Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
Hunting Security Bugs
Back Cover
About
Foreword
Introduction
Who is This Book for?
Organization of This Book
System Requirements
Technology Updates
Code Samples and Companion Content
Support for This Book
Acknowledgments
Chapter 1: General Approach to Security Testing
Different Types of Security Testers
An Approach to Security Testing
Summary
Chapter 2: Using Threat Models for Security Testing
How Testers can Leverage a Threat Model
Data Flow Diagrams
Enumeration of Entry Points and Exit Points
Enumeration of Threats
How Testers Should Use a Completed Threat Model
Implementation Rarely Matches the Specification or Threat Model
Summary
Chapter 3: Finding Entry Points
Finding and Ranking Entry Points
Common Entry Points
Summary
Chapter 4: Becoming a Malicious Client
Testing HTTP
Testing Specific Network Requests Quickly
Testing Tips
Summary
Chapter 5: Becoming a Malicious Server
Understanding Common Ways Clients Receive Malicious Server Responses
Does SSL Prevent Malicious Server Attacks?
Manipulating Server Responses
Examples of Malicious Response Bugs
Myth: It Is Difficult for an Attacker to Create a Malicious Server
Understanding Downgrade MITM Attacks
Testing Tips
Summary
Chapter 6: Spoofing
Finding Spoofing Issues
General Spoofing
User Interface Spoofing
Testing Tips
Summary
Chapter 7: Information Disclosure
Locating Common Areas of Information Disclosure
Identifying Interesting Data
Summary
Chapter 8: Buffer Overflows and Stack and Heap Manipulation
Understanding How Overflows Work
Testing for Overruns: Where to Look for Cases
Black Box (Functional) Testing
White Box Testing
Additional Topics
Testing Tips
Summary
Chapter 9: Format String Attacks
Understanding Why Format Strings Are a Problem
Testing for Format String Vulnerabilities
Walkthrough: Seeing a Format String Attack in Action
Testing Tips
Summary
Chapter 10: HTML Scripting Attacks
Understanding Persistent XSS Attacks Against Servers
Identifying Attackable Data for Reflected and Persistent XSS Attacks
Common Ways Programmers Try to Stop Attacks
Understanding Reflected XSS Attacks Against Local Files
Understanding Script Injection Attacks in the My Computer Zone
Ways Programmers Try to Prevent HTML Scripting Attacks
Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
Identifying HTML Scripting Vulnerabilities
Finding HTML Scripting Bugs Through Code Review
Summary
Chapter 11: XML Issues
Testing XML-Specific Attacks
Simple Object Access Protocol
Testing Tips
Summary
Chapter 12: Canonicalization Issues
Finding Canonicalization Issues
File-Based Canonicalization Issues
Web-Based Canonicalization Issues
Testing Tips
Summary
Chapter 13: Finding Weak Permissions
Finding Permissions Problems
Understanding the Windows Access Control Mechanism
Finding and Analyzing Permissions on Objects
Recognizing Common Permissions Problems
Determining the Accessibility of Objects
Other Permissions Considerations
Summary
Chapter 14: Denial of Service Attacks
Testing Tips
Summary
Chapter 15: Managed Code Issues
Dispelling Common Myths About Using Managed Code
Understanding the Basics of Code Access Security
Finding Problems Using Code Reviews
Understanding the Issues of Using APTCA
Decompiling .NET Assemblies
Testing Tips
Summary
Chapter 16: SQL Injection
Exactly What Is SQL Injection?
Understanding the Importance of SQL Injection
Finding SQL Injection Issues
Avoiding Common Mistakes About SQL Injection
Understanding Repurposing of SQL Stored Procedures
Recognizing Similar Injection Attacks
Testing Tips
Summary
Chapter 17: Observation and Reverse Engineering
Using a Debugger to Trace Program Execution and Change its Behavior
Using a Decompiler or Disassembler to Reverse Engineer a Program
Analyzing Security Updates
Testing Tips
Legal Considerations
Summary
Chapter 18: ActiveX Repurposing Attacks
Understanding ActiveX Controls
ActiveX Control Testing Walkthrough
Testing Tips
Summary
Chapter 19: Additional Repurposing Attacks
Web Pages Requesting External Data
Understanding Repurposing of Window and Thread Messages
Summary
Chapter 20: Reporting Security Bugs
Contacting the Vendor
What to Expect After Contacting the Vendor
Public Disclosure
Addressing Security Bugs in Your Product
Summary
Appendix A: Tools of the Trade
Appendix B: Security Test Cases Cheat Sheet
Spoofing
Information Disclosures
Buffer Overflows
Format Strings
Cross-Site Scripting and Script Injection
XML
SOAP
Canonicalization Issues
Weak Permissions
Denial of Service
Managed Code
SQL Injection
ActiveX
List of Figures
List of Tables