1st Edition

Web Security
A WhiteHat Perspective

ISBN 9781466592612
Published April 6, 2015 by Auerbach Publications
532 pages, 306 B/W illustrations

USD $115.00



Book Description

In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scale require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client script security, server application security, and Internet company security operations. It also includes coverage of browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, leaks, Internet transaction security, and the security development lifecycle.

Table of Contents

View of the IT Security World
Brief History of Web Security
Brief History of Chinese Hackers
Development Process of Hacking Techniques
Rise of Web Security
Black Hat, White Hat
Back to Nature: The Essence of Secret Security
Superstition: There Is No Silver Bullet
Security Is an Ongoing Process
Security Elements
How to Implement Safety Assessment
Asset Classification
Threat Analysis
Risk Analysis
Design of Security Programs
Art of War of White Hat
Principles of Secure by Default
Blacklist, Whitelist
Principle of Least Privilege
Principle of Defense in Depth
Principles of Data and Code Separation
Unpredictability of the Principle

Security of Browser
Same-Origin Policy
Browser of Sandbox
Malicious URL Intercept
Rapid Development of Browser Security

Cross-Site Scripting Attack
First Type: Reflected XSS
Second Type: Stored XSS
Third Type: DOM-Based XSS
Advanced XSS Attack
Preliminary Study on XSS Pay Load
XSS Payload Power
XSS Attack Platform
Ultimate Weapon: XSS Worm
Debugging JavaScript
Construction Skills of XSS
Turning Waste into Treasure: Mission Impossible
Easily Overlooked Corner: Flash XSS
Really Sleep without Any Anxiety: JavaScript Development Framework
XSS Defense
Skillfully Deflecting the Question: HttpOnly
Input Checking
Output Checking
Defense XSS Correctly Designed
Dealing with Rich Text
Defense DOM-Based XSS
See XSS from Another Angle of Risk

Cross-Site Request Forgery
Advanced CSRF
Cookie Policy of Browsers
Side Effect of P3P Header
Flash CSRF
Defense against CSRF
Verification Code
Referer Check
Anti-CSRF Token

What Is Clickjacking?
Flash Clickjacking
Image-Covering Attacks
Drag Hijacking and Data Theft
Clickjacking 3.0: Tapjacking
Defense against Clickjacking
Frame Busting

HTML 5 Securities
New Tags of HTML 5
New Tags of XSS
Sandbox Attribute of iframe
Link Types: Noreferrer
Magical Effect of Canvas
Other Security Problems
Cross-Origin Resource Sharing
postMessage: Send Message across Windows
Web Storage

Injection Attacks
SQL Injection Attacks
Blind Injection
Timing Attack
Database Attacking Techniques
Common Attack Techniques
Command Execution
Stored Procedure Attacks
Coding Problems
SQL Column Truncation
Properly Defending against SQL Injection
Using Precompiled Statements
Using Stored Procedures
Checking the Data Type
Using Safety Functions
Other Injection Attacks
XML Injection
Code Injection
CRLF Injection

File Upload Vulnerability
File Upload Vulnerability Overview
FCKEditor File Upload Vulnerability
Bypassing the File Upload Check Function
Functionality or Vulnerability
Apache File Parsing Problem
IIS File Parsing Problem
PHP CGI Path to Solve the Problem
Upload Files Phishing
Designing Secure File Upload Features

Authentication and Session Management
Who Am I?
Multifactor Authentication
Session Management and Authentication
Session Fixation Attacks
Session Keep Attack
Single Sign-On

Access Control
What Can I Do?
Vertical Rights Management
Horizontal Rights Management
Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)
Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)
Summary of OAuth

Encryption Algorithms and Random Numbers
Stream Cipher Attack
Reused Key Attack
Bit-Flipping Attack
Issue of Weak Random IV
WEP Crack
ECB Mode Defects
Padding Oracle Attack
Key Management
Problems with a Pseudorandom Number
Trouble with a Weak Pseudorandom Number
The Time Really Do Random
Breaking the Pseudorandom Number Algorithm Seed
Using Secure Random Numbers
Appendix: Understanding the MD5 Length Extension Attack

Web Framework Security
MVC Framework Security
Template Engine and XSS Defenses
Web Framework and CSRF Defense
HTTP Header Management
Data Persistence Layer and SQL Injection
What Can Think More?
Web Framework Self-Security
Struts 2 Command Execution Vulnerability
Struts 2 Patch
Spring MVC Execution Vulnerability
Django Execution Vulnerability

Application-Layer Denial-of-Service Attacks
Introduction to DDoS
Application-Layer DDoS
CC Attack
Restriction of Request Frequency
The Priest Climbs a Post, the Devil Climbs Ten
About Verification Code
DDoS in the Defense Application Layer
Resource Exhaustion Attack
Slowloris Attack
Server Limit DoS
Murder Caused by Regular Expression: ReDoS

PHP Security
File Inclusion Vulnerability
Local File Inclusion
Remote File Inclusion
Using Skill of Local File Inclusion
Variable Coverage Vulnerability
Global Variable Coverage
The extract() Variable Coverage
Traversal Initializing Variables
The import_request_variables Variable Coverage
The parse_str() Variable Coverage
Code Execution Vulnerability
"Dangerous function" Executes the Code
File Writing Code Execution
Other Methods of Code Execution
Customize Secure PHP Environment

Web Server Configuration Security
Apache Security
Nginx Security
jBoss Remote Command Execution
Tomcat Remote Command Execution
HTTP Parameter Pollution

Security of Internet Business
Security Requirements in Internet Products
Internet Products Need Security
What Is a Good Security Program?
Business Logic Security
Loopholes in Password Security
Who Will Be the Big Winner?
Practice Deception
Password Recovery Process
How the Account Is Stolen
Various Ways of Account Theft
Analysis on Why Accounts Get Stolen
Internet Garbage
Threat of Spam
Spam Disposal
Details about Phishing
Mail Phishing
Prevention and Control of Phishing Sites
Phishing in Online Shopping
User Privacy Protection
Challenges in Internet User Privacy
How to Protect User Privacy
Do Not Track
Appendix: Trouble Terminator

Security Development Lifecycle
SDL Introduction
Agile SDL
SDL Actual Combat Experience
Requirements Analysis and Design Phase
Development Phase
Providing Security Functions
Code Security Audit Tool
Test Phase

Security Operations
Make the Security Operated
Process of Vulnerability Patch
Security Monitoring
Intrusion Detection
Emergency Response Process




Axie Wu was a founder of ph4nt0m.org, one of China’s famous domestic security organizations. He is proficient in different offensive and defensive techniques with regard to web security. He joined Alibaba Co., Ltd, China, after his graduation from Xi’an Jiaotong University in 2005 and became the youngest expert level engineer in Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was completely involved in the security development process for Alibaba, where he gained extensive experience in the field of application security. From 2011 onward, he has been a security architect in Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company’s product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work with the subsidiary of a software company at the institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded the RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has since managed the company. From September 2011, Liz has focused her attention on China’s network security issues and has aimed to help enterprises in China with system security and network security business. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a popular consultant for IT security service for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.