Flylib.com
Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
Authors: Tom Gallagher, Lawrence Landauer, Bryan Jeffries
Hunting Security Bugs
Back Cover
About
Foreword
Introduction
Who Is This Book For?
Organization of This Book
System Requirements
Technology Updates
Code Samples and Companion Content
Support for This Book
Acknowledgments
Chapter 1: General Approach to Security Testing
Different Types of Security Testers
An Approach to Security Testing
Summary
Chapter 2: Using Threat Models for Security Testing
How Testers Can Leverage a Threat Model
Data Flow Diagrams
Enumeration of Entry Points and Exit Points
Enumeration of Threats
How Testers Should Use a Completed Threat Model
Implementation Rarely Matches the Specification or Threat Model
Summary
Chapter 3: Finding Entry Points
Finding and Ranking Entry Points
Common Entry Points
Summary
Chapter 4: Becoming a Malicious Client
Testing HTTP
Testing Specific Network Requests Quickly
Testing Tips
Summary
Chapter 5: Becoming a Malicious Server
Understanding Common Ways Clients Receive Malicious Server Responses
Does SSL Prevent Malicious Server Attacks?
Manipulating Server Responses
Examples of Malicious Response Bugs
Myth: It Is Difficult for an Attacker to Create a Malicious Server
Understanding Downgrade MITM Attacks
Testing Tips
Summary
Chapter 6: Spoofing
Finding Spoofing Issues
General Spoofing
User Interface Spoofing
Testing Tips
Summary
Chapter 7: Information Disclosure
Locating Common Areas of Information Disclosure
Identifying Interesting Data
Summary
Chapter 8: Buffer Overflows and Stack and Heap Manipulation
Understanding How Overflows Work
Testing for Overruns: Where to Look for Cases
Black Box (Functional) Testing
White Box Testing
Additional Topics
Testing Tips
Summary
Chapter 9: Format String Attacks
Understanding Why Format Strings Are a Problem
Testing for Format String Vulnerabilities
Walkthrough: Seeing a Format String Attack in Action
Testing Tips
Summary
Chapter 10: HTML Scripting Attacks
Understanding Persistent XSS Attacks Against Servers
Identifying Attackable Data for Reflected and Persistent XSS Attacks
Common Ways Programmers Try to Stop Attacks
Understanding Reflected XSS Attacks Against Local Files
Understanding Script Injection Attacks in the My Computer Zone
Ways Programmers Try to Prevent HTML Scripting Attacks
Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
Identifying HTML Scripting Vulnerabilities
Finding HTML Scripting Bugs Through Code Review
Summary
Chapter 11: XML Issues
Testing XML-Specific Attacks
Simple Object Access Protocol
Testing Tips
Summary
Chapter 12: Canonicalization Issues
Finding Canonicalization Issues
File-Based Canonicalization Issues
Web-Based Canonicalization Issues
Testing Tips
Summary
Chapter 13: Finding Weak Permissions
Finding Permissions Problems
Understanding the Windows Access Control Mechanism
Finding and Analyzing Permissions on Objects
Recognizing Common Permissions Problems
Determining the Accessibility of Objects
Other Permissions Considerations
Summary
Chapter 14: Denial of Service Attacks
Testing Tips
Summary
Chapter 15: Managed Code Issues
Dispelling Common Myths About Using Managed Code
Understanding the Basics of Code Access Security
Finding Problems Using Code Reviews
Understanding the Issues of Using APTCA
Decompiling .NET Assemblies
Testing Tips
Summary
Chapter 16: SQL Injection
Exactly What Is SQL Injection?
Understanding the Importance of SQL Injection
Finding SQL Injection Issues
Avoiding Common Mistakes About SQL Injection
Understanding Repurposing of SQL Stored Procedures
Recognizing Similar Injection Attacks
Testing Tips
Summary
Chapter 17: Observation and Reverse Engineering
Using a Debugger to Trace Program Execution and Change Its Behavior
Using a Decompiler or Disassembler to Reverse Engineer a Program
Analyzing Security Updates
Testing Tips
Legal Considerations
Summary
Chapter 18: ActiveX Repurposing Attacks
Understanding ActiveX Controls
ActiveX Control Testing Walkthrough
Testing Tips
Summary
Chapter 19: Additional Repurposing Attacks
Web Pages Requesting External Data
Understanding Repurposing of Window and Thread Messages
Summary
Chapter 20: Reporting Security Bugs
Contacting the Vendor
What to Expect After Contacting the Vendor
Public Disclosure
Addressing Security Bugs in Your Product
Summary
Appendix A: Tools of the Trade
Appendix B: Security Test Cases Cheat Sheet
Spoofing
Information Disclosures
Buffer Overflows
Format Strings
Cross-Site Scripting and Script Injection
XML
SOAP
Canonicalization Issues
Weak Permissions
Denial of Service
Managed Code
SQL Injection
ActiveX
List of Figures
List of Tables
flylib.com © 2008-2017.