The latest Web app attacks and countermeasures from world-renowned practitioners Protect your Web applications from malicious attacks by mastering the weapons and thought processes of today's hacker. Written by recognized security practitioners and thought leaders, Hacking Exposed Web Applications, Third Edition is fully updated to cover new infiltration methods and countermeasures. Find out how to reinforce authentication and authorization, plug holes in Firefox and IE, reinforce against injection attacks, and secure Web 2.0 features. Integrating security into the Web development lifecycle (SDL) and into the broader enterprise information security program is also covered in this comprehensive resource. Get full details on the hacker's footprinting, scanning, and profiling tools, including SHODAN, Maltego, and OWASP DirBuster See new exploits of popular platforms like Sun Java System Web Server and Oracle WebLogic in operation Understand how attackers defeat commonly used Web authentication technologies See how real-world session attacks leak sensitive data and how to fortify your applications Learn the most devastating methods used in today's hacks, including SQL injection, XSS, XSRF, phishing, and XML injection techniques Find and fix vulnerabilities in ASP.NET, PHP, and J2EE execution environments Safety deploy XML, social networking, cloud computing, and Web 2.0 services Defend against RIA, Ajax, UGC, and browser-based, client-side exploits Implement scalable threat modeling, code review, application scanning, fuzzing, and security testing procedures

Implement bulletproof e-business security the proven Hacking Exposed way Defend against the latest Web-based attacks by looking at your Web applications through the eyes of a malicious intruder. Fully revised and updated to cover the latest Web exploitation techniques, Hacking Exposed Web Applications, Second Edition shows you, step-by-step, how cyber-criminals target vulnerable sites, gain access, steal critical data, and execute devastating attacks. All of the cutting-edge threats and vulnerabilities are covered in full detail alongside real-world examples, case studies, and battle-tested countermeasures from the authors' experiences as gray hat security professionals. Find out how hackers use infrastructure and application profiling to perform reconnaissance and enter vulnerable systems Get details on exploits, evasion techniques, and countermeasures for the most popular Web platforms, including IIS, Apache, PHP, and ASP.NET Learn the strengths and weaknesses of common Web authentication mechanisms, including password-based, multifactor, and single sign-on mechanisms like Passport See how to excise the heart of any Web application's access controls through advanced session analysis, hijacking, and fixation techniques Find and fix input validation flaws, including cross-site scripting (XSS), SQL injection, HTTP response splitting, encoding, and special character abuse Get an in-depth presentation of the newest SQL injection techniques, including blind attacks, advanced exploitation through subqueries, Oracle exploits, and improved countermeasures Learn about the latest XML Web Services hacks, Web management attacks, and DDoS attacks, including click fraud Tour Firefox and IE exploits, as well as the newest socially-driven client attacks like phishing and adware

The latest wireless security solutions Protect your wireless systems from crippling attacks using the detailed security information in this comprehensive volume. Thoroughly updated to cover today's established and emerging wireless technologies, Hacking Exposed Wireless, second edition reveals how attackers use readily available and custom tools to target, infiltrate, and hijack vulnerable systems. This book discusses the latest developments in Wi-Fi, Bluetooth, ZigBee, and DECT hacking, and explains how to perform penetration tests, reinforce WPA protection schemes, mitigate packet injection risk, and lock down Bluetooth and RF devices. Cutting-edge techniques for exploiting Wi-Fi clients, WPA2, cordless phones, Bluetooth pairing, and ZigBee encryption are also covered in this fully revised guide. Build and configure your Wi-Fi attack arsenal with the best hardware and software tools Explore common weaknesses in WPA2 networks through the eyes of an attacker Leverage post-compromise remote client attacks on Windows 7 and Mac OS X Master attack tools to exploit wireless systems, including Aircrack-ng, coWPAtty, Pyrit, IPPON, FreeRADIUS-WPE, and the all new KillerBee Evaluate your threat to software update impersonation attacks on public networks Assess your threat to eavesdropping attacks on Wi-Fi, Bluetooth, ZigBee, and DECT networks using commercial and custom tools Develop advanced skills leveraging Software Defined Radio and other flexible frameworks Apply comprehensive defenses to protect your wireless devices and infrastructure

Security Smarts for the Self-Guided IT Professional “Get to know the hackers—or plan on getting hacked. Sullivan and Liu have created a savvy, essentials-based approach to web app security packed with immediately applicable tools for any information security practitioner sharpening his or her tools or just starting out.”—Ryan McGeehan, Security Manager, Facebook, Inc. Secure web applications from today's most devious hackers. Web Application Security: A Beginner's Guide helps you stock your security toolkit, prevent common hacks, and defend quickly against malicious attacks. This practical resource includes chapters on authentication, authorization, and session management, along with browser, database, and file security--all supported by true stories from industry. You'll also get best practices for vulnerability detection and secure development, as well as a chapter that covers essential security fundamentals. This book's templates, checklists, and examples are designed to help you get started right away. Web Application Security: A Beginner's Guide features: Lingo--Common security terms defined so that you're in the know on the job IMHO--Frank and relevant opinions based on the authors' years of industry experience Budget Note--Tips for getting security technologies and processes into your organization's budget In Actual Practice--Exceptions to the rules of security explained in real-world contexts Your Plan--Customizable checklists you can use on the job now Into Action--Tips on how, why, and when to apply new skills and techniques at work

The latest tactics for thwarting digital attacks “Our new reality is zero-day, APT, and state-sponsored attacks. Today, more than ever, security professionals need to get into the hacker’s mind, methods, and toolbox to successfully deter such relentless assaults. This edition brings readers abreast with the latest attack vectors and arms them for these continually evolving threats.” --Brett Wahlin, CSO, Sony Network Entertainment “Stop taking punches--let’s change the game; it’s time for a paradigm shift in the way we secure our networks, and Hacking Exposed 7 is the playbook for bringing pain to our adversaries.” --Shawn Henry, former Executive Assistant Director, FBI Bolster your system’s security and defeat the tools and tactics of cyber-criminals with expert advice and defense strategies from the world-renowned Hacking Exposed team. Case studies expose the hacker’s latest devious methods and illustrate field-tested remedies. Find out how to block infrastructure hacks, minimize advanced persistent threats, neutralize malicious code, secure web and database applications, and fortify UNIX networks. Hacking Exposed 7: Network Security Secrets & Solutions contains all-new visual maps and a comprehensive “countermeasures cookbook.” Obstruct APTs and web-based meta-exploits Defend against UNIX-based root access and buffer overflow hacks Block SQL injection, spear phishing, and embedded-code attacks Detect and terminate rootkits, Trojans, bots, worms, and malware Lock down remote access using smartcards and hardware tokens Protect 802.11 WLANs with multilayered encryption and gateways Plug holes in VoIP, social networking, cloud, and Web 2.0 services Learn about the latest iPhone and Android attacks and how to protect yourself

Secure today's mobile devices and applications Implement a systematic approach to security in your mobile application development with help from this practical guide. Featuring case studies, code examples, and best practices, Mobile Application Security details how to protect against vulnerabilities in the latest smartphone and PDA platforms. Maximize isolation, lockdown internal and removable storage, work with sandboxing and signing, and encrypt sensitive user information. Safeguards against viruses, worms, malware, and buffer overflow exploits are also covered in this comprehensive resource. Design highly isolated, secure, and authenticated mobile applications Use the Google Android emulator, debugger, and third-party security tools Configure Apple iPhone APIs to prevent overflow and SQL injection attacks Employ private and public key cryptography on Windows Mobile devices Enforce fine-grained security policies using the BlackBerry Enterprise Server Plug holes in Java Mobile Edition, SymbianOS, and WebOS applications Test for XSS, CSRF, HTTP redirects, and phishing attacks on WAP/Mobile HTML applications Identify and eliminate threats from Bluetooth, SMS, and GPS services Himanshu Dwivedi is a co-founder of iSEC Partners (www.isecpartners.com), an information security firm specializing in application security. Chris Clark is a principal security consultant with iSEC Partners. David Thiel is a principal security consultant with iSEC Partners.

Seven Deadliest Web Application Attacks highlights the vagaries of web security by discussing the seven deadliest vulnerabilities exploited by attackers. This book pinpoints the most dangerous hacks and exploits specific to web applications, laying out the anatomy of these attacks including how to make your system more secure. You will discover the best ways to defend against these vicious hacks with step-by-step instruction and learn techniques to make your computer and network impenetrable. Each chapter presents examples of different attacks conducted against web sites. The methodology behind the attack is explored, showing its potential impact. The chapter then moves on to address possible countermeasures for different aspects of the attack. The book consists of seven chapters that cover the following: the most pervasive and easily exploited vulnerabilities in web sites and web browsers; Structured Query Language (SQL) injection attacks; mistakes of server administrators that expose the web site to attack; brute force attacks; and logic attacks. The ways in which malicious software malware has been growing as a threat on the Web are also considered. This book is intended for information security professionals of all levels, as well as web application developers and recreational hackers. - Knowledge is power, find out about the most dominant attacks currently waging war on computers and networks globally - Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how - Institute countermeasures, don't be caught defenseless again, and learn techniques to make your computer and network impenetrable

The latest Windows security attack and defense strategies "Securing Windows begins with reading this book." --James Costello (CISSP) IT Security Specialist, Honeywell Meet the challenges of Windows security with the exclusive Hacking Exposed "attack-countermeasure" approach. Learn how real-world malicious hackers conduct reconnaissance of targets and then exploit common misconfigurations and software flaws on both clients and servers. See leading-edge exploitation techniques demonstrated, and learn how the latest countermeasures in Windows XP, Vista, and Server 2003/2008 can mitigate these attacks. Get practical advice based on the authors' and contributors' many years as security professionals hired to break into the world's largest IT infrastructures. Dramatically improve the security of Microsoft technology deployments of all sizes when you learn to: Establish business relevance and context for security by highlighting real-world risks Take a tour of the Windows security architecture from the hacker's perspective, exposing old and new vulnerabilities that can easily be avoided Understand how hackers use reconnaissance techniques such as footprinting, scanning, banner grabbing, DNS queries, and Google searches to locate vulnerable Windows systems Learn how information is extracted anonymously from Windows using simple NetBIOS, SMB, MSRPC, SNMP, and Active Directory enumeration techniques Prevent the latest remote network exploits such as password grinding via WMI and Terminal Server, passive Kerberos logon sniffing, rogue server/man-in-the-middle attacks, and cracking vulnerable services See up close how professional hackers reverse engineer and develop new Windows exploits Identify and eliminate rootkits, malware, and stealth software Fortify SQL Server against external and insider attacks Harden your clients and users against the latest e-mail phishing, spyware, adware, and Internet Explorer threats Deploy and configure the latest Windows security countermeasures, including BitLocker, Integrity Levels, User Account Control, the updated Windows Firewall, Group Policy, Vista Service Refactoring/Hardening, SafeSEH, GS, DEP, Patchguard, and Address Space Layout Randomization

Secure Your Systems Using the Latest IT Auditing Techniques Fully updated to cover leading-edge tools and technologies, IT Auditing: Using Controls to Protect Information Assets, Second Edition, explains, step by step, how to implement a successful, enterprise-wide IT audit program. New chapters on auditing cloud computing, outsourced operations, virtualization, and storage are included. This comprehensive guide describes how to assemble an effective IT audit team and maximize the value of the IT audit function. In-depth details on performing specific audits are accompanied by real-world examples, ready-to-use checklists, and valuable templates. Standards, frameworks, regulations, and risk management techniques are also covered in this definitive resource. Build and maintain an internal IT audit function with maximum effectiveness and value Audit entity-level controls, data centers, and disaster recovery Examine switches, routers, and firewalls Evaluate Windows, UNIX, and Linux operating systems Audit Web servers and applications Analyze databases and storage solutions Assess WLAN and mobile devices Audit virtualized environments Evaluate risks associated with cloud computing and outsourced operations Drill down into applications to find potential control weaknesses Use standards and frameworks, such as COBIT, ITIL, and ISO Understand regulations, including Sarbanes-Oxley, HIPAA, and PCI Implement proven risk management practices

Essential Skills--Made Easy! Learn how to create data models that allow complex data to be analyzed, manipulated, extracted, and reported upon accurately. Data Modeling: A Beginner's Guide teaches you techniques for gathering business requirements and using them to produce conceptual, logical, and physical database designs. You'll get details on Unified Modeling Language (UML), normalization, incorporating business rules, handling temporal data, and analytical database design. The methods presented in this fast-paced tutorial are applicable to any database management system, regardless of vendor. Designed for Easy Learning Key Skills & Concepts--Chapter-opening lists of specific skills covered in the chapter Ask the expert--Q&A sections filled with bonus information and helpful tips Try This--Hands-on exercises that show you how to apply your skills Notes--Extra information related to the topic being covered Self Tests--Chapter-ending quizzes to test your knowledge Andy Oppel has taught database technology for the University of California Extension for more than 25 years. He is the author of Databases Demystified, SQL Demystified, and Databases: A Beginner's Guide, and the co-author of SQL: A Beginner's Guide, Third Edition, and SQL: The Complete Reference, Third Edition.