معرفی کتاب «هک وب: حملات و دفاع» (با عنوان لاتین Web hacking : attacks and defense) نوشتهٔ McClure, Stuart; Shah, Shreeraj; Shah, Saumil، منتشرشده توسط نشر Addison-Wesley Professional در سال 2002. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
Whether it's petty defacing or full-scale cyber-robbery, hackers are moving to the web along with everyone else. In this text, security experts Stuart McClure co-author of Hacking Exposed, Saumil Shah and Shreeraj Shah uncover the latest web attacks and defences. Cover......Page 1 Contents......Page 8 Foreword......Page 22 Introduction......Page 26 Writing on the Wall......Page 27 Parts......Page 28 Chapters......Page 29 Contributor......Page 31 Part One: The E-Commerce Playground......Page 34 Case Study: Acme Art, Inc. Hacked!......Page 35 Chapter 1: Web Languages: The Babylon of the 21st Century......Page 44 Introduction......Page 45 Languages of the Web......Page 46 Summary......Page 84 Chapter 2: Web and Database Servers......Page 86 Web Servers......Page 87 Database Servers......Page 103 Summary......Page 123 Chapter 3: Shopping Carts and Payment Gateways......Page 124 Introduction......Page 125 Evolution of the Storefront......Page 126 Electronic Shopping......Page 129 Shopping Cart Systems......Page 130 Implementation of a Shopping Cart Application......Page 133 Examples of Poorly Implemented Shopping Carts......Page 136 Processing Payments......Page 138 Overview of the Payment Processing System......Page 139 Interfacing with a Payment Gateway—An Example......Page 143 Payment System Implementation Issues......Page 147 PayPal—Enabling Individuals to Accept Electronic Payments......Page 148 Summary......Page 149 Chapter 4: HTTP and HTTPS: The Hacking Protocols......Page 150 Protocols of the Web......Page 151 Summary......Page 163 Chapter 5: URL: The Web Hacker’s Sword......Page 164 Introduction......Page 165 URL Structure......Page 166 URLs and Parameter Passing......Page 169 URL Encoding......Page 171 Abusing URL Encoding......Page 176 HTML Forms......Page 181 Summary......Page 190 Part Two: URLs Unraveled......Page 192 Case Study: Reconnaissance Leaks Corporate Assets......Page 193 Chapter 6: Web: Under (the) Cover......Page 196 The Components of a Web Application......Page 197 Wiring the Components......Page 202 Connecting with the Database......Page 208 Specialized Web Application Servers......Page 213 Identifying Web Application Components from URLs......Page 214 The Basics of Technology Identification......Page 215 Advanced Techniques for Technology Identification......Page 221 Identifying Database Servers......Page 223 Countermeasures......Page 225 Summary......Page 227 Chapter 7: Reading Between the Lines......Page 228 Introduction......Page 229 What the Browsers Don’t Show You......Page 230 HTML Comments......Page 233 Internal and External Hyperlinks......Page 238 E-mail Addresses and Usernames......Page 239 Keywords and Meta Tags......Page 240 Client-Side Scripts......Page 241 Automated Source Sifting Techniques......Page 243 Sam Spade, Black Widow, and Teleport Pro......Page 247 Summary......Page 248 Chapter 8: Site Linkage Analysis......Page 250 HTML and Site Linkage Analysis......Page 251 Site Linkage Analysis Methodology......Page 252 Step 1: Crawling the Web Site......Page 254 Step 2: Creating Logical Groups Within the Application Structure......Page 261 Step 3: Analyzing Each Web Resource......Page 265 Step 4: Inventorying Web Resources......Page 271 Summary......Page 272 Part Three: How Do They Do It?......Page 274 Case Study: How Boris Met Anna’s Need for Art Supplies......Page 275 Chapter 9: Cyber Graffiti......Page 278 Defacing Acme Travel, Inc.’s Web Site......Page 279 What Went Wrong?......Page 298 HTTP Brute-Forcing Tools......Page 300 Countermeasures Against the Acme Travel, Inc. Hack......Page 302 Summary......Page 306 Chapter 10: E-Shoplifting......Page 308 Introduction......Page 309 Building an Electronic Store......Page 310 Evolution of Electronic Storefronts......Page 312 Robbing Acme Fashions, Inc.......Page 314 Overhauling www.acme-fashions.com......Page 330 Postmortem and Further Countermeasures......Page 334 Summary......Page 339 Chapter 11: Database Access......Page 340 Introduction......Page 341 A Used Car Dealership Is Hacked......Page 344 Countermeasures......Page 350 Summary......Page 351 Chapter 12: Java: Remote Command Execution......Page 352 Introduction......Page 353 Java-Driven Technology......Page 354 Attacking a Java Web Server......Page 356 Identifying Loopholes in Java Application Servers......Page 358 Countermeasures......Page 371 Summary......Page 375 Chapter 13: Impersonation......Page 376 Session Hijacking: A Stolen Identity and a Broken Date......Page 377 Session Hijacking......Page 387 Application State Diagrams......Page 389 HTTP and Session Tracking......Page 391 Stateless Versus Stateful Applications......Page 393 Cookies and Hidden Fields......Page 395 Implementing Session and State Tracking......Page 396 Summary......Page 398 Chapter 14: Buffer Overflows: On-the-Fly......Page 400 Introduction......Page 401 Buffer Overflows......Page 402 Summary......Page 415 Part Four: Advanced Web Kung Fu......Page 416 Case Study......Page 417 Chapter 15: Web Hacking: Automated Tools......Page 420 Netcat......Page 421 Whisker......Page 423 Brutus......Page 427 Achilles......Page 431 Cookie Pal......Page 435 Teleport Pro......Page 446 Security Recommendations......Page 447 Summary......Page 448 Chapter 16: Worms......Page 450 Code Red Worm......Page 451 Summary......Page 459 Chapter 17: Beating the IDS......Page 460 IDS Basics......Page 461 Getting Past an IDS......Page 463 Secure Hacking—Hacking Over SSL......Page 464 Polymorphic URLs......Page 472 Generating False Positives......Page 477 Potential Countermeasures......Page 479 Summary......Page 480 Appendix A: Web and Database Port Listing......Page 482 Appendix B: HTTP/1.1 and HTTP/1.0 Method and Field Definitions......Page 486 Appendix C: Remote Command Execution Cheat Sheet......Page 492 Appendix D: Source Code, File, and Directory Disclosure Cheat Sheet......Page 496 Appendix E: Resources and Links......Page 504 Appendix F: Web-Related Tools......Page 506 Index......Page 510 B......Page 511 C......Page 512 D......Page 513 E......Page 514 H......Page 515 I......Page 516 J......Page 517 N......Page 518 P......Page 519 S......Page 520 U......Page 522 W......Page 523 X......Page 525 "Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."
--From the Foreword by William C. Boni, Chief Information Security Officer, Motorola "Just because you have a firewall and IDS sensor does not mean you aresecure; this book shows you why."
--Lance Spitzner, Founder, The Honeynet Project Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk.
Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of
Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
Features include:
- Overview of the Web and what hackers go after
- Complete Web application security methodologies
- Detailed analysis of hack techniques
- Countermeasures
- What to do at development time to eliminate vulnerabilities
- New case studies and eye-opening attack scenarios
- Advanced Web hacking concepts, methodologies, and tools
"How Do They Do It?" sections show how and why different attacks succeed, including:
- Cyber graffiti and Web site defacements
- e-Shoplifting
- Database access and Web applications
- Java application servers; how to harden your Java Web Server
- Impersonation and session hijacking
- Buffer overflows, the most wicked of attacks
- Automated attack tools and worms
Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.
Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
0201761769B07192002
In the evolution of hacking, firewalls are a mere speed bump. Hacking continues to develop, becoming ever more sophisticated, adapting and growing in ingenuity as well as in the damage that results. Web attacks running over web ports strike with enormous impact. Stuart McClure's new book focuses on Web hacking, an area where organizations are particularly vulnerable. The material covers the web commerce "playground', describing web languages and protocols, web and database servers, and payment systems. The authors bring unparalleled insight to both well- known and lesser known web vulnerabilities. They show the dangerous range of the many different attacks web hackers harbor in their bag of tricks -- including buffer overflows, the most wicked of attacks, plus other advanced attacks. The book features complete methodologies, including techniques and attacks, countermeasures, tools, plus case studies and web attack scenarios showing how different attacks work and why they work Exposes complete methodologies showing the actual techniques and attacks. Shows countermeasures, tools, and eye-opening case studies. Covers the web commerce playground, describing web languages and protocols, web and database servers, and payment systems. Softcover. Intended for a course that is teaching students how and where web-based applications are particularly vulnerable. The authors explain the complete range of attacks, including buffer overflows-the most problematic of all attacks.