Index

A

absolute session timeouts, 141

Accept-Language headers, 129

access control

authentication. See authentication

authorization. See authorization

Access-Control-Allow-Origin HTTP headers, 165

access control lists (ACLs), 99–100

accounts

default, 86

disabling, 78, 86

lockout, 84–86

permissions, 240–241

single account security, 238–240

unique, 124

ACLs (access control lists), 99–100

active scanners, 307

Acunetix Web Vulnerability Scanner tool, 307

ad-hoc source control, 262

ad-hoc SQL, 236–237, 244–246

Adobe Flash

cross-domain policy file, 161–163

LSOs, 132

Advanced Encryption Standard (AES) algorithm, 20, 259, 302

affected users, 43

Ajax programming (Asynchronous JavaScript And Xml), 165

alert method, 176

Amazon.com, 34, 82, 99

Android Market XSS vulnerability, 5

Anti-XSS library, 302

AntiSamy library, 302

Apache web server, 262

application layer in authorization, 105, 110–112

compartmentalization, 110

server code, 111

application security vs. network security, 6–7

“are” factor in authentication, 58

Armorize CodeSecure tool, 305

Armstrong, Louis, 282

.asp files, 219

Asprox botnet, 219–220

Asprox SQL injection worm, 30–31

Asynchronous JavaScript And Xml (Ajax programming), 165

attack surface reduction, 32–35

authentication

access control systems, 54–55

best practices, 80–84

broken, 14–15

cookies, 204

credentials, 62–63, 69–70

custom systems, 67–69

fundamentals, 56–57

HTTP built-in, 61–64

identification, 57–60

overview, 54

password-based, 61, 70–74

single sign-on, 64–66

transmissions, 84

two-factor and three-factor, 60

authenticity, 40

authorization, 92

3×3 model, 116–119

access control, 92–93

access determination, 99–102

attacks, 127–130

best practices, 123–127

centralizing, 125

check process, 96–102

client-side, 120–121, 126

CSRF, 129–130

custom code, 125

custom mechanisms, 116–119

database servers, 112–115

forceful browsing, 127–128

fundamentals, 94–96

goals, 96

HTTP header manipulation, 129

input, 128

insecure direct object references, 249–251

invalidating sessions, 122–123

layers overview, 103–108

mistrust, 127

operating systems, 106, 109–112

overview, 54–55

permissions, 102–103

placement, 115–116

resources, 98–99

scenario, 106–108

server-side, 126

session management. See sessions and session IDs

SSL and HTTPS, 136–138

static resources, 125

subjects, 96, 98

TOCTTOU exploits, 121–123

URL, 109

web servers, 104, 108–110

availability, 39–40

B

back-end authorization, 105

backup file leaks, 260–263

baking security, 288–293

base rating scores in CVSS, 45–46

Basic access authentication, 61–63

Basili, Victor, 290

Beale, Jay, 271

biometrics, 58–60

black-box scanners, 307–309

blacklists

IP addresses, 108

regular expressions, 232

testing, 283

validation, 25–27

blended threat attacks, 218

blind SQL injection attacks, 229

Blowfish cryptography algorithm, 20

Boehm, Barry, 290

botnets, 13, 219–220

box products, 296–297

broken authentication, 14–15

brute-force attacks, 73–74

Bugzilla tool, 304

Building Security In Maturity Model (BSIMM), 315–316

built-in browser defenses, 12

built-in frameworks in authorization, 111

Burp Proxy tool, 307

bytecode language, 260

C

Cain & Abel tool, 74

canonicalization attacks, 279, 282–284

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), 85–86, 238

CAS (code access security), 111–112

Cascading Style Sheet (CSS) properties, 119

centralizing authorization, 125

Cenzic Hailstorm tool, 307

Cenzic Inc. study, 170

changing passwords, 75

CIA (Confidentiality-Integrity-Availability) perspective

insecure direct object references, 248–249

overview, 39–40

SQL injection, 217–223

CLASP (Comprehensive Lightweight Application Security Process), 312–314

classifying threats, 35–36

client-side authorization, 120–121, 126

client-side code

3x3 model, 119

same-origin policy, 152–154

XSS, 184

clientaccesspolicy.xml file, 164

code access security (CAS), 111–112

Code Red worm, 311

Code Red II worm, 311

code review, 303–306

coding libraries, 301–303

comments in documentation, 265–268

Common Vulnerabilities and Exposure (CVE), 41, 45

Common Vulnerability Scoring System (CVSS), 44–48

Common Weakness Enumeration (CWE), 41

compartmentalization of applications, 110

compiled code, 259–260

Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHAs), 85–86, 238

compliance standards for SQL injection, 220

Comprehensive Lightweight Application Security Process (CLASP), 312–314

concurrent sessions, 142

Confidentiality-Integrity-Availability (CIA) perspective

insecure direct object references, 248–249

overview, 39–40

SQL injection, 217–223

confirmation in authentication, 56

confused deputy attacks, 199

Content Security Policy (CSP), 196–197

conversion validation, 232

cookies

authentication tokens in, 204

CSRF, 199

double-submitted, 206–207

encrypted, 144

expiration date, 88

HttpOnly property, 194–195

persistence, 132

poisoning, 135

secure, 142–144

theft, 173–174

unencrypted, 126

CORS (Cross-Origin Resource Sharing), 165–166

costs of software defect repair, 289–291

Coverity Static Analysis tool, 305

credentialed resources, 154

credentials

Basic access authentication, 62–63

hard-coded, 86, 259

phishing attacks, 187–188

validating, 69–70

Crockford, Douglas, 156

cross-domain policy file, 161–163

Cross-Origin Resource Sharing (CORS), 165–166

cross-site request forgery (CSRF), 15

authorization, 129–130, 139–140

defense steps, 209–210

description, 197, 199

double-submitted cookies, 206–207

HTTP POST, 202

logged in status, 208

overview, 199–201

reauthentication, 208

referer headers, 202–204

safe methods concepts, 201–202

shared secrets, 205–206

summary, 210

URL rewriting, 204

XSS, 207

cross-site scripting (XSS), 13–14, 170–171

Android Market, 5

Anti-XSS library, 302

Content Security Policy, 196–197

CSRF, 207

defense steps, 198

encoding output, 188–191

HTML injection, 186–188

HttpOnly property, 194–195

local, 184–186

overview, 171–177

POST-based reflected, 180–182

reduced markup languages, 193–194

reflected, 177–180

sanitizing input, 191–193

sessions, 135

stored, 182–184

summary, 197

crossdomain.xml file, 162–164

CRUD permissions, 239

cryptography. See encryption and cryptography

CSP (Content Security Policy), 196–197

CSRF. See cross-site request forgery (CSRF)

CSRFGuard version, 206

CSS (Cascading Style Sheet) properties, 119

custom authorization mechanisms, 11, 116–119, 125

custom encryption, 302

CVE (Common Vulnerabilities and Exposure), 41, 45

CVSS (Common Vulnerability Scoring System), 44–48

CWE (Common Weakness Enumeration), 41

D

DAC (Discretionary Access Control), 101

damage potential, 42

Data Execution Prevention (DEP), 196

data flow diagram (DFD) format, 298

database servers in authorization, 112–115

databases, 214–215

insecure direct object references, 246–251

permissions, 238–242

plaintext passwords, 69–70

SQL injection. See Structured Query Language (SQL) injection

stored procedures, 242–246

DDoS (distributed denial-of-service) attacks, 37

default accounts, 86

defense-in-depth approach

description, 31–32

XSS, 194–197

defense mentality, 9–11

definition phase in authorization, 97

DELETE method, 202

deltas, status code, 274–276

denial-of-service (DoS) attacks, 37–39, 233

DEP (Data Execution Prevention), 196

design threats, 301

detailed error messages in SQL injection, 223–230

development methods, 288

baking security in, 288–293

BSIMM, 315–316

CLASP, 312–314

code review, 303–306

coding libraries, 301–303

defense steps, 310

holistic approach, 293–294

penetrate-and-patch approach, 291–293

SAMM, 314–315

SDL, 311–312

security incident response planning, 309

security testing, 306–309

summary, 316

threat modeling, 296–301

training, 294–296

DFD (data flow diagram) format, 298

dictionary attacks, 72–74

Digest access authentication, 63–64

directory enumeration, 273–276

directory traversal, 278–279

canonicalization attacks, 282–284

etc/passwd file, 279–280

file inclusion attacks, 280–282

disabling accounts, 78, 86

discoverability, 43–44

Discretionary Access Control (DAC), 101

distributed denial-of-service (DDoS) attacks, 37

dnf666 attacks, 220

document.cookie property, 195

document.domain property, 159–160

documentation, threats from, 265–268

DOM (Document Object Model), 119

DOM-based XSS, 184–186

DoS (denial-of-service) attacks, 37–39, 233

dot-dot-slash attacks, 279

double-submitted cookies, 206–207

DREAD system, 42–44

duties, separating, 124

dynamic source code content, 256–258

E

Easter eggs, 184–185

eavesdropping, 36–37, 137

Elevation of Privilege card game, 299–300

elevation of privilege (EoP) vulnerabilities, 38–39

encode function, 190

encodeURI function, 190

encoding output, 188–191

encryption and cryptography

cautions, 206

client-side tokens, 126

cookies, 144

custom, 302

insecure storage, 16–17

passwords, 78

session IDs, 143–144

source code, 259

SSL, 137

enforcement in authorization, 97

Enterprise Security API (ESAPI), 191

EoP (elevation of privilege) vulnerabilities, 38–39

error messages for SQL injection, 223–230

ESAPI (Enterprise Security API), 191

ESCAPE clause, 235

escape function, 190

escapeHtml function, 190

escaping input, 189–190, 233–237

etc/passwd file, 279–280

eval function, 157

execute access permissions, 102

EXECUTE command, 245

expiration date of cookies, 88

exploitability, 42–43

extensions for files, 264

F

fabrication attacks, 39

Facebook Connect system, 66

failing in secure state, 123

features in attack surface reduction, 32–35

Fiddler tool, 307

file inclusion attacks, 280–282

files, 254

directory traversal, 278–284

extensions, 264

forceful browsing, 271–278

security through obscurity, 271

source code. See source code

filters, WAF, 231

FindBugs tool, 305

fingerprint scanners, 58–60

Firebug extension, 120

Firesheep tool, 126

firewalls, 4–6, 231

FIRST (Forum of Incident Response and Security Teams), 45

fixation, session, 138–139

Flash

cross-domain policy file, 161–163

LSOs, 132

forceful browsing, 271–272

authorization, 127–128

defense steps, 277

directory enumeration, 273–276

insecure direct object references, 272–273

redirect workflow manipulation, 276–278

forgery. See cross-site request forgery (CSRF)

form field persistence, 132

Fortify Source Code Analyzer tool, 305

Forum of Incident Response and Security Teams (FIRST), 45

forwards, unvalidated, 19

401 Authorization Required message, 62, 275–276

403 Forbidden message, 275–276

404 Not Found message, 275–276

frame elements for same-origin policy, 158–161

frameworks in authorization, 111

front-end web server authorization, 104

FxCop tool, 303, 305

G

Gates, Bill, 311

GET requests

CSRF, 199, 201–202

XSS, 178

getElementById function, 173

glob function, 257

Gonzalez, Albert, 214–215

Google Accounts, 64–65

Google hacking, 219

Google Web Accelerator, 201–202

GPS systems, 33

GRANT command, 241

green-field projects, 313

Grossman, Jeremiah, 290

gummy bears, 59

H

hard-coded credentials, 86, 259

hardware layers in authorization, 106

Hash-based Message Authentication Code (HMAC), 145

hashes

Digest access authentication, 63–64

passwords, 16–17, 70, 73, 78–80

“have” factor in authentication, 57

HBGary Federal firm, 5

HEAD method, 201

headers

HTTP, 129, 165

referer, 202–204

hijacking sessions, 139–140

HMAC (Hash-based Message Authentication Code), 145

holistic approach to application security, 293–294

horizontal privilege escalations, 39

HP Fortify Source Code Analyzer tool, 305

HP Scrawlr tool, 220

HP WebInspect tool, 307

HTML comments, 265–266

html_escape function, 190

HTML injection, 186–188

HTML5 Local Storage, 132

HtmlEncode function, 190

Htmlspecialcharacters function, 190

HTTP (Hypertext Transfer Protocol), 14

built-in authentication, 61–64

header manipulation, 129

response codes, 227

HTTP DELETE method, 202

HTTP GET requests

CSRF, 199, 201–202

XSS, 178

HTTP HEAD method, 201

HTTP POST method, 178, 180–182, 202

HTTP PUT method, 202

HttpOnly flag, 142–143, 194–195

HTTPS (HTTP over SSL) protocol, 18, 136–138

hybrid systems, 101

Hydra tool, 74

Hypertext Transfer Protocol (HTTP), 14

built-in authentication, 61–64

header manipulation, 129

response codes, 227

I

IBM Rational AppScan tool, 305, 307

idempotent HTTP requests, 201

identification in authentication, 57–60

idle session timeouts, 141–142

iframes for same-origin policy, 158–161

IIMF (interception, interruption, modification, and fabrication) model, 38–39

IIS (Internet Information Services)

file leaks, 262

server vulnerabilities, 33

SQL injection, 219

impersonation, 113

incident response planning, 309

include-file leaks, 264

include functions in PHP, 281

information disclosure vulnerabilities, 37

INFORMATION_SCHEMA view, 224–225, 229

injection attacks, 13

HTML, 186–188

SQL. See Structured Query Language (SQL) injection

innerHTML property, 173

input

authorization, 128

escaping, 189–190, 233–237

sanitizing, 191–193

input validation, 24–25

blacklist, 25–27

practices, 30–31

SQL injection, 230–232

whitelist, 27–30

insecure cryptographic storage, 16–17

insecure direct object references, 15, 246

authorization checks, 249–251

confidentiality-integrity-availability, 248–249

defense steps, 251

forceful browsing, 272–273

overview, 246–248

summary, 251

insecure storage and transmissions in authentication, 63

integrity, 39–40

interception, interruption, modification, and fabrication (IIMF) model, 38–39

Internet Information Services (IIS)

file leaks, 262

server vulnerabilities, 33

SQL injection, 219

interpreted source code, 259–260

interruption attacks, 39

invalidated session IDs, 143–144

invalidating sessions, 122–123

IP addresses, 108–109

Isolated Storage, 133

J

Java

Decompiler tool, 260–261

encoding functions, 190

random numbers, 138

JavaScript encoding functions, 190

JavaScript Object Notation (JSON), 156–157

Jetty component, 138

John the Ripper tool, 74

Johnny’s Google Hacking Database site, 219

JSLint tool, 305

JSON (JavaScript Object Notation), 156–157

JSONP (JSON with Padding), 158

just-in-time training, 296

K

Kamkar, Samy, 188

key space, 74

Kinect device, 59

Klocwork Insight tool, 305

“know” factor in authentication, 57

L

landing pages in CSRF, 203

leaks

backup files, 260–263

include files, 264

least privilege principle, 35, 123–124

length of passwords, 76–77

“Lettuce Issue”, 31

libraries, coding, 301–303

LIKE clauses, 235

Live ID service, 65–67

LizaMoon attacks, 220

Local Shared Objects (LSOs), 132

local XSS, 184–186

Lockheed Martin breach, 59

lockout, account, 84–86

logged in status in CSRF, 208

logging out sessions, 144–145

Long, Johnny, 219

LSOs (Local Shared Objects), 132

M

MAC (Mandatory Access Control), 101

MACs (message authentication codes), 18

MacWorld Expo web site, 269

MadLibs game analogy, 215–216

malware in SQL injection, 218–219

man-in-the-middle attacks, 64

Mandatory Access Control (MAC), 101

manual code review, 303

markup languages, reduced, 193–194

May, Brian, 141

MD5 hashing

CSRF, 207

Digest access authentication, 63–64

passwords, 79

message authentication codes (MACs), 18

Microsoft SDL Regex Fuzzer tool, 234

Microsoft Security Response Center (MSRC), 220

middleware layers in authorization, 106

misplaced priorities, 4–6

modification attacks, 39

modules, authorization, 111

Most Critical Web Application Security Risks. See Open Web Application Security Project (OWASP) Top Ten List

MSRC (Microsoft Security Response Center), 220

Mt Gox bitcoin exchange, 201

multitenant environments, 247

Mustafa, K., 313

mysql_real_escape_string method, 235

N

.NET encoding functions, 190

network firewalls, 4–6

network security vs. application security, 6–7

Never Trust the User principle, 24

nginx web server, 262

Nimda worm, 311

nonces

CSRF, 205

Digest access authentication, 63–64

nonrepudiation, 40–41

O

objects in 3x3 model, 117

offline password attacks, 72

one-click attacks, 199

1-Click feature, 34

open redirect vulnerabilities, 19

open-source software, 256

Open Web Application Security Project (OWASP)

AntiSamy library, 302

CLASP, 312–314

LAPSE+ tool, 305

training material, 296

WebScarab tool, 307

Open Web Application Security Project (OWASP) Top Ten List, 11–12

broken authentication and session management, 14–15

cross-site scripting, 13–14

CSRF attacks, 15

injection attacks, 13

insecure cryptographic storage, 16–17

insecure direct object references, 15

security misconfiguration, 16

transport layer protection, 18–19

unvalidated redirects and forwards, 19

URL access restrictions, 17–18

OpenSAMM site, 314

operating system layers in authorization, 106, 109–110

operations in 3x3 model, 117

Ophcrack tool, 73

output encoding, 188–191

OWASP. See Open Web Application Security Project (OWASP)

owning servers, 222

P

packet sniffers, 126, 136, 139

Pandey, S. K., 313

parable of the wizard and the magic fruit trees, 6–9, 320

parameter tampering in authorization, 125, 128

parameterized queries in SQL injection, 236–237

Paros Proxy tool, 307

pass-through, 113

passive scanners, 307

Password Based Key Derivation Function (PBKDF), 80

passwords

attacks, 70–74

authorization, 137

Basic access authentication, 61–63

best practices, 76–80

complexity, 74–75, 77

cryptographic storage, 16–17

in databases, 69–70

encryption, 78

hashes, 16–17, 70, 73, 78–80

length, 76–77

reset systems, 76

rotation, 75, 77

salts, 17, 79–80

SQL injection, 221

storing, 78

uniqueness, 77–78

web applications, 67–68

XSS, 187–188

path traversal attacks, 278–279

canonicalization attacks, 282–284

etc/passwd file, 279–280

file inclusion attacks, 280–282

payloads in malware, 218

PBKDF (Password Based Key Derivation Function), 80

penetrate-and-patch development approach, 291–293

penetration tests, 291–293

permissions, 238

accounts and roles, 240–241

defense steps, 242

Elevation of Privilege card game, 299–300

principle of least privilege, 35

single account security, 238–240

stored procedures, 243–244

types, 102–103

persistence, 131–132

Pescatore, John, 311

phishing attacks, 187–188

PHP

dynamic content, 257–258

encoding functions, 190

include and require functions, 281

PHP-Sat tool, 305

PHP Security Scanner tool, 305

PINs

security tokens, 57

two-factor authentication, 60

Pixy tool, 305

placeholder characters in SQL injection, 236–237

plaintext passwords, 69–70, 78

policies for authorization, 99–100, 124

POST requests, 178, 180–182, 202

pre-request and post-request authorization checks for insecure direct object references, 249–251

precomputed dictionary attacks, 73

predictability in sessions, 138

prepared statements. See stored procedures

principle of least privilege, 35, 123–124

priorities

misplaced, 4–6

threats, 35–36

PUT method, 202

pwning servers, 222

Q

Qriocity attacks, 5

query parameter persistence, 132

R

rainbow tables, 17

RainbowCrack tool, 73

random values

Java, 138

passwords, 17, 79–80

Rational AppScan tool, 305, 307

ratproxy tool, 307

rawurlencode function, 190

RBAC (Role-Based Access Control), 101

read access permissions, 102

reauthentication in CSRF, 208

redirects

unvalidated, 19

workflow, 276–278

ReDoS (regular expression denial of service) attacks, 233

reduced markup languages, 193–194

referer headers in CSRF, 202–204

reflected XSS, 177–182

regenerating session IDs, 145–146

regular expression denial of service (ReDoS) attacks, 233

regular expressions (regexes), 29–30, 232–233

Rehman, S., 313

reliability, 42

Remember Me option, 86–88

repeated exposure in authentication, 63

Representational State Transfer (REST) method, 99

reproducibility, 42

repudiation vulnerabilities, 37

require functions in PHP, 281

reset systems for passwords, 76

resources in authorization, 98–99

response codes in HTTP, 227

REST (Representational State Transfer) method, 99

revocation

biometric devices, 60

security tokens, 58

REVOKE command, 241

rewriting URL, 204

Rich Internet Applications (RIAs), 161, 268–269

Role-Based Access Control (RBAC), 101

roles

authorization, 99–101

permissions, 240–241

rooting servers, 222

rotation of passwords, 75, 77

rounds of hashing, 79

RSA vendor, 59

rubber-hose attacks, 74

Ruby on Rails encoding functions, 190

S

SaaS (software-as-a-service) applications, 40, 247

safe requests in CSRF, 201

salts for passwords, 17, 79–80

same-origin policy, 150

client-side vs. server-side, 152–154

CORS, 165–166

cross-domain policy file, 161–163

defining, 150–152

HTML <script> element, 155–156

iframes and document.domain property, 158–161

importance, 154–155

JSON, 156–158

Silverlight plugin, 164

summary, 166

XDomainRequest, 166

XMLHttpRequest, 164–166

SAMM (Software Assurance Maturity Model), 314–315

Samy worm, 188

sandbox environments, 112

sanitizing input in XSS, 191–193

scanners, 307–309

Scrawlr tool, 220

script kiddie attacks, 42–43

scripts

Content Security Policy, 196–197

same-origin policy, 155–156

XSS. See cross-site scripting (XSS)

SDL (Security Development Lifecycle), 293–294, 297–299, 311–312

SDL Regex Fuzzer tool, 233–234

SDL Threat Modeling Tool, 297–300

search engines in XSS, 171

secure cookies, 142–144

secure features vs. security features, 20–21

Secure Hash Algorithm (SHA), 16

CSRF, 207

passwords, 79

Secure Sockets Layer (SSL) protocol, 18, 62

authentication, 63

authorization, 136–138

Security Development Lifecycle (SDL), 293–294, 297–299, 311–312

security executive surveys, 4–5

security incident response planning, 309

security misconfiguration, 16

security testing, 291–293, 306–309

security through obscurity, 271

security tokens, 57–58

self-service password reset systems, 76

sensitive functionality, 268–270

separating duties, 124

server code for applications, 111

server-side authorization, 126

server-side code in same-origin policy, 152–154

server-side persistent storage, 133

servlet restrictions, 110–111

sessions and session IDs, 14

attacks, 135–136

authentication, 81–82

authorization, 93–94

best practices, 141–146

concurrency, 142

CSRF, 139–140

description, 130–131

encrypted cookies, 144

fixation, 138–139

hijacking, 139–140

HttpOnly flag, 142–143

invalidating, 122–123

logging out, 144–145

managing, 14–15, 133–134

predictability, 138

regenerating, 145–146

riding, 199

secure cookies, 142

sidejacking, 139

states, 131–134, 140

timeouts, 141–142

Set-Cookie directive, 143, 195

setInterval function, 157

setTimeout function, 157

SHA (Secure Hash Algorithm), 16

CSRF, 207

passwords, 79

shared secrets in CSRF, 205–206

shopping cart persistence, 131–132

sidejacking sessions, 139

Silverlight plugin, 133, 164

single account security, 238–240

single sign-on (SSO) solutions, 64–66

Social Web, 183

soft token versions, 58

software-as-a-service (SaaS) applications, 40, 247

Software Assurance Maturity Model (SAMM), 314–315

software defect repair costs, 289–291

Sony Music web sites, 5

Sony PlayStation Network, 5

source code, 254–255

backup file leaks, 260–263

defense steps, 270

include-file leaks, 264

interpreted vs. compiled code, 259–260

revealing, 258–259

sensitive functionality, 268–270

static content and dynamic content, 256–258

static files, 265–268

sp_configure stored procedure, 222

spear phishing, 179

spoofing vulnerabilities, 36, 39

SQL. See Structured Query Language (SQL) injection

src attribute, 155–156, 175

SSL (Secure Sockets Layer) protocol, 18, 82

authentication, 63

authorization, 136–138

SSO (single sign-on) solutions, 64–66

stateless protocols, 130–131

states, session, 131–134, 140

static analysis code review tools, 304–306

static content in source code, 256–258

static files in source code, 265–268

static resources in authorization, 125

status code deltas, 274–276

Stay Signed In option, 86–88

stealing

cookies, 173–174

sessions, 135–136

Stephenson, Neal, 20

storage

Basic access authentication, 63

insecure, 16–17

passwords, 78

persistence, 133

stored procedures, 242–243

authorization, 113, 115–116

defense steps, 246

limitations, 244

permissions, 243–244

SQL injection, 244–245

stored XSS, 182–184

STRIDE threat classification system, 36–39, 298

strong authorization policies, 124

Structured Query Language (SQL) injection, 13, 215

Asprox worm, 30–31

coding libraries, 303

Confidentiality-Integrity-Availability perspective, 217–223

defense steps, 237

detailed errors, 223–230

escaping input, 233–237

overview, 215–217

regular expressions, 232–233

Sony Music web sites, 5

stored procedures, 244–245

validating input, 230–232

subjects

3x3 model, 117

authorization, 96, 98

System.Data.DataSet object, 35

T

tampering

parameter, 125, 128

session, 135, 140

vulnerabilities, 36–37

testing security, 291–293, 306–309

theft

cookies, 173–174

sessions, 135–136

“think like an attacker”, 10

threats

classifying and prioritizing, 35–39, 298

modeling, 296–301

3x3 authorization model, 116–119

three-factor authentication, 60

time of check to time of use (TOCTTOU), 121–123

timeouts, session, 141–142

TLS (Transport Layer Security) protocol, 18

TOCTTOU (time of check to time of use), 121–123

tokens, 57–58

client-side authorization, 126

in cookies, 204

training, 294–296

transmissions in authentication, 84

transport layer protection, 18–19

Transport Layer Security (TLS) protocol, 18

traversal, directory, 278–279

canonicalization attacks, 282–284

etc/passwd file, 279–280

file inclusion attacks, 280–282

trust

authorization, 127

in input validation, 24–25, 30

trusted subsystems, 114

“Trustworthy Computing Memo”, 311

two-factor authentication, 60

Type-1 XSS, 177–180

Type-2 XSS, 182–184

type conversion validation, 232

U

UNION SELECT clause, 224, 228

unique accounts, 124

unvalidated redirects and forwards, 19

UrlEncode function, 190

URLs

access restrictions, 17–18

authorization, 109, 137–138

CSRF, 204

encoding functions, 190–191

persistent query parameters, 132

user layers in authorization, 105

usernames

Basic access authentication, 62–63

as passwords, 78

SQL injection, 221

web applications, 67–68

users in 3x3 model, 117

V

validate-early vs. validate-late debate, 31

validating

credentials, 69–70

input. See input validation

vectors, malware, 218

vertical privilege escalations, 39

vulnerability disclosure rates per vendor report, 9

W

WAF (web application firewall), 231

WASC (Web Application Security Consortium), 296

web

authentication, 67–69

authorization, 104, 108–110

Web 2.0, 183

web application firewall (WAF), 231

Web Application Security Consortium (WASC), 296

Web Slayer tool, 74

Web Storage model, 132

WebInspect tool, 307

what axis in 3x3 model, 117

when axis in 3x3 model, 118–119

white-box scanners, 308–309

WhiteHat Security studies, 170, 290, 292

whitelists

IP addresses, 108–109

regular expressions, 232

validation, 27–30

wiki markup language, 194

Wikipedia, 194

wildcards in CORS, 165

withCredentials property, 165

wizard and the magic fruit trees parable, 6–9, 320

worms, 30–31, 170, 311

write access permissions, 102

X

XDomainRequest object, 166

XMLHttpRequest object, 164–166, 204

xp_cmdshell stored procedure, 222–223, 228, 239

XSRF. See cross-site request forgery (CSRF)

XSS. See cross-site scripting (XSS)

Z

zero-day vulnerability, 219

zombie machines, 13
