The Web Application Hacker's Handbook,

The highly successful security book returns with a new edition, completely updated

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

• Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition

• Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more

• Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Autorentext

DAFYDD STUTTARD is an independent security consultant,
author, and software developer specializing in penetration testing
of web applications and compiled software. Under the alias
PortSwigger, Dafydd created the popular Burp Suite of hacking
tools.

MARCUS PINTO delivers security consultancy and training
on web application attack and defense to leading global
organizations in the financial, government, telecom, gaming, and
retail sectors.

The authors cofounded MDSec, a consulting company that provides
training in attack and defense-based security.

Inhalt

Introduction xxiii

Chapter 1 Web Application (In)security 1

The Evolution of Web Applications 2

Common Web Application Functions 4

Benefits of Web Applications 5

Web Application Security 6

This Site Is Secure 7

The Core Security Problem: Users Can Submit Arbitrary Input 9

Key Problem Factors 10

The New Security Perimeter 12

The Future of Web Application Security 14

Summary 15

Chapter 2 Core Defense Mechanisms 17

Handling User Access 18

Authentication 18

Session Management 19

Access Control 20

Handling User Input 21

Varieties of Input 21

Approaches to Input Handling 23

Boundary Validation 25

Multistep Validation and Canonicalization 28

Handling Attackers 30

Handling Errors 30

Maintaining Audit Logs 31

Alerting Administrators 33

Reacting to Attacks 34

Managing the Application 35

Summary 36

Questions 36

Chapter 3 Web Application Technologies 39

The HTTP Protocol 39

HTTP Requests 40

HTTP Responses 41

HTTP Methods 42

URLs 44

Rest 44

HTTP Headers 45

Cookies 47

Status Codes 48

Https 49

HTTP Proxies 49

HTTP Authentication 50

Web Functionality 51

Server-Side Functionality 51

Client-Side Functionality 57

State and Sessions 66

Encoding Schemes 66

URL Encoding 67

Unicode Encoding 67

HTML Encoding 68

Base64 Encoding 69

Hex Encoding 69

Remoting and Serialization Frameworks 70

Next Steps 70

Questions 71

Chapter 4 Mapping the Application 73

Enumerating Content and Functionality 74

Web Spidering 74

User-Directed Spidering 77

Discovering Hidden Content 80

Application Pages Versus Functional Paths 93

Discovering Hidden Parameters 96

Analyzing the Application 97

Identifying Entry Points for User Input 98

Identifying Server-Side Technologies 101

Identifying Server-Side Functionality 107

Mapping the Attack Surface 111

Summary 114

Questions 114

Chapter 5 Bypassing Client-Side Controls 117

Transmitting Data Via the Client 118

Hidden Form Fields 118

HTTP Cookies 121

URL Parameters 121

The Referer Header 122

Opaque Data 123

The ASP.NET ViewState 124

Capturing User Data: HTML Forms 127

Length Limits 128

Script-Based Validation 129

Disabled Elements 131

Capturing User Data: Browser Extensions 133

Common Browser Extension Technologies 134

Approaches to Browser Extensions 135

Intercepting Traffic from Browser Extensions 135

Decompiling Browser Extensions 139

Attaching a Debugger 151

Native Client Components 153

Handling Client-Side Data Securely 154

Transmitting Data Via the Client 154

Validating Client-Generated Data 155

Logging and Alerting 156

Summary 156

Questions 157

Chapter 6 Attacking Authentication 159

Authentication Technologies 160

Design Flaws in Authentication Mechanisms 161

Bad Passwords 161

Brute-Forcible Login 162

Verbose Failure Messages 166

Vulnerable Transmission of Credentials 169

Password Change Functionality 171

Forgotten Password Functionality 173

Remember Me Functionality 176

User Impersonation Functionality 178 <p&gt...