Hacking the Code: ASP.NET Web Application Security
Hacking the Code: ASP.NET Web Application Security [Illustrated] [Hardcover]

Mark Burnett (Author)
4.4 out of 5 stars (10 customer reviews)



Book Description

ISBN-10: 1932266658 | ISBN-13: 978-1932266658 | May 8, 2004 | 1st edition

Hacker Code will have over 400 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of pages to architecture- and theory-based flaws and exploits, HC1 will dive right into deep code analysis. Previously undisclosed security research, in combination with superior programming techniques from Foundstone and other respected organizations, will be included in both the Local and Remote Code sections of the book.

The book will be accompanied by a FREE COMPANION CD containing both commented and uncommented versions of the source code examples presented throughout the book. In addition to the book source code, the CD will also contain a copy of the author-developed Hacker Code Library v1.0. The Hacker Code Library will include multiple attack classes and functions that can be utilized to quickly create security programs and scripts. These classes and functions will simplify exploit and vulnerability tool development to an extent never before possible with publicly available software.

* Learn to quickly create security tools that ease the burden of software testing and network administration
* Find out about key security issues regarding vulnerabilities, exploits, programming flaws, and secure code development
* Discover the differences in numerous types of web-based attacks so that developers can create proper quality assurance testing procedures and tools
* Learn to automate quality assurance, management, and development tasks and procedures for testing systems and applications
* Learn to write complex Snort rules based solely upon traffic generated by network tools and exploits

Editorial Reviews

From the Publisher

Are Your Web Applications Really Secure? This unique book walks you through the many threats to your web application code, from managing and authorizing users and encrypting private data to filtering user input and securing XML. For every defined threat, it provides a menu of solutions and coding considerations. And, it offers coding examples and a set of security policies for each of the corresponding threats. Know the threats to your applications:

* Develop secure password policies and learn how to securely manage user passwords in your web application.

* Establish a secure procedure for resetting lost or forgotten passwords and discover how to properly use secret questions in that process.

* Securely authenticate and authorize users, taking advantage of the advanced capabilities in ASP.NET.

* Limit exposure to credential harvesting and brute force password attacks.

* Securely manage user sessions and learn how to create strong user authentication tokens.

* Work with the built-in state providers and securely implement view state in your forms.

* Make sense of the extensive encryption features in ASP.NET and employ symmetric and asymmetric encryption for sensitive data.

* Properly encrypt and store secrets to the registry, a file, or the protected store.

* Filter user input to prevent SQL injection, directory traversal, cross-site scripting and other application-level attacks.

* Apply techniques such as pattern matching and data reflecting to control exposure to malicious input attacks.

* Configure honey drops to detect attacks on your web application.

* Configure IIS and ASP.NET to constrain buffer overflow, denial of service, and other attacks.

* Write secure database access code.

* Secure databases and database drivers.

* Construct secure HTML markup to limit exposure to cross-site scripting and cross-site request forgery attacks.

* Use structured error handling to prevent failure conditions that open holes or reveal sensitive information.

* Integrate XML encryption and apply XML digital signatures.

Your Solutions Membership Gives You Access to:

* Comprehensive FAQ page that consolidates all of the key points of this book into an easy to search web page

* "From the Author" Forum where the authors post timely updates and links to related sites

* The complete code listings from the book

* These downloadable e-booklets:

  - Stealing The Network: How to Own a Continent: Product of Fate: The Evolution of a Hacker
  - Special Ops: Host and Network Security for Microsoft, Unix, and Oracle: Hacking Custom Web Applications
  - CYA: Securing IIS: Configuring Advanced Web Server Security
  - IT Ethics Handbook: Programmers and Analysts

About the Author

Mark Burnett (Microsoft MVP) is an independent security consultant, freelance writer, and a specialist in securing Windows-based IIS Web servers. Mark is co-author of Maximum Windows Security and is a contributor to Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks (Syngress Publishing, ISBN: 1-931836-66-3). He is a contributor and technical editor for Syngress Publishing's Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle (ISBN: 1-931836-69-8). Mark speaks at various security conferences and has published articles in Windows & .NET, Information Security, Windows Web Solutions, Security Administrator, and is a regular contributor at SecurityFocus.com. Mark also publishes articles on his own Web site, IISSecurity.info.

James C. Foster (Technical Editor) is the Deputy Director, Global Security Development for Computer Sciences Corporation, where he is leading the task of developing and delivering managed, educational, informational, consulting, and outsourcing security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc. and was responsible for all aspects of product and corporate R&D, including corporate strategy and international market expansion. Preceding Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign in 2004 for $135 Million) and an adjunct author at Information Security Magazine (acquired for an undisclosed amount by TechTarget in 2003). He is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. James has co-authored or contributed to Snort 2.0 Intrusion Detection (Syngress, ISBN: 1931836744) and Special Ops Host and Network Security for Microsoft, Unix, and Oracle (Syngress, ISBN: 1931836698), as well as Hacking Exposed, Fourth Edition, Advanced Intrusion Detection, Anti-Hacker Toolkit Second Edition, and Anti-Spam Toolkit. James has attended Yale, Harvard, and the University of Maryland, holds an AS, BS and MBA, and is currently a Fellow at the University of Pennsylvania's Wharton School of Business.


Product Details

  • Hardcover: 472 pages
  • Publisher: Syngress; 1 edition (May 8, 2004)
  • Language: English
  • ISBN-10: 1932266658
  • ISBN-13: 978-1932266658
  • Product Dimensions: 8.9 x 7.4 x 1.1 inches
  • Shipping Weight: 1.4 pounds
  • Average Customer Review: 4.4 out of 5 stars (10 customer reviews)
  • Amazon Best Sellers Rank: #1,324,126 in Books

Customer Reviews

10 reviews: 5 star (7), 4 star (2), 3 star (0), 2 star (0), 1 star (1)

Average Customer Review: 4.4 out of 5 stars (10 customer reviews)

Most Helpful Customer Reviews

4 of 4 people found the following review helpful:
5.0 out of 5 stars Highly recommended, September 26, 2004
By D. Bilby (Auckland, New Zealand)

I picked up this book after briefly meeting Mark Burnett at Blackhat this year. I've got to say it is really well written, well laid out and covers off all the major .NET issues in impressive detail. I review web application security for a living and I still learnt a thing or two :)

The way in which he covers each of the common web programming flaws means it would still be useful to those who aren't already familiar with the details of application security.

The many useful code examples and the excellent summary sections make it a good reference book which will stay handy on my shelf for a long while.


3 of 3 people found the following review helpful:
5.0 out of 5 stars Great security ideas, October 3, 2004
By ueberhund (Salt Lake City, UT, United States)

This is a great book with a lot of really good ideas on improving ASP.NET applications and ASP.NET security. The book is organized into "ideas" which can help secure an ASP.NET (or really any) application. Beneath each idea is a list of what type of threats the specific idea mitigates, followed by the actual ASP.NET implementation. One thing I really liked about this book is that it's presented in a way which helps illustrate how hackers could infiltrate your web applications. I found this to be very effective in driving home a security lesson.

The book is organized into ten different sections on aspects of ASP.NET security, which range from user management (which includes how to handle user names, passwords, and the like) to developing applications with security in mind (which includes issues like cross-site scripting attacks and error logging). Many sites with user management features provide a "Secret Question", which is used in case you forget your password. The secret questions often include questions like "What is the name of your favorite pet?" or "What city were you born in?". The book goes on to show that the secret question concept goes against everything security experts have been saying by demonstrating how hackers can use brute-force attacks along with educated guesses to gain unauthorized access.

This book even discussed connection string issues and encryption in config files, which is an issue I am currently struggling with. Code examples are provided for all of the ideas presented, which are generally quite clever in and of themselves.

If you are serious about improving the security in your ASP.NET applications, then do yourself a favor and read this book. I think you will find it was time well-spent.


3 of 3 people found the following review helpful:
5.0 out of 5 stars Must read for people of all technical levels, September 23, 2004

I can't say enough good things about Mark Burnett's book Hacking the Code. From beginning to end it is a great read and a great resource. What impressed me from the beginning is how he was able to take such a wide range of difficult topics and make them sound so down to earth. The writing style is so polished and friendly that you almost forget that you are reading about pretty intensive topics.

I was continually impressed at how well formatted the book was. Now, that almost seems unimportant to mention but it's not. Each section gives the goals of that section, the topic thoroughly covered, and then a summary, worth reading I must add, to close off the section. This impressed me because it is easy to read this from cover to cover and quickly grasp the subject matter. Or, if you are reviewing the section, you can use the summary to be reminded of the key points.

VB.Net and C# code examples are plentiful, completely usable and easy to understand.

This book is a must read. Even with the topics that I already had a good handle on, I felt that I was continually picking up new pieces of information and being challenged to review the security I already had in place.

Hacking the Code is an easy read covering difficult topics in a consistent, complete and concise manner. I highly recommend this book without reservation.

Inside This Book

First Sentence:
Users are generally a large component of Web applications and a focus point for a Web application's security.

Key Phrases - Statistically Improbable Phrases (SIPs):
effective permission set, credential harvesting, session fixation attacks, password reset process, code group hierarchy, firewall layout, security stack walk, known bad data, account hijacking, using forms authentication, session token, encryption schema, absolute timeouts, keyed hashing algorithms, validate form input, unused drivers, validator controls, user security policy, imperative syntax, malicious input, scripting attacks, file authorization, stack walking, using basic authentication, questions about this chapter

Key Phrases - Capitalized Phrases (CAPs):
View State, Security Policies, Frequently Asked Questions, Coding Standards Fast Track, Code Audit Fast Track, Private Function, Ask the Author, Internet Explorer, Private Sub, Active Directory, Validating Passwords Using, Server Error, Using Generic Request References, Blocking Administrator Logins, Blocking Basic Authentication Without, Clearing Crypto-Related Objects, Constructing Safe, Document Decryption, Document Encryption, Encrypting Private Data, Enhancing the Session, Improved Authentication Code, Layering Symmetric Ciphers, Limiting Exposure, Public Function