LEADER 05631oam 2200685 a 450 001 9910781605703321 005 20220603115839.0 010 $a1-283-25821-8 010 $a9786613258212 010 $a1-118-17522-0 035 $a(CKB)2550000000051735 035 $a(EBL)819008 035 $a(OCoLC)759159321 035 $a(SSID)ssj0000642778 035 $a(PQKBManifestationID)11372030 035 $a(PQKBTitleCode)TC0000642778 035 $a(PQKBWorkID)10649105 035 $a(PQKB)10498589 035 $a(Au-PeEL)EBL819008 035 $a(CaPaEBR)ebr10494632 035 $a(CaSebORM)9781118026472 035 $a(MiAaPQ)EBC819008 035 $a(EXLCZ)992550000000051735 100 $a20110818d2011 uy 0 101 0 $aeng 135 $aurgn#---uuuuu 181 $ctxt$2rdacontent 182 $cc$2rdamedia 183 $acr$2rdacarrier 200 14$aThe web application hacker's handbook $efinding and exploiting security flaws /$fDafydd Stuttard, Marcus Pinto 205 $aSecond edition. 210 1$aIndianapolis, IN :$cJohn Wiley & Sons, Inc.,$d[2011]. 210 4$dİ2011 215 $a1 online resource (xxxiii, 878 pages) $cillustrations 300 $aPrevious edition published as: The web application hacker's handbook : discovering and exploiting security flaws. 2008. 300 $aDescription based upon print version of record. 300 $aIncludes index. 311 0 $a1118026470 327 $aThe Web Application Hacker's Handbook; Contents; Introduction; Chapter 1 Web Application (In)security; The Evolution of Web Applications; Common Web Application Functions; Benefits of Web Applications; Web Application Security; ""This Site Is Secure""; The Core Security Problem: Users Can Submit Arbitrary Input; Key Problem Factors; The New Security Perimeter; The Future of Web Application Security; Summary; Chapter 2 Core Defense Mechanisms; Handling User Access; Authentication; Session Management; Access Control; Handling User Input; Varieties of Input; Approaches to Input Handling 327 $aBoundary ValidationMultistep Validation and Canonicalization; Handling Attackers; Handling Errors; Maintaining Audit Logs; Alerting Administrators; Reacting to Attacks; Managing the Application; Summary; Questions; Chapter 3 Web Application Technologies; The HTTP Protocol; HTTP Requests; HTTP Responses; HTTP Methods; URLs; REST; HTTP Headers; Cookies; Status Codes; HTTPS; HTTP Proxies; HTTP Authentication; Web Functionality; Server-Side Functionality; Client-Side Functionality; State and Sessions; Encoding Schemes; URL Encoding; Unicode Encoding; HTML Encoding; Base64 Encoding; Hex Encoding 327 $aRemoting and Serialization FrameworksNext Steps; Questions; Chapter 4 Mapping the Application; Enumerating Content and Functionality; Web Spidering; User-Directed Spidering; Discovering Hidden Content; Application Pages Versus Functional Paths; Discovering Hidden Parameters; Analyzing the Application; Identifying Entry Points for User Input; Identifying Server-Side Technologies; Identifying Server-Side Functionality; Mapping the Attack Surface; Summary; Questions; Chapter 5 Bypassing Client-Side Controls; Transmitting Data Via the Client; Hidden Form Fields; HTTP Cookies; URL Parameters 327 $aThe Referer HeaderOpaque Data; The ASP.NET ViewState; Capturing User Data: HTML Forms; Length Limits; Script-Based Validation; Disabled Elements; Capturing User Data: Browser Extensions; Common Browser Extension Technologies; Approaches to Browser Extensions; Intercepting Traffic from Browser Extensions; Decompiling Browser Extensions; Attaching a Debugger; Native Client Components; Handling Client-Side Data Securely; Transmitting Data Via the Client; Validating Client-Generated Data; Logging and Alerting; Summary; Questions; Chapter 6 Attacking Authentication; Authentication Technologies 327 $aDesign Flaws in Authentication MechanismsBad Passwords; Brute-Forcible Login; Verbose Failure Messages; Vulnerable Transmission of Credentials; Password Change Functionality; Forgotten Password Functionality; ""Remember Me"" Functionality; User Impersonation Functionality; Incomplete Validation of Credentials; Nonunique Usernames; Predictable Usernames; Predictable Initial Passwords; Insecure Distribution of Credentials; Implementation Flaws in Authentication; Fail-Open Login Mechanisms; Defects in Multistage Login Mechanisms; Insecure Storage of Credentials; Securing Authentication 327 $aUse Strong Credentials 330 $aThe highly successful security book returns with a new edition, completely updated Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack 606 $aInternet$xSecurity measures 606 $aComputer security 615 0$aInternet$xSecurity measures. 615 0$aComputer security. 676 $a004 676 $a005.8 700 $aStuttard$b Dafydd$f1972-$01517578 701 $aPinto$b Marcus$f1978-$01517579 801 0$bMiAaPQ 801 1$bMiAaPQ 801 2$bMiAaPQ 906 $aBOOK 912 $a9910781605703321 996 $aThe web application hacker's handbook$93754734 997 $aUNINA