The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
This book is just awesome. What should I say about it? I don't know.
So I am giving you a glimpse of this book's index. You can imagine it: you will thank me after reading and learning these things. So let's get into it, bro.
- Introduction
- Chapter 1: Web Application (In)security
  - The Evolution of Web Applications
    - Common Web Application Functions
    - Benefits of Web Applications
  - Web Application Security
    - "This Site Is Secure"
    - The Core Security Problem: Users Can Submit Arbitrary Input
    - Key Problem Factors
    - The New Security Perimeter
    - The Future of Web Application Security
- Chapter 2: Core Defense Mechanisms
  - Handling User Access
    - Authentication
    - Session Management
    - Access Control
  - Handling User Input
    - Varieties of Input
    - Approaches to Input Handling
    - Boundary Validation
    - Multistep Validation and Canonicalization
  - Handling Attackers
    - Handling Errors
    - Maintaining Audit Logs
    - Alerting Administrators
    - Reacting to Attacks
  - Managing the Application
  - Summary
  - Questions
- Chapter 3: Web Application Technologies
  - The HTTP Protocol
    - HTTP Requests
    - HTTP Responses
    - HTTP Methods
    - URLs
    - REST
    - HTTP Headers
    - Cookies
    - Status Codes
    - HTTPS
    - HTTP Proxies
    - HTTP Authentication
  - Web Functionality
    - Server-Side Functionality
    - Client-Side Functionality
    - State and Sessions
  - Encoding Schemes
    - URL Encoding
    - Unicode Encoding
    - HTML Encoding
    - Base64 Encoding
    - Hex Encoding
    - Remoting and Serialization Frameworks
  - Questions
- Chapter 4: Mapping the Application
  - Enumerating Content and Functionality
    - Web Spidering
    - User-Directed Spidering
    - Discovering Hidden Content
    - Application Pages Versus Functional Paths
    - Discovering Hidden Parameters
  - Analyzing the Application
    - Identifying Entry Points for User Input
    - Identifying Server-Side Technologies
    - Identifying Server-Side Functionality
    - Mapping the Attack Surface
  - Summary
- Chapter 5: Bypassing Client-Side Controls
  - Transmitting Data Via the Client
    - Hidden Form Fields
    - HTTP Cookies
    - URL Parameters
    - The Referer Header
    - Opaque Data
    - The ASP.NET ViewState
  - Capturing User Data: HTML Forms
    - Length Limits
    - Script-Based Validation
    - Disabled Elements
  - Capturing User Data: Browser Extensions
    - Common Browser Extension Technologies
    - Approaches to Browser Extensions
    - Intercepting Traffic from Browser Extensions
    - Decompiling Browser Extensions
    - Attaching a Debugger
    - Native Client Components
  - Handling Client-Side Data Securely
    - Transmitting Data Via the Client
    - Validating Client-Generated Data
    - Logging and Alerting
  - Summary
  - Questions
- Chapter 6: Attacking Authentication
  - Authentication Technologies
  - Design Flaws in Authentication Mechanisms
    - Bad Passwords
    - Brute-Forcible Login
    - Verbose Failure Messages
    - Vulnerable Transmission of Credentials
    - Password Change Functionality
    - Forgotten Password Functionality
    - "Remember Me" Functionality
    - User Impersonation Functionality
    - Incomplete Validation of Credentials
    - Nonunique Usernames
    - Predictable Usernames
    - Predictable Initial Passwords
    - Insecure Distribution of Credentials
  - Implementation Flaws in Authentication
    - Fail-Open Login Mechanisms
    - Defects in Multistage Login Mechanisms
    - Insecure Storage of Credentials
  - Securing Authentication
    - Use Strong Credentials
    - Handle Credentials Secretively
    - Validate Credentials Properly
    - Prevent Information Leakage
    - Prevent Brute-Force Attacks
    - Prevent Misuse of the Password Change Function
    - Prevent Misuse of the Account Recovery Function
    - Log, Monitor, and Notify
  - Summary
  - Questions
- Chapter 7: Attacking Session Management
  - The Need for State
    - Alternatives to Sessions
  - Weaknesses in Token Generation
    - Meaningful Tokens
    - Predictable Tokens
    - Encrypted Tokens
  - Weaknesses in Session Token Handling
    - Disclosure of Tokens on the Network
    - Disclosure of Tokens in Logs
    - Vulnerable Mapping of Tokens to Sessions
    - Vulnerable Session Termination
    - Client Exposure to Token Hijacking
    - Liberal Cookie Scope
  - Securing Session Management
    - Generate Strong Tokens
    - Protect Tokens Throughout Their Life Cycle
    - Log, Monitor, and Alert
  - Summary
  - Questions
- Chapter 8: Attacking Access Controls
  - Common Vulnerabilities
    - Completely Unprotected Functionality
    - Identifier-Based Functions
    - Multistage Functions
    - Static Files
    - Platform Misconfiguration
    - Insecure Access Control Methods
  - Attacking Access Controls
    - Testing with Different User Accounts
    - Testing Multistage Processes
    - Testing with Limited Access
    - Testing Direct Access to Methods
    - Testing Controls Over Static Resources
    - Testing Restrictions on HTTP Methods
  - Securing Access Controls
    - A Multilayered Privilege Model
  - Summary
  - Questions
- Chapter 9
This is just a part of the index. If you want to become a hacker, you must buy this book right now, bro.