The Web Application Defender s Cookbook

Similar documents
Programming Interviews Exposed: Secrets to Landing Your Next Job

Graph Analysis and Visualization

These materials are the copyright of John Wiley & Sons, Inc. and any dissemination, distribution, or unauthorized use is strictly prohibited.

Ukulele In A Day. by Alistair Wood FOR. A John Wiley and Sons, Ltd, Publication

AutoCAD 2015 and AutoCAD LT Essentials

COVERS ALL TOPICS IN LEVEL I CFA EXAM REVIEW CFA LEVEL I FORMULA SHEETS

HUMAN RESOURCES MANAGEMENT FOR PUBLIC AND NONPROFIT ORGANIZATIONS


Building Performance Dashboards and Balanced Scorecards with SQL Server Reporting Services

Praise for Launch. Hands on and generous, Michael shows you precisely how he does it, step by step. Seth Godin, author of Linchpin

ModSecurity as Universal Cross-platform Web Protection Tool

How To Build Your Empire of Affiliate Business

Fundamentals of Financial Planning and Management for mall usiness

Mastering Australian Payroll with Xero In A Day

Statistics for Experimenters

Web Marketing ALL-IN-ONE FOR. DUMmIES 2ND EDITION

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

ARCHITECTING THE CLOUD

Praise for Agile Contracts

International Marketing Research

Limit of Liability/Disclaimer of Warranty:

Limit of Liability/Disclaimer of Warranty:

R49 Using SAP Payment Engine for payment transactions. Process Diagram

Computer Forensics JumpStart. Second Edition

NICK SMITH AND ROBERT WOLLAN WITH CATHERINE ZHOU. John Wiley & Sons, Inc.

How To Make Your Software More Secure

The Security Development Lifecycle at SAP How SAP Builds Security into Software Products

Understanding the Predictive Analytics Life Cycle

AN INTRODUCTION TO OPTIONS TRADING. Frans de Weert

CBEST/STAR Threat Intelligence

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Analysis of Financial Time Series

ModSecurity as Universal Cross- pla6orm Web Protec;on Tool. Ryan Barne? Greg Wroblewski

A BVR Special Report. Excerpt from. Key Trends in the Valuation of Government Contracting Firms BVR. What It s Worth

Wireshark Certified Network Analyst Official Exam Prep Guide Second Edition

Partner Certification to Operate SAP Solutions and SAP Software Environments

Module 1: Introduction to Designing Security

CS Ethical Hacking Spring 2016

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Information Security Services

Syllabus: AIT Information Systems Infrastructure Lifecycle Management

BE SMARTER THAN YOUR LAWYER AND VENTURE CAPITALIST

Warwick Analytics: Building Powerful Software Certified to Integrate with SAP HANA

Driving the Business Forward with Human Capital Management. Five key points to consider before you invest

MANAGEMENT OF DATA IN CLINICAL TRIALS

Tableau Your Data! Fast and Easy Visual Analysis with Tableau Software. Daniel G. Murray and the InterWorks BI Team

Symantec Advanced Threat Protection: Network

Studio Visual Steps. Windows Defender. For Windows XP, Vista and 7

Cyber Security Operations Associate

How I went from $0 business credit to over $300,000

Reference Architecture: Enterprise Security For The Cloud

The Protection Mission a constant endeavor

Mitigating Card System Breaches. October 11, :00 pm 2:50 pm

CYBERSECURITY TESTING & CERTIFICATION SERVICE TERMS

Epsilon Sigma Phi Conference Session. Maximize your Professional Relationships Through Coaching with EI

Lanelle Henderson Marketing Expert Professional Speaker!

Price and Revenue Management - Manual Price Changes. SAP Best Practices for Retail

Surrey County Council: Better Business Intelligence with Help from SAP Enterprise Support

The Edge Editions of SAP InfiniteInsight Overview

CHECKLIST: Top 10 reasons to move to the cloud

Protecting Data with a Unified Platform

AvePoint CRM Migration Manager for Microsoft Dynamics CRM. Release Notes

Protect Your Connected Business Systems by Identifying and Analyzing Threats

Achieving Success as a CTO

SAP Solution Manager: The IT Solution from SAP for IT Service Management and More

This page has been left blank intentionally

Swedish Armed Forces: Modernizing Inventory Management Technology with SAP Mobile Platform

Ernesto F. Rojas CISSP, DFCP, IAM, IEM, DABRI, PSC, MBA

Reporting and Incident Management for Firewalls

CREATING A MILLION-DOLLAR- A-YEAR SALES INCOME

Microsoft Dynamics GP. Payroll Connect

ATB Financial: Performing the First Full Release Software Upgrade with Zero Downtime with SAP MaxAttention

how can I improve performance of my customer service level agreements while reducing cost?

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Learning Without Limits

SuccessFactors Global Human Capital Management (HCM) Academy and Admin Training Schedule (Q3 Q4 2014)

Key Benefits: Minimize lead times and maximize on-time deliveries to customers. Respond quickly to changes in demand for materials and capacity

Active Directory was compromised, now what?

Women Fortune 500. Held to Higher Standards. Jeremey Donovan

The Art of Company Valuation and Financial Statement Analysis

Beyond the Hype: Advanced Persistent Threats

Transcription:

The Web Application Defender s Cookbook

The Web Application Defender s Cookbook Battling Hackers and Protecting Users Ryan Barnett

The Web Application Defender s Cookbook: Battling Hackers and Protecting Users Published by John Wiley & Sons, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright 2013 by Ryan Barnett Published simultaneously in Canada ISBN: 978-1-118-36218-1 ISBN: 978-1-118-56871-2 (ebk) ISBN: 978-1-118-41705-8 (ebk) ISBN: 978-1-118-56865-1 (ebk) Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content that is available in standard print versions of this book may appear or be packaged in all book formats. If you have purchased a version of this book that did not include media that is referenced by or accompanies a standard print version, you may request this media by visiting http://booksupport.wiley.com. For more information about Wiley products, visit us at www.wiley.com. Library of Congress Control Number: 2012949513 Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

This book is dedicated to my incredible daughter, Isabella. You are so full of imagination, kindness, and humor that I have a constant smile on my face. You are my Supergirl-flying, tae-kwon-do-kicking, fairy princess! I thank God every day for bringing you into my life and for allowing me the joy and privilege of being your father. I love you Izzy, and I am so proud of you.

Credits Executive Editor Carol Long Project Editor Ed Connor Technical Editor Michael Gregg Production Editor Daniel Scribner Copy Editor Gayle Johnson Editorial Manager Mary Beth Wakefield Freelancer Editorial Manager Rosemarie Graham Associate Director of Marketing David Mayhew Marketing Manager Ashley Zurcher Business Manager Amy Knies Vice President and Executive Group Publisher Richard Swadley Vice President and Executive Publisher Neil Edde Associate Publisher Jim Minatel Project Coordinator, Cover Katie Crocker Compositor Craig Johnson, Happenstance Type-O-Rama Proofreader Nicole Hirschman Indexer Ron Strauss Cover Image Mak_Art / istockphoto Cover Designer Ryan Sneed Production Manager Tim Tate

About the Author Ryan Barnett is renowned in the web application security industry for his unique expertise. After a decade of experience defending government and commercial web sites, he joined the Trustwave SpiderLabs Research Team. He specializes in application defense research and leads the open source ModSecurity web application firewall project. In addition to his commercial work at Trustwave, Ryan is also an active contributor to many community-based security projects. He serves as the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set project leader and is a contributor on the OWASP Top Ten and AppSensor projects. He is a Web Application Security Consortium Board Member and leads the Web Hacking Incident Database and the Distributed Web Honeypot projects. At the SANS Institute, he is a certified instructor and contributor on the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors projects. Ryan is regularly consulted by news outlets that seek his insights into and analysis of emerging web application attacks, trends, and defensive techniques. He is a frequent speaker and trainer at key industry events including Black Hat, SANS AppSec Summit, and OWASP AppSecUSA.

About the Technical Editor Michael Gregg is the CEO of Superior Solutions, Inc. (www.thesolutionfirm.com), a Houston-based IT securityconsulting firm. His organization performs security assessments and penetration testing for Fortune 1000 firms. He is frequently cited by major and trade print publications as a cyber security expert. He has appeared as an expert commentator for network broadcast outlets and print publications and has spoken at major security conferences such as HackerHalted, Fusion, and CA World.

Acknowledgments I must begin by thanking my wonderful wife, Linda. When I came to her with the idea of writing another book, she was fully supportive even though she understood the sacrifice it would require. I thank her for her continued patience and for enduring many late nights of angry typing. She has always encouraged and supported me both professionally and personally. The completion of this book is not my accomplishment alone but our whole family s because it was truly a team effort. I love you Linda and am honored that you are my partner for life. I would like to thank Nick Percoco, Senior VP of Trustwave SpiderLabs, for his unwavering support of ModSecurity and for appointing me as its manager. I am fortunate to work with intelligent, clever and funny people. Unfortunately I cannot list them all here, however, I must single out Breno Silva Pinto. Breno is the lead developer of ModSecurity and we have worked closely on the project for 2 years. I am constantly impressed with his insights, ingenuity and technical skill for web application security. This book would not have been possible without Breno s contributions to ModSecurity features and capabilities. I would also like to thank two specific ModSecurity community members who epitomize the giving back philosophy of the open source community. Thanks to Christian Bockermann for developing many ModSecurity support tools such as the AuditConsole and to Josh Zlatin for always helping users on the mail-list and for contributions to the OWASP ModSecurity CRS. Last but not least, I want to specifically thank OWASP members: Tom Brennan, Jim Manico, and Sarah Baso. Your tireless work ethic and commitment to the OWASP mission is undeniable. I would also like to thank Michael Coates for starting the AppSensor project and both Colin Watson and John Melton for expanding its capabilities.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information