Contents

Acknowledgments

About the Authors

Part I. Web Development Is a Blood Sport—Don’t Wander onto the Field Without a Helmet

Chapter 1. Security Is a Server Issue and Other Myths

Reality Check

Security Is a Server Issue

Security Through Obscurity

Native Session Management Provides Plenty of Security

“My Application Isn’t Major Enough to Get Hacked”

The “Barbarians at the Gate” Syndrome

Wrapping It Up

Part II. Is That Hole Really Big Enough to Drive a Truck Through?

Chapter 2. Error Handling

The Guestbook Application

Users Do the Darnedest Things …

Building an Error-Handling Mechanism

Wrapping It Up

Chapter 3. System Calls

Navigating the Dangerous Waters of exec(), system(), and Backticks

Using escapeshellcmd() and escapeshellarg() to Secure System Calls

Create an API to Handle All System Calls

Patch the Guestbook Application

Wrapping It Up

Part III. What’s In a Name? More Than You Expect

Chapter 4. Buffer Overflows and Variable Sanitation

What Is a Buffer, How Does It Overflow, and Why Should You Care?

Prevent Buffer Overflows by Sanitizing Variables

Patch the Application

Wrapping It Up

Chapter 5. Input Validation

New Feature: Allow Users to Sign Their Guestbook Comments

The Problem: Users Who Give You More than You Asked For

Assumptions: You Know What Your Data Looks Like

The Solution: Regular Expressions to Validate Input

Wrapping It Up

Chapter 6. Filesystem Access: Accessing the Filesystem for Fun and Profit

Opening Files

Creating and Storing Files

Changing File Properties Safely

Patching the Application to Allow User-Uploaded Image Files

Wrapping It Up

Part IV. “Aw Come On Man, You Can Trust Me”

Chapter 7. Authentication

What Is User Authentication?

Privileges

How to Authenticate Users

Storing Usernames and Passwords

Patching the Application to Authenticate Users

Wrapping It Up

Chapter 8. Encryption

What Is Encryption?

Choosing an Encryption Type

Password Security

Patching the Application to Encrypt Passwords

Wrapping It Up

Chapter 9. Session Security

What Is a Session Variable?

Major Types of Session Attacks

Patching the Application to Secure the Session

Wrapping It Up

Chapter 10. Cross-Site Scripting

What Is XSS?

Reflected XSS

Stored XSS

Patching the Application to Prevent XSS Attacks

Wrapping It Up

Part V. Locking Up for the Night

Chapter 11. Securing Apache and MySQL

Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure

Securing a UNIX, Linux, or Mac OS X Environment

Securing Apache

Securing MySQL

Wrapping It Up

Chapter 12. Securing IIS and SQL Server

Securing a Windows Server Environment

Securing IIS

Securing SQL Server

Wrapping It Up

Chapter 13. Securing PHP on the Server

Using the Latest Version of PHP

Using the Security Features Built into PHP and Apache

Using ModSecurity

Hardening php.ini

Wrapping It Up

Chapter 14. Introduction to Automated Testing

Why Are We Talking About Testing in a Security Book?

Testing Framework

Types of Tests

Choosing Solid Test Data

Wrapping It Up

Chapter 15. Introduction to Exploit Testing

What Is Exploit Testing?

Fuzzing

Testing Toolkits

Proprietary Test Suites

Wrapping It Up

Part VI. “Don’t Get Hacked” Is Not a Viable Security Policy

Chapter 16. Plan A: Designing a Secure Application from the Beginning

Before You Sit Down at the Keyboard …

Identifying Points of Failure

Wrapping It Up

Chapter 17. Plan B: Plugging the Holes in Your Existing Application

Set Up Your Environment

Application Hardening Checklist

Wrapping It Up

Security Is a Lifestyle Choice: Becoming a Better Programmer

Avoid Feature Creep

Write Self-Documenting Code

Use the Right Tools for the Job

Have Your Code Peer-Reviewed

Wrapping It Up

Appendix. Additional Resources

PEAR

Books

Web Sites

Tools

Glossary

Index
