
Web Security

A WhiteHat Perspective, 1st Edition

By Hanqing Wu, Liz Zhao

Auerbach Publications

532 pages | 306 B/W Illus.

Purchasing options (prices in USD):
Paperback: ISBN 9781466592612, published 2015-04-06
Hardback: ISBN 9781138436848, published 2017-07-27
eBook (VitalSource): ISBN 9781498760232, published 2015-09-15
From $52.50



In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scales require different security methodologies. With in-depth analysis of the reasoning behind each choice, the book covers client-side script security, server-side application security, and security operations at Internet companies. It also covers browser security, cross-site scripting attacks, clickjacking, HTML5 and PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, information leaks, Internet transaction security, and the security development lifecycle.

Table of Contents

View of the IT Security World
    Brief History of Web Security
    Brief History of Chinese Hackers
    Development Process of Hacking Techniques
    Rise of Web Security
    Black Hat, White Hat
    Back to Nature: The Essence of Secret Security
    Superstition: There Is No Silver Bullet
    Security Is an Ongoing Process
    Security Elements
    How to Implement Safety Assessment
    Asset Classification
    Threat Analysis
    Risk Analysis
    Design of Security Programs
    Art of War of White Hat
    Principles of Secure by Default
    Blacklist, Whitelist
    Principle of Least Privilege
    Principle of Defense in Depth
    Principles of Data and Code Separation
    Unpredictability of the Principle

Security of Browser
    Same-Origin Policy
    Browser of Sandbox
    Malicious URL Intercept
    Rapid Development of Browser Security

Cross-Site Scripting Attack
    First Type: Reflected XSS
    Second Type: Stored XSS
    Third Type: DOM-Based XSS
    Advanced XSS Attack
    Preliminary Study on XSS Payload
    XSS Payload Power
    XSS Attack Platform
    Ultimate Weapon: XSS Worm
    Debugging JavaScript
    Construction Skills of XSS
    Turning Waste into Treasure: Mission Impossible
    Easily Overlooked Corner: Flash XSS
    Really Sleep without Any Anxiety: JavaScript Development Framework
    XSS Defense
    Skillfully Deflecting the Question: HttpOnly
    Input Checking
    Output Checking
    Defense XSS Correctly Designed
    Dealing with Rich Text
    Defense DOM-Based XSS
    See XSS from Another Angle of Risk

Cross-Site Request Forgery
    Advanced CSRF
    Cookie Policy of Browsers
    Side Effect of P3P Header
    Flash CSRF
    Defense against CSRF
    Verification Code
    Referer Check
    Anti-CSRF Token

Clickjacking
    What Is Clickjacking?
    Flash Clickjacking
    Image-Covering Attacks
    Drag Hijacking and Data Theft
    Clickjacking 3.0: Tapjacking
    Defense against Clickjacking
    Frame Busting

HTML 5 Securities
    New Tags of HTML 5
    New Tags of XSS
    Sandbox Attribute of iframe
    Link Types: Noreferrer
    Magical Effect of Canvas
    Other Security Problems
    Cross-Origin Resource Sharing
    postMessage: Send Message across Windows
    Web Storage

Injection Attacks
    SQL Injection Attacks
    Blind Injection
    Timing Attack
    Database Attacking Techniques
    Common Attack Techniques
    Command Execution
    Stored Procedure Attacks
    Coding Problems
    SQL Column Truncation
    Properly Defending against SQL Injection
    Using Precompiled Statements
    Using Stored Procedures
    Checking the Data Type
    Using Safety Functions
    Other Injection Attacks
    XML Injection
    Code Injection
    CRLF Injection

File Upload Vulnerability
    File Upload Vulnerability Overview
    FCKEditor File Upload Vulnerability
    Bypassing the File Upload Check Function
    Functionality or Vulnerability
    Apache File Parsing Problem
    IIS File Parsing Problem
    PHP CGI Path to Solve the Problem
    Upload Files Phishing
    Designing Secure File Upload Features

Authentication and Session Management
    Who Am I?
    Multifactor Authentication
    Session Management and Authentication
    Session Fixation Attacks
    Session Keep Attack
    Single Sign-On

Access Control
    What Can I Do?
    Vertical Rights Management
    Horizontal Rights Management
    Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)
    Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)
    Summary of OAuth

Encryption Algorithms and Random Numbers
    Stream Cipher Attack
    Reused Key Attack
    Bit-Flipping Attack
    Issue of Weak Random IV
    WEP Crack
    ECB Mode Defects
    Padding Oracle Attack
    Key Management
    Problems with a Pseudorandom Number
    Trouble with a Weak Pseudorandom Number
    The Time Really Do Random
    Breaking the Pseudorandom Number Algorithm Seed
    Using Secure Random Numbers
    Appendix: Understanding the MD5 Length Extension Attack

Web Framework Security
    MVC Framework Security
    Template Engine and XSS Defenses
    Web Framework and CSRF Defense
    HTTP Header Management
    Data Persistence Layer and SQL Injection
    What Can Think More?
    Web Framework Self-Security
    Struts 2 Command Execution Vulnerability
    Struts 2 Patch
    Spring MVC Execution Vulnerability
    Django Execution Vulnerability

Application-Layer Denial-of-Service Attacks
    Introduction to DDoS
    Application-Layer DDoS
    CC Attack
    Restriction of Request Frequency
    The Priest Climbs a Post, the Devil Climbs Ten
    About Verification Code
    DDoS in the Defense Application Layer
    Resource Exhaustion Attack
    Slowloris Attack
    Server Limit DoS
    Murder Caused by Regular Expression: ReDoS

PHP Security
    File Inclusion Vulnerability
    Local File Inclusion
    Remote File Inclusion
    Using Skill of Local File Inclusion
    Variable Coverage Vulnerability
    Global Variable Coverage
    The extract() Variable Coverage
    Traversal Initializing Variables
    The import_request_variables Variable Coverage
    The parse_str() Variable Coverage
    Code Execution Vulnerability
    "Dangerous function" Executes the Code
    File Writing Code Execution
    Other Methods of Code Execution
    Customize Secure PHP Environment

Web Server Configuration Security
    Apache Security
    Nginx Security
    jBoss Remote Command Execution
    Tomcat Remote Command Execution
    HTTP Parameter Pollution

Security of Internet Business
    Security Requirements in Internet Products
    Internet Products Need Security
    What Is a Good Security Program?
    Business Logic Security
    Loopholes in Password Security
    Who Will Be the Big Winner?
    Practice Deception
    Password Recovery Process
    How the Account Is Stolen
    Various Ways of Account Theft
    Analysis on Why Accounts Get Stolen
    Internet Garbage
    Threat of Spam
    Spam Disposal
    Details about Phishing
    Mail Phishing
    Prevention and Control of Phishing Sites
    Phishing in Online Shopping
    User Privacy Protection
    Challenges in Internet User Privacy
    How to Protect User Privacy
    Do Not Track
    Appendix: Trouble Terminator

Security Development Lifecycle
    SDL Introduction
    Agile SDL
    SDL Actual Combat Experience
    Requirements Analysis and Design Phase
    Development Phase
    Providing Security Functions
    Code Security Audit Tool
    Test Phase

Security Operations
    Make the Security Operated
    Process of Vulnerability Patch
    Security Monitoring
    Intrusion Detection
    Emergency Response Process

About the Authors

Axie Wu was a founder of ph4nt0m.org, one of China's best-known domestic security organizations. He is proficient in both offensive and defensive web security techniques. He joined Alibaba Co., Ltd, China, after graduating from Xi'an Jiaotong University in 2005 and became the youngest expert-level engineer at Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was deeply involved in Alibaba's security development process, where he gained extensive experience in application security. From 2011 onward, he has been a security architect at Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company's product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and joined a software company's subsidiary at an institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has managed the company since. From September 2011, Liz has focused on China's network security issues and has aimed to help enterprises in China with system security and network security. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a sought-after IT security consultant for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Security / General
COMPUTERS / Internet / General