Innocent Code : A Security Wake-Up Call for Web Programmers


  • In stock at our partner overseas book distributor. Usually ships within 2 weeks.
    Important notes
    1. Delivery may occasionally be delayed, or the item may become unavailable.
    2. Orders for multiple copies may be shipped in separate deliveries.
    3. We cannot accept requests for copies in mint condition.

  • [Important: delays in incoming stock]
    Because of the spread of COVID-19 in various countries, the arrival of imported new and second-hand books has become unstable.
    Delivery is expected to take longer than the standard lead times shown on our site.
    We apologise for the inconvenience and ask for your understanding.

  • Binding: Paperback / 256 pages
  • Language: ENG
  • Product code: 9780470857441
  • DDC classification: 005.8

Table of Contents

Foreword ix
Acknowledgments xi
Introduction xiii
The Rules xiv
The Examples xv
The Chapters xvi
What is Not in This Book? xvii
A Note from the Author xviii
Feedback xviii
The Basics 1 (20)
HTTP 1 (9)
Requests and responses 2 (4)
The Referer header 6 (1)
Caching 7 (2)
Cookies 9 (1)
Sessions 10 (5)
Session hijacking 11 (4)
HTTPS 15 (4)
Summary 19 (1)
Do You Want to Know More? 19 (2)
Passing Data to Subsystems 21 (36)
SQL Injection 22 (17)
Examples, examples and then some 22 (8)
Using error messages to fetch information 30 (3)
Avoiding SQL injection 33 (6)
Shell Command Injection 39 (9)
Examples 40 (2)
Avoiding shell command injection 42 (6)
Talking to Programs Written in C/C++ 48 (2)
Example 48 (2)
The Evil Eval 50 (1)
Solving Metacharacter Problems 50 (5)
Multi-level interpretation 52 (1)
Architecture 53 (1)
Defense in depth 54 (1)
Summary 55 (2)
User Input 57 (40)
What is Input Anyway? 57 (10)
The invisible security barrier 62 (3)
Language peculiarities: totally unexpected input 65 (2)
Validating Input 67 (7)
Whitelisting vs. blacklisting 71 (3)
Handling Invalid Input 74 (5)
Logging 76 (3)
The Dangers of Client-side Validation 79 (3)
Authorization Problems 82 (10)
Indirect access to data 83 (3)
Passing too much to the client 86 (4)
Missing authorization tests 90 (1)
Authorization by obscurity 91 (1)
Protecting server-generated input 92 (3)
Summary 95 (2)
Output Handling: The Cross-site Scripting Problem 97 (28)
Examples 98 (13)
Session hijacking 99 (4)
Text modification 103 (1)
Socially engineered Cross-site Scripting 104 (4)
Theft of passwords 108 (1)
Too short for scripts? 109 (2)
The Problem 111 (1)
The Solution 112 (9)
HTML encoding 113 (1)
Selective tag filtering 114 (6)
Program design 120 (1)
Browser Character Sets 121 (1)
Summary 122 (1)
Do You Want to Know More? 123 (2)
Web Trojans 125 (10)
Examples 125 (5)
The Problem 130 (1)
A Solution 131 (2)
Summary 133 (2)
Passwords and Other Secrets 135 (28)
Crypto-Stuff 135 (7)
Symmetric encryption 137 (1)
Asymmetric encryption 137 (2)
Message digests 139 (1)
Digital signatures 140 (1)
Public key certificates 141 (1)
Password-based Authentication 142 (9)
On clear-text passwords 142 (2)
Lost passwords 144 (2)
Cracking hashed passwords 146 (4)
Remember me? 150 (1)
Secret Identifiers 151 (2)
Secret Leakage 153 (4)
GET request leakage 154 (2)
Missing encryption 156 (1)
Availability of Server-side Code 157 (3)
Insecure file names 157 (1)
System software bugs 158 (2)
Summary 160 (1)
Do You Want to Know More? 161 (2)
Enemies of Secure Code 163 (14)
Ignorance 163 (2)
Mess 165 (6)
Deadlines 171 (2)
Salesmen 173 (1)
Closing Remarks 174 (1)
Do You Want to Know More? 174 (3)
Summary of Rules for Secure Coding 177 (10)
Appendix A Bugs in the Web Server 187 (6)
Appendix B Packet Sniffing 193 (6)
B.1 Teach Yourself TCP/IP in Four Minutes 193 (2)
B.2 Sniffing the Packets 195 (1)
B.3 Man-In-The-Middle Attacks 196 (1)
B.4 MITM with HTTPS 197 (1)
B.5 Summary 198 (1)
B.6 Do You Want to Know More? 198 (1)
Appendix C Sending HTML Formatted E-mails with a Forged Sender Address 199 (2)
Appendix D More Information 201 (4)
D.1 Mailing Lists 201 (2)
D.2 OWASP 203 (2)
Acronyms 205 (4)
References 209 (12)
Index 221