HACKING EXPOSED WEB APPLICATIONS, 3rd Edition

.war files, 85

Watchfire AppScan 6, 449–450, 451

Watchfire PowerTools, 22–23

See also HTTP proxies

Wayback Machine method, 315–319

web app hacking

defined, 2

older tools, 24

who hackers are, 10

web application security scanners, 436–437

Acunetix Enterprise Web Vulnerability Scanner (WVS) 3.0, 443–444

Burp Suite 1.01, 451–453

Cenzic Hailstorm 3.0, 444–445

Compuware DevPartner SecurityChecker 2.0, 453–455

Ecyware GreenBlue Inspector 1.5, 445–446

nontechnical issues, 459–462

N-Stalker N-Stealth 5.8, 450–451, 452

SPI Dynamics WebInspect 5.8, 448–449

Syhunt Sandcat Suite 1.6.2.1, 447–448

test results, 455–459

testbed, 437–438

tests, 438–443

Watchfire AppScan 6, 449–450, 451

web applications

defined, 2

reasons for attacking, 9–10

resources, 67

weak spots, 10–11

web authentication services, 142–146

web browsers, 12–13, 472

low-privilege browsing, 359–360

See also browser extensions

web clients

adware and spyware, 350–353

design liabilities, 338–345

exploits, 332–333

general countermeasures, 353–354

and HTML, 78

implementation vulnerabilities, 333–338

phishing, 346–350

security zones, 354–358

server-side countermeasures, 360–361

trickery, 346

web content management, 297

developer-driven mistakes, 321–327

FrontPage, 298–300

FrontPage VSRAD buffer overflow, 300–301

FTP, 297

hacking ViewState, 323–327

IIS HTR Chunked Encoding Heap Overflow, 309–310

include file disclosure, 322–323

information leakage, 312–321

SSH/scp, 297

unnecessary web server extensions, 308–309

web server extension countermeasures, 310–312

WebDAV, 301–308

web crawling

automated, 65–66

tools, 66–70, 473

Web Distributed Authoring and Versioning. See WebDAV

web platforms, 80

security best practices, 102–117

web services, 8

authentication, 287–288

defined, 268–269

DISCO, 277–279

DISCO and WSDL disclosure attacks, 279–281

external entity attacks, 283–285

injection attacks, 281–283

similarities to web application security, 279

SOAP over HTTP(S), 269–271

and SSL, 288

tools, 476

UDDI, 275–277

WSDL, 271–274

WS-Security, 288–290

XML security, 288

XPath injection attacks, 285–287

web site, companion to this book, 508

WebCracker, 126, 127

WebDAV, 8

countermeasures to attacks, 306–308

methods that can be abused, 302

tools, 476

vulnerabilities, 301–306

WebInsta Mailing List manager, 94–95

WebScarab, 18–19, 20

See also HTTP proxies

WebService Studio, 271

WebSphere, 74

Wget, 68–69

white box, 398

See also full-knowledge analysis

Windows Defender, 352

Windows OneCare, 352

worms

Code Red, 104

Lupper/Plupii, 90

Nimda, 104

WSDigger, 271

WSDL, 271–274

disclosure attacks, 279–281

WS-Security, 288–290
