"Web Application Obfuscation: '-/WAFs.. Evasion.. Filters//alert(/Obfuscation/)-'" by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay
Elsevier, Syngress | 2011 | ISBN: 1597496049 9781597496049 | 290 pages | PDF/djvu | 2/3 MB
This book takes a look at common Web infrastructure and security controls from an attacker's perspective, allowing the reader to understand the shortcomings of their security systems.
Web applications are used every day by millions of users, which is why they are one of the most popular vectors for attackers. Obfuscation of code has allowed attackers to take one attack and create hundreds, if not millions, of variants that can evade your security measures.
Find out how an attacker would bypass different types of security controls, how these very security controls introduce new types of vulnerabilities, and how to avoid common pitfalls in order to strengthen your defenses.
Looks at security tools like IDS/IPS that are often the only defense in protecting sensitive data and assets
Evaluates Web application vulnerabilities from the attacker's perspective and explains how these very systems introduce new types of vulnerabilities
Teaches how to secure your data, including info on browser quirks, new attacks and syntax tricks to add to your defenses against XSS, SQL injection, and more
Contents
About the Authors
About the Technical Editor
CHAPTER 1 Introduction
Chapter 2: "HTML"
Chapter 5: "CSS"
Chapter 6: "PHP"
Chapter 7: "SQL"
Chapter 8: "Web application firewalls and client-side filters"
Chapter 9: "Mitigating bypasses and attacks"
Chapter 10: "Future developments"
CHAPTER 2 HTML
History and overview
The document type definition
The doctype declaration
Why markup obfuscation?
Basic markup obfuscation
Structure of valid markup
Playing with the markup
Advanced markup obfuscation
Broken protocol handlers
End of statement
The execScript function in VBScript
The jscript.compact value
The jscript.encode value
The execScript function in JScript
CHAPTER 5 CSS
Rulesets and selectors
UI redressing attacks
Attacks using the CSS attribute reader
Remote stylesheet inclusion attacks
CHAPTER 6 PHP
History and overview
Obfuscation in PHP
PHP and numerical data types
CHAPTER 7 SQL
SQL: A short introduction
Relevant SQL language elements
Strings in SQL
CHAPTER 8 Web application firewalls and client-side filters
Bypassing client-side filters
Denial of service with regular expressions
CHAPTER 9 Mitigating bypasses and attacks
Protecting against code injections
HTML injection and cross-site scripting
Server-side code execution
Protecting the DOM
CHAPTER 10 Future developments
Impact on current applications
Current security model of the web
Extending same origin policy
New attributes for Iframe
The text/html-sandboxed content type
The X-Frame-Options header
The X-XSS-Protection header
The Strict-Transport-Security header
The Content-Security-Policy header
The flash plug-in
The Java Plug-in
with TOC BookMarkLinks
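The description above (one attack, many variants that slip past a filter) and the contents entries on bypassing client-side filters and protecting against code injections, as an added example in JavaScript that is not from the book or its authors: a keyword blacklist filter, three re-encodings of the payloads it blocks that pass it untouched, one vector it never listed, a deliberately minimal model of the normalisation a browser applies before the keywords become visible, and the output-encoding defence that needs no list. The blacklist regex, the sample payloads (constructed here; all are well-known public vectors, and which of them fire depends on the browser) and the `browserView` model are assumptions of this example, not anything the book specifies.

```javascript
// Added example (not code from the book): a keyword blacklist of the kind
// a WAF or server-side sanitiser might use, three obfuscated variants that
// slip past it although a browser still executes them, one vector the list
// simply never mentions, and the output-encoding defence that does not
// depend on recognising payloads at all.
// All payloads are constructed sample inputs (well-known public vectors).

// Naive blacklist: inspects the raw input, not what the browser will see.
const BLACKLIST = /<script|javascript:|onerror=|onload=/i;

function naiveFilter(input) {
  return BLACKLIST.test(input); // true = rejected
}

// The canonical payloads the list was written to stop.
const CANONICAL = [
  '<script>alert(1)</script>',
  '<a href="javascript:alert(1)">x</a>',
  '<img src=x onerror=alert(1)>',
];

// Same payloads, re-encoded. The HTML tokenizer allows whitespace between an
// attribute name and "=", decodes character references inside attribute
// values (srcdoc included), and the URL parser strips ASCII tab/newline from
// a URL before it reads the scheme.
const REPRESENTATION_VARIANTS = [
  '<img src=x onerror\t=alert(1)>',
  '<a href="java&#9;script:alert(1)">x</a>',
  '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;">',
];

// Nothing is obfuscated here; the event name is just not on the list.
const UNLISTED_VECTOR = '<input autofocus onfocus=alert(1)>';

// Deliberately minimal model of the normalisation above (assumption of this
// example, not a real HTML or URL parser): decode numeric and a few named
// character references, drop tab/LF/CR, and remove whitespace between an
// event attribute name and "=".
function browserView(input) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return input
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(lt|gt|amp|quot|apos);/g, (_, n) => named[n])
    .replace(/[\t\n\r]/g, '')
    .replace(/(on\w+)\s*=/gi, '$1=');
}

// Output encoding for an HTML text or quoted-attribute context: no keyword
// list and no normalisation race, because the markup characters are inert.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function evaluate() {
  const all = [...CANONICAL, ...REPRESENTATION_VARIANTS, UNLISTED_VECTOR];
  return {
    // The list does its job against the inputs it was written for...
    canonicalBlocked: CANONICAL.every(naiveFilter),
    // ...and fails against every equivalent re-encoding and the unlisted event.
    variantsBypassNaive: [...REPRESENTATION_VARIANTS, UNLISTED_VECTOR].every((v) => !naiveFilter(v)),
    // Matching what the browser sees closes the representation gap...
    variantsCaughtAfterNormalisation: REPRESENTATION_VARIANTS.every((v) => BLACKLIST.test(browserView(v))),
    // ...but not the incomplete-list gap.
    unlistedStillPasses: !BLACKLIST.test(browserView(UNLISTED_VECTOR)),
    // Encoding neutralises all of them without knowing any of them.
    encodedIsInert: all.every((p) => !/[<>"']/.test(htmlEncode(p))),
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Run it with `node`. The two results worth keeping apart are `variantsCaughtAfterNormalisation`, which shows that normalising before matching only closes the gap between what the filter reads and what the browser parses, and `unlistedStillPasses`, which is the gap no amount of normalisation closes and the reason the encoding step at the end does not rely on a keyword list.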