Web applications employ a myriad of different technologies to implement their functionality. This article contains a short primer on the key technologies that you are likely to encounter when attacking web applications. We shall examine the HTTP protocol, the technologies commonly employed on the server and client sides, and the encoding schemes used to represent … Read more
Any useful application needs to be managed and administered, and this facility often forms a key part of the application’s security mechanisms, providing a way for administrators to manage user accounts and roles, access monitoring and audit functions, perform diagnostic tasks, and configure aspects of the application’s functionality. In many applications, administrative functions are implemented … Read more
Anyone designing an application for which security is remotely important must work on the assumption that it will be directly targeted by dedicated and skilled attackers. A key function of the application’s security mechanisms is to be able to handle and react to these attacks in a controlled way. These mechanisms often incorporate a mix … Read more
Recall the fundamental security problem described in Chapter 1: all user input is untrusted. A huge variety of different attacks against web applications involve submitting unexpected input, crafted to cause behavior that was not intended by the application’s designers. Correspondingly, a key requirement for an application’s security defenses is that it must handle user input … Read more
A central security requirement that virtually any application needs to meet is to control users’ access to its data and functionality. In a typical situation, there are several different categories of user; for example, anonymous users, ordinary authenticated users, and administrative users. Further, in many situations different users are permitted to access a different set … Read more
The fundamental security problem with web applications — that all user input is untrusted — gives rise to a number of security mechanisms that applications use to defend themselves against attack. Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation differ very widely … Read more
Several years after their widespread adoption, web applications on the Internet today are still rife with vulnerabilities. Understanding of the security threats facing web applications, and effective ways of addressing these, remains immature within the industry. There is currently little indication that the problem factors described previously are going to go away in the near … Read more
As with any new class of technology, web applications have brought with them a new range of security vulnerabilities. The set of most commonly encountered defects has evolved somewhat over time. New attacks have been conceived that were not considered when existing applications were developed. Some problems have become less prevalent as awareness of them … Read more
In the early days of the Internet, the World Wide Web consisted only of web sites. These were essentially information repositories containing static documents, and web browsers were invented as a means of retrieving and displaying those documents, as shown in Figure. The flow of interesting information was one-way, from server to browser. Most sites … Read more
Version Numbering Before digging into programming, we’d like to comment on the version numbering scheme used in Linux and which versions are covered. First of all, note that every software package used in a Linux system has its own release number, and there are often interdependencies across them: you need a particular version of one … Read more