Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »
Authoritative.
Strategic.
Innocent Code - a Security Wake-up Call for Web Programmers
-
Author:
-
Subject:
-
Published by:John Wiley & Sons (UK)
-
Published:09/12/2003
-
Price:$67.99
- < Buy this book >
- This concise and practical book shows where code vulnerabilities lie-without delving into the specifics of each system architecture, programming or scripting language, or application-and how best to fix them
- Based on real-world situations taken from the author's experiences of tracking coding mistakes at major financial institutions
- Covers SQL injection attacks, cross-site scripting, data manipulation in order to bypass authorization, and other attacks that work because of missing pieces of code
- Shows developers how to change their mindset from Web site construction to Web site destruction in order to find dangerous code
Biography
Sverre Huseby runs his own company selling courses and consultancy services in Web application security. He's an active participant on webappsec mail forum.
Table of Contents
Foreword.
Acknowledgments.
Introduction.
I.1 The Rules.
I.2 The Examples.
I.3 The Chapters.
I.4 What is Not in this Book?
I.5 A Note From the Author.
I.6 Feedback.
1. The Basics.
1.1 HTTP.
1.2 Sessions.
1.3 HTTPS.
1.4 Summary.
1.5 Do You Want to Know More?
2. Passing Data to Subsystems.
2.1 SQL Injection.
2.2 Shell Command Injection.
2.3 Talking to Programs Written in C/C++.
2.4 The Evil Eval.
2.5 Solving Metacharacter Problems.
2.6 Summary.
3. User Input.
3.1 What is Input Anyway?
3.2 Validating Input.
3.3 Handling Invalid Input.
3.4 The Dangers of Client-side Validation.
3.5 Authorization Problems.
3.6 Protecting Server-generated Input.
3.7 Summary.
4. Output Handling: The Cross-site Scripting Problem.
4.1 Examples.
4.2 The Problem.
4.3 The Solution.
4.4 Browser Character Sets.
4.5 Summary.; 4.6 Do You Want to Know More?
5. Web Trojans.
5.1 Examples.
5.2 The Problem.
5.3 A Solution.
5.4 Summary.
6. Passwords and Other Secrets.
6.1 Crypto-stuff.
6.2 Password-based Authentication.
6.3 Secret Identifiers.
6.4 Secret Leakage.
6.5 Availability of Server-side Code.
6.6 Summary.
6.7 Do You Want to Know More?
7. Enemies of Secure Code.
7.1 Ignorance.
7.2 Mess.
7.3 Deadlines.
7.4 Salesmen.
7.5 Closing Remarks.
7.6 Do You Want to Know More?
8. Summary of Rules for Secure Coding.
Appendix A: Bugs in the Web Server.
Appendix B: Packet Sniffing.
Appendix C: Sending HTML Formatted E-mails with Forged Sender Address.
Appendix D: More Information.
Acronyms.
References.
Index.
Get exclusive access to Invitation only events CIO, reports & analysis. Latest Jobs
- FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
- CCSystem Engineer - Lync and Exchange - CONTRACTSWA
- FTSenior Citrix EngineerNSW
- FTiPhone App DeveloperNSW
- FTSenior Citrix EngineerNSW
- CCSystem Engineer - Exchange - CONTRACTSWA
- FTiPhone App DeveloperNSW
- FTiPhone Developer DeveloperNSW
- FTSenior Network Engineer - Cisco / Nexus / UCS / - Routing / Switching / WirelessNSW
- FTSenior Network Field Engineer - Cisco R&S / Wireless SolutionsNSW
- FTTechnical Services Engineer - ShoreTel/MitelVIC
- FTChange Management ProfessionalsNSW
- FTiPhone App DeveloperNSW
- FTIT Account Manager - System Integrator - Career Progression - Start ImmediatelyNSW
- FTProduct Manager Strategist - Enterprise ApplicationsNSW
- CCAvaya Engineer - ERS 8600 4.1NSW
Zones
Featured Whitepapers
Top 10 Mistakes in Data Centre Operations: Operating Efficient and Effective Data Centers
For years, the data centre industry has accepted that human operational error, not poor data centre design or engineering, is the number one cause of data centre downtime. Now is ...
Most Popular Whitepapers
-
1
The Pathways ICT Leadership Development Program Brochure and Curriculum 2012
Developed by the CIO executive Council, Pathways is a unique, flexible, self-managed, self-paced 12-month CIO designed and delivered ...
Recent comments
-
"Ich kenne einige Leute, die aus Kanadakommen. Eines Tages werde ich auch ..."
Australia's first 4G smartphone is the HTC Velocity 4G
-
"Actually when someone doesn't know then its up to other visitors that ..."
Swedish e-commerce startup's execs linked to NYC sex crime
-
"Hi to all, how is everything, I think every one is getting ..."
Face Time - Interview with John Brennan and Robert DiStefano
-
"I am truly thankful to the owner of this website who has ..."
How to implement next-generation storage infrastructure for Big Data
-
"hwjae , click here http://www.breastenhanceproduct.org/how-to-benefit-from-herbal-breast-enhancements"
Pfizer's Future Depends on IT Transformation
Subscribe to CIO
Critical. Authoritative. Strategic. CIO magazine addresses the issues vital to the success of IT and business executives. Solutions-oriented editorial provides a greater understanding of the role IT plays in achieving corporate goals. Subscribe to the print edition today.
CSO
Computerworld
ARN
Techworld
Copyright 2012 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.
IDG Sites:
PC World |
GoodGearGuide |
Computerworld Australia |
CSO Online |
Techworld |
ARN |
CIO Executive Council
