Hacking the Code: Auditor's Guide to Writing Secure Code for the Web

Elsevier, May 10, 2004 - Computers - 550 pages

Hacking the Code has over 400 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of pages to architecture- and theory-based flaws and exploits, Hacking the Code dives right into deep code analysis. Previously undisclosed security research, combined with superior programming techniques from Foundstone and other respected organizations, is included in both the Local and Remote Code sections of the book.

The book is accompanied by a FREE COMPANION CD containing both commented and uncommented versions of the source code examples presented throughout the book. In addition to the book source code, the CD also contains a copy of the author-developed Hacker Code Library v1.0. The Hacker Code Library includes multiple attack classes and functions that can be used to quickly create security programs and scripts. These classes and functions simplify exploit and vulnerability tool development to an extent never before possible with publicly available software.

  • Learn to quickly create security tools that ease the burden of software testing and network administration
  • Find out about key security issues regarding vulnerabilities, exploits, programming flaws, and secure code development
  • Discover the differences in numerous types of web-based attacks so that developers can create proper quality assurance testing procedures and tools
  • Learn to automate quality assurance, management, and development tasks and procedures for testing systems and applications
  • Learn to write complex Snort rules based solely upon traffic generated by network tools and exploits

Contents

Working with .NET Encryption Features  200
Code Audit Fast Track  201
Keeping Memory Clean  202
Frequently Asked Questions  203
Filtering User Input  205
Introduction  206
Handling Malicious Input  207
Other Sources of Input  209

The Spam King  14
Limiting Credential Exposure  15
Security Policies  16
Security Policies  18
Managing Passwords  19
Security Policies  22
Security Policies  25
Security Policies  27
Resetting Lost or Forgotten Passwords  28
Security Policies  33
Sending Information Via E-Mail  34
Security Policies  36
Building the Code  37
Using Secret Questions  38
Building the Code  41
Security Policies  42
Security Policies  44
Security Policies  45
Coding Standards Fast Track  46
Changing Passwords  47
Empowering Users  48
Managing Passwords  49
Sending Information Via E-Mail  50
Frequently Asked Questions  51
Authenticating and Authorizing Users  53
Introduction  54
Authenticating Users  55
Security Policies  57
Using Forms Authentication  58
Configuring Forms Authentication  64
Security Policies  65
Basic Authentication  66
Digest Authentication  67
Integrated Windows Authentication  68
Client Certificate Mapping  69
Authenticating Users  70
Security Policies  75
Security Policies  78
Locking Accounts  79
Finding Other Countermeasures  81
Security Policies  86
Deciding How to Authorize  87
Roles and Resources  90
Security Policies  91
Security Policies  92
Applying URL Authorization  93
HTTP Verbs  95
Files and Paths  97
Configuration Hierarchy  98
Security Policies  99
Declarative Authorization  100
Explicit Authorization  101
Security Policies  102
Coding Standards Fast Track  103
Blocking Brute-Force Attacks  104
Applying URL Authorization  105
Using Windows Authentication  106
Employing File Authorization  107
Frequently Asked Questions  108
Managing Sessions  109
Introduction  110
Authentication Tokens  111
Maintaining State  113
Does the Application Use a Sufficiently Large Keyspace?  114
Is It Possible for a User to Manipulate the Token to Hop to Another Account?  115
Does the Client Store the Token After the Session Ends?  116
Selecting a Token Mechanism  117
Cookie-Based Tokens  118
Security Policies  119
Securing In-Process State  120
Securing SQL Server State Management  122
General Settings  123
Using ASP.NET Tokens  124
Cookie Domain  125
Cookie Path  127
Cookie Expiration  128
Secure Cookies  130
Cookie Values  131
Protecting View State  132
Security Policies  135
Creating Tokens  136
Binding to the Client  139
Security Policies  141
Terminating Sessions  142
Security Policies  144
Coding Standards Fast Track  145
Using ASP.NET Tokens  146
Terminating Sessions  147
Using State Providers  148
Enhancing ASP.NET State Management  149
Frequently Asked Questions  150
Encrypting Private Data  153
Introduction  154
Using Cryptography in ASP.NET  155
Employing Symmetric Cryptography  156
DES and 3DES  159
Rijndael  163
RC2  165
Selecting an Algorithm  166
Establishing Keys and Initialization Vectors  170
Security Policies  177
Working with Hashing Algorithms  179
Verifying Integrity  181
Hashing Passwords  183
Security Policy  186
Creating Random Numbers  187
Security Policy  188
Security Policies  190
Storing Secrets in a File  192
Storing Secrets in the Registry  194
Storing Secrets Using DPAPI  195
Protecting Communications with SSL  196
Security Policies  198
Coding Standards Fast Track  199
Security Policy  211
Centralizing Code  213
Testing and Auditing  214
Security Policy  218
Bounds Checking  219
Validator Controls  220
Security Policy  222
Escaping Data  225
Security Policy  226
Reflecting the Data  227
Security Policy  229
Encoding Data  230
Security Policy  234
Security Policy  235
Security Policy  237
Security Policy  239
Security Policy  240
Security Policy  241
Security Policy  243
Unused Code  244
Limiting Access to Code  246
Security Policy  247
Server-Side Code  248
Request Length  249
Security Policy  250
Coding Standards Fast Track  251
Data Reflecting  252
Exception Handling  253
Hardening Server Applications  254
Pattern Matching  255
Double Decoding  256
Limiting Attack Scope  257
Frequently Asked Questions  258
Accessing Data  261
Introduction  262
Securing Databases  263
Security Policy  265
Securing Specific Drivers  267
IIS with ODBC  269
Security Policy  270
Security Policy  272
Security Policy  274
Authentication  275
Protecting Connection Strings  277
Authorization  278
Security Policy  279
Preventing SQL Injection  280
Filtering or Escaping Dangerous Characters  285
Using SqlParameters  287
Constraining Data Types and Length  289
Handling Errors on the Server  290
Security Policy  291
Security Policy  296
Security Policy  302
Coding Standards Fast Track  303
Writing Secure Data Access Code  304
Code Audit Fast Track  305
Securing the Database  306
Reading and Writing to Data Files  307
Developing Secure ASP.NET Applications  309
Introduction  310
Constructing Safe HTML  311
Security Policy  314
Security Policy  315
Using Structured Error Handling  317
Structured Error Handling  319
Security Policy  321
Generic Errors  322
Logging Errors  323
Security Policy  325
Coding Standards Fast Track  326
Handling Exceptions  327
Preventing Information Leaks  328
Frequently Asked Questions  329
Securing XML  331
Introduction  332
Encrypting XML Data  333
XML Encryption Process  339
XML Encryption Example  340
Security Policies  348
XML Digital Signatures Specification  349
XML Digital Signature Example  351
Security Policies  357
Coding Standards Fast Track  358
Applying XML Digital Signatures  359
Understanding .NET Security  361
Introduction  362
Principal  363
Authentication  364
Type Safety  365
Stack Walking  366
Code Identity  368
Code Groups  369
Declarative and Imperative Security  371
Requesting Permissions  373
Demanding Permissions  376
Overriding Security Checks  379
Custom Permissions  385
Role-Based Security  387
WindowsPrincipal  388
GenericPrincipal  389
Manipulating Identity  390
Role-Based Security Checks  392
Security Policies  396
Creating a New Permission Set  399
Modifying the Code Group Structure  405
Remoting Security  412
Security Tools  415
Summary  418
Security Fast Track  419
Frequently Asked Questions  423
Glossary of Web Application Security Threats  427
Index  429
Copyright
