The Web Application Hacker's Handbook
Finding and Exploiting Security Flaws
About This Book
The highly successful security book returns with a new edition, completely updated
Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.
- Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
- Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
- Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks
Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.
Chapter 1
Web Application (In)security
The Evolution of Web Applications
Common Web Application Functions
- Shopping (Amazon)
- Social networking (Facebook)
- Banking (Citibank)
- Web search (Google)
- Auctions (eBay)
- Gambling (Betfair)
- Web logs (Blogger)
- Web mail (Gmail)
- Interactive information (Wikipedia)
- HR applications allowing users to access payroll information, give and receive performance feedback, and manage recruitment and disciplinary procedures.
- Administrative interfaces to key infrastructure such as web and mail servers, user workstations, and virtual machine administration.
- Collaboration software used for sharing documents, managing workflow and projects, and tracking issues. These types of functionality often involve critical security and governance issues, and organizations often rely completely on the controls built into their web applications.
- Business applications such as enterprise resource planning (ERP) software, which previously were accessed using a proprietary thick-client application, can now be accessed using a web browser.
- Software services such as e-mail, which originally required a separate e-mail client, can now be accessed via web interfaces such as Outlook Web Access.
- Traditional desktop office applications such as word processors and spreadsheets have been migrated to web applications through services such as Google Apps and Microsoft Office Live.
Benefits of Web Applications
- HTTP, the core communications protocol used to access the World Wide Web, is lightweight and connectionless. This provides resilience in the event of communication errors and avoids the need for the server to hold open a network connection to every user, as was the case in many legacy client/server applications. HTTP can also be proxied and tunneled over other protocols, allowing for secure communication in any network configuration.
- Every web user already has a browser installed on his computer and mobile device. Web applications deploy their user interface dynamically to the browser, avoiding the need to distribute and manage separate client software, as was the case with pre-web applications. Changes to the interface need to be implemented only once, on the server, and take effect immediately.
- Today's browsers are highly functional, enabling rich and satisfying user interfaces to be built. Web interfaces use standard navigational and input controls that are immediately familiar to users, avoiding the need to learn how each individual application functions. Client-side scripting enables applications to push part of their processing to the client side, and browsers' capabilities can be extended in arbitrary ways using browser extension technologies where necessary.
- The core technologies and languages used to develop web applications are relatively simple. A wide range of platforms and development tools are available to facilitate the development of powerful applications by relative beginners, and a large quantity of open source code and other resources is available for incorporation into custom-built applications.
Web Application Security
Table of contents
- Cover
- Table of Contents
- Title
- Copyright
- About the Authors
- About the Technical Editor
- MDSec: The Authors' Company
- Credits
- Acknowledgments
- Introduction
- Chapter 1: Web Application (In)security
- Chapter 2: Core Defense Mechanisms
- Chapter 3: Web Application Technologies
- Chapter 4: Mapping the Application
- Chapter 5: Bypassing Client-Side Controls
- Chapter 6: Attacking Authentication
- Chapter 7: Attacking Session Management
- Chapter 8: Attacking Access Controls
- Chapter 9: Attacking Data Stores
- Chapter 10: Attacking Back-End Components
- Chapter 11: Attacking Application Logic
- Chapter 12: Attacking Users: Cross-Site Scripting
- Chapter 13: Attacking Users: Other Techniques
- Chapter 14: Automating Customized Attacks
- Chapter 15: Exploiting Information Disclosure
- Chapter 16: Attacking Native Compiled Applications
- Chapter 17: Attacking Application Architecture
- Chapter 18: Attacking the Application Server
- Chapter 19: Finding Vulnerabilities in Source Code
- Chapter 20: A Web Application Hacker's Toolkit
- Chapter 21: A Web Application Hacker's Methodology
- Index
- End User License Agreement