
Web Security

A WhiteHat Perspective, 1st Edition

By Hanqing Wu, Liz Zhao

Auerbach Publications

532 pages | 306 B/W Illus.

Purchasing Options ($ = USD)
Paperback: 9781466592612
pub: 2015-04-06
$110.00
Hardback: 9781138436848
pub: 2017-07-27
$205.00
eBook (VitalSource): 9781498760232
pub: 2015-09-15
from $52.50



Description

In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scales require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client-side script security, server application security, and security operations at Internet companies. It also covers browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, data leaks, Internet transaction security, and the security development lifecycle.

Table of Contents

MY VIEW OF THE SECURITY WORLD

View of the IT Security World

Brief History of Web Security

Brief History of Chinese Hackers

Development Process of Hacking Techniques

Rise of Web Security

Black Hat, White Hat

Back to Nature: The Essence of Secret Security

Superstition: There Is No Silver Bullet

Security Is an Ongoing Process

Security Elements

How to Implement Safety Assessment

Asset Classification

Threat Analysis

Risk Analysis

Design of Security Programs

Art of War of White Hat

Principles of Secure by Default

Blacklist, Whitelist

Principle of Least Privilege

Principle of Defense in Depth

Principles of Data and Code Separation

Unpredictability of the Principle

Summary

Appendix

SAFETY ON THE CLIENT SCRIPT

Security of Browser

Same-Origin Policy

Browser of Sandbox

Malicious URL Intercept

Rapid Development of Browser Security

Summary

Cross-Site Scripting Attack

Introduction

First Type: Reflected XSS

Second Type: Stored XSS

Third Type: DOM-Based XSS

Advanced XSS Attack

Preliminary Study on XSS Payload

XSS Payload Power

XSS Attack Platform

Ultimate Weapon: XSS Worm

Debugging JavaScript

Construction Skills of XSS

Turning Waste into Treasure: Mission Impossible

Easily Overlooked Corner: Flash XSS

Really Sleep without Any Anxiety: JavaScript Development Framework

XSS Defense

Skillfully Deflecting the Question: HttpOnly

Input Checking

Output Checking

Defense XSS Correctly Designed

Dealing with Rich Text

Defense DOM-Based XSS

See XSS from Another Angle of Risk

Summary

Cross-Site Request Forgery

Introduction

Advanced CSRF

Cookie Policy of Browsers

Side Effect of P3P Header

GET? POST?

Flash CSRF

CSRF Worm

Defense against CSRF

Verification Code

Referer Check

Anti-CSRF Token

Summary

Clickjacking

What Is Clickjacking?

Flash Clickjacking

Image-Covering Attacks

Drag Hijacking and Data Theft

Clickjacking 3.0: Tapjacking

Defense against Clickjacking

Frame Busting

X-Frame-Options

Summary

HTML 5 Securities

New Tags of HTML 5

New Tags of XSS

Sandbox Attribute of iframe

Link Types: Noreferrer

Magical Effect of Canvas

Other Security Problems

Cross-Origin Resource Sharing

postMessage: Send Message across Windows

Web Storage

Summary

APPLICATION SECURITY ON THE SERVER SIDE

Injection Attacks

SQL Injection Attacks

Blind Injection

Timing Attack

Database Attacking Techniques

Common Attack Techniques

Command Execution

Stored Procedure Attacks

Coding Problems

SQL Column Truncation

Properly Defending against SQL Injection

Using Precompiled Statements

Using Stored Procedures

Checking the Data Type

Using Safety Functions

Other Injection Attacks

XML Injection

Code Injection

CRLF Injection

Summary

File Upload Vulnerability

File Upload Vulnerability Overview

FCKEditor File Upload Vulnerability

Bypassing the File Upload Check Function

Functionality or Vulnerability

Apache File Parsing Problem

IIS File Parsing Problem

PHP CGI Path to Solve the Problem

Upload Files Phishing

Designing Secure File Upload Features

Summary

Authentication and Session Management

Who Am I?

Password

Multifactor Authentication

Session Management and Authentication

Session Fixation Attacks

Session Keep Attack

Single Sign-On

Summary

Access Control

What Can I Do?

Vertical Rights Management

Horizontal Rights Management

Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)

Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)

Summary of OAuth

Summary

Encryption Algorithms and Random Numbers

Introduction

Stream Cipher Attack

Reused Key Attack

Bit-Flipping Attack

Issue of Weak Random IV

WEP Crack

ECB Mode Defects

Padding Oracle Attack

Key Management

Problems with a Pseudorandom Number

Trouble with a Weak Pseudorandom Number

The Time Really Do Random

Breaking the Pseudorandom Number Algorithm Seed

Using Secure Random Numbers

Summary

Appendix: Understanding the MD5 Length Extension Attack

Web Framework Security

MVC Framework Security

Template Engine and XSS Defenses

Web Framework and CSRF Defense

HTTP Header Management

Data Persistence Layer and SQL Injection

What Can Think More?

Web Framework Self-Security

Struts 2 Command Execution Vulnerability

Struts 2 Patch

Spring MVC Execution Vulnerability

Django Execution Vulnerability

Summary

Application-Layer Denial-of-Service Attacks

Introduction to DDoS

Application-Layer DDoS

CC Attack

Restriction of Request Frequency

The Priest Climbs a Post, the Devil Climbs Ten

About Verification Code

DDoS in the Defense Application Layer

Resource Exhaustion Attack

Slowloris Attack

HTTP POST DOS

Server Limit DoS

Murder Caused by Regular Expression: ReDoS

Summary

PHP Security

File Inclusion Vulnerability

Local File Inclusion

Remote File Inclusion

Using Skill of Local File Inclusion

Variable Coverage Vulnerability

Global Variable Coverage

The extract() Variable Coverage

Traversal Initializing Variables

The import_request_variables Variable Coverage

The parse_str() Variable Coverage

Code Execution Vulnerability

"Dangerous function" Executes the Code

File Writing Code Execution

Other Methods of Code Execution

Customize Secure PHP Environment

Summary

Web Server Configuration Security

Apache Security

Nginx Security

JBoss Remote Command Execution

Tomcat Remote Command Execution

HTTP Parameter Pollution

Summary

SAFETY OPERATIONS OF INTERNET COMPANIES

Security of Internet Business

Security Requirements in Internet Products

Internet Products Need Security

What Is a Good Security Program?

Business Logic Security

Loopholes in Password Security

Who Will Be the Big Winner?

Practice Deception

Password Recovery Process

How the Account Is Stolen

Various Ways of Account Theft

Analysis on Why Accounts Get Stolen

Internet Garbage

Threat of Spam

Spam Disposal

Phishing

Details about Phishing

Mail Phishing

Prevention and Control of Phishing Sites

Phishing in Online Shopping

User Privacy Protection

Challenges in Internet User Privacy

How to Protect User Privacy

Do Not Track

Summary

Appendix: Trouble Terminator

Security Development Lifecycle

SDL Introduction

Agile SDL

SDL Actual Combat Experience

Requirements Analysis and Design Phase

Development Phase

Providing Security Functions

Code Security Audit Tool

Test Phase

Summary

Security Operations

Make the Security Operated

Process of Vulnerability Patch

Security Monitoring

Intrusion Detection

Emergency Response Process

Summary

Appendix

About the Authors

Axie Wu was a founder of ph4nt0m.org, one of China’s best-known domestic security organizations. He is proficient in both offensive and defensive web security techniques. He joined Alibaba Co., Ltd, China, after graduating from Xi’an Jiaotong University in 2005 and became the youngest expert-level engineer at Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was fully involved in the security development process at Alibaba, where he gained extensive experience in application security. From 2011 onward, he has been a security architect at Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com and is responsible for the company’s product development and design. He also leads the Zhejiang chapter of OWASP China.

Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work as a project manager and system architect with the subsidiary of a software company at an institute of the Chinese Academy of Sciences (CAS). In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has managed the company since. From September 2011, Liz has focused her attention on China’s network security issues and has aimed to help enterprises in China with their system security and network security business. She initiated the establishment of the Union SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a sought-after IT security consultant for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.

Subject Categories

BISAC Subject Codes/Headings:

BUS041000: BUSINESS & ECONOMICS / Management

COM053000: COMPUTERS / Security / General

COM060000: COMPUTERS / Internet / General