Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
Hunting Security Bugs
Back Cover
About
Foreword
Introduction
Who is This Book for?
Organization of This Book
System Requirements
Technology Updates
Code Samples and Companion Content
Support for This Book
Acknowledgments
Chapter 1: General Approach to Security Testing
Different Types of Security Testers
An Approach to Security Testing
Summary
Chapter 2: Using Threat Models for Security Testing
How Testers Can Leverage a Threat Model
Data Flow Diagrams
Enumeration of Entry Points and Exit Points
Enumeration of Threats
How Testers Should Use a Completed Threat Model
Implementation Rarely Matches the Specification or Threat Model
Summary
Chapter 3: Finding Entry Points
Finding and Ranking Entry Points
Common Entry Points
Summary
Chapter 4: Becoming a Malicious Client
Testing HTTP
Testing Specific Network Requests Quickly
Testing Tips
Summary
Chapter 5: Becoming a Malicious Server
Understanding Common Ways Clients Receive Malicious Server Responses
Does SSL Prevent Malicious Server Attacks?
Manipulating Server Responses
Examples of Malicious Response Bugs
Myth: It Is Difficult for an Attacker to Create a Malicious Server
Understanding Downgrade MITM Attacks
Testing Tips
Summary
Chapter 6: Spoofing
Finding Spoofing Issues
General Spoofing
User Interface Spoofing
Testing Tips
Summary
Chapter 7: Information Disclosure
Locating Common Areas of Information Disclosure
Identifying Interesting Data
Summary
Chapter 8: Buffer Overflows and Stack and Heap Manipulation
Understanding How Overflows Work
Testing for Overruns: Where to Look for Cases
Black Box (Functional) Testing
White Box Testing
Additional Topics
Testing Tips
Summary
Chapter 9: Format String Attacks
Understanding Why Format Strings Are a Problem
Testing for Format String Vulnerabilities
Walkthrough: Seeing a Format String Attack in Action
Testing Tips
Summary
Chapter 10: HTML Scripting Attacks
Understanding Persistent XSS Attacks Against Servers
Identifying Attackable Data for Reflected and Persistent XSS Attacks
Common Ways Programmers Try to Stop Attacks
Understanding Reflected XSS Attacks Against Local Files
Understanding Script Injection Attacks in the My Computer Zone
Ways Programmers Try to Prevent HTML Scripting Attacks
Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
Identifying HTML Scripting Vulnerabilities
Finding HTML Scripting Bugs Through Code Review
Summary
Chapter 11: XML Issues
Testing XML-Specific Attacks
Simple Object Access Protocol
Testing Tips
Summary
Chapter 12: Canonicalization Issues
Finding Canonicalization Issues
File-Based Canonicalization Issues
Web-Based Canonicalization Issues
Testing Tips
Summary
Chapter 13: Finding Weak Permissions
Finding Permissions Problems
Understanding the Windows Access Control Mechanism
Finding and Analyzing Permissions on Objects
Recognizing Common Permissions Problems
Determining the Accessibility of Objects
Other Permissions Considerations
Summary
Chapter 14: Denial of Service Attacks
Testing Tips
Summary
Chapter 15: Managed Code Issues
Dispelling Common Myths About Using Managed Code
Understanding the Basics of Code Access Security
Finding Problems Using Code Reviews
Understanding the Issues of Using APTCA
Decompiling .NET Assemblies
Testing Tips
Summary
Chapter 16: SQL Injection
Exactly What Is SQL Injection?
Understanding the Importance of SQL Injection
Finding SQL Injection Issues
Avoiding Common Mistakes About SQL Injection
Understanding Repurposing of SQL Stored Procedures
Recognizing Similar Injection Attacks
Testing Tips
Summary
Chapter 17: Observation and Reverse Engineering
Using a Debugger to Trace Program Execution and Change Its Behavior
Using a Decompiler or Disassembler to Reverse Engineer a Program
Analyzing Security Updates
Testing Tips
Legal Considerations
Summary
Chapter 18: ActiveX Repurposing Attacks
Understanding ActiveX Controls
ActiveX Control Testing Walkthrough
Testing Tips
Summary
Chapter 19: Additional Repurposing Attacks
Web Pages Requesting External Data
Understanding Repurposing of Window and Thread Messages
Summary
Chapter 20: Reporting Security Bugs
Contacting the Vendor
What to Expect After Contacting the Vendor
Public Disclosure
Addressing Security Bugs in Your Product
Summary
Appendix A: Tools of the Trade
Appendix B: Security Test Cases Cheat Sheet
Spoofing
Information Disclosures
Buffer Overflows
Format Strings
Cross-Site Scripting and Script Injection
XML
SOAP
Canonicalization Issues
Weak Permissions
Denial of Service
Managed Code
SQL Injection
ActiveX
List of Figures
List of Tables