Web Security

Book Description

In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scales require different security methodologies. With in-depth analysis of the reasons behind each choice, the book covers client-side script security, server-side application security, and Internet company security operations. It also covers browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, data leaks, Internet transaction security, and the security development lifecycle.

Table of Contents

  1. Foreword
  2. Preface
    1. My Journey into the Security World
    2. Joining Alibaba
    3. Reflections on Network Security
    4. Security Enlightenment
    5. About White Hat
    6. Structure of This Book
    7. Acknowledgments
  3. Authors
  4. Section I - Our View of the Security World
    1. Chapter 1 - View of the IT Security World
      1. 1.1 Brief History of Web Security
        1. 1.1.1 Brief History of Chinese Hackers
        2. 1.1.2 Development Process of Hacking Techniques
        3. 1.1.3 Rise of Web Security
      2. 1.2 Black Hat, White Hat
      3. 1.3 Back to Nature: The Essence of Secret Security
      4. 1.4 Superstition: There Is No Silver Bullet
        1. 1.4.1 Security: An Ongoing Process
      5. 1.5 Security Elements
      6. 1.6 How to Implement Safety Assessment
        1. 1.6.1 Asset Classification
        2. 1.6.2 Threat Analysis
        3. 1.6.3 Risk Analysis
        4. 1.6.4 Design of Security Programs
      7. 1.7 Art of War for White Hat
        1. 1.7.1 Principle of Secure by Default
          1. 1.7.1.1 Blacklist, Whitelist
          2. 1.7.1.2 Principle of Least Privilege
        2. 1.7.2 Principle of Defense in Depth
        3. 1.7.3 Principles of Data and Code Separation
        4. 1.7.4 Unpredictability of the Principles
      8. 1.8 Summary
      9. 1.A Appendix
        1. Who Will Pay for Vulnerability?
  5. Section II - Safety on the Client Script
    1. Chapter 2 - Security of Browser
      1. 2.1 Same-Origin Policy
      2. 2.2 Sandbox Browser
      3. 2.3 Malicious URL Intercept
      4. 2.4 Rapid Development of Browser Security
      5. 2.5 Summary
    2. Chapter 3 - Cross-Site Scripting Attack
      1. 3.1 Introduction
        1. 3.1.1 First Type: Reflected XSS
        2. 3.1.2 Second Type: Stored XSS
        3. 3.1.3 Third Type: DOM-Based XSS
      2. 3.2 Advanced XSS Attack
        1. 3.2.1 Preliminary Study on XSS Pay Load
        2. 3.2.2 XSS Payload Power
          1. 3.2.2.1 Structure GET and POST Request
          2. 3.2.2.2 XSS Phishing
          3. 3.2.2.3 Identify the User’s Browser
          4. 3.2.2.4 Identify User-Installed Software
          5. 3.2.2.5 CSS History Hack
          6. 3.2.2.6 Get the User’s Real IP Address
        3. 3.2.3 XSS Attack Platform
          1. 3.2.3.1 Attack API
          2. 3.2.3.2 BeEF
          3. 3.2.3.3 XSS-Proxy
        4. 3.2.4 Ultimate Weapon: XSS Worm
          1. 3.2.4.1 Samy Worm
          2. 3.2.4.2 Baidu Space Worms
        5. 3.2.5 Debugging JavaScript
          1. 3.2.5.1 Firebug
          2. 3.2.5.2 IE 8 Developer Tools
          3. 3.2.5.3 Fiddler
          4. 3.2.5.4 HttpWatch
        6. 3.2.6 Construction Skills of XSS
          1. 3.2.6.1 Use Character Encoding
          2. 3.2.6.2 Bypass the Length Limit
          3. 3.2.6.3 Using <base> Tags
          4. 3.2.6.4 Magical Effect of window.name
        7. 3.2.7 Turning Waste into Treasure: Mission Impossible
          1. 3.2.7.1 Apache Expect Header XSS
          2. 3.2.7.2 Anehta Boomerang
        8. 3.2.8 Easily Overlooked Corner: Flash XSS
        9. 3.2.9 Really Sleep without Any Anxiety: JavaScript Development Framework
          1. 3.2.9.1 Dojo
          2. 3.2.9.2 YUI
          3. 3.2.9.3 jQuery
      3. 3.3 XSS Defense
        1. 3.3.1 Skillfully Deflecting the Question: HttpOnly
        2. 3.3.2 Input Checking
        3. 3.3.3 Output Checking
          1. 3.3.3.1 Secure Coding Function
          2. 3.3.3.2 Only Need One Kind of Coding
        4. 3.3.4 Defense XSS Correctly Designed
          1. 3.3.4.1 Output in HTML Attributes
          2. 3.3.4.2 Output in the Event
          3. 3.3.4.3 Output in CSS
          4. 3.3.4.4 Output in Address
        5. 3.3.5 Dealing with Rich Text
        6. 3.3.6 Defense DOM-Based XSS
        7. 3.3.7 See XSS from Another Angle of Risk
      4. 3.4 Summary
    3. Chapter 4 - Cross-Site Request Forgery
      1. 4.1 Introduction
      2. 4.2 Advanced CSRF
        1. 4.2.1 Cookie Policy of Browsers
        2. 4.2.2 Side Effect of P3P Header
        3. 4.2.3 GET? POST?
        4. 4.2.4 Flash CSRF
        5. 4.2.5 CSRF Worm
      3. 4.3 CSRF DEFENSE
        1. 4.3.1 Verification Code
        2. 4.3.2 Referer Check
        3. 4.3.3 Anti-CSRF Token
          1. 4.3.3.1 Nature of CSRF
          2. 4.3.3.2 Token Principles
      4. 4.4 Summary
    4. Chapter 5 - Clickjacking
      1. 5.1 What Is Clickjacking?
      2. 5.2 Flash Clickjacking
      3. 5.3 Image-Covering Attacks
      4. 5.4 Drag Hijacking and Data Theft
      5. 5.5 Clickjacking 3.0: Tapjacking
      6. 5.6 Defense against Clickjacking
        1. 5.6.1 Frame Busting
        2. 5.6.2 X-Frame-Options
      7. 5.7 Summary
    5. Chapter 6 - HTML5 Securities
      1. 6.1 New Tags of HTML5
        1. 6.1.1 New Tags of XSS
        2. 6.1.2 iframe Sandbox
        3. 6.1.3 Link Types: Noreferrer
        4. 6.1.4 Magical Effect of Canvas
      2. 6.2 Other Security Problems
        1. 6.2.1 Cross-Origin Resource Sharing
        2. 6.2.2 postMessage: Send Message across Windows
        3. 6.2.3 Web Storage
      3. 6.3 Summary
  6. Section III - Application Security on the Server Side
    1. Chapter 7 - Injection Attacks
      1. 7.1 SQL Injection Attacks
        1. 7.1.1 Blind Injection
        2. 7.1.2 Timing Attack
      2. 7.2 Database Attacking Techniques
        1. 7.2.1 Common Attack Techniques
        2. 7.2.2 Command Execution
        3. 7.2.3 Stored Procedure Attacks
        4. 7.2.4 Coding Problems
        5. 7.2.5 SQL Column Truncation
      3. 7.3 Properly Defending against SQL Injection
        1. 7.3.1 Using Precompiled Statements
        2. 7.3.2 Using Stored Procedures
        3. 7.3.3 Checking the Data Type
        4. 7.3.4 Using Safety Functions
      4. 7.4 Other Injection Attacks
        1. 7.4.1 XML Injection
        2. 7.4.2 Code Injection
        3. 7.4.3 CRLF Injection
      5. 7.5 Summary
    2. Chapter 8 - File Upload Vulnerability
      1. 8.1 File Upload Vulnerability Overview
        1. 8.1.1 FCKEditor File Upload Vulnerability
        2. 8.1.2 Bypassing the File Upload Check Function
      2. 8.2 Functionality or Vulnerability
        1. 8.2.1 Apache File Parsing Problem
        2. 8.2.2 IIS File Parsing Problem
        3. 8.2.3 PHP CGI Path Parsing Problem
        4. 8.2.4 Upload Files Phishing
      3. 8.3 Designing Secure File Upload Features
      4. 8.4 Summary
    3. Chapter 9 - Authentication and Session Management
      1. 9.1 Who Am I?
      2. 9.2 Password
      3. 9.3 Multifactor Authentication
      4. 9.4 Session Management and Authentication
      5. 9.5 Session Fixation Attacks
      6. 9.6 Session Keep Attack
      7. 9.7 Single Sign-On
      8. 9.8 Summary
    4. Chapter 10 - Access Control
      1. 10.1 What Can I Do?
      2. 10.2 Vertical Rights Management
      3. 10.3 Horizontal Rights Management
        1. 10.3.1 Unauthorized User Access Problems on youku.com (Vulnerability No. Wooyun-2010-0129)
        2. 10.3.2 Unauthorized User Access Problems on layifen.com (Vulnerability No. Wooyun-2010-01576)
      4. 10.4 Summary of OAuth
      5. 10.5 Summary
    5. Chapter 11 - Encryption Algorithms and Random Numbers
      1. 11.1 Introduction
      2. 11.2 Stream Cipher Attack
        1. 11.2.1 Reused Key Attack
        2. 11.2.2 Bit-Flipping Attack
        3. 11.2.3 Issue of Weak Random IV
      3. 11.3 WEP Crack
      4. 11.4 ECB Mode Defects
      5. 11.5 Padding Oracle Attack
      6. 11.6 Key Management
      7. 11.7 Problems with a Pseudorandom Number
        1. 11.7.1 Trouble with a Weak Pseudorandom Number
        2. 11.7.2 Time Is Really Random
        3. 11.7.3 Breaking the Pseudorandom Number Algorithm Seed
        4. 11.7.4 Using Secure Random Numbers
      8. 11.8 Summary
      9. 11.A Appendix: Understanding the MD5 Length Extension Attack
    6. Chapter 12 - Web Framework Security
      1. 12.1 MVC Framework Security
      2. 12.2 Template Engine and XSS Defenses
      3. 12.3 Web Framework and CSRF Defense
      4. 12.4 HTTP Header Management
      5. 12.5 Data Persistence Layer and SQL Injection
      6. 12.6 What More Can We Think Of?
      7. 12.7 Web Framework Self-Security
        1. 12.7.1 Struts 2 Command Execution Vulnerability
        2. 12.7.2 Struts 2 Patch
        3. 12.7.3 Spring MVC Execution Vulnerability
        4. 12.7.4 Django Execution Vulnerability
      8. 12.8 Summary
    7. Chapter 13 - Application-Layer Denial-of-Service Attacks
      1. 13.1 Introduction to DDoS
      2. 13.2 Application-Layer DDoS
        1. 13.2.1 CC Attack
        2. 13.2.2 Restriction of Request Frequency
        3. 13.2.3 The Priest Climbs a Post, the Devil Climbs Ten
      3. 13.3 About Verification Code
      4. 13.4 DDoS in the Defense Application Layer
      5. 13.5 Resource Exhaustion Attack
        1. 13.5.1 Slowloris Attack
        2. 13.5.2 HTTP POST DoS
        3. 13.5.3 Server Limit DoS
      6. 13.6 DoS Caused by Regular Expression: ReDoS
      7. 13.7 Summary
    8. Chapter 14 - PHP Security
      1. 14.1 File Inclusion Vulnerability
        1. 14.1.1 Local File Inclusion
        2. 14.1.2 Remote File Inclusion
        3. 14.1.3 Using Skill of Local File Inclusion
      2. 14.2 Variable Coverage Vulnerability
        1. 14.2.1 Global Variable Coverage
        2. 14.2.2 The extract() Variable Coverage
        3. 14.2.3 Traversal Initializing Variables
        4. 14.2.4 The import_request_variables Variable Coverage
        5. 14.2.5 The parse_str() Variable Coverage
      3. 14.3 Code Execution Vulnerability
        1. 14.3.1 “Dangerous Function” Executes the Code
          1. 14.3.1.1 The phpMyAdmin 3.4.3.1 Remote Code Execution Vulnerability
          2. 14.3.1.2 MyBB1.4 Remote Code Execution Vulnerability
        2. 14.3.2 File Writing Code Execution
        3. 14.3.3 Other Methods of Code Execution
          1. 14.3.3.1 Functions That Directly Execute Code
          2. 14.3.3.2 File Inclusion
          3. 14.3.3.3 Writing in Local File
          4. 14.3.3.4 Execution of the preg_replace() Code
          5. 14.3.3.5 Dynamic Function Execution
          6. 14.3.3.6 Curly Syntax
          7. 14.3.3.7 Callback Function Execution Code
          8. 14.3.3.8 Unserialize() Results in Code Execution
      4. 14.4 Customize Secure PHP Environment
      5. 14.5 Summary
    9. Chapter 15 - Web Server Configuration Security
      1. 15.1 Apache Security
      2. 15.2 Nginx Security
      3. 15.3 jBoss Remote Command Execution
      4. 15.4 Tomcat Remote Command Execution
      5. 15.5 HTTP Parameter Pollution
      6. 15.6 Summary
  7. Section IV - Safety Operations of Internet Companies
    1. Chapter 16 - Security of Internet Business
      1. 16.1 What Kind of Security Do Products Require?
        1. 16.1.1 Security Requirements of Internet Products
        2. 16.1.2 What Is a Good Security Program?
          1. 16.1.2.1 Complex Password Security
      2. 16.2 Business Logic Security
        1. 16.2.1 Loopholes in Password Security
        2. 16.2.2 Who Will Be the Big Winner?
        3. 16.2.3 Practice Deception
        4. 16.2.4 Password Recovery Process
      3. 16.3 How the Account Is Stolen
        1. 16.3.1 Various Ways of Account Theft
        2. 16.3.2 Analysis on Why Accounts Get Stolen
      4. 16.4 Internet Garbage
        1. 16.4.1 Threat of Spam
        2. 16.4.2 Spam Disposal
      5. 16.5 Phishing
        1. 16.5.1 Details about Phishing
        2. 16.5.2 Mail Phishing
        3. 16.5.3 Prevention and Control of Phishing Sites
          1. 16.5.3.1 Control the Routes of Transmission of Phishing Sites
          2. 16.5.3.2 Direct Fight against Phishing Sites
          3. 16.5.3.3 User Education
          4. 16.5.3.4 Automatic Identification of Phishing Sites
        4. 16.5.4 Phishing in Online Shopping
        5. 16.5.5 Analysis of Phishing in Online Shopping and Its Prevention
      6. 16.6 User Privacy Protection
        1. 16.6.1 Challenges in Internet User Privacy
        2. 16.6.2 How to Protect User Privacy
        3. 16.6.3 Do Not Track
      7. 16.7 Summary
      8. 16.A Appendix: Trouble Terminator
    2. Chapter 17 - Security Development Lifecycle
      1. 17.1 Introduction
      2. 17.2 Agile SDL
      3. 17.3 SDL Actual Combat Experience
      4. 17.4 Requirements Analysis and Design Phase
      5. 17.5 Development Phase
        1. 17.5.1 Providing Security Functions
        2. 17.5.2 Code Security Audit Tool
      6. 17.6 Test Phase
      7. 17.7 Summary
    3. Chapter 18 - Security Operations
      1. 18.1 Make the Security Operated
      2. 18.2 Process of Vulnerability Patch
      3. 18.3 Security Monitoring
      4. 18.4 Intrusion Detection
      5. 18.5 Emergency Response Process
      6. 18.6 Summary
      7. 18.A Appendix
        1. Development Direction of Security in Internet Enterprises