Index

wait functions
waitable timer, Windows NT
Wang, Xiaoyun
Warning header field (HTTP)
waterfall models
wcsncpy( ) function
Web 2.0
Web applications
    access control
    ASP (Active Server Pages)
        configuration settings
        cross-site scripting
        file access
        file inclusion
        inline evaluation
        shell invocation
        SQL injection queries 2nd
    ASP.NET
        configuration settings
        cross-site scripting
        file access
        file inclusion
        inline evaluation
        shell invocation
        SQL injection queries
    auditing
        activities to isolate
        avoiding assumptions
        black box testing
        enumerating functionality
        goals
        multiple approaches
        reverse-engineering
        testing and experimentation
    authentication
    authorization
    business logic
    C/C++ problems
    CGI (Common Gateway Interface) 2nd
        environment variables
        indexed queries
    client control
    client visibility
    dynamic content
    encryption
    HTML (Hypertext Markup Language)
    HTTP (Hypertext Transport Protocol)
        authentication 2nd
        cookies
        embedded path information
        forms
        headers
        methods 2nd
        overview of
        parameter encoding
        query strings
        requests
        responses
        sessions 2nd
        state maintenance
        versions
    IDC (Internet Database Connection)
    Java servlets
        configuration settings
        cross-site scripting
        file access
        file inclusion
        inline evaluation
        JSP file inclusion
        shell invocation
        SQL injection queries
        threading
        Web server APIs versus
    N-tier architectures 2nd
        business tier
        client tier
        data tier
        MVC (Model-View-Controller)
        Web tier 2nd
    OS and file system interaction
        execution
        file uploading
        null bytes
        path traversal
        programmatic SSI
    overview of
    page flow
    parameters, transmitting
        embedded path information
        forms
        GET method 2nd
        parameter encoding
        POST method
        query strings
    Perl
        cross-site scripting
        file access
        file inclusion
        inline evaluation
        shell invocation
        SQL injection queries
        taint mode
    phishing and impersonation
    PHP (PHP Hypertext Preprocessor)
        configuration settings
        cross-site scripting
        file access
        file inclusion
        inline evaluation
        shell invocation 2nd
        SQL injection queries
    presentation logic
    redundancy
    security environment
    server-side scripting
    sessions
        security vulnerabilities
        session management
        session tokens
    SQL injection
        parameterized queries
        prepared statements
        second order injection
        stored procedures
        testing for
    SSIs (server-side includes)
    static content
    Struts framework
    threading issues
    URIs (Uniform Resource Identifiers)
    Web server APIs
    XML injection
    XPath injection
    XSLT (Extensible Stylesheet Language Transformation)
    XSS (cross-site scripting)
Web Distributed Authoring and Versioning (WebDAV) methods
Web server APIs, Java servlets versus
Web servers
    APIs
    directory indexing
    server-side scripting
    server-side transformation
    SSIs (server-side includes)
Web Services
    AJAX (Asynchronous JavaScript and XML)
    REST (Representational State Transfer)
    SOAP (Simple Object Access Protocol)
Web Services Description Language (WSDL)
Web tier (Web applications) 2nd
Web-specific vulnerabilities, applications
    authentication
    default site installations
    directory indexing
    file handlers
    HTTP request methods
    overly verbose error messages
    public-facing administrative interfaces
web.config file, ASP.NET
WebDAV (Web Distributed Authoring and Versioning) methods
Weil, Alejandro David
WEP (Wired Equivalent Privacy)
white-list filters, metacharacters
Whitehead, Alfred North
Wi-Fi Protected Access (WPA)
WideCharToMultiByte( ) function 2nd
width, integer types 2nd
Wilson, Daniel H.
window scale option, TCP (Transmission Control Protocol) processing
window station, IPC (interprocess communications)
Windows functions, Unicode
Windows Internals, 4th Edition
Windows messaging, IPC (interprocess communications)
    DDE (Dynamic Data Exchange)
    desktop object
    shatter attacks
    window station
    WTS (Windows Terminal Services)
Windows NT 2nd
    COM (Component Object Model)
        Active X security
        application IDs
        automation objects 2nd
        CLSID mapping
        components
        DCOM Configuration utility
        interfaces
        OLE (Object Linking and Embedding)
        proxies
        stubs
        threading
        type libraries
    DCOM (Distributed Component Object Model)
        access controls
        application audits
        application identity
        application registration
        ATL (Active Template Library)
        DCOM Configuration utility
        impersonation
        interface audits
        MIDL (Microsoft Interface Definition Language)
        subsystem access permissions
    development of
    event objects
    file access
        canonicalization
        case sensitivity
        device files
        DOS 8.3 filenames
        extraneous filename characters
        File I/O API
        file open audits
        file squatting
        file streams
        file types
        links
        permissions
    IPC (interprocess communications)
        COM (Component Object Model)
        DDE (Dynamic Data Exchange)
        desktop object
        impersonation
        mailslots
        messaging
        pipes
        redirector
        RPCs (Remote Procedure Calls)
        security
        shatter attacks
        window station
        WTS (Windows Terminal Services)
    KOM (Kernel Object Manager)
    multithreaded programs, synchronicity
    mutex objects
    namespaces
    objects
        boundary descriptor objects
        handles
        namespaces
        nonsecurable objects
        SymbolicLink objects
        system objects
    origins of
    pipes
        anonymous pipes
        creating
        impersonation
        named pipes
        permissions
        pipe squatting
    POSIX subsystem, signals, handling
    processes
        DLL loading
        loading
        process synchronization
        services
        ShellExecute( ) function
        ShellExecuteEx( ) function
    registry
        key permissions
        key squatting
        predefined keys
        value squatting
    RPCs (Remote Procedure Calls)
        ACFs (application configuration files)
        application audits
        connections
        context handles
        DCE (Distributed Computing Environment) RPCs
        IDL file structure
        impersonation
        MIDL (Microsoft Interface Definition Language)
        ONC (Open Network Computing) RPCs
        proprietary state mechanisms
        RPC servers
        threading
        transports
    security descriptors
        access masks
        ACL inheritance
        ACL permissions
        programming interfaces
        strings
    semaphores
    sessions
        access tokens 2nd
        logon rights
        SIDs (security IDs)
    threads
    waitable timer
Windows registry, path metacharacters
Windows System Programming
WinObj
Wired Equivalent Privacy (WEP)
Wojtczuk, Rafal
working directories, UNIX
working papers, application review
WPA (Wi-Fi Protected Access)
Writing Secure Code, 2nd Edition 2nd 3rd
writing to files, stdio file system
WSDL (Web Services Description Language)
_wsprintfW( ) function
WTS (Windows Terminal Services), Windows messaging
WWW-Authenticate header field (HTTP)
WWW-Link header field (HTTP)
WWW-Title header field (HTTP)