Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions (Hacking Exposed)
by Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos
Sales Rank: 284386
List Price: $49.99 (Amazon price: $31.49)
Paperback: 258 pages
Publisher: McGraw-Hill Osborne Media; 1 edition December 17, 2007
Language: English
ISBN-10: 0071494618
ISBN-13: 978-0071494618
Product Dimensions: 8.9 x 7.3 x 0.7 inches
Shipping Weight: 1.1 pounds
Product Description
Lock down next-generation Web services
"This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites, and the authors give solid, practical advice on how to identify and mitigate these threats." --Max Kelly, CISSP, CIPP, CFCE, Senior Director of Security, Facebook
Protect your Web 2.0 architecture against the latest wave of cybercrime using expert tactics from Internet security professionals. Hacking Exposed Web 2.0 shows how hackers perform reconnaissance, choose their entry point, and attack Web 2.0-based services, and reveals detailed countermeasures and defense techniques. You'll learn how to avoid injection and buffer overflow attacks, fix browser and plug-in flaws, and secure AJAX, Flash, and XML-driven applications. Real-world case studies illustrate social networking site weaknesses, cross-site attack methods, migration vulnerabilities, and IE7 shortcomings.
- Plug security holes in Web 2.0 implementations the proven Hacking Exposed way
- Learn how hackers target and abuse vulnerable Web 2.0 applications, browsers, plug-ins, online databases, user inputs, and HTML forms
- Prevent Web 2.0-based SQL, XPath, XQuery, LDAP, and command injection attacks
- Circumvent XXE, directory traversal, and buffer overflow exploits
- Learn XSS and Cross-Site Request Forgery methods attackers use to bypass browser security controls
- Fix vulnerabilities in Outlook Express and Acrobat Reader add-ons
- Use input validators and XML classes to reinforce ASP and .NET security
- Eliminate unintentional exposures in ASP.NET AJAX (Atlas), Direct Web Remoting, Sajax, and GWT Web applications
- Mitigate ActiveX security exposures using SiteLock, code signing, and secure controls
- Find and fix Adobe Flash vulnerabilities and DNS rebinding attacks
About The Author
Rich Cannings is a senior information security engineer at Google.
Himanshu Dwivedi is a founding partner of iSEC Partners, an information security organization, and the author of several security books.
Zane Lackey is a senior security consultant with iSEC Partners.
Customer Reviews & Comments
Thanks to McGraw-Hill for my review copy. Based on my review criteria this book should have easily been a 4 or 5 star book, but I gave it 3 stars for its major flaw. Its major flaw is that it only talks about iSEC Partners' SecurityQA Toolbar as a tool for testing for the different types of web application vulnerabilities. Only discussing one closed-source, for-pay tool that only runs on Windows is really disappointing from a security professional standpoint. I really expected a good snapshot in time on the DIFFERENT tools and techniques for doing web 2.0 auditing. There are tons of "for-pay" and, more importantly, FREE web application scanners and tools that look for the same vulnerabilities discussed in the book, and the fact that they don't mention any other tools or methods is very disappointing. Now that the above is out of the way, let's get on with the likes and dislikes.

Likes:
- The analysis of the Samy worm is excellent. They break the code apart and really analyze what's going on and why it worked at the time.
- The chapter on ActiveX security is excellent. It covers a lot of ground on why ActiveX controls are bad, how to fuzz them, and how to defend against them.
- The whole first part of the book on Web 1.0 vulnerabilities is well written. I had just finished XSS Attacks, and having that background helped a lot with the relevant chapters in HE Web 2.0.

Dislikes:
- The book is short, about 246 pages; that's probably too short for the price for a security book.
- A good chunk of the chapters cover, over and over, installing and using their SecurityQA Toolbar. I only need it once, if that.
- I think the book stops a bit short of actually exploiting Web 2.0 vulnerabilities. It talks a lot about identifying which 2.0 framework an application was built with, identifying different methods in that application, whether debug functionality is enabled, and finding hidden URLs, but how to exploit SQL injection, XPath injection, or LDAP injection issues IN web 2.0 applications is missing. That was the core problem with web 1.0; it's still a valid and dangerous entry point for web 2.0 and should have been covered. Hacking Exposed is generally about exploiting vulnerabilities and not stopping at identifying them, which is where the book seems to have stopped.

Overall the authors are obviously very knowledgeable about the subject. One of the other reviewers mentioned that it goes from technically very easy to very difficult even within chapters, and I think this is true. The code samples for the examples they give are great, and their explanations of web 1.0 and web 2.0 threats are very well written with good examples. Like I said, had it not been for their fixation with their own tool as the only option we have for web 1.0 and 2.0 testing, this would have easily been a 4 star book. For those a bit more interested in web 2.0 I would recommend checking out Shreeraj Shah's Web 2.0 Security and Hacking Web Services books and his website, which has free web 2.0 auditing tools.