Part I. Web Development Is a Blood Sport—Don’t Wander onto the Field Without a Helmet
Chapter 1. Security Is a Server Issue and Other Myths
Native Session Management Provides Plenty of Security
“My Application Isn’t Major Enough to Get Hacked”
The “Barbarians at the Gate” Syndrome
Part II. Is That Hole Really Big Enough to Drive a Truck Through?
Users Do the Darnedest Things …
Building an Error-Handling Mechanism
Navigating the Dangerous Waters of exec(), system(), and Backticks
Using escapeshellcmd() and escapeshellarg() to Secure System Calls
Create an API to Handle All System Calls
Patch the Guestbook Application
Part III. What’s In a Name? More Than You Expect
Chapter 4. Buffer Overflows and Variable Sanitation
What Is a Buffer, How Does It Overflow, and Why Should You Care?
Prevent Buffer Overflows by Sanitizing Variables
New Feature: Allow Users to Sign Their Guestbook Comments
The Problem: Users Who Give You More than You Asked For
Assumptions: You Know What Your Data Looks Like
The Solution: Regular Expressions to Validate Input
Chapter 6. Filesystem Access: Accessing the Filesystem for Fun and Profit
Changing File Properties Safely
Patching the Application to Allow User-Uploaded Image Files
Part IV. “Aw Come On Man, You Can Trust Me”
Storing Usernames and Passwords
Patching the Application to Authenticate Users
Patching the Application to Encrypt Passwords
Major Types of Session Attacks
Patching the Application to Secure the Session
Chapter 10. Cross-Site Scripting
Patching the Application to Prevent XSS Attacks
Part V. Locking Up for the Night
Chapter 11. Securing Apache and MySQL
Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure
Securing a UNIX, Linux, or Mac OS X Environment
Chapter 12. Securing IIS and SQL Server
Securing a Windows Server Environment
Chapter 13. Securing PHP on the Server
Using the Latest Version of PHP
Using the Security Features Built into PHP and Apache
Chapter 14. Introduction to Automated Testing
Why Are We Talking About Testing in a Security Book?
Chapter 15. Introduction to Exploit Testing
Part VI. “Don’t Get Hacked” Is Not a Viable Security Policy
Chapter 16. Plan A: Designing a Secure Application from the Beginning
Before You Sit Down at the Keyboard …
Chapter 17. Plan B: Plugging the Holes in Your Existing Application
Application Hardening Checklist
Security Is a Lifestyle Choice: Becoming a Better Programmer