Securing Session Management 248

Summary 254

Questions 255

Chapter 8 Attacking Access Controls 257

Common Vulnerabilities 258

Attacking Access Controls 266

Securing Access Controls 278

Summary 284

Questions 284

Chapter 9 Attacking Data Stores 287

Injecting into Interpreted Contexts 288

Injecting into SQL 291

Injecting into NoSQL 342

Injecting into XPath 344

Injecting into LDAP 349

Summary 354

Questions 354

Chapter 10 Attacking Back-End Components 357

Injecting OS Commands 358

Manipulating File Paths 368

Injecting into XML Interpreters 383

Injecting into Back-end HTTP Requests 390

Injecting into Mail Services 397

Summary 402

Questions 403

Chapter 11 Attacking Application Logic 405

The Nature of Logic Flaws 406

Real-World Logic Flaws 406

Avoiding Logic Flaws 428

Summary 429

Questions 430

Chapter 12 Attacking Users: Cross-Site Scripting 431

Varieties of XSS 433

XSS Attacks in Action 442

Finding and Exploiting XSS Vulnerabilities 451

Preventing XSS Attacks 492

Summary 498

Questions 498

Chapter 13 Attacking Users: Other Techniques 501

Inducing User Actions 501

Capturing Data Cross-Domain 515

The Same-Origin Policy Revisited 524

Other Client-Side Injection Attacks 531

Local Privacy Attacks 550

Attacking ActiveX Controls 555

Attacking the Browser 559

Summary 568

Questions 568

Chapter 14 Automating Customized Attacks 571

Uses for Customized Automation 572

Enumerating Valid Identifiers 573

Harvesting Useful Data 583

Fuzzing for Common Vulnerabilities 586

Putting It All Together: Burp Intruder 590

Barriers to Automation 602

Summary 613

Questions 613

Chapter 15 Exploiting Information Disclosure 615

Exploiting Error Messages 615

Gathering Published Information 625

Using Inference 626

Preventing Information Leakage 627

Summary 629

Questions 630

Chapter 16 Attacking Native Compiled Applications 633

Buffer Overflow Vulnerabilities 634         

Integer Vulnerabilities 640

Format String Vulnerabilities 643

Summary 645

Questions 645

Chapter 17 Attacking Application Architecture 647

Tiered Architectures 647

Shared Hosting and Application Service Providers 656

Summary 667

Questions 667

Chapter 18 Attacking the Application Server 669

Vulnerable Server Configuration 670

Vulnerable Server Software 684

Web Application Firewalls 697

Summary 699

Questions 699

Chapter 19 Finding Vulnerabilities in Source Code 701

Approaches to Code Review 702

Signatures of Common Vulnerabilities 704

The Java Platform 711

ASP.NET 718

PHP 724

Perl 735

JavaScript 740

Database Code Components 741

Tools for Code Browsing 743

Summary 744

Questions 744

Chapter 20 A Web Application Hacker’s Toolkit 747

Web Browsers 748

Integrated Testing Suites 751

Standalone Vulnerability Scanners 773

Other Tools 785

Summary 789

Chapter 21 A Web Application Hacker’s Methodology 791

General Guidelines 793

1 Map the Application’s Content 795

2 Analyze the Application 798

3 Test Client-Side Controls 800

4 Test the Authentication Mechanism 805

5 Test the Session Management Mechanism 814

6 Test Access Controls 821

7 Test for Input-Based Vulnerabilities 824

8 Test for Function-Specific Input Vulnerabilities 836

9 Test for Logic Flaws 842

10 Test for Shared Hosting Vulnerabilities 845

11 Test for Application Server Vulnerabilities 846

12 Miscellaneous Checks 849

13 Follow Up Any Information Leakage 852

Index 853

From the B&N Reads Blog
Page 1 of

Related Subjects

Computers
Home & Garden
Computers - General & Miscellaneous
Internet & World Wide Web
House & Home
Networking & Telecommunications
Computer Security
Internet & World Wide Web - General & Miscellaneous
Security - Computer Networks
Home Safety & Security
Internet->Security measures
Computers
Home & Garden
Computers - General & Miscellaneous
Internet & World Wide Web
House & Home
Networking & Telecommunications
Computer Security
Internet & World Wide Web - General & Miscellaneous
Security - Computer Networks
Home Safety & Security
Internet->Security measures

Customer Reviews