Flylib.com
Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
Hunting Security Bugs
Back Cover
About
Foreword
Introduction
Who is This Book for?
Organization of This Book
System Requirements
Technology Updates
Code Samples and Companion Content
Support for This Book
Acknowledgments
Chapter 1: General Approach to Security Testing
Different Types of Security Testers
An Approach to Security Testing
Summary
Chapter 2: Using Threat Models for Security Testing
How Testers Can Leverage a Threat Model
Data Flow Diagrams
Enumeration of Entry Points and Exit Points
Enumeration of Threats
How Testers Should Use a Completed Threat Model
Implementation Rarely Matches the Specification or Threat Model
Summary
Chapter 3: Finding Entry Points
Finding and Ranking Entry Points
Common Entry Points
Summary
Chapter 4: Becoming a Malicious Client
Testing HTTP
Testing Specific Network Requests Quickly
Testing Tips
Summary
Chapter 5: Becoming a Malicious Server
Understanding Common Ways Clients Receive Malicious Server Responses
Does SSL Prevent Malicious Server Attacks?
Manipulating Server Responses
Examples of Malicious Response Bugs
Myth: It Is Difficult for an Attacker to Create a Malicious Server
Understanding Downgrade MITM Attacks
Testing Tips
Summary
Chapter 6: Spoofing
Finding Spoofing Issues
General Spoofing
User Interface Spoofing
Testing Tips
Summary
Chapter 7: Information Disclosure
Locating Common Areas of Information Disclosure
Identifying Interesting Data
Summary
Chapter 8: Buffer Overflows and Stack and Heap Manipulation
Understanding How Overflows Work
Testing for Overruns: Where to Look for Cases
Black Box (Functional) Testing
White Box Testing
Additional Topics
Testing Tips
Summary
Chapter 9: Format String Attacks
Understanding Why Format Strings Are a Problem
Testing for Format String Vulnerabilities
Walkthrough: Seeing a Format String Attack in Action
Testing Tips
Summary
Chapter 10: HTML Scripting Attacks
Understanding Persistent XSS Attacks Against Servers
Identifying Attackable Data for Reflected and Persistent XSS Attacks
Common Ways Programmers Try to Stop Attacks
Understanding Reflected XSS Attacks Against Local Files
Understanding Script Injection Attacks in the My Computer Zone
Ways Programmers Try to Prevent HTML Scripting Attacks
Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
Identifying HTML Scripting Vulnerabilities
Finding HTML Scripting Bugs Through Code Review
Summary
Chapter 11: XML Issues
Testing XML-Specific Attacks
Simple Object Access Protocol
Testing Tips
Summary
Chapter 12: Canonicalization Issues
Finding Canonicalization Issues
File-Based Canonicalization Issues
Web-Based Canonicalization Issues
Testing Tips
Summary
Chapter 13: Finding Weak Permissions
Finding Permissions Problems
Understanding the Windows Access Control Mechanism
Finding and Analyzing Permissions on Objects
Recognizing Common Permissions Problems
Determining the Accessibility of Objects
Other Permissions Considerations
Summary
Chapter 14: Denial of Service Attacks
Testing Tips
Summary
Chapter 15: Managed Code Issues
Dispelling Common Myths About Using Managed Code
Understanding the Basics of Code Access Security
Finding Problems Using Code Reviews
Understanding the Issues of Using APTCA
Decompiling .NET Assemblies
Testing Tips
Summary
Chapter 16: SQL Injection
Exactly What Is SQL Injection?
Understanding the Importance of SQL Injection
Finding SQL Injection Issues
Avoiding Common Mistakes About SQL Injection
Understanding Repurposing of SQL Stored Procedures
Recognizing Similar Injection Attacks
Testing Tips
Summary
Chapter 17: Observation and Reverse Engineering
Using a Debugger to Trace Program Execution and Change Its Behavior
Using a Decompiler or Disassembler to Reverse Engineer a Program
Analyzing Security Updates
Testing Tips
Legal Considerations
Summary
Chapter 18: ActiveX Repurposing Attacks
Understanding ActiveX Controls
ActiveX Control Testing Walkthrough
Testing Tips
Summary
Chapter 19: Additional Repurposing Attacks
Web Pages Requesting External Data
Understanding Repurposing of Window and Thread Messages
Summary
Chapter 20: Reporting Security Bugs
Contacting the Vendor
What to Expect After Contacting the Vendor
Public Disclosure
Addressing Security Bugs in Your Product
Summary
Appendix A: Tools of the Trade
Appendix B: Security Test Cases Cheat Sheet
Spoofing
Information Disclosures
Buffer Overflows
Format Strings
Cross-Site Scripting and Script Injection
XML
SOAP
Canonicalization Issues
Weak Permissions
Denial of Service
Managed Code
SQL Injection
ActiveX
List of Figures
List of Tables