LEADER 05342nam  22006494a 450 
001 9910783400003321
005 20230617032520.0
010   $a1-280-27073-X
010   $a9786610270736
010   $a0-470-85747-1
035   $a(CKB)1000000000023154
035   $a(EBL)210558
035   $a(OCoLC)70720139
035   $a(SSID)ssj0000179429
035   $a(PQKBManifestationID)11168947
035   $a(PQKBTitleCode)TC0000179429
035   $a(PQKBWorkID)10149245
035   $a(PQKB)11311334
035   $a(MiAaPQ)EBC210558
035   $a(Au-PeEL)EBL210558
035   $a(CaPaEBR)ebr10114061
035   $a(CaONFJC)MIL27073
035   $a(EXLCZ)991000000000023154
100   $a20030715d2004      uy             0
101 0 $aeng
135   $aur|n|---|||||
181   $ctxt
182   $cc
183   $acr
200 10$aInnocent code$b[electronic resource] $ea security wake-up call for Web programmers /$fSverre H. Huseby
210   $aNew York $cJohn Wiley & Sons$dc2004
215   $a1 online resource (248 p.)
300   $aDescription based upon print version of record.
311   $a0-470-85744-7 
320   $aIncludes bibliographical references (p. 209-219) and index.
327   $aContents; Foreword; Acknowledgments; Introduction; 0.1 The Rules; 0.2 The Examples; 0.3 The Chapters; 0.4 What is Not in This Book?; 0.5 A Note from the Author; 0.6 Feedback; 1 The Basics; 1.1 HTTP; 1.1.1 Requests and responses; 1.1.2 The Referer header; 1.1.3 Caching; 1.1.4 Cookies; 1.2 Sessions; 1.2.1 Session hijacking; 1.3 HTTPS; 1.4 Summary; 1.5 Do You Want to Know More?; 2 Passing Data to Subsystems; 2.1 SQL Injection; 2.1.1 Examples, examples and then some; 2.1.2 Using error messages to fetch information; 2.1.3 Avoiding SQL injection; 2.2 Shell Command Injection; 2.2.1 Examples
327   $a2.2.2 Avoiding shell command injection2.3 Talking to Programs Written in C/C++; 2.3.1 Example; 2.4 The Evil Eval; 2.5 Solving Metacharacter Problems; 2.5.1 Multi-level interpretation; 2.5.2 Architecture; 2.5.3 Defense in depth; 2.6 Summary; 3 User Input; 3.1 What is Input Anyway?; 3.1.1 The invisible security barrier; 3.1.2 Language peculiarities: totally unexpected input; 3.2 Validating Input; 3.2.1 Whitelisting vs. blacklisting; 3.3 Handling Invalid Input; 3.3.1 Logging; 3.4 The Dangers of Client-side Validation; 3.5 Authorization Problems; 3.5.1 Indirect access to data
327   $a3.5.2 Passing too much to the client3.5.3 Missing authorization tests; 3.5.4 Authorization by obscurity; 3.6 Protecting server-generated input; 3.7 Summary; 4 Output Handling: The Cross-site Scripting Problem; 4.1 Examples; 4.1.1 Session hijacking; 4.1.2 Text modification; 4.1.3 Socially engineered Cross-site Scripting; 4.1.4 Theft of passwords; 4.1.5 Too short for scripts?; 4.2 The Problem; 4.3 The Solution; 4.3.1 HTML encoding; 4.3.2 Selective tag filtering; 4.3.3 Program design; 4.4 Browser Character Sets; 4.5 Summary; 4.6 Do You Want to Know More?; 5 Web Trojans; 5.1 Examples
327   $a5.2 The Problem5.3 A Solution; 5.4 Summary; 6 Passwords and Other Secrets; 6.1 Crypto-Stuff; 6.1.1 Symmetric encryption; 6.1.2 Asymmetric encryption; 6.1.3 Message digests; 6.1.4 Digital signatures; 6.1.5 Public key certificates; 6.2 Password-based Authentication; 6.2.1 On clear-text passwords; 6.2.2 Lost passwords; 6.2.3 Cracking hashed passwords; 6.2.4 Remember me?; 6.3 Secret Identifiers; 6.4 Secret Leakage; 6.4.1 GET request leakage; 6.4.2 Missing encryption; 6.5 Availability of Server-side Code; 6.5.1 Insecure file names; 6.5.2 System software bugs; 6.6 Summary
327   $a6.7 Do You Want to Know More?7 Enemies of Secure Code; 7.1 Ignorance; 7.2 Mess; 7.3 Deadlines; 7.4 Salesmen; 7.5 Closing Remarks; 7.6 Do You Want to Know More?; 8 Summary of Rules for Secure Coding; Appendix A: Bugs in the Web Server; Appendix B: Packet Sniffing; B.1 Teach Yourself TCP/IP in Four Minutes; B.2 Sniffing the Packets; B.3 Man-In-The-Middle Attacks; B.4 MITM with HTTPS; B.5 Summary; B.6 Do You Want to Know More?; Appendix C: Sending HTML Formatted E-mails with a Forged Sender Address; Appendix D: More Information; D.1 Mailing Lists; D.2 OWASP; Acronyms; References; Index; A; B; C
327   $aD
330   $aThis concise and practical book shows where code vulnerabilities lie-without delving into the specifics of each system architecture, programming or scripting language, or application-and how best to fix themBased on real-world situations taken from the author's experiences of tracking coding mistakes at major financial institutionsCovers SQL injection attacks, cross-site scripting, data manipulation in order to bypass authorization, and other attacks that work because of missing pieces of codeShows developers how to change their mindset from Web site construction to Web sit
606   $aComputer security
606   $aComputer networks$xSecurity measures
606   $aWorld Wide Web$xSecurity measures
615  0$aComputer security.
615  0$aComputer networks$xSecurity measures.
615  0$aWorld Wide Web$xSecurity measures.
676   $a005.8
700   $aHuseby$b Sverre H$01523201
801  0$bMiAaPQ
801  1$bMiAaPQ
801  2$bMiAaPQ
906   $aBOOK
912   $a9910783400003321
996   $aInnocent code$93763344
997   $aUNINA