Innocent Code A Security Wake-Up Call for Web Programmers

by Sverre Huseby
  • ISBN13: 9780470857441
  • ISBN10: 0470857447
  • Edition: 1st
  • Format: Paperback
  • Copyright: 2004-01-30
  • Publisher: WILEY
Summary

This concise and practical book shows where code vulnerabilities lie, without delving into the specifics of each system architecture, programming or scripting language, or application, and how best to fix them.
  • Based on real-world situations taken from the author's experiences of tracking coding mistakes at major financial institutions
  • Covers SQL injection attacks, cross-site scripting, data manipulation in order to bypass authorization, and other attacks that work because of missing pieces of code
  • Shows developers how to change their mindset from Web site construction to Web site destruction in order to find dangerous code

Author Biography

Sverre Huseby runs his own company selling courses and consultancy services in Web application security. He is an active participant in the webappsec mail forum.

Table of Contents

Foreword ix
Acknowledgments xi
Introduction xiii
The Rules xiv
The Examples xv
The Chapters xvi
What is Not in This Book? xvii
A Note from the Author xviii
Feedback xviii
The Basics 1(20)
HTTP 1(9)
Requests and responses 2(4)
The Referer header 6(1)
Caching 7(2)
Cookies 9(1)
Sessions 10(5)
Session hijacking 11(4)
HTTPS 15(4)
Summary 19(1)
Do You Want to Know More? 19(2)
Passing Data to Subsystems 21(36)
SQL Injection 22(17)
Examples, examples and then some 22(8)
Using error messages to fetch information 30(3)
Avoiding SQL injection 33(6)
Shell Command Injection 39(9)
Examples 40(2)
Avoiding shell command injection 42(6)
Talking to Programs Written in C/C++ 48(2)
Example 48(2)
The Evil Eval 50(1)
Solving Metacharacter Problems 50(5)
Multi-level interpretation 52(1)
Architecture 53(1)
Defense in depth 54(1)
Summary 55(2)
User Input 57(40)
What is Input Anyway? 57(10)
The invisible security barrier 62(3)
Language peculiarities: totally unexpected input 65(2)
Validating Input 67(7)
Whitelisting vs. blacklisting 71(3)
Handling Invalid Input 74(5)
Logging 76(3)
The Dangers of Client-side Validation 79(3)
Authorization Problems 82(10)
Indirect access to data 83(3)
Passing too much to the client 86(4)
Missing authorization tests 90(1)
Authorization by obscurity 91(1)
Protecting server-generated input 92(3)
Summary 95(2)
Output Handling: The Cross-site Scripting Problem 97(28)
Examples 98(13)
Session hijacking 99(4)
Text modification 103(1)
Socially engineered Cross-site Scripting 104(4)
Theft of passwords 108(1)
Too short for scripts? 109(2)
The Problem 111(1)
The Solution 112(9)
HTML encoding 113(1)
Selective tag filtering 114(6)
Program design 120(1)
Browser Character Sets 121(1)
Summary 122(1)
Do You Want to Know More? 123(2)
Web Trojans 125(10)
Examples 125(5)
The Problem 130(1)
A Solution 131(2)
Summary 133(2)
Passwords and Other Secrets 135(28)
Crypto-Stuff 135(7)
Symmetric encryption 137(1)
Asymmetric encryption 137(2)
Message digests 139(1)
Digital signatures 140(1)
Public key certificates 141(1)
Password-based Authentication 142(9)
On clear-text passwords 142(2)
Lost passwords 144(2)
Cracking hashed passwords 146(4)
Remember me? 150(1)
Secret Identifiers 151(2)
Secret Leakage 153(4)
GET request leakage 154(2)
Missing encryption 156(1)
Availability of Server-side Code 157(3)
Insecure file names 157(1)
System software bugs 158(2)
Summary 160(1)
Do You Want to Know More? 161(2)
Enemies of Secure Code 163(14)
Ignorance 163(2)
Mess 165(6)
Deadlines 171(2)
Salesmen 173(1)
Closing Remarks 174(1)
Do You Want to Know More? 174(3)
Summary of Rules for Secure Coding 177(10)
Appendix A Bugs in the Web Server 187(6)
Appendix B Packet Sniffing 193(6)
B.1 Teach Yourself TCP/IP in Four Minutes 193(2)
B.2 Sniffing the Packets 195(1)
B.3 Man-In-The-Middle Attacks 196(1)
B.4 MITM with HTTPS 197(1)
B.5 Summary 198(1)
B.6 Do You Want to Know More? 198(1)
Appendix C Sending HTML Formatted E-mails with a Forged Sender Address 199(2)
Appendix D More Information 201(4)
D.1 Mailing Lists 201(2)
D.2 OWASP 203(2)
Acronyms 205(4)
References 209(12)
Index 221

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.