Hacking Methodology | p. 1 |
Introduction | p. 2 |
Understanding the Terms | p. 3 |
A Brief History of Hacking | p. 3 |
Phone System Hacking | p. 4 |
Computer Hacking | p. 5 |
What Motivates a Hacker? | p. 7 |
Ethical Hacking versus Malicious Hacking | p. 8 |
Working with Security Professionals | p. 9 |
Associated Risks with Hiring a Security Professional | p. 9 |
Understanding Current Attack Types | p. 10 |
DoS/DDoS | p. 10 |
Virus Hacking | p. 12 |
End-User Virus Protection | p. 14 |
Worms | p. 16 |
Rogue Applets | p. 18 |
Stealing | p. 18 |
Credit Card Theft | p. 19 |
Theft of Identity | p. 21 |
Information Piracy | p. 22 |
Recognizing Web Application Security Threats | p. 23 |
Hidden Manipulation | p. 23 |
Parameter Tampering | p. 24 |
Cross-Site Scripting | p. 24 |
Buffer Overflow | p. 24 |
Cookie Poisoning | p. 25 |
Preventing Break-Ins by Thinking like a Hacker | p. 25 |
Summary | p. 28 |
Solutions Fast Track | p. 28 |
Frequently Asked Questions | p. 32 |
How to Avoid Becoming a Code Grinder | p. 35 |
Introduction | p. 36 |
What Is a Code Grinder? | p. 37 |
Following the Rules | p. 39 |
Thinking Creatively when Coding | p. 41 |
Use All Available Resources at Your Disposal | p. 43 |
Allowing for Thought | p. 44 |
Modular Programming Done Correctly | p. 44 |
Security from the Perspective of a Code Grinder | p. 46 |
Coding in a Vacuum | p. 48 |
Building Functional and Secure Web Applications | p. 49 |
But My Code Is Functional! | p. 54 |
There Is More to an Application than Functionality | p. 55 |
You Can Make the Difference! | p. 56 |
Let's Make It Secure and Functional | p. 58 |
Summary | p. 62 |
Solutions Fast Track | p. 63 |
Frequently Asked Questions | p. 64 |
Understanding the Risk Associated with Mobile Code | p. 67 |
Introduction | p. 68 |
Recognizing the Impact of Mobile Code Attacks | p. 69 |
Browser Attacks | p. 69 |
Mail Client Attacks | p. 69 |
Malicious Scripts or Macros | p. 72 |
Identifying Common Forms of Mobile Code | p. 72 |
Macro Languages: Visual Basic for Applications (VBA) | p. 73 |
Security Problems with VBA | p. 74 |
The Melissa Virus | p. 79 |
Protecting against VBA Viruses | p. 80 |
JavaScript | p. 83 |
JavaScript Security Overview | p. 84 |
Security Problems | p. 84 |
Exploiting Plug-In Commands | p. 86 |
Web-Based E-Mail Attacks | p. 87 |
Social Engineering | p. 87 |
Lowering JavaScript Security Risks | p. 88 |
VBScript | p. 88 |
VBScript Security Overview | p. 89 |
VBScript Security Problems | p. 89 |
VBScript Security Precautions | p. 90 |
Java Applets | p. 91 |
Granting Additional Access to Applets | p. 92 |
Security Problems with Java | p. 92 |
Background Threads | p. 92 |
Contacting the Host Server | p. 93 |
Java Security Precautions | p. 93 |
ActiveX Controls | p. 94 |
ActiveX Security Overview | p. 94 |
Security Problems with ActiveX | p. 95 |
Preinstalled ActiveX Controls | p. 96 |
Buffer Overrun Error | p. 97 |
Intentionally Malicious ActiveX | p. 98 |
Unsafe for Scripting | p. 98 |
ActiveX Security Precautions | p. 98 |
Disabling an ActiveX Control | p. 98 |
E-Mail Attachments and Downloaded Executables | p. 99 |
Back Orifice 2000 Trojan | p. 99 |
Protecting Your System from Mobile Code Attacks | p. 103 |
Security Applications | p. 103 |
ActiveX Manager | p. 103 |
Back Orifice Detectors | p. 104 |
Firewall Software | p. 108 |
Web-Based Tools | p. 108 |
Online Scanners | p. 108 |
Client Security Updates | p. 109 |
Summary | p. 110 |
Solutions Fast Track | p. 110 |
Frequently Asked Questions | p. 112 |
Vulnerable CGI Scripts | p. 113 |
Introduction | p. 114 |
What Is a CGI Script, and What Does It Do? | p. 114 |
Typical Uses of CGI Scripts | p. 116 |
When Should You Use CGI? | p. 121 |
CGI Script Hosting Issues | p. 122 |
Break-Ins Resulting from Weak CGI Scripts | p. 123 |
How to Write "Tighter" CGI Scripts | p. 124 |
Searchable Index Commands | p. 128 |
CGI Wrappers | p. 128 |
Nikto | p. 129 |
Acquiring and Using Nikto | p. 131 |
Nikto Commands | p. 133 |
Web Hack Control Center | p. 137 |
SQL Injection | p. 138 |
Languages for Writing CGI Scripts | p. 140 |
UNIX Shell | p. 141 |
Perl | p. 141 |
C/C++ | p. 142 |
Visual Basic | p. 142 |
Advantages of Using CGI Scripts | p. 143 |
Rules for Writing Secure CGI Scripts | p. 143 |
Storing CGI Scripts | p. 147 |
Summary | p. 149 |
Solutions Fast Track | p. 149 |
Frequently Asked Questions | p. 152 |
Hacking Techniques and Tools | p. 155 |
Introduction | p. 156 |
A Hacker's Goals | p. 157 |
Minimize the Warning Signs | p. 158 |
Maximize the Access | p. 160 |
Damage, Damage, Damage | p. 163 |
Turning the Tables | p. 165 |
The Five Phases of Hacking | p. 166 |
Creating an Attack Map | p. 166 |
Building an Execution Plan | p. 170 |
Establishing a Point of Entry | p. 171 |
Continued and Further Access | p. 172 |
The Attack | p. 174 |
Defacing Web Sites | p. 176 |
Social Engineering | p. 178 |
Sensitive Information | p. 178 |
E-Mail or Messaging Services | p. 179 |
Telephones and Documents | p. 180 |
Credentials | p. 182 |
The Intentional "Back Door" Attack | p. 183 |
Hard-Coding a Back Door Password | p. 184 |
Exploiting Inherent Weaknesses in Code or Programming Environments | p. 186 |
The Tools of the Trade | p. 187 |
Hex Editors | p. 187 |
Debuggers | p. 189 |
Disassemblers | p. 189 |
PE Disassembler | p. 190 |
DJ Java Decompiler | p. 190 |
Hackman Disassembler | p. 191 |
Summary | p. 192 |
Solutions Fast Track | p. 192 |
Frequently Asked Questions | p. 196 |
Code Auditing and Reverse Engineering | p. 199 |
Introduction | p. 200 |
How to Efficiently Trace through a Program | p. 200 |
Auditing and Reviewing Selected Programming Languages | p. 203 |
Java | p. 203 |
Java Server Pages | p. 204 |
Active Server Pages | p. 204 |
Server Side Includes | p. 204 |
Python | p. 204 |
The Tool Command Language | p. 205 |
Practical Extraction and Reporting Language | p. 205 |
PHP: Hypertext Preprocessor | p. 205 |
C/C++ | p. 205 |
ColdFusion | p. 206 |
Looking for Vulnerabilities | p. 206 |
Getting the Data from the User | p. 207 |
Looking for Buffer Overflows | p. 208 |
The str* Family of Functions | p. 209 |
The strn* Family of Functions | p. 209 |
The *scanf Family of Functions | p. 210 |
Other Functions Vulnerable to Buffer Overflows | p. 210 |
Checking the Output Given to the User | p. 211 |
Format String Vulnerabilities | p. 211 |
Cross-Site Scripting | p. 213 |
Information Disclosure | p. 214 |
Checking for File System Access/Interaction | p. 215 |
Checking External Program and Code Execution | p. 218 |
Calling External Programs | p. 218 |
Dynamic Code Execution | p. 219 |
External Objects/Libraries | p. 220 |
Checking Structured Query Language (SQL)/Database Queries | p. 221 |
Checking Networking and Communication Streams | p. 223 |
Pulling It All Together | p. 224 |
Summary | p. 225 |
Solutions Fast Track | p. 225 |
Frequently Asked Questions | p. 226 |
Securing Your Java Code | p. 227 |
Introduction | p. 228 |
Java Versions | p. 228 |
Java Runtime Environment | p. 229 |
Overview of the Java Security Architecture | p. 232 |
The Java Security Model | p. 233 |
The Sandbox | p. 236 |
Security and Java Applets | p. 238 |
How Java Handles Security | p. 241 |
Class Loaders | p. 242 |
The Applet Class Loader | p. 243 |
Adding Security to a Custom Class Loader | p. 243 |
Bytecode Verifier | p. 246 |
Java Protected Domains | p. 250 |
Java Security Manager | p. 251 |
Policy Files | p. 252 |
The Security Manager Class | p. 258 |
Potential Weaknesses in Java | p. 259 |
DoS Attack/Degradation of Service Attacks | p. 260 |
Third-Party Trojan Horse Attacks | p. 262 |
Coding Functional but Secure Java Applets | p. 263 |
Message Digests | p. 264 |
Digital Signatures | p. 268 |
Generating a Key Pair | p. 270 |
Obtaining and Verifying a Signature | p. 272 |
Authentication | p. 274 |
X.509 Certificate Format | p. 275 |
Obtaining Digital Certificates | p. 276 |
Protecting Security with JAR Signing | p. 280 |
Encryption | p. 284 |
Sun Microsystems Recommendations for Java Security | p. 287 |
Privileged Code Guidelines | p. 288 |
Java Code Guidelines | p. 288 |
C Code Guidelines | p. 289 |
Summary | p. 291 |
Solutions Fast Track | p. 292 |
Frequently Asked Questions | p. 293 |
Securing XML | p. 295 |
Introduction | p. 296 |
Defining XML | p. 296 |
Logical Structure | p. 297 |
Elements | p. 298 |
Attributes | p. 299 |
Well-Formed Documents | p. 300 |
Valid Document | p. 300 |
XML and XSL/DTD Documents | p. 301 |
XSL Use of Templates | p. 302 |
XSL Use of Patterns | p. 302 |
DTD | p. 304 |
Schemas | p. 306 |
Creating Web Applications Using XML | p. 307 |
The Risks Associated with Using XML | p. 311 |
Confidentiality Concerns | p. 312 |
Securing XML | p. 313 |
XML Encryption | p. 313 |
XML Digital Signatures | p. 318 |
Summary | p. 321 |
Solutions Fast Track | p. 321 |
Frequently Asked Questions | p. 323 |
Building Safe ActiveX Internet Controls | p. 325 |
Introduction | p. 326 |
Dangers Associated with Using ActiveX | p. 326 |
Avoiding Common ActiveX Vulnerabilities | p. 329 |
Lessening the Impact of ActiveX Vulnerabilities | p. 333 |
Protection at the Network Level | p. 333 |
Protection at the Client Level | p. 333 |
Methodology for Writing Safe ActiveX Controls | p. 337 |
Object Safety Settings | p. 337 |
Securing ActiveX Controls | p. 338 |
Control Signing | p. 339 |
Using Microsoft Authenticode | p. 340 |
Control Marking | p. 342 |
Using Safety Settings | p. 342 |
Using IObjectSafety | p. 343 |
Marking the Control in the Windows Registry | p. 346 |
Summary | p. 348 |
Solutions Fast Track | p. 348 |
Frequently Asked Questions | p. 351 |
Securing ColdFusion | p. 353 |
Introduction | p. 354 |
How Does ColdFusion Work? | p. 355 |
Using the Benefit of Rapid Development | p. 356 |
Understanding ColdFusion Markup Language | p. 358 |
Scalable Deployment | p. 360 |
Preserving ColdFusion Security | p. 360 |
Secure Development | p. 365 |
CFINCLUDE | p. 365 |
Relative Paths | p. 366 |
Queries | p. 369 |
Uploaded Files | p. 373 |
Denial of Service | p. 374 |
Turning Off Tags | p. 375 |
Secure Deployment | p. 375 |
ColdFusion Application Processing | p. 376 |
Checking for Existence of Data | p. 376 |
Checking Data Types | p. 378 |
Data Evaluation | p. 381 |
Risks Associated with Using ColdFusion | p. 382 |
Using Error Handling Programs | p. 384 |
Monitor.cfm Example | p. 386 |
Summary | p. 390 |
Solutions Fast Track | p. 390 |
Frequently Asked Questions | p. 392 |
Developing Security-Enabled Applications | p. 393 |
Introduction | p. 394 |
The Benefits of Using Security-Enabled Applications | p. 394 |
Types of Security Used in Applications | p. 395 |
Digital Signatures | p. 396 |
Pretty Good Privacy | p. 397 |
Outlook/Outlook Express | p. 400 |
Secure Multipurpose Internet Mail Extension | p. 401 |
Secure Sockets Layer | p. 401 |
Transport Layer Security | p. 403 |
Server Authentication | p. 404 |
Client Authentication | p. 405 |
Digital Certificates | p. 408 |
Reviewing the Basics of PKI | p. 410 |
Cookies | p. 412 |
Certificate Services | p. 415 |
Using PKI to Secure Web Applications | p. 416 |
Implementing PKI in Your Web Infrastructure | p. 417 |
Microsoft Certificate Services | p. 417 |
PKI for Apache Server | p. 421 |
Testing Your Security Implementation | p. 422 |
Summary | p. 425 |
Solutions Fast Track | p. 426 |
Frequently Asked Questions | p. 429 |
Cradle to Grave: Working with a Security Plan | p. 431 |
Introduction | p. 432 |
Examining Your Code | p. 433 |
Code Reviews | p. 434 |
Peer-to-Peer Code Reviews | p. 435 |
Being Aware of Code Vulnerabilities | p. 438 |
Testing, Testing, Testing | p. 439 |
Using Common Sense when Coding | p. 442 |
Planning | p. 442 |
Coding Standards | p. 443 |
Header Comments | p. 443 |
Variable Declaration Comments | p. 444 |
The Tools | p. 444 |
Rule-Based Analyzers | p. 444 |
Debugging and Error Handling | p. 445 |
Version Control and Source Code Tracking | p. 446 |
Visual SourceSafe | p. 446 |
StarTeam | p. 447 |
Creating a Security Plan | p. 448 |
Security Planning at the Network Level | p. 449 |
Security Planning at the Application Level | p. 450 |
Security Planning at the Desktop Level | p. 450 |
Web Application Security Process | p. 451 |
Summary | p. 453 |
Solutions Fast Track | p. 454 |
Frequently Asked Questions | p. 455 |
Index | p. 457 |
Table of Contents provided by Ingram. All Rights Reserved.