Wu / Zhao | Web Security | E-Book | www.sack.de
E-book, English, 532 pages

Wu / Zhao: Web Security

A WhiteHat Perspective
Year of publication: 2015
ISBN: 978-1-4665-9262-9
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM (see system requirements)

In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scale require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client-side script security, server-side application security, and security operations at Internet companies. It also covers browser security, cross-site scripting (XSS) attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, data leaks, Internet transaction security, and the security development lifecycle.

Target audience

IT security practitioners, IT security hobbyists, web developers, web architects, Internet product managers, students, and anyone interested in web security.

Authors/Editors

Further information & material

MY VIEW OF THE SECURITY WORLD
View of the IT Security World
Brief History of Web Security
Brief History of Chinese Hackers
Development Process of Hacking Techniques
Rise of Web Security
Black Hat, White Hat
Back to Nature: The Essence of Secret Security
Superstition: There Is No Silver Bullet
Security Is an Ongoing Process
Security Elements
How to Implement Safety Assessment
Asset Classification
Threat Analysis
Risk Analysis
Design of Security Programs
Art of War of White Hat
Principles of Secure by Default
Blacklist, Whitelist
Principle of Least Privilege
Principle of Defense in Depth
Principles of Data and Code Separation
Unpredictability of the Principle
Summary
Appendix

SAFETY ON THE CLIENT SCRIPT
Security of Browser
Same-Origin Policy
Browser of Sandbox
Malicious URL Intercept
Rapid Development of Browser Security
Summary

Cross-Site Scripting Attack
Introduction
First Type: Reflected XSS
Second Type: Stored XSS
Third Type: DOM-Based XSS
Advanced XSS Attack
Preliminary Study on XSS Payload
XSS Payload Power
XSS Attack Platform
Ultimate Weapon: XSS Worm
Debugging JavaScript
Construction Skills of XSS
Turning Waste into Treasure: Mission Impossible
Easily Overlooked Corner: Flash XSS
Really Sleep without Any Anxiety: JavaScript Development Framework
XSS Defense
Skillfully Deflecting the Question: HttpOnly
Input Checking
Output Checking
Defense XSS Correctly Designed
Dealing with Rich Text
Defense DOM-Based XSS
See XSS from Another Angle of Risk
Summary

Cross-Site Request Forgery
Introduction
Advanced CSRF
Cookie Policy of Browsers
Side Effect of P3P Header
GET? POST?
Flash CSRF
CSRF Worm
Defense against CSRF
Verification Code
Referer Check
Anti-CSRF Token
Summary

Clickjacking
What Is Clickjacking?
Flash Clickjacking
Image-Covering Attacks
Drag Hijacking and Data Theft
Clickjacking 3.0: Tapjacking
Defense against Clickjacking
Frame Busting
X-Frame-Options
Summary

HTML 5 Securities
New Tags of HTML 5
New Tags of XSS
Sandbox Attribute of iframe
Link Types: Noreferrer
Magical Effect of Canvas
Other Security Problems
Cross-Origin Resource Sharing
postMessage: Send Message across Windows
Web Storage
Summary

APPLICATION SECURITY ON THE SERVER SIDE
Injection Attacks
SQL Injection Attacks
Blind Injection
Timing Attack
Database Attacking Techniques
Common Attack Techniques
Command Execution
Stored Procedure Attacks
Coding Problems
SQL Column Truncation
Properly Defending against SQL Injection
Using Precompiled Statements
Using Stored Procedures
Checking the Data Type
Using Safety Functions
Other Injection Attacks
XML Injection
Code Injection
CRLF Injection
Summary

File Upload Vulnerability
File Upload Vulnerability Overview
FCKEditor File Upload Vulnerability
Bypassing the File Upload Check Function
Functionality or Vulnerability
Apache File Parsing Problem
IIS File Parsing Problem
PHP CGI Path to Solve the Problem
Upload Files Phishing
Designing Secure File Upload Features
Summary

Authentication and Session Management
Who Am I?
Password
Multifactor Authentication
Session Management and Authentication
Session Fixation Attacks
Session Keep Attack
Single Sign-On
Summary

Access Control
What Can I Do?
Vertical Rights Management
Horizontal Rights Management
Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)
Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)
Summary of OAuth
Summary

Encryption Algorithms and Random Numbers
Introduction
Stream Cipher Attack
Reused Key Attack
Bit-Flipping Attack
Issue of Weak Random IV
WEP Crack
ECB Mode Defects
Padding Oracle Attack
Key Management
Problems with a Pseudorandom Number
Trouble with a Weak Pseudorandom Number
The Time Really Do Random
Breaking the Pseudorandom Number Algorithm Seed
Using Secure Random Numbers
Summary
Appendix: Understanding the MD5 Length Extension Attack

Web Framework Security
MVC Framework Security
Template Engine and XSS Defenses
Web Framework and CSRF Defense
HTTP Header Management
Data Persistence Layer and SQL Injection
What Can Think More?
Web Framework Self-Security
Struts 2 Command Execution Vulnerability
Struts 2 Patch
Spring MVC Execution Vulnerability
Django Execution Vulnerability
Summary

Application-Layer Denial-of-Service Attacks
Introduction to DDoS
Application-Layer DDoS
CC Attack
Restriction of Request Frequency
The Priest Climbs a Post, the Devil Climbs Ten
About Verification Code
DDoS in the Defense Application Layer
Resource Exhaustion Attack
Slowloris Attack
HTTP POST DOS
Server Limit DoS
Murder Caused by Regular Expression: ReDoS
Summary

PHP Security
File Inclusion Vulnerability
Local File Inclusion
Remote File Inclusion
Using Skill of Local File Inclusion
Variable Coverage Vulnerability
Global Variable Coverage
The extract() Variable Coverage
Traversal Initializing Variables
The import_request_variables Variable Coverage
The parse_str() Variable Coverage
Code Execution Vulnerability
"Dangerous function" Executes the Code
File Writing Code Execution
Other Methods of Code Execution
Customize Secure PHP Environment
Summary

Web Server Configuration Security
Apache Security
Nginx Security
jBoss Remote Command Execution
Tomcat Remote Command Execution
HTTP Parameter Pollution
Summary

SAFETY OPERATIONS OF INTERNET COMPANIES
Security of Internet Business
Security Requirements in Internet Products
Internet Products Need Security
What Is a Good Security Program?
Business Logic Security
Loopholes in Password Security
Who Will Be the Big Winner?
Practice Deception
Password Recovery Process
How the Account Is Stolen
Various Ways of Account Theft
Analysis on Why Accounts Get Stolen
Internet Garbage
Threat of Spam
Spam Disposal
Phishing
Details about Phishing
Mail Phishing
Prevention and Control of Phishing Sites
Phishing in Online Shopping
User Privacy Protection
Challenges in Internet User Privacy
How to Protect User Privacy
Do Not Track
Summary
Appendix: Trouble Terminator

Security Development Lifecycle
SDL Introduction
Agile SDL
SDL Actual Combat Experience
Requirements Analysis and Design Phase
Development Phase
Providing Security Functions
Code Security Audit Tool
Test Phase
Summary

Security Operations
Make the Security Operated
Process of Vulnerability Patch
Security Monitoring
Intrusion Detection
Emergency Response Process
Summary
Appendix


Axie Wu was a founder of ph4nt0m.org, one of China's best-known domestic security organizations. He is proficient in both offensive and defensive web security techniques. He joined Alibaba Co., Ltd, China, after graduating from Xi'an Jiaotong University in 2005 and became the youngest expert-level engineer at Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was fully involved in the security development process at Alibaba, where he gained extensive experience in the field of application security. From 2011 onward, he has been a security architect at Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company's product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work with the subsidiary of a software company at the institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has managed the company since. From September 2011, Liz has focused her attention on China's network security issues and has aimed to help enterprises in China with system security and network security business. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a popular consultant for IT security services for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.
