1st Edition

Web Security A WhiteHat Perspective

By Hanqing Wu, Liz Zhao Copyright 2015
    532 Pages 306 B/W Illustrations
    by Auerbach Publications


    In late 2013, approximately 40 million customer debit and credit cards were leaked in a data breach at Target. This catastrophic event, deemed one of the biggest data breaches ever, clearly showed that many companies need to significantly improve their information security strategies. Web Security: A White Hat Perspective presents a comprehensive guide to web security technology and explains how companies can build a highly effective and sustainable security system.

    In this book, web security expert Wu Hanqing reveals how hackers work and explains why companies of different scales require different security methodologies. With in-depth analysis of the reasons behind the choices, the book covers client-side script security, server application security, and security operations at Internet companies. It also covers browser security, cross-site scripting attacks, clickjacking, HTML5/PHP security, injection attacks, authentication, session management, access control, web framework security, DDoS, data leaks, Internet transaction security, and the security development lifecycle.

    MY VIEW OF THE SECURITY WORLD
    View of the IT Security World
    Brief History of Web Security
    Brief History of Chinese Hackers
    Development Process of Hacking Techniques
    Rise of Web Security
    Black Hat, White Hat
    Back to Nature: The Essence of Secret Security
    Superstition: There Is No Silver Bullet
    Security Is an Ongoing Process
    Security Elements
    How to Implement Safety Assessment
    Asset Classification
    Threat Analysis
    Risk Analysis
    Design of Security Programs
    Art of War of White Hat
    Principles of Secure by Default
    Blacklist, Whitelist
    Principle of Least Privilege
    Principle of Defense in Depth
    Principles of Data and Code Separation
    Unpredictability of the Principle
    Summary
    Appendix

    SAFETY ON THE CLIENT SCRIPT
    Security of Browser
    Same-Origin Policy
    Browser of Sandbox
    Malicious URL Intercept
    Rapid Development of Browser Security
    Summary

    Cross-Site Scripting Attack
    Introduction
    First Type: Reflected XSS
    Second Type: Stored XSS
    Third Type: DOM-Based XSS
    Advanced XSS Attack
    Preliminary Study on XSS Pay Load
    XSS Payload Power
    XSS Attack Platform
    Ultimate Weapon: XSS Worm
    Debugging JavaScript
    Construction Skills of XSS
    Turning Waste into Treasure: Mission Impossible
    Easily Overlooked Corner: Flash XSS
    Really Sleep without Any Anxiety: JavaScript Development Framework
    XSS Defense
    Skillfully Deflecting the Question: HttpOnly
    Input Checking
    Output Checking
    Defense XSS Correctly Designed
    Dealing with Rich Text
    Defense DOM-Based XSS
    See XSS from Another Angle of Risk
    Summary

    Cross-Site Request Forgery
    Introduction
    Advanced CSRF
    Cookie Policy of Browsers
    Side Effect of P3P Header
    GET? POST?
    Flash CSRF
    CSRF Worm
    Defense against CSRF
    Verification Code
    Referer Check
    Anti-CSRF Token
    Summary

    Clickjacking
    What Is Clickjacking?
    Flash Clickjacking
    Image-Covering Attacks
    Drag Hijacking and Data Theft
    Clickjacking 3.0: Tapjacking
    Defense against Clickjacking
    Frame Busting
    X-Frame-Options
    Summary

    HTML 5 Securities
    New Tags of HTML 5
    New Tags of XSS
    Sandbox Attribute of iframe
    Link Types: Noreferrer
    Magical Effect of Canvas
    Other Security Problems
    Cross-Origin Resource Sharing
    postMessage: Send Message across Windows
    Web Storage
    Summary

    APPLICATION SECURITY ON THE SERVER SIDE
    Injection Attacks
    SQL Injection Attacks
    Blind Injection
    Timing Attack
    Database Attacking Techniques
    Common Attack Techniques
    Command Execution
    Stored Procedure Attacks
    Coding Problems
    SQL Column Truncation
    Properly Defending against SQL Injection
    Using Precompiled Statements
    Using Stored Procedures
    Checking the Data Type
    Using Safety Functions
    Other Injection Attacks
    XML Injection
    Code Injection
    CRLF Injection
    Summary

    File Upload Vulnerability
    File Upload Vulnerability Overview
    FCKEditor File Upload Vulnerability
    Bypassing the File Upload Check Function
    Functionality or Vulnerability
    Apache File Parsing Problem
    IIS File Parsing Problem
    PHP CGI Path to Solve the Problem
    Upload Files Phishing
    Designing Secure File Upload Features
    Summary

    Authentication and Session Management
    Who Am I?
    Password
    Multifactor Authentication
    Session Management and Authentication
    Session Fixation Attacks
    Session Keep Attack
    Single Sign-On
    Summary

    Access Control
    What Can I Do?
    Vertical Rights Management
    Horizontal Rights Management
    Unauthorized Access from Youku Users (Vulnerability No. Wooyun-2010-0129)
    Access Problems in the Laiyifen Shopping Site (Loopholes No. Wooyun-2010-01576)
    Summary of OAuth
    Summary

    Encryption Algorithms and Random Numbers
    Introduction
    Stream Cipher Attack
    Reused Key Attack
    Bit-Flipping Attack
    Issue of Weak Random IV
    WEP Crack
    ECB Mode Defects
    Padding Oracle Attack
    Key Management
    Problems with a Pseudorandom Number
    Trouble with a Weak Pseudorandom Number
    The Time Really Do Random
    Breaking the Pseudorandom Number Algorithm Seed
    Using Secure Random Numbers
    Summary
    Appendix: Understanding the MD5 Length Extension Attack

    Web Framework Security
    MVC Framework Security
    Template Engine and XSS Defenses
    Web Framework and CSRF Defense
    HTTP Header Management
    Data Persistence Layer and SQL Injection
    What Can Think More?
    Web Framework Self-Security
    Struts 2 Command Execution Vulnerability
    Struts 2 Patch
    Spring MVC Execution Vulnerability
    Django Execution Vulnerability
    Summary

    Application-Layer Denial-of-Service Attacks
    Introduction to DDoS
    Application-Layer DDoS
    CC Attack
    Restriction of Request Frequency
    The Priest Climbs a Post, the Devil Climbs Ten
    About Verification Code
    DDoS in the Defense Application Layer
    Resource Exhaustion Attack
    Slowloris Attack
    HTTP POST DOS
    Server Limit DoS
    Murder Caused by Regular Expression: ReDoS
    Summary

    PHP Security
    File Inclusion Vulnerability
    Local File Inclusion
    Remote File Inclusion
    Using Skill of Local File Inclusion
    Variable Coverage Vulnerability
    Global Variable Coverage
    The extract() Variable Coverage
    Traversal Initializing Variables
    The import_request_variables Variable Coverage
    The parse_str() Variable Coverage
    Code Execution Vulnerability
    "Dangerous function" Executes the Code
    File Writing Code Execution
    Other Methods of Code Execution
    Customize Secure PHP Environment
    Summary

    Web Server Configuration Security
    Apache Security
    Nginx Security
    jBoss Remote Command Execution
    Tomcat Remote Command Execution
    HTTP Parameter Pollution
    Summary

    SAFETY OPERATIONS OF INTERNET COMPANIES
    Security of Internet Business
    Security Requirements in Internet Products
    Internet Products Need Security
    What Is a Good Security Program?
    Business Logic Security
    Loopholes in Password Security
    Who Will Be the Big Winner?
    Practice Deception
    Password Recovery Process
    How the Account Is Stolen
    Various Ways of Account Theft
    Analysis on Why Accounts Get Stolen
    Internet Garbage
    Threat of Spam
    Spam Disposal
    Phishing
    Details about Phishing
    Mail Phishing
    Prevention and Control of Phishing Sites
    Phishing in Online Shopping
    User Privacy Protection
    Challenges in Internet User Privacy
    How to Protect User Privacy
    Do Not Track
    Summary
    Appendix: Trouble Terminator

    Security Development Lifecycle
    SDL Introduction
    Agile SDL
    SDL Actual Combat Experience
    Requirements Analysis and Design Phase
    Development Phase
    Providing Security Functions
    Code Security Audit Tool
    Test Phase
    Summary

    Security Operations
    Make the Security Operated
    Process of Vulnerability Patch
    Security Monitoring
    Intrusion Detection
    Emergency Response Process
    Summary
    Appendix

    Biography

    Axie Wu was a founder of ph4nt0m.org, one of China’s best-known domestic security organizations. He is proficient in offensive and defensive web security techniques. He joined Alibaba Co., Ltd, China, after graduating from Xi’an Jiaotong University in 2005 and became the youngest expert-level engineer at Alibaba by 2007. He then designed the network security systems for Alibaba, Taobao, and Alipay. He was fully involved in the security development process at Alibaba, where he gained extensive experience in the field of application security. From 2011 onward, he has been a security architect at Alibaba, responsible for group-wide web security and cloud computing security. Wu is currently product vice president of Anquanbao.com, responsible for the company’s product development and design. He also leads the Zhejiang chapter of OWASP China.

    Lizzie Zhao graduated from the University of Bridgeport, Connecticut, in 2001. She then worked at a computer training institute in New York City. Two years later, she returned to China and took up work with the subsidiary of a software company at an institute of the Chinese Academy of Sciences (CAS) as a project manager and system architect. In 2006, she joined the information technology promotion office of CECA (China E-Commerce Association). In 2007, she cofounded RWStation (Beijing) Network Technology Co., Ltd., with other shareholders, and has managed the company since. From September 2011, Liz has focused her attention on China’s network security issues and has aimed to help enterprises in China with their system security and network security business. She initiated the establishment of the SOSTC Alliance (Security Open Source Technology of China) with the help of other Chinese and overseas security experts. She is also a sought-after IT security consultant for various companies and for the Chinese government. Liz is currently the head of the STTC (Security Technology Training Center) and plans training activities with many universities in China, such as Northwestern Polytechnical University and Xidian University.