I.1 The Rules.
I.2 The Examples.
I.3 The Chapters.
I.4 What is Not in this Book?
I.5 A Note From the Author.
1. The Basics.
1.5 Do You Want to Know More?
2. Passing Data to Subsystems.
2.1 SQL Injection.
2.2 Shell Command Injection.
2.3 Talking to Programs Written in C/C++.
2.4 The Evil Eval.
2.5 Solving Metacharacter Problems.
3. User Input.
3.1 What is Input Anyway?
3.2 Validating Input.
3.3 Handling Invalid Input.
3.4 The Dangers of Client-side Validation.
3.5 Authorization Problems.
3.6 Protecting Server-generated Input.
4. Output Handling: The Cross-site Scripting Problem.
4.2 The Problem.
4.3 The Solution.
4.4 Browser Character Sets.
4.5 Summary.; 4.6 Do You Want to Know More?
5. Web Trojans.
5.2 The Problem.
5.3 A Solution.
6. Passwords and Other Secrets.
6.2 Password-based Authentication.
6.3 Secret Identifiers.
6.4 Secret Leakage.
6.5 Availability of Server-side Code.
6.7 Do You Want to Know More?
7. Enemies of Secure Code.
7.5 Closing Remarks.
7.6 Do You Want to Know More?
8. Summary of Rules for Secure Coding.
Appendix A: Bugs in the Web Server.
Appendix B: Packet Sniffing.
Appendix C: Sending HTML Formatted E-mails with Forged Sender Address.
Appendix D: More Information.
"?achieves its aims admirably?" (PC Utilities, April 2004)
??should be required reading for web developers?? (about.com, March 2004)
??if you are a web techie you will love this book, I did?? (Infosecurity Today, July 04)
- Identifies the "Achilles Heel" of Web security and directs those who can to do something about it - application programmers
- Advocates preventative as well as curative measures
- Demonstrates the vulnerability of real life sites with actual code samples
- Addresses concepts, not bugs in particular software
- Covers SQL injection attacks, cross-site scripting, data manipulation in order to by-pass authorisation and other attacks that work because of missing pieces of code, or logical errors