免费下载书籍地址:PDF下载地址
精美图片
Web Application黑客手册:安全漏洞的发现与利用The Web Application Hacker's Handbook : Discovering and Exploiting Security Flaws书籍详细信息
- ISBN:9780470170779
- 作者:暂无作者
- 出版社:暂无出版社
- 出版时间:2007-10
- 页数:768
- 价格:372.20
- 纸张:胶版纸
- 装帧:平装
- 开本:16开
- 语言:未知
- 丛书:暂无丛书
- TAG:暂无
- 豆瓣评分:暂无豆瓣评分
内容简介:
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.
The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.
The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.
书籍目录:
Acknowledgments
Introduction
Chapter 1 Web Application (In)security
Chapter 2 Core Defense Mechanisms
Chapter 3 Web Application Technologies
Chapter 4 Mapping the Application
Chapter 5 Bypassing Client-Side Controls
Chapter 6 Attacking Authentication
Chapter 7 Attacking Session Management
Chapter 8 Attacking Access Controls
Chapter 9 Injecting Code
Chapter 10 Exploiting Path Traversal
Chapter 11 Attacking Application Logic
Chapter 12 Attacking Other Users
Chapter 13 Automating Bespoke Attacks
Chapter 14 Exploiting Information Disclosure
Chapter 15 Attacking Compiled Applications
Chapter 16 Attacking Application Architecture
Chapter 17 Attacking the Web Server
Chapter 18 Finding Vulnerabilities in Source Code
Chapter 19 A Web Application Hacker's Toolkit
Chapter 20 A Web Application Hacker's Methodology
Index
作者介绍:
Dafydd Stuttard is a Principal Security Consultant at Next Generation Security Software, where he leads the web application security competency. He has nine years’ experience in security consulting and specializes in the penetration testing of web applic
出版社信息:
暂无出版社相关信息,正在全力查找中!
书籍摘录:
暂无相关书籍摘录,正在全力查找中!
在线阅读/听书/购买/PDF下载地址:
原文赏析:
应用程序必须假设所有输入的信息都是恶意的输入,并必须采取措施确保攻击者无法使用专门设计的输入破坏应用程序,
任何设计安全应用程序的开发人员必须基于这样一个假设:应用程序将成为意志坚定且经验丰富的攻击者的直接攻击目标。
如果可能,最好避免清除某些不良输入的做法,完全拒绝这种类型的输入。
这里是介绍
大多数Web应用程序使用三层相互关联的安全机制处理用户访问: 身份验证; 会话管理; 访问控制。
令牌是一个唯一的字符串,应用程序将其映射到会话中。当用户收到一个令牌时,浏览器会在随后的HTTP请求中将它返回给服务器,帮助应用程序将请求与该用户联系起来。虽然许多应用程序使用隐藏表单字段(hidden form field)或URL查询字符串(query string)传送会话令牌(session token),但HTTP cookie才是实现这一目的的常规方法。如果用户在一段时间内没有发出请求,会话将会自动终止,如图2-2所示。
会话管理机制中存在的漏洞主要分为两类: 会话令牌生成过程中的薄弱环节; 在整个生命周期过程中处理会话令牌的薄弱环节。
渗透测试步骤 (1)如果应用程序使用HTTP验证,它可能并不执行会话管理机制。使用前面描述的方法分析任何可能是令牌的数据的作用。 (2)如果应用程序使用无会话状态机制,通过客户端传送所有必要数据进行状态维护,有时我们可能很难检测出这种机制,但如果发现下列迹象,即可确定应用程序使用这种机制。 向客户端发布的可能令牌的数据相当长(如100 B或超过100 B)。 应用程序对每个请求做出响应,发布一个新的类似令牌的数据。 数据似乎被加密(因此无法辨别其结构)或包含签名(由有意义的结构和几个字节的无意义二进制数据组成)。 应用程序拒绝通过多个请求提交相同数据的做法。 (3)如果相关证据明确表明应用程序并未使用会话令牌管理状态,那么本章描述的任何攻击都不可能达到其目的。因此,最好着手去寻找其他严重的漏洞,如访问控制不完善或代码注入。
其它内容:
编辑推荐
"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you’re interested in being able to audit applications for vulnerabilities".
—Robert Wesley McGrew, McGrew Security
书籍介绍
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.
The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.
The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.
书籍真实打分
故事情节:3分
人物塑造:9分
主题深度:7分
文字风格:3分
语言运用:6分
文笔流畅:3分
思想传递:4分
知识深度:8分
知识广度:5分
实用性:4分
章节划分:5分
结构布局:3分
新颖与独特:8分
情感共鸣:5分
引人入胜:3分
现实相关:7分
沉浸感:5分
事实准确性:5分
文化贡献:6分
网站评分
书籍多样性:3分
书籍信息完全性:7分
网站更新速度:7分
使用便利性:8分
书籍清晰度:5分
书籍格式兼容性:6分
是否包含广告:3分
加载速度:9分
安全性:5分
稳定性:9分
搜索功能:9分
下载便捷性:9分
下载点评
- 无盗版(557+)
- 值得下载(223+)
- 经典(243+)
- 在线转格式(617+)
- 体验差(334+)
- 三星好评(104+)
下载评价
网友 苍***如:什么格式都有的呀。
网友 常***翠:哈哈哈哈哈哈
网友 堵***格:OK,还可以
网友 宓***莉:不仅速度快,而且内容无盗版痕迹。
网友 晏***媛:够人性化!
网友 冉***兮:如果满分一百分,我愿意给你99分,剩下一分怕你骄傲
网友 孙***夏:中评,比上不足比下有余
网友 石***烟:还可以吧,毕竟也是要成本的,付费应该的,更何况下载速度还挺快的
网友 陈***秋:不错,图文清晰,无错版,可以入手。
网友 曾***玉:直接选择epub/azw3/mobi就可以了,然后导入微信读书,体验百分百!!!
网友 戈***玉:特别棒
网友 沈***松:挺好的,不错
网友 隗***杉:挺好的,还好看!支持!快下载吧!
网友 方***旋:真的很好,里面很多小说都能搜到,但就是收费的太多了