Innocent Code : A Security Wake-Up Call for Web Programmers

Author: Sverre H. Huseby
Publisher: Wiley
Published: 2004-01-30
ISBN-13: 9780470857441
ISBN-10: 0470857447
Binding: Paperback
Pages: 248

Description

"This book is much more than a wake-up call. It is also an eye-opener. Even
for those who are already awake to the problems of Web server security, it is a
serious guide for what to do and what not to do, with many well-chosen examples.
The set of fundamental rules is highly relevant."
Peter G. Neumann, author of Computer-Related Risks and moderator of the
Internet Risks Forum (risks.org).
This concise and practical book shows where code vulnerabilities lie and how
best to fix them. Its value is in showing where code may be exploited to gain
access to, or break, systems, without delving into specific architectures,
programming or scripting languages, or applications. It provides illustrations
with real code.

Innocent Code is an entertaining read showing how to change your mindset from
website construction to website destruction so as to avoid writing dangerous
code. Abundant examples from susceptible sites bring the material alive and
help you to guard against:

SQL injection, shell command injection and other attacks based on
mishandling meta-characters

bad input

cross-site scripting

attackers who trick users into performing actions

leakage of server-side secrets

hidden enemies such as project deadlines, salesmen, messy code and tight
budgets

All web programmers need to take precautions against producing websites
vulnerable to malicious attack. This is the book that tells you how, without
trying to turn you into a security specialist.

Table of Contents
Foreword.
Acknowledgments.
Introduction.
I.1 The Rules.
I.2 The Examples.
I.3 The Chapters.
I.4 What is Not in this Book?
I.5 A Note From the Author.
I.6 Feedback.

  1. The Basics.
    1.1 HTTP.
    1.2 Sessions.
    1.3 HTTPS.
    1.4 Summary.
    1.5 Do You Want to Know More?
  2. Passing Data to Subsystems.
    2.1 SQL Injection.
    2.2 Shell Command Injection.
    2.3 Talking to Programs Written in C/C++.
    2.4 The Evil Eval.
    2.5 Solving Metacharacter Problems.
    2.6 Summary.
  3. User Input.
    3.1 What is Input Anyway?
    3.2 Validating Input.
    3.3 Handling Invalid Input.
    3.4 The Dangers of Client-side Validation.
    3.5 Authorization Problems.
    3.6 Protecting Server-generated Input.
    3.7 Summary.
  4. Output Handling: The Cross-site Scripting Problem.
    4.1 Examples.
    4.2 The Problem.
    4.3 The Solution.
    4.4 Browser Character Sets.
    4.5 Summary.
    4.6 Do You Want to Know More?
  5. Web Trojans.
    5.1 Examples.
    5.2 The Problem.
    5.3 A Solution.
    5.4 Summary.
  6. Passwords and Other Secrets.
    6.1 Crypto-stuff.
    6.2 Password-based Authentication.
    6.3 Secret Identifiers.
    6.4 Secret Leakage.
    6.5 Availability of Server-side Code.
    6.6 Summary.
    6.7 Do You Want to Know More?
  7. Enemies of Secure Code.
    7.1 Ignorance.
    7.2 Mess.
    7.3 Deadlines.
    7.4 Salesmen.
    7.5 Closing Remarks.
    7.6 Do You Want to Know More?
  8. Summary of Rules for Secure Coding.
    Appendix A: Bugs in the Web Server.
    Appendix B: Packet Sniffing.
    Appendix C: Sending HTML Formatted E-mails with Forged Sender Address.
    Appendix D: More Information.
    Acronyms.
    References.
    Index.