The highly successful security book returns with a new edition, completely updated

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

* Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition

* Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more

* Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it.

This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.

• Discover how cloud architectures and social networking have added exploitable attack surfaces to applications

• Leverage the latest HTML features to deliver powerful cross-site scripting attacks

• Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks

• Learn how to break encrypted session tokens and other sensitive data found in cloud services

• Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users

• Learn new techniques for automating attacksand dealing with CAPTCHAs and cross-site request forgery tokens

• Steal sensitive data across domains using seemingly harmless application functions and new browser features

Find help and resources at http://mdsec.net/wahh

• Source code for some of the scripts in the book

• Links to tools and other resources

• A checklist of tasks involved in most attacks

• Answers to the questions posed in each chapter

• Hundreds of interactive vulnerability labs

Introduction xxiii

Chapter 1 Web Application (In)security 1

The Evolution of Web Applications 2

Web Application Security 6

Summary 15

Chapter 2 Core Defense Mechanisms 17

Handling User Access 18

Handling User Input 21

Handling Attackers 30

Managing the Application 35

Summary 36

Questions 36

Chapter 3 Web Application Technologies 39

The HTTP Protocol 39

Web Functionality 51

Encoding Schemes 66

Next Steps 70

Questions 71

Chapter 4 Mapping the Application 73

Enumerating Content and Functionality 74

Analyzing the Application 97

Summary 114

Questions 114

Chapter 5 Bypassing Client-Side Controls 117

Transmitting Data Via the Client 118

Capturing User Data: HTML Forms 127

Capturing User Data: Browser Extensions 133

Handling Client-Side Data Securely 154

Summary 156

Questions 157

Chapter 6 Attacking Authentication 159

Authentication Technologies 160

Design Flaws in Authentication Mechanisms 161

Implementation Flaws in Authentication 185

Securing Authentication 191

Summary 201

Questions 202

Chapter 7 Attacking Session Management 205

The Need for State 206

Weaknesses in Token Generation 210

Weaknesses in Session Token Handling 233

Securing Session Management 248

Summary 254

Questions 255

Chapter 8 Attacking Access Controls 257

Common Vulnerabilities 258

Attacking Access Controls 266

Securing Access Controls 278

Summary 284

Questions 284

Chapter 9 Attacking Data Stores 287

Injecting into Interpreted Contexts 288

Injecting into SQL 291

Injecting into NoSQL 342

Injecting into XPath 344

Injecting into LDAP 349

Summary 354

Questions 354

Chapter 10 Attacking Back-End Components 357

Injecting OS Commands 358

Manipulating File Paths 368

Injecting into XML Interpreters 383

Injecting into Back-end HTTP Requests 390

Injecting into Mail Services 397

Summary 402

Questions 403

Chapter 11 Attacking Application Logic 405

The Nature of Logic Flaws 406

Real-World Logic Flaws 406

Avoiding Logic Flaws 428

Summary 429

Questions 430

Chapter 12 Attacking Users: Cross-Site Scripting 431

Varieties of XSS 433

XSS Attacks in Action 442

Finding and Exploiting XSS Vulnerabilities 451

Preventing XSS Attacks 492

Summary 498

Questions 498

Chapter 13 Attacking Users: Other Techniques 501

Inducing User Actions 501

Capturing Data Cross-Domain 515

The Same-Origin Policy Revisited 524

Other Client-Side Injection Attacks 531

Local Privacy Attacks 550

Attacking ActiveX Controls 555

Attacking the Browser 559

Summary 568

Questions 568

Chapter 14 Automating Customized Attacks 571

Uses for Customized Automation 572

Enumerating Valid Identifiers 573

Harvesting Useful Data 583

Fuzzing for Common Vulnerabilities 586

Putting It All Together: Burp Intruder 590

Barriers to Automation 602

Summary 613

Questions 613

Chapter 15 Exploiting Information Disclosure 615

Exploiting Error Messages 615

Gathering Published ...