Innocent Code: A Security Wake-Up Call for Web Programmers

John Wiley & Sons, Nov 19, 2004 - Computers - 246 pages
  • This concise and practical book shows where code vulnerabilities lie, without delving into the specifics of each system architecture, programming or scripting language, or application, and how best to fix them
  • Based on real-world situations taken from the author's experiences of tracking coding mistakes at major financial institutions
  • Covers SQL injection attacks, cross-site scripting, data manipulation in order to bypass authorization, and other attacks that work because of missing pieces of code
  • Shows developers how to change their mindset from Web site construction to Web site destruction in order to find dangerous code

Contents

1 The Basics ........................................................ 1
2 Passing Data to Subsystems ........................................ 21
3 User Input ........................................................ 57
4 The Cross-Site Scripting Problem .................................. 97
5 Web Trojans ....................................................... 125
6 Passwords and Other Secrets ....................................... 135
7 Enemies of Secure Code ............................................ 163
8 Summary of Rules for Secure Coding ................................ 177
Bugs in the Web Server .............................................. 187
Packet Sniffing ..................................................... 193
Sending HTML Formatted Emails with a Forged Sender Address .......... 199
More Information .................................................... 201
Acronyms ............................................................ 205
References .......................................................... 209
Index ............................................................... 221
Copyright

About the author (2004)

Sverre Huseby runs his own company selling courses and consultancy services in Web application security. He is an active participant in the webappsec mailing list.
