Web Application Defender's Cookbook: Battling Hackers and Protecting Users
Introduction
Foreword
Part I: Preparing the Battle Space
Chapter 1: Application Fortification
Recipe 1-1: Real-time Application Profiling
Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens
Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS)
Recipe 1-4: Integrating Intrusion Detection System Signatures
Recipe 1-5: Using Bayesian Attack Payload Detection
Recipe 1-6: Enable Full HTTP Audit Logging
Recipe 1-7: Logging Only Relevant Transactions
Recipe 1-8: Ignoring Requests for Static Content
Recipe 1-9: Obscuring Sensitive Data in Logs
Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog
Recipe 1-11: Using the ModSecurity AuditConsole
Chapter 2: Vulnerability Identification and Remediation
Recipe 2-1: Passive Vulnerability Identification
Recipe 2-2: Active Vulnerability Identification
Recipe 2-3: Manual Scan Result Conversion
Recipe 2-4: Automated Scan Result Conversion
Recipe 2-5: Real-time Resource Assessments and Virtual Patching
Chapter 3: Poisoned Pawns (Hacker Traps)
Recipe 3-1: Adding Honeypot Ports
Recipe 3-2: Adding Fake robots.txt Disallow Entries
Recipe 3-3: Adding Fake HTML Comments
Recipe 3-4: Adding Fake Hidden Form Fields
Recipe 3-5: Adding Fake Cookies
Part II: Asymmetric Warfare
Chapter 4: Reputation and Third-Party Correlation
Recipe 4-1: Analyzing the Client’s Geographic Location Data
Recipe 4-2: Identifying Suspicious Open Proxy Usage
Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL)
Recipe 4-4: Running Your Own RBL
Recipe 4-5: Detecting Malicious Links
Chapter 5: Request Data Analysis
Recipe 5-1: Request Body Access
Recipe 5-2: Identifying Malformed Request Bodies
Recipe 5-3: Normalizing Unicode
Recipe 5-4: Identifying Use of Multiple Encodings
Recipe 5-5: Identifying Encoding Anomalies
Recipe 5-6: Detecting Request Method Anomalies
Recipe 5-7: Detecting Invalid URI Data
Recipe 5-8: Detecting Request Header Anomalies
Recipe 5-9: Detecting Additional Parameters
Recipe 5-10: Detecting Missing Parameters
Recipe 5-11: Detecting Duplicate Parameter Names
Recipe 5-12: Detecting Parameter Payload Size Anomalies
Recipe 5-13: Detecting Parameter Character Class Anomalies
Chapter 6: Response Data Analysis
Recipe 6-1: Detecting Response Header Anomalies
Recipe 6-2: Detecting Response Header Information Leakages
Recipe 6-3: Response Body Access
Recipe 6-4: Detecting Page Title Changes
Recipe 6-5: Detecting Page Size Deviations
Recipe 6-6: Detecting Dynamic Content Changes
Recipe 6-7: Detecting Source Code Leakages
Recipe 6-8: Detecting Technical Data Leakages
Recipe 6-9: Detecting Abnormal Response Time Intervals
Recipe 6-10: Detecting Sensitive User Data Leakages
Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts
Chapter 7: Defending Authentication
Recipe 7-1: Detecting the Submission of Common/Default Usernames
Recipe 7-2: Detecting the Submission of Multiple Usernames
Recipe 7-3: Detecting Failed Authentication Attempts
Recipe 7-4: Detecting a High Rate of Authentication Attempts
Recipe 7-5: Normalizing Authentication Failure Details
Recipe 7-6: Enforcing Password Complexity
Recipe 7-7: Correlating Usernames with SessionIDs
Chapter 8: Defending Session State
Recipe 8-1: Detecting Invalid Cookies
Recipe 8-2: Detecting Cookie Tampering
Recipe 8-3: Enforcing Session Timeouts
Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime
Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions
Chapter 9: Preventing Application Attacks
Recipe 9-1: Blocking Non-ASCII Characters
Recipe 9-2: Preventing Path-Traversal Attacks
Recipe 9-3: Preventing Forceful Browsing Attacks
Recipe 9-4: Preventing SQL Injection Attacks
Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks
Recipe 9-6: Preventing OS Commanding Attacks
Recipe 9-7: Preventing HTTP Request Smuggling Attacks
Recipe 9-8: Preventing HTTP Response Splitting Attacks
Recipe 9-9: Preventing XML Attacks
Chapter 10: Preventing Client Attacks
Recipe 10-1: Implementing Content Security Policy (CSP)
Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks
Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks
Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks
Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks
Chapter 11: Defending File Uploads
Recipe 11-1: Detecting Large File Sizes
Recipe 11-2: Detecting a Large Number of Files
Recipe 11-3: Inspecting File Attachments for Malware
Chapter 12: Enforcing Access Rate and Application Flows
Recipe 12-1: Detecting High Application Access Rates
Recipe 12-2: Detecting Request/Response Delay Attacks
Recipe 12-3: Identifying Inter-Request Time Delay Anomalies
Recipe 12-4: Identifying Request Flow Anomalies
Recipe 12-5: Identifying a Significant Increase in Resource Usage
Part III: Tactical Response
Chapter 13: Passive Response Actions
Recipe 13-1: Tracking Anomaly Scores
Recipe 13-2: Trap and Trace Audit Logging
Recipe 13-3: Issuing E‑mail Alerts
Recipe 13-4: Data Sharing with Request Header Tagging
Chapter 14: Active Response Actions
Recipe 14-1: Using Redirection to Error Pages
Recipe 14-2: Dropping Connections
Recipe 14-3: Blocking the Client Source Address
Recipe 14-4: Restricting Geolocation Access Through Defense Condition (DefCon) Level Changes
Recipe 14-5: Forcing Transaction Delays
Recipe 14-6: Spoofing Successful Attacks
Recipe 14-7: Proxying Traffic to Honeypots
Recipe 14-8: Forcing an Application Logout
Recipe 14-9: Temporarily Locking Account Access
Chapter 15: Intrusive Response Actions
Recipe 15-1: JavaScript Cookie Testing
Recipe 15-2: Validating Users with CAPTCHA Testing
Recipe 15-3: Hooking Malicious Clients with BeEF
Index
The Web Application Defender’s Cookbook Battling Hackers and Protecting Users Ryan Barnett
The Web Application Defender’s Cookbook: Battling Hackers and Protecting Users

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2013 by Ryan Barnett. Published simultaneously in Canada.

ISBN: 978-1-118-36218-1
ISBN: 978-1-118-56871-2 (ebk)
ISBN: 978-1-118-41705-8 (ebk)
ISBN: 978-1-118-56865-1 (ebk)

Manufactured in the United States of America. 10 9 8 7 6 5 4 3 2 1

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting http://booksupport.wiley.com. For more information about Wiley products, visit us at www.wiley.com.

Library of Congress Control Number: 2012949513

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
This book is dedicated to my incredible daughter, Isabella. You are so full of imagination, kindness, and humor that I have a constant smile on my face. You are my Supergirl-flying, tae-kwon-do-kicking, fairy princess! I thank God every day for bringing you into my life and for allowing me the joy and privilege of being your father. I love you Izzy, and I am so proud of you.