E-book
Author Gallagher, Tom

Title Hunting security bugs / Tom Gallagher, Bryan Jeffries, Lawrence Landauer
Published Redmond, Wash. : Microsoft Press, 2006

Description 1 online resource
Series Secure software development series
Contents Machine derived contents note:
Dedication; Foreword; Introduction; Who Is This Book For?; Organization of This Book; System Requirements; Technology Updates; Code Samples and Companion Content; Support for This Book; Acknowledgments
Chapter 1: General Approach to Security Testing; 1.1 Different Types of Security Testers; 1.2 An Approach to Security Testing; 1.3 Summary
Chapter 2: Using Threat Models for Security Testing; 2.1 Threat Modeling; 2.2 How Testers Can Leverage a Threat Model; 2.3 Data Flow Diagrams; 2.4 Enumeration of Entry Points and Exit Points; 2.5 Enumeration of Threats; 2.6 How Testers Should Use a Completed Threat Model; 2.7 Implementation Rarely Matches the Specification or Threat Model; 2.8 Summary
Chapter 3: Finding Entry Points; 3.1 Finding and Ranking Entry Points; 3.2 Common Entry Points; 3.3 Summary
Chapter 4: Becoming a Malicious Client; 4.1 Client/Server Interaction; 4.2 Testing HTTP; 4.3 Testing Specific Network Requests Quickly; 4.4 Testing Tips; 4.5 Summary
Chapter 5: Becoming a Malicious Server; 5.1 Understanding Common Ways Clients Receive Malicious Server Responses; 5.2 Does SSL Prevent Malicious Server Attacks?; 5.3 Manipulating Server Responses; 5.4 Examples of Malicious Response Bugs; 5.5 Myth: It Is Difficult for an Attacker to Create a Malicious Server; 5.6 Understanding Downgrade MITM Attacks; 5.7 Testing Tips; 5.8 Summary
Chapter 6: Spoofing; 6.1 Grasping the Importance of Spoofing Issues; 6.2 Finding Spoofing Issues; 6.3 General Spoofing; 6.4 User Interface Spoofing; 6.5 Testing Tips; 6.6 Summary
Chapter 7: Information Disclosure; 7.1 Problems with Information Disclosure; 7.2 Locating Common Areas of Information Disclosure; 7.3 Identifying Interesting Data; 7.4 Summary
Chapter 8: Buffer Overflows and Stack and Heap Manipulation; 8.1 Understanding How Overflows Work; 8.2 Testing for Overruns: Where to Look for Cases; 8.3 Black Box (Functional) Testing; 8.4 White Box Testing; 8.5 Additional Topics; 8.6 Testing Tips; 8.7 Summary
Chapter 9: Format String Attacks; 9.1 What Are Format Strings?; 9.2 Understanding Why Format Strings Are a Problem; 9.3 Testing for Format String Vulnerabilities; 9.4 Walkthrough: Seeing a Format String Attack in Action; 9.5 Testing Tips; 9.6 Summary
Chapter 10: HTML Scripting Attacks; 10.1 Understanding Reflected Cross-Site Scripting Attacks Against Servers; 10.2 Understanding Persistent XSS Attacks Against Servers; 10.3 Identifying Attackable Data for Reflected and Persistent XSS Attacks; 10.4 Common Ways Programmers Try to Stop Attacks; 10.5 Understanding Reflected XSS Attacks Against Local Files; 10.6 Understanding Script Injection Attacks in the My Computer Zone; 10.7 Ways Programmers Try to Prevent HTML Scripting Attacks; 10.8 Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files; 10.9 Identifying HTML Scripting Vulnerabilities; 10.10 Finding HTML Scripting Bugs Through Code Review; 10.11 Summary
Chapter 11: XML Issues; 11.1 Testing Non-XML Security Issues in XML Input Files; 11.2 Testing XML-Specific Attacks; 11.3 Simple Object Access Protocol; 11.4 Testing Tips; 11.5 Summary
Chapter 12: Canonicalization Issues; 12.1 Understanding the Importance of Canonicalization Issues; 12.2 Finding Canonicalization Issues; 12.3 File-Based Canonicalization Issues; 12.4 Web-Based Canonicalization Issues; 12.5 Testing Tips; 12.6 Summary
Chapter 13: Finding Weak Permissions; 13.1 Understanding the Importance of Permissions; 13.2 Finding Permissions Problems; 13.3 Understanding the Windows Access Control Mechanism; 13.4 Finding and Analyzing Permissions on Objects; 13.5 Recognizing Common Permissions Problems; 13.6 Determining the Accessibility of Objects; 13.7 Other Permissions Considerations; 13.8 Summary
Chapter 14: Denial of Service Attacks; 14.1 Understanding Types of DoS Attacks; 14.2 Testing Tips; 14.3 Summary
Chapter 15: Managed Code Issues; 15.1 Dispelling Common Myths About Using Managed Code; 15.2 Understanding the Basics of Code Access Security; 15.3 Finding Problems Using Code Reviews; 15.4 Understanding the Issues of Using APTCA; 15.5 Decompiling .NET Assemblies; 15.6 Testing Tips; 15.7 Summary
Chapter 16: SQL Injection; 16.1 Exactly What Is SQL Injection?; 16.2 Understanding the Importance of SQL Injection; 16.3 Finding SQL Injection Issues; 16.4 Avoiding Common Mistakes About SQL Injection; 16.5 Understanding Repurposing of SQL Stored Procedures; 16.6 Recognizing Similar Injection Attacks; 16.7 Testing Tips; 16.8 Summary
Chapter 17: Observation and Reverse Engineering; 17.1 Observation Without a Debugger or Disassembler; 17.2 Using a Debugger to Trace Program Execution and Change its Behavior; 17.3 Using a Decompiler or Disassembler to Reverse Engineer a Program; 17.4 Analyzing Security Updates; 17.5 Testing Tips; 17.6 Legal Considerations; 17.7 Summary
Chapter 18: ActiveX Repurposing Attacks; 18.1 Understanding ActiveX Controls; 18.2 ActiveX Control Testing Walkthrough; 18.3 Testing Tips; 18.4 Summary
Chapter 19: Additional Repurposing Attacks; 19.1 Understanding Document Formats That Request External Data; 19.2 Web Pages Requesting External Data; 19.3 Understanding Repurposing of Window and Thread Messages; 19.4 Summary
Chapter 20: Reporting Security Bugs; 20.1 Reporting the Issue; 20.2 Contacting the Vendor; 20.3 What to Expect After Contacting the Vendor; 20.4 Public Disclosure; 20.5 Addressing Security Bugs in Your Product; 20.6 Summary
Tools of the Trade; General; ActiveX/COM; Canonicalization; Code Analysis; Debugging; Documents and Binaries; Fuzzers; Memory/Runtime; Network; Permissions; SQL
Security Test Cases Cheat Sheet; Network Requests and Responses; Spoofing; Information Disclosures; Buffer Overflows; Format Strings; Cross-Site Scripting and Script Injection; XML; SOAP; Canonicalization Issues; Weak Permissions; Denial of Service; Managed Code; SQL Injection; ActiveX
Tom Gallagher; Bryan Jeffries; Lawrence Landauer
Summary "Finding security flaws is now a fundamental development task, yet there has not been adequate documentation of the process used to find security bugs, until now. Before the Internet, computers were deployed in trusted environments and software development and testing practices emphasized functionality over security. As networking technologies emerged, though, times changed and people began to connect their computers together, instead of deploying in silos. However, development and testing practices did not account for attacks that could be mounted over networks." --Microsoft
Analysis Computer networks Security measures
Computer security
Computer software Testing
Notes Includes index
Notes Master and use copy. Digital master created according to Benchmark for Faithful Digital Reproductions of Monographs and Serials, Version 1. Digital Library Federation, December 2002. http://purl.oclc.org/DLF/benchrepro0212 MiAaHDL
Print version record
digitized 2011 HathiTrust Digital Library committed to preserve pda MiAaHDL
Subject Computer security
Computer software -- Testing
Computer networks -- Security measures
Computersicherheit
Softwareentwicklung
Testen
Engineering & Applied Sciences
Computer Science
Form Electronic book
Author Jeffries, Bryan.
Landauer, Lawrence.
LC no. 2006927197
ISBN 073562187X
9780735621879
9780735690592
0735690596
9780735660243
0735660247
9780735660465
0735660468