seven deadliest web application attacks
Uploaded 2010-06-20 23:04:25. PDF, 2.82 MB, 152-page preview.
Syngress is an imprint of Elsevier.
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
This book is printed on acid-free paper.
© 2010 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or any information storage and retrieval system, without
permission in writing from the publisher. Details on how to seek permission, further information about the
Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance
Center and the Copyright Licensing Agency, can be found at our Web site: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other
than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our
understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using
any information, methods, compounds, or experiments described herein. In using such information or methods,
they should be mindful of their own safety and the safety of others, including parties for whom they have a
professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability
for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or
from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-543-1
Printed in the United States of America
10 11 12 13 5 4 3 2 1
Elsevier Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and
Rights; e-mail: m.pedersen@elsevier.com
Typeset by: diacriTech, Chennai, India
For information on all Syngress publications,
visit our Web site at www.syngress.com
About the Authors
Mike Shema is the lead developer for the Web Application Scanning service offered
by the vulnerability management company Qualys. The Web scanning service pro-
vides automated, accurate tests for most common Web vulnerabilities. Prior to
Qualys, Mike gained extensive information security experience based on consulting
work while at Foundstone. He has developed and conducted training on topics rang-
ing from network security to wireless assessments to Web application penetration
testing. Much of this experience has driven research into various security-related
topics that he has presented at conferences in North America, Europe, and Asia,
including BlackHat, InfoSec, and RSA.
Mike has also coauthored Anti-Hacker Toolkit, Third Edition and Hacking
Exposed: Web Applications, Second Edition. He lives in San Francisco and would
like to thank the RPG crew for keeping anachronistic random generators alive.
Technical Editor
Adam Ely (CISSP, NSA IAM, MCSE) is Director of Corporate Security for TiVo
where he is responsible for IT security and corporate security policies. Adam has
held positions with The Walt Disney Company where he was Manager of Information
Security Operations for the Walt Disney Interactive Media Group, and Senior
Manager of Technology for a Walt Disney acquired business. In addition, Adam was
a consultant with Alvarez and Marsal where he led security engagements for clients.
Adam’s background focuses on application and infrastructure security. Adam has
published many application vulnerabilities, application security roadmaps, and other
articles.
Introduction
INFORMATION IN THIS CHAPTER
• Book Overview and Key Learning Points
• Book Audience
• How This Book Is Organized
• Where to Go from Here
Pick your favorite cliché or metaphor you’ve heard regarding the Web. The aphorism
might carry a generic description of Web security or generate a mental image of the
threats and risks faced by and emanating from Web sites. This book attempts to cast a
brighter light on the vagaries of Web security by tackling seven of the most, er, dead-
liest vulnerabilities that are exploited by attackers. Some of the attacks will sound
very familiar. Other attacks may be unexpected, or seem uncommon simply because
they aren’t on a top 10 list or don’t make headlines. Attackers often go for the low-
est common denominator, which is why vulnerabilities such as cross-site scripting
(XSS) and Structured Query Language (SQL) injection garner so much attention.
Determined attackers also target the logic of a particular Web site – exploits that
result in significant financial gain but have neither universal applicability from the
attacker’s perspective nor universal detection mechanisms for the defender.
On the Web, information equals money. Credit cards clearly have value to attackers;
underground e-commerce sites have popped up that deal in stolen cards. Yet our per-
sonal information, passwords, e-mail accounts, online game accounts, all have value to
the right buyer. Then consider economic espionage and state-sponsored network attacks.
It should be possible to map just about any scam, cheat, trick, ruse, and other synonyms
from real-world conflict between people, companies, and countries to an attack that
can be accomplished on the Web. There’s no lack of motivation for trying to gain illicit
access to the wealth of information on the Web that isn’t intended to be public.
BOOK OVERVIEW AND KEY LEARNING POINTS
Each chapter in this book presents examples of different attacks conducted against
Web sites. The methodology behind the attack is explored, as well as showing its
potential impact. Then the chapter moves on to address possible countermeasures
for different aspects of the attack. Countermeasures are a tricky beast. It’s important
to understand how an attack works before a good defense can be designed. It’s also
important to understand the limitations of a countermeasure and how other vulner-
abilities might entirely bypass it. Security is an emergent property of the Web site;
it’s not a summation of individual protections. Some countermeasures will show up
several times, and others make only a brief appearance.
BOOK AUDIENCE
Anyone who uses the Web to check e-mail, shop, or work will benefit from knowing
how the personal information on those sites might be compromised or even how
familiar sites can harbor malicious content. Although most security relies on the
site’s developers, consumers of Web applications can follow safe browsing practices
to help protect their data.
Web application developers and security professionals will benefit from the
technical details and methodology behind the Web attacks covered in this book. The
first step to creating a more secure Web site is understanding the threats and risks of
insecure code. Also, the chapters dive into countermeasures that can be applied to a
site regardless of the programming language or technologies underpinning it.
Executive-level management will benefit from understanding the threats to a Web
site, and in many cases, how a simple attack – requiring nothing more than a Web
browser – can severely impact a site. It should also illustrate that even though many
attacks are simple to execute, good countermeasures require time and resources to
implement properly. These points should provide strong arguments for allocating
funding and resources to a site’s security to protect the wealth of information that
Web sites manage.
This book assumes some basic familiarity with the Web. Web security attacks
manipulate HTTP traffic to inject payloads or take advantage of deficiencies in the
protocol. They also require understanding HTML to manipulate forms or inject code
that puts the browser at the mercy of the attacker. This isn’t a prerequisite for under-
standing the broad strokes of an attack or learning how attackers compromise a site.
For example, it’s good to know that HTTP uses port 80 by default for unencrypted
traffic and port 443 for traffic encrypted with the Secure Sockets Layer (SSL). Sites
use the https:// scheme to designate SSL connections. Additional details are necessary for
developers and security professionals who wish to venture deeper into the methodol-
ogy of attacks and defense.
Readers already familiar with basic Web concepts can skip the next two sections.
One Origin to Rule Them All
Web browsers have gone through many iterations on many platforms: Konqueror,
Mosaic, Mozilla, Internet Explorer, Opera, and Safari. Browsers have a rendering
engine at their core. Microsoft calls IE’s engine Trident. Safari uses WebKit. Firefox