The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition, Paperback – 2011

This book is just awesome. What should I say about it? I don’t know.

So I am giving you a glimpse of this book’s index. You can imagine you will thank me after reading and learning these things. So let’s get into it, bro.

  • Introduction
  • Chapter 1: Web Application (In)security
    ◦ The Evolution of Web Applications
    ◦ Common Web Application Functions
    ◦ Benefits of Web Applications
    ◦ Web Application Security
    ◦ “This Site Is Secure”
    ◦ The Core Security Problem: Users Can Submit Arbitrary Input
    ◦ Key Problem Factors
    ◦ The New Security Perimeter
    ◦ The Future of Web Application Security
  • Chapter 2: Core Defense Mechanisms
    ◦ Handling User Access
    ◦ Authentication
    ◦ Session Management
    ◦ Access Control
    ◦ Handling User Input
    ◦ Varieties of Input
    ◦ Approaches to Input Handling
    ◦ Boundary Validation
    ◦ Multistep Validation and Canonicalization
    ◦ Handling Attackers
    ◦ Handling Errors
    ◦ Maintaining Audit Logs
    ◦ Alerting Administrators
    ◦ Reacting to Attacks
    ◦ Managing the Application
    ◦ Summary
    ◦ Questions
  • Chapter 3: Web Application Technologies
    ◦ The HTTP Protocol
    ◦ HTTP Requests
    ◦ HTTP Responses
    ◦ HTTP Methods
    ◦ URLs
    ◦ REST
    ◦ HTTP Headers
    ◦ Cookies
    ◦ Status Codes
    ◦ HTTPS
    ◦ HTTP Proxies
    ◦ HTTP Authentication
    ◦ Web Functionality
    ◦ Server-Side Functionality
    ◦ Client-Side Functionality
    ◦ State and Sessions
    ◦ Encoding Schemes
    ◦ URL Encoding
    ◦ Unicode Encoding
    ◦ HTML Encoding
    ◦ Base64 Encoding
    ◦ Hex Encoding
    ◦ Remoting and Serialization Frameworks
    ◦ Questions
  • Chapter 4: Mapping the Application
    ◦ Enumerating Content and Functionality
    ◦ Web Spidering
    ◦ User-Directed Spidering
    ◦ Discovering Hidden Content
    ◦ Application Pages Versus Functional Paths
    ◦ Discovering Hidden Parameters
    ◦ Analyzing the Application
    ◦ Identifying Entry Points for User Input
    ◦ Identifying Server-Side Technologies
    ◦ Identifying Server-Side Functionality
    ◦ Mapping the Attack Surface
    ◦ Summary
  • Chapter 5: Bypassing Client-Side Controls
    ◦ Transmitting Data Via the Client
    ◦ Hidden Form Fields
    ◦ HTTP Cookies
    ◦ URL Parameters
    ◦ The Referer Header
    ◦ Opaque Data
    ◦ The ASP.NET ViewState
    ◦ Capturing User Data: HTML Forms
    ◦ Length Limits
    ◦ Script-Based Validation
    ◦ Disabled Elements
    ◦ Capturing User Data: Browser Extensions
    ◦ Common Browser Extension Technologies
    ◦ Approaches to Browser Extensions
    ◦ Intercepting Traffic from Browser Extensions
    ◦ Decompiling Browser Extensions
    ◦ Attaching a Debugger
    ◦ Native Client Components
    ◦ Handling Client-Side Data Securely
    ◦ Transmitting Data Via the Client
    ◦ Validating Client-Generated Data
    ◦ Logging and Alerting
    ◦ Summary
    ◦ Questions
  • Chapter 6: Attacking Authentication
    ◦ Authentication Technologies
    ◦ Design Flaws in Authentication Mechanisms
    ◦ Bad Passwords
    ◦ Brute-Forcible Login
    ◦ Verbose Failure Messages
    ◦ Vulnerable Transmission of Credentials
    ◦ Password Change Functionality
    ◦ Forgotten Password Functionality
    ◦ “Remember Me” Functionality
    ◦ User Impersonation Functionality
    ◦ Incomplete Validation of Credentials
    ◦ Nonunique Usernames
    ◦ Predictable Usernames
    ◦ Predictable Initial Passwords
    ◦ Insecure Distribution of Credentials
    ◦ Implementation Flaws in Authentication
    ◦ Fail-Open Login Mechanisms
    ◦ Defects in Multistage Login Mechanisms
    ◦ Insecure Storage of Credentials
    ◦ Securing Authentication
    ◦ Use Strong Credentials
    ◦ Handle Credentials Secretively
    ◦ Validate Credentials Properly
    ◦ Prevent Information Leakage
    ◦ Prevent Brute-Force Attacks
    ◦ Prevent Misuse of the Password Change Function
    ◦ Prevent Misuse of the Account Recovery Function
    ◦ Log, Monitor, and Notify
    ◦ Summary
    ◦ Questions
  • Chapter 7: Attacking Session Management
    ◦ The Need for State
    ◦ Alternatives to Sessions
    ◦ Weaknesses in Token Generation
    ◦ Meaningful Tokens
    ◦ Predictable Tokens
    ◦ Encrypted Tokens
    ◦ Weaknesses in Session Token Handling
    ◦ Disclosure of Tokens on the Network
    ◦ Disclosure of Tokens in Logs
    ◦ Vulnerable Mapping of Tokens to Sessions
    ◦ Vulnerable Session Termination
    ◦ Client Exposure to Token Hijacking
    ◦ Liberal Cookie Scope
    ◦ Securing Session Management
    ◦ Generate Strong Tokens
    ◦ Protect Tokens Throughout Their Life Cycle
    ◦ Log, Monitor, and Alert
    ◦ Summary
    ◦ Questions
  • Chapter 8: Attacking Access Controls
    ◦ Common Vulnerabilities
    ◦ Completely Unprotected Functionality
    ◦ Identifier-Based Functions
    ◦ Multistage Functions
    ◦ Static Files
    ◦ Platform Misconfiguration
    ◦ Insecure Access Control Methods
    ◦ Attacking Access Controls
    ◦ Testing with Different User Accounts
    ◦ Testing Multistage Processes
    ◦ Testing with Limited Access
    ◦ Testing Direct Access to Methods
    ◦ Testing Controls Over Static Resources
    ◦ Testing Restrictions on HTTP Methods
    ◦ Securing Access Controls
    ◦ A Multilayered Privilege Model
    ◦ Summary
    ◦ Questions

This is just a part of the index… If you want to become a hacker, you must buy this book right now, bro.
