
Hacking Exposed Web Applications, Second Edition Web Application Security Secrets and Solutions


ISBN-10: 0072262990

ISBN-13: 9780072262995

Edition: 2nd 2006 (Revised)

Authors: Joel Scambray, Mike Shema, Caleb Sima, Nishchal Bhalla

List price: $49.99

Description:

Implement bulletproof e-business security the proven Hacking Exposed way.

Defend against the latest Web-based attacks by looking at your Web applications through the eyes of a malicious intruder. Fully revised and updated to cover the latest Web exploitation techniques, Hacking Exposed Web Applications, Second Edition shows you, step-by-step, how cyber-criminals target vulnerable sites, gain access, steal critical data, and execute devastating attacks. All of the cutting-edge threats and vulnerabilities are covered in full detail alongside real-world examples, case studies, and battle-tested countermeasures from the authors' experiences as gray hat security professionals.

Book details

List price: $49.99
Edition: 2nd
Copyright year: 2006
Publisher: McGraw-Hill Osborne
Publication date: 6/5/2006
Binding: Paperback
Pages: 552
Size: 7.00" wide x 8.75" long x 1.00" tall
Weight: 1.958
Language: English

About the authors

Joel Scambray, CISSP, is Chief Strategy Officer at Leviathan Security Group (leviathansecurity.com). His nearly 15 years of information security experience encompasses roles as a corporate leader (senior management positions at Microsoft and Ernst & Young), entrepreneur (co-founder of Foundstone), successful technical consultant for Fortune 500 firms, and internationally recognized speaker and author of multiple security books, including all five editions of Hacking Exposed: Network Security Secrets & Solutions. Stuart McClure, CISSP, an independent computer security consultant, is one of today's leading authorities on information security. He was SVP of Global Threats and Research for…

Mike Shema develops web application security solutions at Qualys, Inc. His current work is focused on an automated web assessment service. Mike previously worked as a security consultant and trainer for Foundstone, where he conducted information security assessments across a range of industries and technologies. His security background spans network penetration testing, wireless security, code review, and web security. He is the co-author of Hacking Exposed: Web Applications and The Anti-Hacker Toolkit, and the author of Hack Notes: Web Application Security. In addition to writing, Mike has presented at security conferences in the U.S., Europe, and Asia.

Table of contents

Foreword
Acknowledgments
Introduction
Hacking Web Apps 101
What Is Web Application Hacking?
GUI Web Hacking
URI Hacking
Methods, Headers, and Body
Resources
Authentication, Sessions, and Authorization
The Web Client and HTML
Other Protocols
Why Attack Web Applications?
Who, When, and Where?
Weak Spots
How Are Web Apps Attacked?
The Web Browser
Browser Extensions
HTTP Proxies
Command-line Tools
Older Tools
Summary
References and Further Reading
Profiling
Infrastructure Profiling
Footprinting and Scanning: Defining Scope
Basic Banner Grabbing
Advanced HTTP Fingerprinting
Infrastructure Intermediaries
Application Profiling
Manual Inspection
Using Search Tools for Profiling
Automated Web Crawling
Common Web Application Profiles
General Countermeasures
A Cautionary Note
Protecting Directories
Protecting include Files
Miscellaneous Tips
Summary
References and Further Reading
Hacking Web Platforms
Point-and-click Exploitation Using Metasploit
Manual Exploitation
Evading Detection
Web Platform Security Best Practices
Common Best Practices
IIS Hardening
Apache Hardening
PHP Best Practices
Summary
References and Further Reading
Attacking Web Authentication
Web Authentication Threats
Username/Password Threats
Strong(er) Web Authentication
Web Authentication Services
Bypassing Authentication
Token Replay
Identity Management
Client-side Piggybacking
Some Final Thoughts: Identity Theft
Summary
References and Further Reading
Attacking Web Authorization
Fingerprinting Authz
Crawling ACLs
Identifying Access/Session Tokens
Analyzing Session Tokens
Differential Analysis
Role Matrix
Attacking ACLs
Attacking Tokens
Manual Prediction
Automated Prediction
Capture/Replay
Session Fixation
Authorization Attack Case Studies
Horizontal Privilege Escalation
Vertical Privilege Escalation
Differential Analysis
Using Curl to Map Permissions
Authorization Best Practices
Web ACL Best Practices
Web Authorization/Session Token Security
Security Logs
Summary
References and Further Reading
Input Validation Attacks
Expect the Unexpected
Where to Find Attack Vectors
Bypass Client-side Validation Routines
Common Input Validation Attacks
Buffer Overflow
Canonicalization (dot-dot-slash)
HTML Injection
Boundary Checks
Manipulate Application Behavior
SQL Injection and Datastore Attacks
Command Execution
Encoding Abuse
PHP Global Variables
Common Side-effects
Summary
References and Further Reading
Attacking Web Datastores
SQL Primer
Syntax
SELECT, INSERT, and UPDATE
SQL Injection Discovery
Syntax and Errors
Semantics and Behavior
Alternate Character Encoding
Exploit SQL Injection Vulnerabilities
Alter a Process
Query Alternate Data
Platforms
Other Datastore Attacks
Input Validation
Decouple Query Logic from Query Data
Database Encryption
Database Configuration
Summary
Attacking XML Web Services
What Is a Web Service?
Transport: SOAP Over HTTP(S)
WSDL
Directory Services: UDDI and DISCO
Similarities to Web Application Security
Attacking Web Services
Web Service Security Basics
Web Services Security Measures
Summary
References and Further Reading
Attacking Web Application Management
Remote Server Management
Telnet
SSH
Proprietary Management Ports
Other Administration Services
Web Content Management
FTP
SSH/scp
FrontPage
WebDAV
Admin Misconfigurations
Unnecessary Web Server Extensions
Information Leakage
Developer-driven Mistakes
Summary
References and Further Reading
Hacking Web Clients
Exploits
Trickery
General Countermeasures
IE Security Zones
Firefox Secure Configuration
Low-privilege Browsing
Server-side Countermeasures
Summary
References and Further Reading
Denial-of-Service (DoS) Attacks
Common DoS Attack Techniques
Old School DoS: Vulnerabilities
Modern DoS: Capacity Depletion
Application-layer DoS
General DoS Countermeasures
Proactive DoS Mitigation
Detecting DoS
Responding to DoS
Summary
References and Further Reading
Full-Knowledge Analysis
Threat Modeling
Clarify Security Objectives
Identify Assets
Architecture Overview
Decompose the Application
Identify and Document Threats
Rank the Threats
Develop Threat Mitigation Strategies
Code Review
Manual Source Code Review
Automated Source Code Review
Binary Analysis
Security Testing of Web App Code
Fuzzing
Test Tools, Utilities, and Harnesses
Pen-testing
Security in the Web Development Process
People
Process
Technology
Summary
References and Further Reading
Web Application Security Scanners
Technology: Web App Security Scanners
The Testbed
The Tests
Reviews of Individual Scanners
Overall Test Results
Nontechnical Issues
Process
People
Summary
References and Further Reading
Web Application Security Checklist
Web Hacking Tools and Techniques Cribsheet
URLScan and ModSecurity
URLScan
Basic URLScan Deployment (IIS5.x and Earlier)
Advanced URLScan Configuration
Managing URLScan
ModSecurity
ModSecurity Installation
ModSecurity Configuration
Summary
References and Further Reading
About the Companion Web Site
Index