Hunting Security Bugs
Learn how to think like an attacker - and identify potential security issues in your software. In this essential guide, security testing experts offer practical, hands-on guidance and code samples to help you find, classify, and assess security bugs before your software is released. Discover how to:
* Identify high-risk entry points and create test cases
* Test clients and servers for malicious request/response bugs
* Use black box and white box approaches to help reveal security vulnerabilities
* Uncover spoofing issues, including identity and user interface spoofing
* Detect bugs that can take advantage of your program's logic, such as SQL injection
* Test for XML, SOAP, and Web services vulnerabilities
* Recognize information disclosure and weak permissions issues
* Identify where attackers can directly manipulate memory
* Test with alternate data representations to uncover canonicalization issues
* Expose COM and ActiveX repurposing attacks
PLUS - Get code samples and debugging tools on the Web
CONTENTS:
General approach to security testing
Using threat models for security testing
Finding entry points
Becoming a malicious client
Becoming a malicious server
Spoofing
Information disclosure
Buffer overflows
Format string attacks
HTML scripting attacks
XML issues
Canonicalization issues
Finding weak permissions
Denial of service attacks
Managed code issues
Observation & reverse engineering
ActiveX repurposing attacks
Reporting security bugs