Part II: The Threats
by Malcolm McDonald
Web Security for Developers
Cover Page
Title Page
Copyright Page
About the Authors
BRIEF CONTENTS
CONTENTS IN DETAIL
ACKNOWLEDGMENTS
INTRODUCTION
About This Book
Who Should Read This Book
A Brief History of the Internet
What’s in This Book
1 LET’S HACK A WEBSITE
Software Exploits and the Dark Web
How to Hack a Website
Part I: The Basics
2 HOW THE INTERNET WORKS
The Internet Protocol Suite
Application Layer Protocols
Stateful Connections
Encryption
Summary
3 HOW BROWSERS WORK
Web Page Rendering
JavaScript
Before and After Rendering: Everything Else the Browser Does
Summary
4 HOW WEB SERVERS WORK
Static and Dynamic Resources
Static Resources
Dynamic Resources
Summary
5 HOW PROGRAMMERS WORK
Phase 1: Design and Analysis
Phase 2: Writing Code
Phase 3: Pre-Release Testing
Phase 4: The Release Process
Phase 5: Post-Release Testing and Observation
Dependency Management
Summary
Part II: The Threats
6 INJECTION ATTACKS
SQL Injection
Command Injection
Remote Code Execution
File Upload Vulnerabilities
Summary
7 CROSS-SITE SCRIPTING ATTACKS
Stored Cross-Site Scripting Attacks
Reflected Cross-Site Scripting Attacks
DOM-Based Cross-Site Scripting Attacks
Summary
8 CROSS-SITE REQUEST FORGERY ATTACKS
Anatomy of a CSRF Attack
Mitigation 1: Follow REST Principles
Mitigation 2: Implement Anti-CSRF Cookies
Mitigation 3: Use the SameSite Cookie Attribute
Bonus Mitigation: Require Reauthentication for Sensitive Actions
Summary
9 COMPROMISING AUTHENTICATION
Implementing Authentication
Mitigation 1: Use Third-Party Authentication
Mitigation 2: Integrate with Single Sign-On
Mitigation 3: Secure Your Own Authentication System
Summary
10 SESSION HIJACKING
How Sessions Work
How Attackers Hijack Sessions
Summary
11 PERMISSIONS
Privilege Escalation
Access Control
Directory Traversal
Summary
12 INFORMATION LEAKS
Mitigation 1: Disable Telltale Server Headers
Mitigation 2: Use Clean URLs
Mitigation 3: Use Generic Cookie Parameters
Mitigation 4: Disable Client-Side Error Reporting
Mitigation 5: Minify or Obfuscate Your JavaScript Files
Mitigation 6: Sanitize Your Client-Side Files
Stay on Top of Security Advisories
Summary
13 ENCRYPTION
Encryption in the Internet Protocol
Enabling HTTPS
Attacking HTTP (and HTTPS)
Summary
14 THIRD-PARTY CODE
Securing Dependencies
Securing Configuration
Securing the Services That You Use
Services as an Attack Vector
Summary
15 XML ATTACKS
The Uses of XML
Validating XML
XML Bombs
XML External Entity Attacks
Securing Your XML Parser
Other Considerations
Summary
16 DON’T BE AN ACCESSORY
Email Fraud
Disguising Malicious Links in Email
Clickjacking
Server-Side Request Forgery
Botnets
Summary
17 DENIAL-OF-SERVICE ATTACKS
Denial-of-Service Attack Types
Denial-of-Service Attack Mitigation
Summary
18 SUMMING UP
INDEX