Developer's Guide To Web Application Security

by
  • ISBN13:

    9781597490610

  • ISBN10:

    159749061X

  • Format: Paperback
  • Copyright: 2007-02-01
  • Publisher: Elsevier Science

Summary

Attacks against Web applications are extremely difficult to defend against. Most companies are still struggling to protect themselves at the network level, using antivirus software, having a firewall in place, and running the latest intrusion detection software. Application security can't be covered by traditional intrusion detection systems and firewalls; they just aren't designed to handle the difficulty involved in this type of security, not yet, anyway. Because Web applications are typically where a company stores its sensitive data, such as customer information, including names, passwords, and credit card information, they are an obvious target for a malicious attack. This book investigates the kinds of security threats that Web applications face: hidden manipulation, parameter tampering, cross-site scripting, buffer overflows, and cookie poisoning are just a few. As the reader continues in the book, the topics take a more language-oriented approach, discussing issues with Java, XML, and ColdFusion, as well as known vulnerabilities and solutions for each specific language.

  1. Think Creatively When Coding. Find a list of dos and don'ts and treat security bugs differently than other types of bugs.
  2. Protect Your System from Mobile Code Attacks. Learn how to identify common forms of mobile code.
  3. Write Secure CGI Scripts. Learn the rules of the road, including double-checking the source code of any third-party CGI programs.
  4. Learn the Five Phases of Hacking. Skilled intruders will carefully plan their attacks for when you least expect it. Learn their methods and take control before they do.
  5. Efficiently Trace through a Program. Tracing a program's execution from start to finish is too time intensive; learn shortcuts to save time by going directly to problem areas.
  6. Code Functional but Secure Java Applets. See how the Java Cryptography Extension allows the integrity of a message to be validated by using message digests.
  7. Secure XML. The goal of the XML Encryption specification is to describe a digitally encrypted Web resource using XML.
  8. Learn the Dangers Associated with Using ActiveX. A common vulnerability in ActiveX controls is releasing versions that have not been thoroughly tested and that contain bugs such as the buffer overflow.
  9. Preserve ColdFusion Security. Know which ColdFusion tags involve the movement of data in ways that can be attacked.
  10. Use PKI to Secure Web Applications. PKI can be used to provide security for more than one application at the same time.
  11. Use Common Sense When Coding. Using tools such as rule-based analyzers, debuggers, and version control software assists in the development effort and aids in the security of your application.

Book jacket.

Table of Contents

Hacking Methodology, p. 1
Introduction, p. 2
Understanding the Terms, p. 3
A Brief History of Hacking, p. 3
Phone System Hacking, p. 4
Computer Hacking, p. 5
What Motivates a Hacker?, p. 7
Ethical Hacking versus Malicious Hacking, p. 8
Working with Security Professionals, p. 9
Associated Risks with Hiring a Security Professional, p. 9
Understanding Current Attack Types, p. 10
DoS/DDoS, p. 10
Virus Hacking, p. 12
End-User Virus Protection, p. 14
Worms, p. 16
Rogue Applets, p. 18
Stealing, p. 18
Credit Card Theft, p. 19
Theft of Identity, p. 21
Information Piracy, p. 22
Recognizing Web Application Security Threats, p. 23
Hidden Manipulation, p. 23
Parameter Tampering, p. 24
Cross-Site Scripting, p. 24
Buffer Overflow, p. 24
Cookie Poisoning, p. 25
Preventing Break-Ins by Thinking like a Hacker, p. 25
Summary, p. 28
Solutions Fast Track, p. 28
Frequently Asked Questions, p. 32
How to Avoid Becoming a Code Grinder, p. 35
Introduction, p. 36
What Is a Code Grinder?, p. 37
Following the Rules, p. 39
Thinking Creatively when Coding, p. 41
Use All Available Resources at Your Disposal, p. 43
Allowing for Thought, p. 44
Modular Programming Done Correctly, p. 44
Security from the Perspective of a Code Grinder, p. 46
Coding in a Vacuum, p. 48
Building Functional and Secure Web Applications, p. 49
But My Code Is Functional!, p. 54
There Is More to an Application than Functionality, p. 55
You Can Make the Difference!, p. 56
Let's Make It Secure and Functional, p. 58
Summary, p. 62
Solutions Fast Track, p. 63
Frequently Asked Questions, p. 64
Understanding the Risk Associated with Mobile Code, p. 67
Introduction, p. 68
Recognizing the Impact of Mobile Code Attacks, p. 69
Browser Attacks, p. 69
Mail Client Attacks, p. 69
Malicious Scripts or Macros, p. 72
Identifying Common Forms of Mobile Code, p. 72
Macro Languages: Visual Basic for Applications (VBA), p. 73
Security Problems with VBA, p. 74
The Melissa Virus, p. 79
Protecting against VBA Viruses, p. 80
JavaScript, p. 83
JavaScript Security Overview, p. 84
Security Problems, p. 84
Exploiting Plug-In Commands, p. 86
Web-Based E-Mail Attacks, p. 87
Social Engineering, p. 87
Lowering JavaScript Security Risks, p. 88
VBScript, p. 88
VBScript Security Overview, p. 89
VBScript Security Problems, p. 89
VBScript Security Precautions, p. 90
Java Applets, p. 91
Granting Additional Access to Applets, p. 92
Security Problems with Java, p. 92
Background Threads, p. 92
Contacting the Host Server, p. 93
Java Security Precautions, p. 93
ActiveX Controls, p. 94
ActiveX Security Overview, p. 94
Security Problems with ActiveX, p. 95
Preinstalled ActiveX Controls, p. 96
Buffer Overrun Error, p. 97
Intentionally Malicious ActiveX, p. 98
Unsafe for Scripting, p. 98
ActiveX Security Precautions, p. 98
Disabling an ActiveX Control, p. 98
E-Mail Attachments and Downloaded Executables, p. 99
Back Orifice 2000 Trojan, p. 99
Protecting Your System from Mobile Code Attacks, p. 103
Security Applications, p. 103
ActiveX Manager, p. 103
Back Orifice Detectors, p. 104
Firewall Software, p. 108
Web-Based Tools, p. 108
Online Scanners, p. 108
Client Security Updates, p. 109
Summary, p. 110
Solutions Fast Track, p. 110
Frequently Asked Questions, p. 112
Vulnerable CGI Scripts, p. 113
Introduction, p. 114
What Is a CGI Script, and What Does It Do?, p. 114
Typical Uses of CGI Scripts, p. 116
When Should You Use CGI?, p. 121
CGI Script Hosting Issues, p. 122
Break-Ins Resulting from Weak CGI Scripts, p. 123
How to Write "Tighter" CGI Scripts, p. 124
Searchable Index Commands, p. 128
CGI Wrappers, p. 128
Nikto, p. 129
Acquiring and Using Nikto, p. 131
Nikto Commands, p. 133
Web Hack Control Center, p. 137
SQL Injection, p. 138
Languages for Writing CGI Scripts, p. 140
UNIX Shell, p. 141
Perl, p. 141
C/C++, p. 142
Visual Basic, p. 142
Advantages of Using CGI Scripts, p. 143
Rules for Writing Secure CGI Scripts, p. 143
Storing CGI Scripts, p. 147
Summary, p. 149
Solutions Fast Track, p. 149
Frequently Asked Questions, p. 152
Hacking Techniques and Tools, p. 155
Introduction, p. 156
A Hacker's Goals, p. 157
Minimize the Warning Signs, p. 158
Maximize the Access, p. 160
Damage, Damage, Damage, p. 163
Turning the Tables, p. 165
The Five Phases of Hacking, p. 166
Creating an Attack Map, p. 166
Building an Execution Plan, p. 170
Establishing a Point of Entry, p. 171
Continued and Further Access, p. 172
The Attack, p. 174
Defacing Web Sites, p. 176
Social Engineering, p. 178
Sensitive Information, p. 178
E-Mail or Messaging Services, p. 179
Telephones and Documents, p. 180
Credentials, p. 182
The Intentional "Back Door" Attack, p. 183
Hard-Coding a Back Door Password, p. 184
Exploiting Inherent Weaknesses in Code or Programming Environments, p. 186
The Tools of the Trade, p. 187
Hex Editors, p. 187
Debuggers, p. 189
Disassemblers, p. 189
PE Disassembler, p. 190
DJ Java Decompiler, p. 190
Hackman Disassembler, p. 191
Summary, p. 192
Solutions Fast Track, p. 192
Frequently Asked Questions, p. 196
Code Auditing and Reverse Engineering, p. 199
Introduction, p. 200
How to Efficiently Trace through a Program, p. 200
Auditing and Reviewing Selected Programming Languages, p. 203
Java, p. 203
Java Server Pages, p. 204
Active Server Pages, p. 204
Server Side Includes, p. 204
Python, p. 204
The Tool Command Language, p. 205
Practical Extraction and Reporting Language, p. 205
PHP: Hypertext Preprocessor, p. 205
C/C++, p. 205
ColdFusion, p. 206
Looking for Vulnerabilities, p. 206
Getting the Data from the User, p. 207
Looking for Buffer Overflows, p. 208
The str* Family of Functions, p. 209
The strn* Family of Functions, p. 209
The *scanf Family of Functions, p. 210
Other Functions Vulnerable to Buffer Overflows, p. 210
Checking the Output Given to the User, p. 211
Format String Vulnerabilities, p. 211
Cross-Site Scripting, p. 213
Information Disclosure, p. 214
Checking for File System Access/Interaction, p. 215
Checking External Program and Code Execution, p. 218
Calling External Programs, p. 218
Dynamic Code Execution, p. 219
External Objects/Libraries, p. 220
Checking Structured Query Language (SQL)/Database Queries, p. 221
Checking Networking and Communication Streams, p. 223
Pulling It All Together, p. 224
Summary, p. 225
Solutions Fast Track, p. 225
Frequently Asked Questions, p. 226
Securing Your Java Code, p. 227
Introduction, p. 228
Java Versions, p. 228
Java Runtime Environment, p. 229
Overview of the Java Security Architecture, p. 232
The Java Security Model, p. 233
The Sandbox, p. 236
Security and Java Applets, p. 238
How Java Handles Security, p. 241
Class Loaders, p. 242
The Applet Class Loader, p. 243
Adding Security to a Custom Class Loader, p. 243
Bytecode Verifier, p. 246
Java Protected Domains, p. 250
Java Security Manager, p. 251
Policy Files, p. 252
The Security Manager Class, p. 258
Potential Weaknesses in Java, p. 259
DoS Attack/Degradation of Service Attacks, p. 260
Third-Party Trojan Horse Attacks, p. 262
Coding Functional but Secure Java Applets, p. 263
Message Digests, p. 264
Digital Signatures, p. 268
Generating a Key Pair, p. 270
Obtaining and Verifying a Signature, p. 272
Authentication, p. 274
X.509 Certificate Format, p. 275
Obtaining Digital Certificates, p. 276
Protecting Security with JAR Signing, p. 280
Encryption, p. 284
Sun Microsystems Recommendations for Java Security, p. 287
Privileged Code Guidelines, p. 288
Java Code Guidelines, p. 288
C Code Guidelines, p. 289
Summary, p. 291
Solutions Fast Track, p. 292
Frequently Asked Questions, p. 293
Securing XML, p. 295
Introduction, p. 296
Defining XML, p. 296
Logical Structure, p. 297
Elements, p. 298
Attributes, p. 299
Well-Formed Documents, p. 300
Valid Document, p. 300
XML and XSL/DTD Documents, p. 301
XSL Use of Templates, p. 302
XSL Use of Patterns, p. 302
DTD, p. 304
Schemas, p. 306
Creating Web Applications Using XML, p. 307
The Risks Associated with Using XML, p. 311
Confidentiality Concerns, p. 312
Securing XML, p. 313
XML Encryption, p. 313
XML Digital Signatures, p. 318
Summary, p. 321
Solutions Fast Track, p. 321
Frequently Asked Questions, p. 323
Building Safe ActiveX Internet Controls, p. 325
Introduction, p. 326
Dangers Associated with Using ActiveX, p. 326
Avoiding Common ActiveX Vulnerabilities, p. 329
Lessening the Impact of ActiveX Vulnerabilities, p. 333
Protection at the Network Level, p. 333
Protection at the Client Level, p. 333
Methodology for Writing Safe ActiveX Controls, p. 337
Object Safety Settings, p. 337
Securing ActiveX Controls, p. 338
Control Signing, p. 339
Using Microsoft Authenticode, p. 340
Control Marking, p. 342
Using Safety Settings, p. 342
Using IObjectSafety, p. 343
Marking the Control in the Windows Registry, p. 346
Summary, p. 348
Solutions Fast Track, p. 348
Frequently Asked Questions, p. 351
Securing ColdFusion, p. 353
Introduction, p. 354
How Does ColdFusion Work?, p. 355
Using the Benefit of Rapid Development, p. 356
Understanding ColdFusion Markup Language, p. 358
Scalable Deployment, p. 360
Preserving ColdFusion Security, p. 360
Secure Development, p. 365
CFINCLUDE, p. 365
Relative Paths, p. 366
Queries, p. 369
Uploaded Files, p. 373
Denial of Service, p. 374
Turning Off Tags, p. 375
Secure Deployment, p. 375
ColdFusion Application Processing, p. 376
Checking for Existence of Data, p. 376
Checking Data Types, p. 378
Data Evaluation, p. 381
Risks Associated with Using ColdFusion, p. 382
Using Error Handling Programs, p. 384
Monitor.cfm Example, p. 386
Summary, p. 390
Solutions Fast Track, p. 390
Frequently Asked Questions, p. 392
Developing Security-Enabled Applications, p. 393
Introduction, p. 394
The Benefits of Using Security-Enabled Applications, p. 394
Types of Security Used in Applications, p. 395
Digital Signatures, p. 396
Pretty Good Privacy, p. 397
Outlook/Outlook Express, p. 400
Secure Multipurpose Internet Mail Extension, p. 401
Secure Sockets Layer, p. 401
Transport Layer Security, p. 403
Server Authentication, p. 404
Client Authentication, p. 405
Digital Certificates, p. 408
Reviewing the Basics of PKI, p. 410
Cookies, p. 412
Certificate Services, p. 415
Using PKI to Secure Web Applications, p. 416
Implementing PKI in Your Web Infrastructure, p. 417
Microsoft Certificate Services, p. 417
PKI for Apache Server, p. 421
Testing Your Security Implementation, p. 422
Summary, p. 425
Solutions Fast Track, p. 426
Frequently Asked Questions, p. 429
Cradle to Grave: Working with a Security Plan, p. 431
Introduction, p. 432
Examining Your Code, p. 433
Code Reviews, p. 434
Peer-to-Peer Code Reviews, p. 435
Being Aware of Code Vulnerabilities, p. 438
Testing, Testing, Testing, p. 439
Using Common Sense when Coding, p. 442
Planning, p. 442
Coding Standards, p. 443
Header Comments, p. 443
Variable Declaration Comments, p. 444
The Tools, p. 444
Rule-Based Analyzers, p. 444
Debugging and Error Handling, p. 445
Version Control and Source Code Tracking, p. 446
Visual SourceSafe, p. 446
StarTeam, p. 447
Creating a Security Plan, p. 448
Security Planning at the Network Level, p. 449
Security Planning at the Application Level, p. 450
Security Planning at the Desktop Level, p. 450
Web Application Security Process, p. 451
Summary, p. 453
Solutions Fast Track, p. 454
Frequently Asked Questions, p. 455
Index, p. 457
Table of Contents provided by Ingram. All Rights Reserved.