
Web Security: A WhiteHat Perspective [Paperback]

  • Format: Paperback / softback, 532 pages, height x width: 254x178 mm, weight: 929 g, 10 tables, black and white; 306 illustrations, black and white
  • Publication date: 06-Apr-2015
  • Publisher: Auerbach
  • ISBN-10: 1466592613
  • ISBN-13: 9781466592612
This book introduces nearly all aspects of web security. It reveals how hackers work and explains why companies of different scale should choose their own methodology of security. With in-depth analysis of the reasons behind the choices, the book covers client script security, server application security, and Internet company security operations. It also includes coverage of browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, leaks, Internet transaction security, the security development lifecycle, and security operations.

From the preface (excerpt):

In mid-2010, Zhang Chunyu asked me if I could write a book on cloud computing. While the concept of cloud computing is very popular, there is not enough written material on how to handle this. Though I have kept myself up to date with this technology, I declined Zhang's request as the prospects in the field were not clear and instead wrote this book on web security.

My Road of Security

My interest in security developed when I was a student, after I got a book on hacking with no ISBN from the black market. The book had a teaching course on coolfire, which intrigued me. Ever since, I have been hooked on hacking and have taken much interest in practicing the techniques covered in these types of books. In 2000, I joined Xi'an Jiaotong University. Fortunately for me, the computer room at the university was open even after school hours. Though the price of online browsing was high, I invested most of my living expenses in the computer room. In return, I was gaining more knowledge in this field. With the momentum gained at university, I soon got my first computer with the help of my parents. This only helped to increase my interest in the field. In a short while, I collaborated with my friends to set up a technical organization called ph4nt0m.org, named after my favorite comic character. Though the organization did not last long, it helped groom top talents through the communication forums that it initiated. This was the proudest achievement in the 20 years of my life. Due to the openness of the Internet and the advances in technology, I have witnessed nearly all the developments in Internet security in the last decade. During the first five years, I witnessed the technology in penetration tests, cache overflow, and web hacking; for the next five years ...

Wu and Zhao present students, academics, researchers, and professionals working in a wide variety of contexts with a comprehensive examination of web security technology and sustainable security systems strategy. The authors have organized the eighteen chapters that make up the main body of the text into four parts devoted to our view of the security world, safety on the client script, application security on the server side, and the safety operations of Internet companies. Hanqing Wu is a security architect with Alibaba, China. Liz Zhao is an IT security service consultant based in China. Annotation ©2015 Ringgold, Inc., Portland, OR (protoview.com)

In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scale require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client script security, server application security, and Internet company security operations. It also includes coverage of browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, leaks, Internet transaction security, and the security development lifecycle.

Table of Contents

Foreword (p. xv)
Preface (p. xvii)
Authors (p. xxiii)
Section I Our View Of The Security World
Chapter 1 View Of The IT Security World (p. 3)
1.1 Brief History Of Web Security (p. 3)
1.1.1 Brief History Of Chinese Hackers (p. 4)
1.1.2 Development Process Of Hacking Techniques (p. 4)
1.1.3 Rise Of Web Security (p. 6)
1.2 Black Hat, White Hat (p. 7)
1.3 Back To Nature: The Essence Of Secret Security (p. 8)
1.4 Superstition: There Is No Silver Bullet (p. 10)
1.4.1 Security: An Ongoing Process (p. 10)
1.5 Security Elements (p. 11)
1.6 How To Implement Safety Assessment (p. 11)
1.6.1 Asset Classification (p. 12)
1.6.2 Threat Analysis (p. 13)
1.6.3 Risk Analysis (p. 14)
1.6.4 Design Of Security Programs (p. 16)
1.7 Art Of War For White Hat (p. 17)
1.7.1 Principle Of Secure By Default (p. 17)
1.7.1.1 Blacklist, Whitelist (p. 17)
1.7.1.2 Principle Of Least Privilege (p. 18)
1.7.2 Principle Of Defense In Depth (p. 19)
1.7.3 Principles Of Data And Code Separation (p. 20)
1.7.4 Unpredictability Of The Principles (p. 22)
1.8 Summary (p. 23)
1.A Appendix (p. 23)
Section II Safety On The Client Script
Chapter 2 Security Of Browser (p. 29)
2.1 Same-Origin Policy (p. 29)
2.2 Sandbox Browser (p. 34)
2.3 Malicious URL Intercept (p. 36)
2.4 Rapid Development Of Browser Security (p. 39)
2.5 Summary (p. 43)
Chapter 3 Cross-Site Scripting Attack (p. 45)
3.1 Introduction (p. 45)
3.1.1 First Type: Reflected XSS (p. 47)
3.1.2 Second Type: Stored XSS (p. 47)
3.1.3 Third Type: DOM-Based XSS (p. 47)
3.2 Advanced XSS Attack (p. 49)
3.2.1 Preliminary Study On XSS Payload (p. 49)
3.2.2 XSS Payload Power (p. 52)
3.2.2.1 Structure GET And POST Request (p. 52)
3.2.2.2 XSS Phishing (p. 58)
3.2.2.3 Identify The User's Browser (p. 59)
3.2.2.4 Identify User-Installed Software (p. 62)
3.2.2.5 CSS History Hack (p. 64)
3.2.2.6 Get The User's Real IP Address (p. 68)
3.2.3 XSS Attack Platform (p. 70)
3.2.3.1 Attack API (p. 70)
3.2.3.2 BeEF (p. 71)
3.2.3.3 XSS Proxy (p. 71)
3.2.4 Ultimate Weapon: XSS Worm (p. 71)
3.2.4.1 Samy Worm (p. 71)
3.2.4.2 Baidu Space Worms (p. 78)
3.2.5 Debugging JavaScript (p. 83)
3.2.5.1 Firebug (p. 83)
3.2.5.2 IE 8 Developer Tools (p. 84)
3.2.5.3 Fiddler (p. 85)
3.2.5.4 HttpWatch (p. 85)
3.2.6 Construction Skills Of XSS (p. 85)
3.2.6.1 Use Character Encoding (p. 86)
3.2.6.2 Bypass The Length Limit (p. 87)
3.2.6.3 Using <base> Tags (p. 90)
3.2.6.4 Magical Effect Of window.name (p. 91)
3.2.7 Turning Waste Into Treasure: Mission Impossible (p. 93)
3.2.7.1 Apache Expect Header XSS (p. 93)
3.2.7.2 Anehta Boomerang (p. 95)
3.2.8 Easily Overlooked Corner: Flash XSS (p. 97)
3.2.9 Really Sleep Without Any Anxiety: JavaScript Development Framework (p. 99)
3.2.9.1 Dojo (p. 100)
3.2.9.2 YUI (p. 101)
3.2.9.3 jQuery (p. 101)
3.3 XSS Defense (p. 102)
3.3.1 Skillfully Deflecting The Question: HttpOnly (p. 102)
3.3.2 Input Checking (p. 106)
3.3.3 Output Checking (p. 108)
3.3.3.1 Secure Coding Function (p. 108)
3.3.3.2 Only Need One Kind Of Coding (p. 111)
3.3.4 Defense XSS Correctly Designed (p. 112)
3.3.4.1 Output In HTML Attributes (p. 113)
3.3.4.2 Output In The Event (p. 114)
3.3.4.3 Output In CSS (p. 114)
3.3.4.4 Output In Address (p. 115)
3.3.5 Dealing With Rich Text (p. 116)
3.3.6 Defense DOM-Based XSS (p. 117)
3.3.7 See XSS From Another Angle Of Risk (p. 122)
3.4 Summary (p. 122)
Chapter 4 Cross-Site Request Forgery (p. 123)
4.1 Introduction (p. 123)
4.2 Advanced CSRF (p. 125)
4.2.1 Cookie Policy Of Browsers (p. 125)
4.2.2 Side Effect Of P3P Header (p. 128)
4.2.3 GET? POST? (p. 131)
4.2.4 Flash CSRF (p. 133)
4.2.5 CSRF Worm (p. 134)
4.3 CSRF Defense (p. 136)
4.3.1 Verification Code (p. 136)
4.3.2 Referer Check (p. 136)
4.3.3 Anti-CSRF Token (p. 136)
4.3.3.1 Nature Of CSRF (p. 137)
4.3.3.2 Token Principles (p. 138)
4.4 Summary (p. 140)
Chapter 5 Clickjacking (p. 141)
5.1 What Is Clickjacking? (p. 141)
5.2 Flash Clickjacking (p. 144)
5.3 Image-Covering Attacks (p. 147)
5.4 Drag Hijacking And Data Theft (p. 148)
5.5 Clickjacking 3.0: Tapjacking (p. 152)
5.6 Defense Against Clickjacking (p. 154)
5.6.1 Frame Busting (p. 154)
5.6.2 X-Frame-Options (p. 156)
5.7 Summary (p. 156)
Chapter 6 HTML5 Securities (p. 157)
6.1 New Tags Of HTML5 (p. 157)
6.1.1 New Tags Of XSS (p. 157)
6.1.2 Iframe Sandbox (p. 158)
6.1.3 Link Types: NoReferrer (p. 159)
6.1.4 Magical Effect Of Canvas (p. 159)
6.2 Other Security Problems (p. 163)
6.2.1 Cross-Origin Resource Sharing (p. 163)
6.2.2 postMessage: Send Message Across Windows (p. 165)
6.2.3 Web Storage (p. 167)
6.3 Summary (p. 170)
Section III Application Security On The Server Side
Chapter 7 Injection Attacks (p. 173)
7.1 SQL Injection Attacks (p. 173)
7.1.1 Blind Injection (p. 174)
7.1.2 Timing Attack (p. 175)
7.2 Database Attacking Techniques (p. 179)
7.2.1 Common Attack Techniques (p. 179)
7.2.2 Command Execution (p. 180)
7.2.3 Stored Procedure Attacks (p. 187)
7.2.4 Coding Problems (p. 189)
7.2.5 SQL Column Truncation (p. 191)
7.3 Properly Defending Against SQL Injection (p. 194)
7.3.1 Using Precompiled Statements (p. 195)
7.3.2 Using Stored Procedures (p. 196)
7.3.3 Checking The Data Type (p. 196)
7.3.4 Using Safety Functions (p. 197)
7.4 Other Injection Attacks (p. 198)
7.4.1 XML Injection (p. 198)
7.4.2 Code Injection (p. 199)
7.4.3 CRLF Injection (p. 201)
7.5 Summary (p. 204)
Chapter 8 File Upload Vulnerability (p. 207)
8.1 File Upload Vulnerability Overview (p. 207)
8.1.1 FCKEditor File Upload Vulnerability (p. 208)
8.1.2 Bypassing The File Upload Check Function (p. 209)
8.2 Functionality Or Vulnerability (p. 210)
8.2.1 Apache File Parsing Problem (p. 211)
8.2.2 IIS File Parsing Problem (p. 212)
8.2.3 PHP CGI Path Parsing Problem (p. 215)
8.2.4 Upload Files Phishing (p. 217)
8.3 Designing Secure File Upload Features (p. 218)
8.4 Summary (p. 219)
Chapter 9 Authentication And Session Management (p. 221)
9.1 Who Am I? (p. 221)
9.2 Password (p. 222)
9.3 Multi-Factor Authentication (p. 224)
9.4 Session Management And Authentication (p. 225)
9.5 Session Fixation Attacks (p. 227)
9.6 Session Keep Attack (p. 228)
9.7 Single Sign-On (p. 231)
9.8 Summary (p. 233)
Chapter 10 Access Control (p. 235)
10.1 What Can I Do? (p. 235)
10.2 Vertical Rights Management (p. 239)
10.3 Horizontal Rights Management (p. 242)
10.3.1 Unauthorized User Access Problems On Youku.com (Vulnerability No. WooYun-2010-0129) (p. 242)
10.3.2 Unauthorized User Access Problems On Iayifen.com (Vulnerability No. WooYun-2010-01576) (p. 242)
10.4 Summary Of OAuth (p. 244)
10.5 Summary (p. 252)
Chapter 11 Encryption Algorithms And Random Numbers (p. 253)
11.1 Introduction (p. 253)
11.2 Stream Cipher Attack (p. 255)
11.2.1 Reused Key Attack (p. 255)
11.2.2 Bit-Flipping Attack (p. 263)
11.2.3 Issue Of Weak Random IV (p. 265)
11.3 WEP Crack (p. 269)
11.4 ECB Mode Defects (p. 273)
11.5 Padding Oracle Attack (p. 276)
11.6 Key Management (p. 291)
11.7 Problems With A Pseudorandom Number (p. 293)
11.7.1 Trouble With A Weak Pseudorandom Number (p. 294)
11.7.2 Time Is Really Random (p. 297)
11.7.3 Breaking The Pseudorandom Number Algorithm Seed (p. 298)
11.7.4 Using Secure Random Numbers (p. 308)
11.8 Summary (p. 309)
11.A Appendix: Understanding The MD5 Length Extension Attack (p. 309)
Chapter 12 Web Framework Security (p. 325)
12.1 MVC Framework Security (p. 325)
12.2 Template Engine And XSS Defenses (p. 327)
12.3 Web Framework And CSRF Defense (p. 330)
12.4 HTTP Header Management (p. 333)
12.5 Data Persistence Layer And SQL Injection (p. 334)
12.6 What More Can We Think Of? (p. 335)
12.7 Web Framework Self-Security (p. 336)
12.7.1 Struts 2 Command Execution Vulnerability (p. 336)
12.7.2 Struts 2 Patch (p. 338)
12.7.3 Spring MVC Execution Vulnerability (p. 339)
12.7.4 Django Execution Vulnerability (p. 340)
12.8 Summary (p. 340)
Chapter 13 Application-Layer Denial-Of-Service Attacks (p. 343)
13.1 Introduction To DDoS (p. 343)
13.2 Application-Layer DDoS (p. 345)
13.2.1 CC Attack (p. 345)
13.2.2 Restriction Of Request Frequency (p. 346)
13.2.3 The Priest Climbs A Post, The Devil Climbs Ten (p. 349)
13.3 About Verification Code (p. 350)
13.4 DDoS In The Defense Application Layer (p. 353)
13.5 Resource Exhaustion Attack (p. 355)
13.5.1 Slowloris Attack (p. 355)
13.5.2 HTTP POST DoS (p. 359)
13.5.3 Server Limit DoS (p. 361)
13.6 DoS Caused By Regular Expression: ReDoS (p. 362)
13.7 Summary (p. 368)
Chapter 14 PHP Security (p. 369)
14.1 File Inclusion Vulnerability (p. 369)
14.1.1 Local File Inclusion (p. 371)
14.1.2 Remote File Inclusion (p. 376)
14.1.3 Using Skill Of Local File Inclusion (p. 376)
14.2 Variable Coverage Vulnerability (p. 386)
14.2.1 Global Variable Coverage (p. 386)
14.2.2 The extract() Variable Coverage (p. 388)
14.2.3 Traversal Initializing Variables (p. 390)
14.2.4 The import_request_variables() Variable Coverage (p. 390)
14.2.5 The parse_str() Variable Coverage (p. 391)
14.3 Code Execution Vulnerability (p. 391)
14.3.1 "Dangerous Function" Executes The Code (p. 391)
14.3.1.1 The phpMyAdmin 3.4.3.1 Remote Code Execution Vulnerability (p. 392)
14.3.1.2 MyBB 1.4 Remote Code Execution Vulnerability (p. 397)
14.3.2 File Writing Code Execution (p. 401)
14.3.3 Other Methods Of Code Execution (p. 402)
14.3.3.1 Functions That Directly Execute Code (p. 402)
14.3.3.2 File Inclusion (p. 403)
14.3.3.3 Writing In Local File (p. 403)
14.3.3.4 Execution Of The preg_replace() Code (p. 403)
14.3.3.5 Dynamic Function Execution (p. 404)
14.3.3.6 Curly Syntax (p. 404)
14.3.3.7 Callback Function Execution Code (p. 404)
14.3.3.8 unserialize() Results In Code Execution (p. 405)
14.4 Customize Secure PHP Environment (p. 406)
14.5 Summary (p. 411)
Chapter 15 Web Server Configuration Security (p. 413)
15.1 Apache Security (p. 413)
15.2 Nginx Security (p. 415)
15.3 JBoss Remote Command Execution (p. 417)
15.4 Tomcat Remote Command Execution (p. 422)
15.5 HTTP Parameter Pollution (p. 425)
15.6 Summary (p. 426)
Section IV Safety Operations Of Internet Companies
Chapter 16 Security Of Internet Business (p. 429)
16.1 What Kind Of Security Do Products Require? (p. 429)
16.1.1 Security Requirements Of Internet Products (p. 430)
16.1.2 What Is A Good Security Program? (p. 432)
16.1.2.1 Complex Password Security (p. 433)
16.2 Business Logic Security (p. 434)
16.2.1 Loopholes In Password Security (p. 434)
16.2.2 Who Will Be The Big Winner? (p. 434)
16.2.3 Practice Deception (p. 435)
16.2.4 Password Recovery Process (p. 436)
16.3 How The Account Is Stolen (p. 437)
16.3.1 Various Ways Of Account Theft (p. 438)
16.3.2 Analysis On Why Accounts Get Stolen (p. 439)
16.4 Internet Garbage (p. 440)
16.4.1 Threat Of Spam (p. 440)
16.4.2 Spam Disposal (p. 441)
16.5 Phishing (p. 444)
16.5.1 Details About Phishing (p. 444)
16.5.2 Mail Phishing (p. 447)
16.5.3 Prevention And Control Of Phishing Sites (p. 448)
16.5.3.1 Control The Routes Of Transmission Of Phishing Sites (p. 449)
16.5.3.2 Direct Fight Against Phishing Sites (p. 450)
16.5.3.3 User Education (p. 450)
16.5.3.4 Automatic Identification Of Phishing Sites (p. 451)
16.5.4 Phishing In Online Shopping (p. 452)
16.5.5 Analysis Of Phishing In Online Shopping And Its Prevention (p. 456)
16.6 User Privacy Protection (p. 457)
16.6.1 Challenges In Internet User Privacy (p. 457)
16.6.2 How To Protect User Privacy (p. 458)
16.6.3 Do Not Track (p. 459)
16.7 Summary (p. 460)
16.A Appendix: Trouble Terminator (p. 461)
Chapter 17 Security Development Lifecycle (p. 467)
17.1 Introduction (p. 467)
17.2 Agile SDL (p. 471)
17.3 SDL Actual Combat Experience (p. 472)
17.4 Requirements Analysis And Design Phase (p. 475)
17.5 Development Phase (p. 480)
17.5.1 Providing Security Functions (p. 480)
17.5.2 Code Security Audit Tool (p. 483)
17.6 Test Phase (p. 484)
17.7 Summary (p. 486)
Chapter 18 Security Operations (p. 487)
18.1 Make The Security Operated (p. 487)
18.2 Process Of Vulnerability Patch (p. 488)
18.3 Security Monitoring (p. 490)
18.4 Intrusion Detection (p. 491)
18.5 Emergency Response Process (p. 494)
18.6 Summary (p. 496)
18.A Appendix (p. 496)
Index (p. 499)
Axie Wu was a founder of ph4nt0m.org, one of China's famous domestic security organizations. He is proficient in different offensive and defensive techniques with regard to web security. He joined Alibaba Co., Ltd., China, after his graduation from Xi'an Jiaotong University in 2005 and became the youngest expert-level engineer in Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was completely involved in the security development process for Alibaba, where he gained extensive experience in the field of application security. From 2011 onward, he has been a security architect in Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company's product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work with the subsidiary of a software company at the institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has since managed the company. From September 2011, Liz has focused her attention on China's network security issues and has aimed to help enterprises in China with their system security and network security business. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a popular IT security service consultant for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.