HackNotes : Web Security Portable Reference
Introduction to the book "HackNotes : Web Security Portable Reference" by Shema, Mike, published by McGraw-Hill Osborne Media in 2003. This book is offered in pdf format, in English. "HackNotes : Web Security Portable Reference" is in the uncategorized category.
Learn how hackers break into web applications with a tool as fundamental as a web browser, guard against simple to complex web application attacks, strengthen web application security using a detailed methodology for testing and secure coding, eliminate susceptibility to e-commerce, SQL injection, and input validation hacks.

Abstract: Shows you how to guard against standard and uncommon network penetration methodologies and eliminate susceptibility to e-commerce hacking. This book helps you learn to bolster Web application security and secure vulnerable hacking function areas.

HackNotes : Web Security Portable Reference
  Cover
  CONTENTS
  Acknowledgments
  Hacknotes: The Series
  Introduction
  Reference Center
    Application Assessment Methodology Checklist
    HTTP Protocol Notes
    Input Validation Tests
    Common Web-Related Ports and Applications
    Quick-Reference Command Techniques
    Application Default Accounts and Configuration Files
    "Wargling" Search Terms
    IIS Metabase Settings and Recommendations
    Online References
    Useful Tools
  Part I Hacking Techniques & Defenses
    ■ 1 Web Hacking & Penetration Methodologies
      Threats and Vulnerabilities
      Profiling the Platform
      Profiling the Application
      Summary
    ■ 2 Critical Hacks & Defenses
      Generic Input Validation
      Common Vectors
      Source Disclosure
      Character Encoding
      URL Encoding (Escaped Characters)
      Unicode
      Alternate Request Methods
      SQL Injection
      Microsoft SQL Server
      Oracle
      MySQL
      PostgreSQL
      Putting It Together
      Cross-Site Scripting
      Token Analysis
      Finding Tokens
      Encoded vs Encrypted
      Pattern Analysis
      Session Attacks
      Session Correlation
      XML-Based Services
      Attacking XML
      Fundamental Application Defenses
      Input Validation
      Summary
  Part II Host Assessment & Hardening
    ■ 3 Platform Assessment Methodology
      Vulnerability Scanners
      Whisker and LibWhisker
      Nikto
      Nessus
      Assessment Tools
      Achilles
      WebProxy 2.1
      Curl
      Replaying Requests
      Summary
    ■ 4 Assessment & Hardening Checklists
      An Overview of Web Servers
      Log File Checklist
      Apache
      Compile-Time Options
      Configuration File: httpd.conf
      IIS
      Adsutil.vbs and the Metabase
      Accounts
      File Security
      Logging
      IIS Lockdown Utility (iislockd.exe)
      Summary
  Part III Special Topics
    ■ 5 Web Server Security & Analysis
      Web Server Log Analysis
      Proxies
      Load Balancers
      The Scope of an Attack
      Read or Write Access to the File System
      Arbitrary Command Execution
      Summary
    ■ 6 Secure Coding
      Secure Programming
      Language-Specific Items
      Java
      ASP
      Perl
      PHP
      Summary
  ■ A 7-Bit ASCII Reference
  ■ B Web Application Scapegoat
    Installing WebGoat
    Using WebGoat
  ■ Index

Content: Pt. I. Hacking techniques & defenses. 1. Web hacking & penetration methodologies. 2. Critical hacks & defenses -- pt. II. Host assessment & hardening. 3. Platform assessment methodology. 4. Assessment & hardening checklists -- pt. III. Special topics. 5. Web server security & analysis. 6. Secure coding. A. 7-bit ASCII reference. B. Web application scapegoat.

Let consultant, trainer, and author Mike Shema show you how to guard against standard and uncommon network penetration methodologies and eliminate susceptibility to e-commerce hacking. Plus, learn to bolster Web application security and secure vulnerable hacking function areas. Describes how hackers break into Web applications, what function areas are vulnerable, and how to guard against attacks.