Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'

Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
By Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay

Price: $49.95 Details

Availability: Usually ships in 24 hours
Ships from and sold by Amazon.com

21 new or used available from $2.99

Average customer review:
(10 customer reviews)

Product Description

Web applications are used every day by millions of users, which is why they are one of the most popular vectors for attackers. Obfuscation of code has allowed hackers to take one attack and create hundreds-if not millions-of variants that can evade your security measures. Web Application Obfuscation takes a look at common Web infrastructure and security controls from an attacker's perspective, allowing the reader to understand the shortcomings of their security systems. Find out how an attacker would bypass different types of security controls, how these very security controls introduce new types of vulnerabilities, and how to avoid common pitfalls in order to strengthen your defenses.

  • Named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews
  • Looks at security tools like IDS/IPS that are often the only defense in protecting sensitive data and assets
  • Evaluates Web application vulnerabilties from the attacker's perspective and explains how these very systems introduce new types of vulnerabilities
  • Teaches how to secure your data, including info on browser quirks, new attacks and syntax tricks to add to your defenses against XSS, SQL injection, and more


Product Details

  • Amazon Sales Rank: #1983212 in Books
  • Brand: Brand: Syngress
  • Published on: 2010-12-10
  • Released on: 2010-12-10
  • Original language: English
  • Number of items: 1
  • Dimensions: 9.25" h x .66" w x 7.50" l, 1.32 pounds
  • Binding: Paperback
  • 282 pages

Features

  • Used Book in Good Condition

Editorial Reviews

Review

"As the data stored in Web application systems becomes critical to business, the attacks against them are becoming increasingly complex. If you want to move your understanding beyond 'or 1=1--' this book provides the knowledge needed to bypass both filters and detection, crucial for both attack and defence." -- Andrew Waite, Security Researcher, InfoSanity Research

"Intended for advanced network security administrators, penetration testers and web application developers, this guide to web obfuscation presents an in depth technical discussion of the latest methods in site intrusion and Internet attacks. Chapters examine state of the art obfuscation attacks on major website components such as HTML, JavaScript and VBScript, CSS, PHP, SQL and web application firewalls. A final chapter discusses future problems such as the new HTML 5 standards and plug-in vulnerabilities. Chapters include numerous code examples in a variety of languages and formats. Heiderich is a web developer, Nava is a security researcher for Google, Heyes is a security contractor and Lindsay is a security consultant."--SciTechBookNews

"This is a very frightening book and I would advise any security architect to purchase a copy. It’s aimed at the bleeding edge of the technical security market, however, it really does hammer home how difficult security can become when faced with complex applications and protocols. The techniques used in the book are not trivial, but they do show us that the age of the firewall and the IDS may well be over, and the age of security by design has only just begun."--InfoSecReviews.com

"This is a deep technical read and anyone buying it should have a solid understanding of web technologies and some experience of web programming. I would say it is targeted at penetration testers and security architects, but to the security generalist it also opens up new frontiers when it comes to designing for security."--Best Hacking and Pen Testing Books in InfoSecReviews Book Awards

From the Back Cover

Web applications are used every day by millions of users, which is why they are one of the most popular vectors for attackers. Obfuscation of code has allowed hackers to take one attack and create hundreds-if not millions-of variants that can evade your security measures. Web Application Obfuscation takes a look at common Web infrastructure and security controls from an attacker's perspective, allowing the reader to understand the shortcomings of their security systems. Find out how an attacker would bypass different types of security controls, how these very security controls introduce new types of vulnerabilities, and how to avoid common pitfalls in order to strengthen your defenses.

About the Author
Mario Heiderich is a Cologne, Germany-based freelancer and entrepreneur who is devoted to Web application development and security and is currently working on several projects while earning his Ph.D. at Ruhr University in Bochum. He graduated from the University of Applied Sciences in Friedberg/Hessen with a degree in media informatics, and has been working for several German and international companies as a developer and security consultant. In addition to being lead developer for the PHPIDS and author of a German book about Web application security, he has been a speaker at several conferences and a trainer for Web security classes around the world. His work is focused on client-side attacks and defense, especially markup, CSS, and JavaScript, on all major user agents.

Eduardo Alberto Vela Nava (Application Security Specialist) works as an information security researcher at Google, Inc., with the task of improving the security of Google and the Internet as a whole, by researching security problems and creating solutions to them. His primary focus is Web application security and browser/plug-in security. He has been a presenter focusing on Web security at several conferences around the world. He previously worked at Alibaba Cloud Computing and Hi5 Networks.

Gareth Heyes is based in the United Kingdom and does Web security contracting work and the occasional Web development project. He has been a speaker at the Microsoft BlueHat, Confidence Poland, and OWASP conferences, and is the author of many Web-based tools and sandboxes, including Hackvertor, JSReg, CSSReg, and HTMLReg.

David Lindsay is a senior security consultant with Cigital Inc., where he works with industry-leading financial, healthcare, and software companies helping to secure their critical applications. He provides professional assessments and remediation assistance in the form of penetration tests, architecture risk analysis, code review, and security training. He researches Web application security vulnerabilities focusing on emerging security issues related to new standards, frameworks, and architectures. He has spoken at many leading security events over the past few years, including the Microsoft BlueHat, BlackHat, and OWASP conferences.

David graduated from the University of Utah with a master's degree in mathematics.


Customer Reviews

Most helpful customer reviews

0 of 0 people found the following review helpful.
5Very nice!
By Marius Glasberg
A must read for web developpers who use Php.
Very good and informative book, like no other!
Thanks to the authors!

1 of 3 people found the following review helpful.
1Very limited in scope
By steven
This book spends 90% of its time showing you ways to evade filters, which may sound exactly like what you would expect. But the problem is the author never goes into details onto what you should do to address the problem. He suggests using a WAF (Web Application Firewall), but then goes on to say that any good hacker can get past it without much trouble. I would have enjoyed this book if the author would have presented some original thoughts on solutions rather than just copy & paste well know exploits from 'script kiddies'.

8 of 8 people found the following review helpful.
4I bought this book on faith and it delivered
By Richard Bejtlich
I had really no idea what to expect when I started reading Web Application Obfuscation (WAO). I hoped it would address attacks on Web technologies, perhaps including evasion methods, but beyond that I didn't even really know how to think about whatever problem this book might address. After finishing WAO, it's only appropriate to say "wow." In short, I had no idea that Web browsers (often called "user agents" in WAO) are so universally broken. Web browser developers would probably reply that they're just trying to handle as much broken HTML as possible, but the WAO authors show this approach makes Web "security" basically impossible. I recommend reading WAO to learn just how crazy one can be when interacting with Web apps.

Speaking of crazy: ch 4 was off the hook. For example, p 121 speaks of the "great Javascript Charwall" by saying: "6 is the fewest number of characters possible which allow arbitrary Javascript to be executed." What!? I had no idea anyone spent time on these sorts of issues, and worse, that intruders could use these techniques to evade a slew of security mechanisms. This was a primary strength of WAO: bringing the reader into a world where obfuscation is an obsession.

I liked many other aspects of WAO. The book was very thorough. For one example, check the table on p 27. For another, see the regex explanation with examples in ch 1. The book has many such sections where the authors offer great detail on the subject at hand. I also enjoyed the many references to outside work. Authors of all technical books should follow WAO's lead, because 1) it gives credit where due and 2) it shows the authors are aware of outside influences and up-to-date.

WAO also does a nice job explaining how we arrived at the current state of broken Web technologies. Their history lesson of the browser wars in ch 2 set the stage for the chaos that follows. I'll finish my praises by mentioning the Web site the authors created as a companion to the book, complete with errata and code listings; it's a nice addition to the book.

If you're wondering why I rated WAO four instead of five stars, the reason involves the audience. I think too often the authors advance pretty far beyond the uninitiated reader. You have to admit that if obfuscation is your world, you're probably not going to read this book. However, if you're a newbie like me, you need the authors to spend more time explaining what they're doing and more importantly, WHY. Just what is the purpose of this technique or that attack? I think if the authors recruited some outside help to walk through the book, slow them down, and answer some basic questions, a second edition would be an easy five star work.

On the production side, a new edition should redraw figures 5.2 - 5.14. They look like they came straight from a PowerPoint pitch.

Overall, WAO is a great book to shatter any assumptions you may have about how Web clients and servers render content. Maybe the authors would care to describe how best one can operate in such a dangerous environment, i.e., is their an OpenBSD for Web technologies? All of the engines seem bad -- what's a user to do?

See all 10 customer reviews...

Connect with defaultLogic
What We've Done
Led Digital Marketing Efforts of Top 500 e-Retailers.
Worked with Top Brands at Leading Agencies.
Successfully Managed Over $50 million in Digital Ad Spend.
Developed Strategies and Processes that Enabled Brands to Grow During an Economic Downturn.
Taught Advanced Internet Marketing Strategies at the graduate level.



Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.


  Contact Us