Index
  • Cover Page
  • Hacking Exposed™ Web Applications: Web Application Security Secrets and Solutions
  • Copyright Page
  • Dedication
  • About the Authors
  • At a Glance
  • Contents
  • Foreword
  • Acknowledgments
  • Introduction

1 Hacking Web Apps 101
  • What Is Web Application Hacking?
      • GUI Web Hacking
      • URI Hacking
      • Methods, Headers, and Body
      • Resources
      • Authentication, Sessions, and Authorization
      • The Web Client and HTML
      • Other Protocols
  • Why Attack Web Applications?
  • Who, When, and Where?
      • Weak Spots
  • How Are Web Apps Attacked?
      • The Web Browser
      • Browser Extensions
      • HTTP Proxies
      • Command-line Tools
      • Older Tools
  • Summary
  • References & Further Reading
2 Profiling
  • Infrastructure Profiling
      • Footprinting and Scanning: Defining Scope
      • Basic Banner Grabbing
      • Advanced HTTP Fingerprinting
      • Infrastructure Intermediaries
  • Application Profiling
      • Manual Inspection
      • Search Tools for Profiling
      • Automated Web Crawling
      • Common Web Application Profiles
  • General Countermeasures
      • A Cautionary Note
      • Protecting Directories
      • Protecting include Files
      • Miscellaneous Tips
  • Summary
  • References & Further Reading
3 Hacking Web Platforms
  • Point-and-Click Exploitation Using Metasploit
  • Manual Exploitation
  • Evading Detection
  • Web Platform Security Best Practices
      • Common Best Practices
      • IIS Hardening
      • Apache Hardening
      • PHP Best Practices
  • Summary
  • References & Further Reading
4 Attacking Web Authentication
  • Web Authentication Threats
      • Username/Password Threats
      • Strong(er) Web Authentication
      • Web Authentication Services
  • Bypassing Authentication
      • Token Replay
      • Cross-site Request Forgery
      • Identity Management
      • Client-side Piggybacking
  • Some Final Thoughts: Identity Theft
  • Summary
  • References & Further Reading
5 Attacking Web Authorization
  • Fingerprinting Authz
      • Crawling ACLs
      • Identifying Access Tokens
      • Analyzing Session Tokens
      • Differential Analysis
      • Role Matrix
  • Attacking ACLs
  • Attacking Tokens
      • Manual Prediction
      • Automated Prediction
      • Capture/Replay
      • Session Fixation
  • Authorization Attack Case Studies
      • Horizontal Privilege Escalation
      • Vertical Privilege Escalation
      • Differential Analysis
      • When Encryption Fails
      • Using cURL to Map Permissions
  • Authorization Best Practices
      • Web ACL Best Practices
      • Web Authorization/Session Token Security
      • Security Logs
  • Summary
  • References & Further Reading
6 Input Injection Attacks
  • Expect the Unexpected
  • Where to Find Attack Vectors
  • Bypass Client-Side Validation Routines
  • Common Input Injection Attacks
      • Buffer Overflow
      • Canonicalization (dot-dot-slash)
      • HTML Injection
      • Boundary Checks
      • Manipulate Application Behavior
      • SQL Injection
      • XPATH Injection
      • LDAP Injection
      • Custom Parameter Injection
      • Log Injection
      • Command Execution
      • Encoding Abuse
      • PHP Global Variables
      • Common Side-effects
  • Common Countermeasures
  • Summary
  • References & Further Reading
7 Attacking XML Web Services
  • What Is a Web Service?
      • Transport: SOAP over HTTP(S)
      • WSDL
      • Directory Services: UDDI and DISCO
      • Similarities to Web Application Security
  • Attacking Web Services
  • Web Service Security Basics
  • Summary
  • References & Further Reading
8 Attacking Web Application Management
  • Remote Server Management
      • Telnet
      • SSH
      • Proprietary Management Ports
      • Other Administration Services
  • Web Content Management
      • FTP
      • SSH/scp
      • FrontPage
      • WebDAV
  • Misconfigurations
      • Unnecessary Web Server Extensions
      • Information Leakage Misconfigurations
      • State Management Misconfiguration
  • Summary
  • References & Further Reading
9 Hacking Web Clients
  • Exploits
      • Web Client Implementation Vulnerabilities
  • Trickery
  • General Countermeasures
      • Low-privilege Browsing
      • Firefox Security Extensions
      • ActiveX Countermeasures
      • Server-side Countermeasures
  • Summary
  • References & Further Reading
10 The Enterprise Web Application Security Program
  • Threat Modeling
      • Clarify Security Objectives
      • Identify Assets
      • Architecture Overview
      • Decompose the Application
      • Identify and Document Threats
      • Rank the Threats
      • Develop Threat Mitigation Strategies
  • Code Review
      • Manual Source Code Review
      • Automated Source Code Review
      • Binary Analysis
  • Security Testing of Web App Code
      • Fuzzing
      • Test Tools, Utilities, and Harnesses
      • Pen-testing
  • Security in the Web Development Process
      • People
      • Process
      • Technology
  • Summary
  • References & Further Reading

Back Matter
  • A Web Application Security Checklist
  • B Web Hacking Tools and Techniques Cribsheet
  • Index