The Manager's Guide to Web Application Security: A Concise Guide to the Weaker Side of the Web
The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively. Often, security vulnerabilities are difficult to unde...
| Main author: | |
|---|---|
| Format: | E-book |
| Language: | English |
| Published: | Berkeley, CA : Apress, 2014. |
| Edition: | 1st ed. 2014. |
| Series: | Expert's voice in security. |
| Subjects: | |
| View in Biblioteca Universitat Ramon Llull: | https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009629566006719 |
Table of Contents:
- Front matter: Contents at a Glance; Contents; About the Author; About the Technical Reviewer; Acknowledgments; Introduction
- Chapter 1: Understanding IT Security Risks: Web Application Security Terminology; Risk Calculation Models; DREAD; How to Calculate Web Application Security Risk; Standard Calculations; A Customized Approach; Calculating a Security Risk; Calculating Risk from Multiple Vulnerabilities for Any Asset; Calculating the Monetary Value at Risk for Any Asset; Sources of Web Application Security Vulnerability Information; Summary
- Chapter 2: Types of Web Application Security Testing: Understanding the Testing Process; Web Application Audits; Vulnerability Assessment; Fully Automated Testing; Manual Testing; Combining Automated and Manual Testing; Penetration Testing; Postremediation Testing; Important Report Deliverables for All Testing Reports; Summary
- Chapter 3: Web Application Vulnerabilities and the Damage They Can Cause: Lack of Sufficient Authentication; Weak Password Controls; Passwords Submitted Without Encryption; Username Harvesting; Weak Session Management; Weak SSL Ciphers Support; Information Submitted Using the GET Method; Self-Signed Certificates, Insecure Keys, and Passwords; Username Harvesting Applied to Forgotten Password Process; Autocomplete Enabled on Password Fields; Session IDs Nonrandom and Too Short; Weak Access Control; Frameable Response (Clickjacking); Cached HTTPS Response; Sensitive Information Disclosed in HTML Comments; HTTP Server Type and Version Number Disclosed; Insufficient Session Expiration; HTML Does Not Specify Charset; Session Fixation; Insecure Cookies; Cookies with No Secure Flag; Cookies Set to Expire in the Distant Future; Cookies with No HttpOnly Flag; Cookies Created on the Client Side; Cookies Scoped to a Parent Domain; Weak Input Validation at the Application Level; Lack of Validated Input Allowing Automatic Script Execution; Unauthorized Access by Parameter Manipulation; Buffer Overflows; Forms Submitted Using the GET Method; Redirects and Forwards to Insecure Sites; Application Susceptible to Brute-Force Attacks; Client-Side Enforcement of Server-Side Security; Injection Flaws; SQL Injection; Blind SQL Injection; Link Injection; HTTP Header Injection Vulnerability; HTTP Response-Splitting Attack; Unauthorized View of Data; Web Application Source Code Disclosure; Web Directories Enumerated; Active Directory Object Default Page on Server; Temporary Files Left in the Environment; Internal IP Address Revealed by Web Server; Server Path Disclosed; Hidden Directory Detected; Unencrypted VIEWSTATE; Obsolete Web Server; Query Parameter in SSL Request; Error Handling; Cross-Site Scripting Attacks; Reflected Cross-Site Scripting Attack; Stored Cross-Site Scripting Attack; Cross-Site Request Forgery Attack; Security Misconfigurations and Use of Known Vulnerable Components; Denial-of-Service Attack; Related Security Issues; Storage of Data at Rest