HACKING EXPOSED WEB APPLICATIONS, 3rd Edition

identity management, 148

credential management attacks, 152

user registration attacks, 149–151

identity theft, 153

IE Headers, 14

See also browser extensions

IEWatch, 14, 15

See also browser extensions

IIS

authorization, 201–202

detailed error messages, 105

disabling web server extensions, 310–311

hardening, 104–110

HTR Chunked Encoding Heap Overflow, 309–310

overload, 458–459

Permissions Wizard, 108

securing WebDAV configuration on, 307–308

unused extension mappings, 105–107

IIS Lockdown, 107–108, 485–490, 505–506

rolling back, 490–492

unattended installation, 492

impact, 405

implementation vulnerabilities, 333–334

countermeasures to attacks, 337–338

Java, 334–335

web image parser vulnerabilities, 335–337

include files

disclosure attacks, 322–323

protecting, 76

information leakage, file, path, and user disclosure, 312–320

infrastructure profiling, 28–40

initial sequence numbers. See ISNs

input validation, 210

attack vectors, 212–213

boundary checks, 224–225

buffer overflow attacks, 213–215

bypassing client-side validation routines, 213

canonicalization (dot-dot-slash), 215–220

command execution, 226–228

common side-effects to attacks, 230

countermeasures to attacks, 230–231

encoding abuse, 228–229

HTML injection, 220–224

libraries, 430

manipulating application behavior, 225–226

PHP global variables, 229–230

popular characters for testing, 477–478

SQL injection and datastore attacks, 226

tools and techniques, 477

unexpected forms of attack, 210–212

web services injection attacks, 281–283

Internet Explorer

attacking the Local Machine Zone (LMZ), 339–341

browser extensions, 13–14

Browser Helper Object (BHO), 352

Enhanced Security Configuration (ESC), 360

extensions for HTTP/S analysis, 472

Protected Mode IE (PMIE), 360

security zones, 354–358

intrusion detection systems, 392

IP address, authorization, 201202

ISNs, 179–182
