Index

Access-control-request-method

American Standard Code for Information Interchange (ASCII)

server-side HTML filter

seven-bit encoding characters

Shift_JIS

32, 32t

whitespace

33–34

Audience

Basic multilingual plane (BMP)

Browser quirks

comments

86–87

ECMA

84–85

multiline strings

parser

85–86

regular expression

85, 86

Bypasses and attacks mitigation

code injections

HTML injection and cross-site scripting

218–220

PHP

seePersonal Homepage

SQL

seeStructured Query Language

Web security

218

DOM protection

array detection

closure, definition

code replacement

defineProperty

extendWindow method

231

Firefox function

226–227

getter and setter syntax

Internet Explorer

JavaScript code

layers

object handling

onpropertychange event

proxy functions

sandboxing

SOP

styles property

top window reference

offensive computing

OWASP

server- and client-side databases

217

Web application bugs

218

Cascading style sheets (CSSs)

algorithm

131–132

at-rules

@charset

127–128

@font-face

129

@import

128–129

attacks

attribute reader

137–138

clickjacking

133f

crawler and navigation monitor

decompilation

history

IE6 and CSS2

Internet Explorer

LAN scanner

remote stylesheet inclusion

139–148

UI redressing

132–134

URL

148

conditional comments

CSS3

CSS1 vs. CSS2

data theft

declarations

entities

HTML5

239

HTML vs. JavaScript

126

JavaScript URIs

66–67

layout engine

parsers

220

rulesets and selectors

129–130

syntax

126

Web security model

243–244

Character data (CDATA)

JavaScript execution

Opera

predefined character sequence

user agents

19–20, 19t

Client-side filters

bypassing

205–213

IE8

seeInternet Explorer filters

NoScript design

vs. traditional

WAF

web vulnerability

CORS mechanism

seeCross-origin resource sharing mechanism

Crossdomain.xml files

altCrossDomainXMLFiles

265

APIs

264

getRequestProperty method

global wildcard

Java SE 6.10

JNLP files

site-control element

265

user-agent string

266

Cross-origin resource sharing (CORS) mechanism

actual request

actual response

247, 248f, 249f

preflight request

246

preflight response

Web site

246

Cross Site Request Forgery (CSRF)

240–241

CSSs

seeCascading style sheets

Database management system (DBMS)

applications

178–179

functions

183–184

intermediary characters

186, 186t

language elements

LIMIT

MySQL

SELECT

SQL injections

XML

Data theft

CSS

243–244

error messages

243

JSON

242–243

Data URIs

Acid2 test

arbitrary whitespace

bandwidth

56–57

base64 checkbox

DOM

event handlers

60–62

GHex

56, 56f

HTML5

autofocus attribute

Chromium and Opera

68–69

DoS

70–71

‹event-source›/‹eventsource›

multimedia objects

67–68

onblur event handler

Opera 10.5

Opera test-cases-domain

69–70

quirky rendering bugs

Web Forms 2.0 repetition model

WHATWG

W3Schools domain

XHTML

MIME type

57–58

style attributes

chameleon files

CSRF request

CSS-based console

66–67

CSS entities

CSS layout engine

HTML+TIME

64–65

Internet Explorer tested versions

65–66

onmouseover

Opera

sandbox object

social networking platform

63–64

unicode whitespace

vbscript protocol handler

XBL file

62–63

style tags

text/HTML

58–59

unicode entity

59–60

UTF-7 and UTF-16 character

DBMS

seeDatabase management system

Denial-of-service regular expression

213–215

DNS request

239, 267

Document type definitions (DTDs)

14, 14t, 15t

Document.URL

E4X

HTML

JavaScript comments

undefined object

XML

Extensible Hypertext Markup Language (XHTML)

Facebook Markup Language (FBML)

120

Filtering

2–3

Form Interpreter (FI)

151

Graphics interchange format (GIF)

156

Great JavaScript Charwall

121

HyperText Markup Language (HTML)

ASCII range

17–18

attack and defense

BMP

browser market competitors

CDATA

JavaScript execution

Opera

predefined character sequence

user agents

19–20, 19t

comments

20–21

cross-domain XHR problem

doctype declaration

14–15

DTDs

14, 14t, 15t

erroneous markup handling method

21–22

injection and cross-site scripting

CSS parsers

HTML Purifier

JavaScript code

Markdown

PHPIDS attack detection

220

safe HTML

219

text format

218–219

Web application filter

218–219

ISO/IEC 8859-15 character set

17–18

markup obfuscation

seeMarkup obfuscation

Mozilla Foundation

Netscape Navigator

22–23

remote code execution flaw

rendering engines

semantics and structure

SGML

strings and data types

tags

15–17

URIs

broken protocol handlers

54–55

data URIs

seeData URIs

JavaScript URIs

53–54

UTF-8 character set

Web browser

Web standards

XML

data islands

decimal and hexadecimal entities

default behaviors

design

DoS

entities

73–74

Firefox

72–73

HTC file

75–76

HTML+TIME

-moz-binding

74–75

SVG

77–79

W3C

XBL

Iframe attribute

name attribute

sandbox attribute

251

seamless attribute

251

srcdoc attribute

252

International Obfuscated C Code Contest (IOCCC)

105

Internet Explorer filters

attacks

209–213

compatibility, performance, and security

209

XSS filter

seeXSS filter

bypasses

208–209

JavaScript

208

23 versions

205–207

IOCCC

seeInternational Obfuscated C Code Contest

JAR file

262–263, 264

JavaScript (JScript)

compact value

100

conditional comments

101–102

encode value

100–101

encoding

combining

90–91

hexadecimal escapes

89–90

octal escapes

unicode escapes

87–89

execScript function

102

vs. HTML

126

nonalphanumeric

arbitrary JavaScript

121

arithmetic operators

ASCII

116

assignment operators

atob

binary data

Boolean

code execution

false string

FBML

filter blocking

Great JavaScript Charwall

IOCCC

native objects

not a number (NaN)

obfuscation

octal escapes

plain filter circumvention

sandboxing algorithm

sort function

sort method

static method

string indexes

toString method

true string

window

109, 112

zero conversion

110

zero creation

107–108, 108t

syntax

alert

81–82

arrays

browser quirks

84–87

object property

strings

window object

81–82

variables

alphanumeric characters

location.hash variable

94–95

name variable

92–94

unicode

95–96

URL

user-defined

91–92

VBScript

JavaScript Object Notation (JSON)

242–243

JSReg

228

Markup obfuscation

attributes and delimiters

attribute name and value characters

36, 36t

attribute value delimiters

37, 37t

JavaScript language element

size attribute, ‹font› tag

36–37

URL-encoding

closing tags

40–42

conditional comments

‹comment› tag

CSS browser

JScript layer

MSDN

50–51

outside and inside attributes

52–53

Trident layout engine

forensics

fun

25–26

JavaScript code alert(1) execution

JavaScript execution

about:blank, page

applet tags

47–48

body tags

data attribute

DOM

“encrypted” scripts

frameset tags

44–45

href attribute

45–46

http-equiv attribute

id/name attribute

language attribute

object tag

onload attribute

42–43

Opera

46–47

quirks modes

‹script› tags

trigger script execution

43–44

URIs

W3C

42–43

XML iframe

multiple same-named attributes

Gecko-based browsers

lowsrc attribute

onerror attribute

onmouseover

38–39

src attribute

style attribute

38–39, 40

type attribute

xmlns, XML namespace attribute

PHP

separators

ASCII whitespace

33–34

DoS attacks

PCRE

tag name and attribute characters

34, 34t

unicode character class

34–35

UTF-8 character

whitespace character

34–35

tag names obfuscation

character set and PHP-based application

Chrome charset

chr( ), PHP code

decimal ASCII

32, 32t

Firefox parser bug

injection, Web site

Japanese character set

non-ASCII characters

nullbyte

29, 30, 31, 33

server-side HTML filter

strip characters

Trident layout engine

XSS attacks/SQL injection

technical requirements

techniques

24–25

Ubuntu 9.10 platform

UTF-8 character

valid markup structure

27, 27t

Web application input filters

Web sites

Microsoft BlueHat security conference

259

Microsoft Data Access Components (MDAC)

223

Nonalphanumeric JavaScript

arithmetic operators

assignment operators

Boolean

110

character creation

ASCII

atob

binary data

obfuscation

octal escapes

toString method

false string

FBML

IOCCC

minimalistic sets

arbitrary JavaScript

121

code execution

121–122

filter blocking

120

Great JavaScript Charwall

native objects

not a number (NaN)

obfuscation process

plain filter circumvention

sandboxing algorithm

sort function

sort method

static method

string indexes

toString method

true string

window

109, 112

zero conversion

110

zero creation

107–108, 108t

Open Web Application Security Project (OWASP) Validation Regex Repository

217–218

Oracle

267

Oracle Express Edition

180–181

Perl Compatible Regular Expressions (PCRE)

Personal Homepage (PHP)

applications

226

attacker-controlled PHP code

224–225

auto_prepend_file

225–226

BBCode

226

code execution vulnerability

223–224

functions

225

Google Code Search Engine

224

history

form interpreter (FI)

151

security and bugs

153

versions

152, 152t

Zend Engine

152

include and require statements

224

numerical data types

representation

157–158

syntax

158

type juggling technique

157

values

157

obfuscation

code samples

file extension

GIF

runtime

snippet

Web server

strings

anonymous and variable functions

arrays

ASCII

backtick notation

code execution

curly bracket notation

166–167

encryption and decryption functions

escape character

159–160

evaluation

171

heredoc and nowdoc syntax

161

lambdas

172–173

mixing and comments

165

phpinfo( ) function

160–161

sneak past filter rules

superglobals

seeSuperglobals

variable variables

165–166

Web scanning

224

phpMyAdmin (PMA)

179

Regular expressions

character class

6, 7t

components

4, 4t

definition

greedy characters

nongreedy characters

restricted repetition

8, 8t

test string

4, 5t

Rulesets and selectors

129–130

Same Origin Policy (SOP)

CORS mechanism

seeCross-origin resource sharing mechanism

crossdomain.xml file

246

cross-site information exchange

245

DOM-based solutions

245

location.hash feature

UMP

Web security model

XMLHttpRequest

Scalable vector graphics (SVG)

77–79

Server-side Web development

SQL

seeStructured Query Language

Standard Generalized Markup Language (SGML)

Strings

PHP

anonymous and variable functions

arrays

ASCII

backtick notation

code execution

curly bracket notation

166–167

encryption and decryption functions

escape character

159–160

evaluation

171

heredoc and nowdoc syntax

161

lambdas

172–173

mixing and comments

165

phpinfo( ) function

160–161

sneak past filter rules

superglobals

162–165

variable variables

165–166

SQL

escaping

189–190

hexadecimal notation

188–189

regular notation and delimiting

187–188

unicode

189

XML

190–191

Structured English Query Language (SEQUEL)

177

Structured Query Language (SQL)

browser databases

executeSql

194

openDatabase object

193

SQLite

194

comments

MySQL-specific code

192–193

regular in-query

191–192

concatenation-based bugs

222

DBMS

seeDatabase management system

first version

177

language elements

functions

183–184

intermediary characters

185–187

operators

184–185

LIMIT

177–178, 178t

Microsoft SQL procedure

223

MySQL-specific code

222

obfuscation

195–196

Oracle Express Edition

PMA

proxy solution

query form

query structure

SELECT query

stacking queries

strings

escaping

189–190

hexadecimal notation

188–189

regular notation and delimitation

unicode

XML

WAFs

wafw00f tool

Web application security

223

Web sites

221–222

Superglobals

encryption

165

obfuscation

164

PHP

162, 163t

_SERVER array

164

SVG

seeScalable vector graphics

Text/html-sandboxed content type

253–255

cross-domain file

253

iframe@sandbox model

legacy browsers

MIME type

Web servers

Type juggling technique

157

Uniform Messaging Policy (UMP)

248–249

VBScript

comments

encoding

98–99

end of statement

events

execScript function

functions

97–98

W3C

seeWorld Wide Web Consortium

Web application firewalls (WAFs)

221

applications

199

bypassing WAFs

attack vectors

filters

whitelisting mode

cross-site scripting

denial-of-service attacks

213–215

public Web sites

199–200

Web attacks

203

Web applications

Content-Security-Policy header

257

cross-site scripting filters

flash plug-in

allowScriptAccess argument

258

always argument

258

arbitrary HTTP headers

Flash movie

LoadMovie method

never argument

sameDomain argument

258

Security.allowDomain API

258–259

HTML5

cross-site scripting filters

245

CSS3

239

features

244–245

JavaScript URLs origin

sandbox attribute

seamless attribute

security project

SOP

seeSame origin policy

srcdoc attribute

252

text/html-sandboxed content type

253–255

XML bindings

255–256

Java plug-in

AppletNode

261

crossdomain.xml files

seeCrossdomain.xml files

DNS rebinding attacks

266–267

Java applets

260–261

Java-based cross-site scripting

Java's APIs

Java security model

shared host attack

JavaScript code

‹meta› tag

‹param› tag

security ramifications

237

security-related extensions

256

Strict-Transport-Security header

256–257

toStaticHTML method

URL parsing

239

W3C

237–238

Web security model

CSRF

CSS

error messages

HTTP request

JSON

origin

Web server

Web sites

web technology standards

257–258

WHATWG

237–238

whitelisting property

238–239

X-Frame-Options header

256

X-XSS-Protection header

256

Web architecture

Web Hypertext Application Technology Working Group (WHATWG)

67, 237–238

Web security and technology

World Wide Web Consortium (W3C)