DOCSLIB.ORG

Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-Site Scripting Martin Johns

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-Site Scripting Martin Johns Dissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften Code Injection Vulnerabilities in Web Applications - Exemplified at Cross-site Scripting Martin Johns Eingereicht an der Fakult¨atf¨urInformatik und Mathematik der Universit¨atPassau Gutachter: Prof. Dr. Joachim Posegga Prof. Dr. Dieter Gollmann Submitted April 14th 2009, defended July 22nd 2009 2 Abstract The majority of all security problems in today’s Web applications is caused by string- based code injection, with Cross-site Scripting (XSS) being the dominant representative of this vulnerability class. This thesis discusses XSS and suggests defense mechanisms. We do so in three stages: First, we conduct a thorough analysis of JavaScript’s capabilities and explain how these capabilities are utilized in XSS attacks. We subsequently design a systematic, hierarchical classification of XSS payloads. In addition, we present a comprehensive sur- vey of publicly documented XSS payloads which is structured according to our proposed classification scheme. Secondly, we explore defensive mechanisms which dynamically prevent the execution of some payload types without eliminating the actual vulnerability. More specifically, we discuss the design and implementation of countermeasures against the XSS payloads “Session Hijacking”, “Cross-site Request Forgery”, and attacks that target intranet re- sources. We build upon this and introduce a general methodology for developing such countermeasures: We determine a necessary set of basic capabilities an adversary needs for successfully executing an attack through an analysis of the targeted payload type. The resulting countermeasure relies on revoking one of these capabilities, which in turn renders the payload infeasible. Finally, we present two language-based approaches that prevent XSS and related vul- nerabilities: We identify the implicit mixing of data and code during string-based syn- tax assembly as the root cause of string-based code injection attacks. Consequently, we explore data/code separation in web applications. For this purpose, we propose a novel methodology for token-level data/code partitioning of a computer language’s syn- tactical elements. This forms the basis for our two distinct techniques: For one, we present an approach to detect data/code confusion on run-time and demonstrate how this can be used for attack prevention. Furthermore, we show how vulnerabilities can be avoided through altering the underlying programming language. We introduce a dedicated datatype for syntax assembly instead of using string datatypes themselves for this purpose. We develop a formal, type-theoretical model of the proposed datatype and proof that it provides reliable separation between data and code hence, preventing code injection vulnerabilities. We verify our approach’s applicability utilizing a practical implementation for the J2EE application server. 3 4 Acknowledgments This thesis would not exist without the help, advice, inspiration, dialogue, and encour- agement of many, many people. I would like to thank (in no particular order): Joachim Posegga, Dieter Gollmann, Daniel Schreckling, Jan Meier, Jan Seedorf, Christopher Alm, Henrich C. P¨ohls, Bastian Braun, Hannah Lee, Rosemaria Giesecke, Tom Schroer, Thilo Zieschang, Stefan F¨unfrocken, Boris Hemkemeier, Kai Buchholz-Stepputiz, Sashar Paulus, Moritz Jodeit, Justus Winter, Christian Beyerlein, Bj¨ornEngelmann, Jeremias Reith, Christian Weitendorf, Roland Illig, Mieke Hildenbrandt, Christopher Schward, Daniel Kreischer, the CInsects & SecToolers, Siglinde B¨ock, Erika Langer, Marita Ward, Melanie Volkamer, Michael Schrank, Andreas G¨unther, Ingo Desombre, Tim Scharfen- berg, Andre L¨urssen, Andrei Sabelfeld, Frank Piessens, Yves Younan, Ulfar Erlingsson, Helen Wang, Erik Meijer, fukami, Alex Kouzemtchenko, Dragos Ruiu, Wolfgang Koeppl, Martin Wimmer, Hoko Onshi, and last but not least: Team Johns (you rock!). 5 6 Contents Introduction 12 Motivation ...................................... 13 Thesis overview .................................... 15 Thesis outline and contributions .......................... 16 I. Cross-Site Scripting Attacks 21 1. Technical Background 23 1.1. The web application paradigm ........................ 23 1.1.1. The web browser ............................ 24 1.1.2. Uniform Resource Locators ...................... 25 1.2. Web application session management and authentication tracking ..... 26 1.2.1. Browser-level authentication tracking ................ 29 1.2.2. Application-level authentication tracking .............. 30 1.3. JavaScript .................................... 31 1.3.1. The Same Origin Policy (SOP) .................... 31 1.3.2. JavaScript networking capabilities .................. 33 1.3.3. Encapsulation and information hiding ................ 34 2. Cross-Site Scripting (XSS) 35 2.1. Types of XSS .................................. 37 2.1.1. XSS caused by insecure programming ................ 37 2.1.2. XSS caused by insecure infrastructure ................ 39 2.2. Selected XSS techniques ............................ 40 2.3. XSS outside the browser ............................ 43 2.4. Avoiding XSS .................................. 43 3. Exploiting XSS Issues 45 3.1. Browser-based attacks using JavaScript ................... 45 3.1.1. JavaScript Driven Attacks (JSDAs) ................. 45 3.1.2. Defensive browsing ........................... 46 3.2. XSS Payloads .................................. 46 3.2.1. Executing JSDAs in trusted contexts through XSS ......... 46 3.2.2. A malware analogy ........................... 47 3.3. Frequently used attacks techniques ...................... 48 3.3.1. A loophole in the Same Origin Policy ................ 48 7 Contents 3.3.2. Creating state-changing HTTP requests ............... 48 3.3.3. The basic reconnaissance attack (BRA) ............... 49 3.3.4. DNS rebinding ............................. 50 3.4. Systematic overview of JSDAs / XSS Payloads ............... 51 3.4.1. Execution-contexts ........................... 52 3.4.2. Attack-targets ............................. 52 3.4.3. Attack-types and -capabilities ..................... 53 3.4.4. Systematic classification of XSS Payloads .............. 54 3.5. Thesis scope: Countering XSS Payloads ................... 61 4. XSS Payloads: Application Context 63 4.1. Session hijacking ................................ 63 4.1.1. Session ID theft ............................. 64 4.1.2. Browser hijacking ............................ 64 4.1.3. Background XSS propagation ..................... 65 4.2. Password theft ................................. 66 4.2.1. Manipulating the application’s authentication dialogue ....... 67 4.2.2. Abusing the browser’s password manager .............. 68 4.2.3. Spoofing of authentication forms ................... 68 5. XSS Payloads: Browser and Computer Context 71 5.1. Cross-Site Request Forgery .......................... 71 5.1.1. Attack specification .......................... 71 5.1.2. Attack surface ............................. 72 5.1.3. Notable real-world CSRF exploits .................. 73 5.2. Fingerprinting and privacy attacks ...................... 74 5.2.1. Privacy attacks based on cascading style sheets ........... 75 5.2.2. Privacy attacks through timing attacks ............... 76 5.2.3. BRA-based privacy attacks ...................... 78 6. XSS Payloads: Intranet and Internet Context 81 6.1. Intranet reconnaissance and exploitation ................... 81 6.1.1. Using a webpage to execute code within the firewall perimeter .. 81 6.1.2. Intranet reconnaissance attacks .................... 82 6.1.3. Local CSRF attacks on intranet servers ............... 86 6.1.4. Cross protocol communication .................... 87 6.2. DNS rebinding attacks on intranet hosts ................... 87 6.2.1. Leaking intranet content ........................ 87 6.2.2. Breaking the browser’s DNS pinning ................. 88 6.2.3. Further DNS rebinding attacks .................... 90 6.3. Selected XSS Payloads in the internet context ................ 92 6.3.1. Scanning internet web applications for vulnerabilities ........ 92 6.3.2. Assisting worm propagation ...................... 93 6.3.3. Committing click-fraud through DNS rebinding ........... 93 8 Contents II. Mitigating Cross-Site Scripting Attacks 95 7. Protection Against Session Hijacking 99 7.1. Concept overview and methodology ...................... 99 7.2. Practical session hijacking countermeasures .................100 7.2.1. Session ID protection through deferred loading ...........100 7.2.2. One-time URLs .............................103 7.2.3. Subdomain switching .........................106 7.3. Discussion ....................................107 7.3.1. Combination of the methods .....................107 7.3.2. Limitations ...............................108 7.3.3. Transparent implementation ......................108 7.3.4. Client-side protection .........................109 7.4. Conclusion ...................................110 8. Protection Against Cross-Site Request Forgery 113 8.1. Motivation ...................................113 8.2. Current defence .................................113 8.2.1. Flawed protection approaches due to existing misconceptions ...113 8.2.2. Manual protection ...........................115 8.3. Concept overview and methodology ......................116 8.4. Implementation .................................118 8.4.1. Implementation as a client side proxy ................118 8.4.2. Implementation as a browser extension
Load more

Recommended publications
  • Childnodes 1
    Index Home | Projects | Docs | Jargon Bugzilla | LXR | Tree Status | Checkins Feedback | FAQ | Search A - B - C - D - E - F - G - H - I - J - K - L - M - N - O - P - Q - R - S - T - U - V - W - X - Y - Z Index Symbols _content 1 A addEventListener 1 alert() 1 align 1 alinkColor 1 anchors 1 appCodeName 1 appendChild 1 applets 1 appName 1 appVersion 1 attributes 1, 2 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (1 de 20) [09/06/2003 9:55:09] Index availLeft 1 availTop 1 availWidth 1 B back() 1 bgColor 1 blur 1 blur() 1 body 1 C captureEvents() 1 characterSet 1 childNodes 1 clear 1 clearInterval() 1 clearTimeout() 1 click 1 cloneContents 1 cloneNode 1 cloneRange 1 close 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (2 de 20) [09/06/2003 9:55:09] Index close() 1 closed 1 collapse 1 collapsed 1 colorDepth 1 commonAncestorContainer 1 compareBoundaryPoints 1 Components 1 confirm() 1 contentDocument 1, 2 contentWindow 1, 2 controllers 1 cookie 1 cookieEnabled 1 createAttribute 1 createDocumentFragment 1 createElement 1 createRange 1 createTextNode 1 crypto 1 cssRule 1 cssRule Object 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (3 de 20) [09/06/2003 9:55:09] Index cssRules 1 cssText 1 D defaultStatus 1 deleteContents 1 deleteRule 1 detach 1 directories 1 disabled 1 dispatchEvent 1 doctype 1 document 1 documentElement 1 DOM 1, 2 DOM 2 Range Interface 1 DOM window Interface 1 domain 1 dump() 1 E Elements Interface 1 embeds 1 http://www.mozilla.org/docs/dom/domref/dom_shortIX.html (4 de 20) [09/06/2003 9:55:09]
    [Show full text]
  • International Standard Iso 32000-2
    This preview is downloaded from www.sis.se. Buy the entire standard via https://www.sis.se/std-922178 INTERNATIONAL ISO STANDARD 32000-2 First edition 2017-07 Document management — Portable document format — Part 2: PDF 2.0 Gestion de documents — Format de document portable — Partie 2: PDF 2.0 Reference number ISO 32000-2:2017(E) © ISO 2017 This preview is downloaded from www.sis.se. Buy the entire standard via https://www.sis.se/std-922178 ISO 32000-2:2017(E) COPYRIGHT PROTECTED DOCUMENT © ISO 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form orthe by requester. any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of Ch. de Blandonnet 8 • CP 401 ISOCH-1214 copyright Vernier, office Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 www.iso.org [email protected] ii © ISO 2017 – All rights reserved This preview is downloaded from www.sis.se. Buy the entire standard via https://www.sis.se/std-922178 ISO 32000-2:2017(E) Contents Page Foreword ................................................................................................................................................................. vii Introduction .........................................................................................................................................................
    [Show full text]
  • Operating Systems and Virtualisation Security Knowledge Area (Draft for Comment)
    OPERATING SYSTEMS AND VIRTUALISATION SECURITY KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Herbert Bos – Vrije Universiteit Amsterdam EDITOR: Andrew Martin – Oxford University REVIEWERS: Chris Dalton – Hewlett Packard David Lie – University of Toronto Gernot Heiser – University of New South Wales Mathias Payer – École Polytechnique Fédérale de Lausanne © Crown Copyright, The National Cyber Security Centre 2019. Following wide community consultation with both academia and industry, 19 Knowledge Areas (KAs) have been identified to form the scope of the CyBOK (see diagram below). The Scope document provides an overview of these top-level KAs and the sub-topics that should be covered under each and can be found on the project website: https://www.cybok.org/. We are seeking comments within the scope of the individual KA; readers should note that important related subjects such as risk or human factors have their own knowledge areas. It should be noted that a fully-collated CyBOK document which includes issue 1.0 of all 19 Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas. Operating Systems and Virtualisation Security Herbert Bos Vrije Universiteit Amsterdam April 2019 INTRODUCTION In this knowledge area, we introduce the principles, primitives and practices for ensuring security at the operating system and hypervisor levels. We shall see that the challenges related to operating system security have evolved over the past few decades, even if the principles have stayed mostly the same. For instance, when few people had their own computers and most computing was done on multiuser (often mainframe-based) computer systems with limited connectivity, security was mostly focused on isolating users or classes of users from each other1.
    [Show full text]
  • A Solution to Php Code Injection Attacks and Web
    INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS Vol.2 Issue.9, Pg.: 24-31 September 2014 www.ijrcar.com INTERNATIONAL JOURNAL OF RESEARCH IN COMPUTER APPLICATIONS AND ROBOTICS ISSN 2320-7345 A SOLUTION TO PHP CODE INJECTION ATTACKS AND WEB VULNERABILITIES Venkatesh Yerram1, Dr G.Venkat Rami Reddy2 ¹Computer Networks and Information Security, [email protected] ²Computer Science Engineering, 2nd [email protected] JNTU Hyderabad, India Abstract Over the decade web applications are grown rapidly. This leads to cyber crimes. Attacker injects various scripts to malfunction the web application. Attacker injects these scripts to text box of vulnerable web application from various compounds such as search bar, feedback form, login form etc and later which is executed by the server. Sometimes attacker modifies the URL to execute a successful attack. This execution of system calls and API on web server by attacker can damage the file system and or leaks information of web server. PHP is a server side scripting language, dynamic features and functionalities are controlled through the PHP language. Hence, the use of PHP language results in high possibility of successful execution of code injection attacks. The aim of this paper is first to understand the code web application vulnerability related to PHP code injection attack, the scenario has been developed. Secondly defeat the attack and fast incident determination from the developed domain dictionary. This proposed system is helpful for cyber forensics expert to gather and analyze the evidence effectively Keywords: Code Injection, vulnerabilities, Attack, cyber forensics 1. INTRODUCTION The web environment is growing rapidly day by day, the cyber crimes also increasing rapidly.
    [Show full text]
  • Style Sheets CSS
    P1: OSO/OVY P2: OSO/OVY QC: OSO/OVY T1: OSO GTBL013-03 GTBL013-Jackson-v10 July 12, 2006 10:36 CHAPTER 3 Style Sheets CSS As we have learned, HTML markup can be used to indicate both the semantics of a document (e.g., which parts are elements of lists) and its presentation (e.g., which words should be italicized). However, as noted in the previous chapter, it is advisable to use markup predominantly for indicating the semantics of a document and to use a separate mechanism to determine exactly how information contained in the document should be presented. Style sheets provide such a mechanism. This chapter presents basic information about Cascading Style Sheets (CSS), a style sheet technology designed to work with HTML and XML documents. CSS provides a great deal of control over the presentation of a document, but to exercise this control intelligently requires an understanding of a number of features. And, while you as a software developer may not be particularly interested in getting your web page to look “just so,” many web software developers are members of teams that include professional web page designers, some of whom may have precise presentation require- ments. Thus, while I have tried to focus on what I consider key features of CSS, I’ve also included a number of finer points that I believe may be more useful to you in the future than you might expect on first reading. While CSS is used extensively to style HTML documents, it is not the only style- related web technology.
    [Show full text]
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Disable Form Submit Html
    Disable Form Submit Html Which Matteo upholsters so incitingly that Shannon spoon-feeding her implements? Forlorn Kristopher prescriptivists fifthly while Othello always float his armoire legislating affluently, he capes so unpalatably. Quadrilingual Salomon hitch no pierids epilating operosely after Thaddus salve matrimonially, quite villous. Boolean attribute to do if that submit form html attribute Form submits jquery prevent multiple form submit jquery prevent duplicate form submission. Otherwise, turn the state communicate the whale to enabled. Hi thanks to submit click event form submitting again and disables all these values prefilled when creating their computer. This can also give that form submit html. Disable form field button CodePen. And decrease, you include use whatever variety of techniques to obstruct the doctor form elements. Where a alert or padding is salmon, and which second sketch the gradient. This can it and have gone wrong i comment sections in this will work in mind that we encourage you! Review: One And Done For Your Web Hosting? The publication is sweet great source about all things tech and startup. Put those with one is useless when people hit submit button in this element had been solved questions live forever in? On html form submit form html. Simple increase and Disabling Buttons on text by Default. The submit button on a given below to find out how to pick which requires special attention to come up and usage guidelines for this example is! Web developer at html in html form submits like my writing skills and when creating their initial enabled as soon as soon as credit card numbers of.
    [Show full text]
  • Host-Based Code Injection Attacks: a Popular Technique Used by Malware
    Host-Based Code Injection Attacks: A Popular Technique Used By Malware Thomas Barabosch Elmar Gerhards-Padilla Fraunhofer FKIE Fraunhofer FKIE Friedrich-Ebert-Allee 144 Friedrich-Ebert-Allee 144 53113 Bonn, Germany 53113 Bonn, Germany [email protected] [email protected] c 2014 IEEE. Personal use of this material is per- implemented with different goals in mind, they share one mitted. Permission from IEEE must be obtained for all common feature: they all inject code locally into foreign other uses, in any current or future media, including process spaces. One reason for this behaviour is detection reprinting/republishing this material for advertising or avoidance. However, code injections are not limited to tar- promotional purposes, creating new collective works, for geted malware. Mass-malware also uses code injections in resale or redistribution to servers or lists, or reuse of any order to stay under the radar (ZeroAccess, ZeusP2P or Con- copyrighted component of this work in other works. ficker). Detection avoidance is not the only advantage of us- ing code injections from a malware author’s point of view. Abstract Further reasons for using code injections are interception of critical information, privilege escalation or manipulation of Common goals of malware authors are detection avoid- security products. ance and gathering of critical information. There exist The above mentioned examples are all malware fami- numerous techniques that help these actors to reach their lies for Microsoft Windows. However, code injections are goals. One especially popular technique is the Host-Based platform-independent. In fact all established multitasking Code Injection Attack (HBCIA).
    [Show full text]
  • Securing Your Email in 13 Steps: the Email Security Checklist Handbook Securing Your Email in 13 Steps
    HANDBOOK Securing Your Email in 13 Steps: The Email Security Checklist handbook Securing Your Email in 13 Steps overview You’ve hardened your servers, locked down your website and are ready to take on the internet. But all your hard work was in vain, because someone fell for a phishing email and wired money to a scammer, while another user inadvertently downloaded and installed malware from an email link that opened a backdoor into the network. Email is as important as the website when it comes to security. As a channel for social engineering, malware delivery and resource exploitation, a combination of best practices and user education should be enacted to reduce the risk of an email-related compromise. By following this 13 step checklist, you can make your email configuration resilient to the most common attacks and make sure it stays that way. 2 @UpGuard | UpGuard.com handbook Securing Your Email in 13 Steps 1. Enable SPF How do you know if an email is really from who it says it’s from? There are a couple of ways to answer this question, and Sender Policy Framework (SPF) is one. SPF works by publishing a DNS record of which servers are allowed to send email from a specific domain. 1. An SPF enabled email server receives an email from [email protected] 2. The email server looks up example.com and reads the SPF TXT record in DNS. 3. If the originating server of the email matches one of the allowed servers in the SPF record, the message is accepted.
    [Show full text]
  • Imail V12 Web Client Help
    Ipswitch, Inc. Web: www.imailserver.com 753 Broad Street Phone: 706-312-3535 Suite 200 Fax: 706-868-8655 Augusta, GA 30901-5518 Copyrights ©2011 Ipswitch, Inc. All rights reserved. IMail Server – Web Client Help This manual, as well as the software described in it, is furnished under license and may be used or copied only in accordance with the terms of such license. Except as permitted by such license, no part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the expressed prior written consent of Ipswitch, Inc. The content of this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Ipswitch, Inc. While every effort has been made to assure the accuracy of the information contained herein, Ipswitch, Inc. assumes no responsibility for errors or omissions. Ipswitch, Inc. also assumes no liability for damages resulting from the use of the information contained in this document. Ipswitch Collaboration Suite (ICS), the Ipswitch Collaboration Suite (ICS) logo, IMail, the IMail logo, WhatsUp, the WhatsUp logo, WS_FTP, the WS_FTP logos, Ipswitch Instant Messaging (IM), the Ipswitch Instant Messaging (IM) logo, Ipswitch, and the Ipswitch logo are trademarks of Ipswitch, Inc. Other products and their brands or company names are or may be trademarks or registered trademarks, and are the property of their respective companies. Update History December 2011 v12 April 2011 v11.5 October 2010 v11.03 May 2010 v11.02 Contents CHAPTER 1 Introduction to IMail Web Client About Ipswitch Web Messaging Help ..................................................................................................................
    [Show full text]
  • Introduction to Email
    Introduction to Email gcflearnfree.org/print/email101/introduction-to-email Introduction Do you ever feel like the only person who doesn't use email? You don't have to feel left out. If you're just getting started, you'll see that with a little bit of practice, email is easy to understand and use. In this lesson, you will learn what email is, how it compares to traditional mail, and how email addresses are written. We'll also discuss various types of email providers and the features and tools they include with an email account. Getting to know email Email (electronic mail) is a way to send and receive messages across the Internet. It's similar to traditional mail, but it also has some key differences. To get a better idea of what email is all about, take a look at the infographic below and consider how you might benefit from its use. Email advantages Productivity tools: Email is usually packaged with a calendar, address book, instant messaging, and more for convenience and productivity. Access to web services: If you want to sign up for an account like Facebook or order products from services like Amazon, you will need an email address so you can be safely identified and contacted. Easy mail management: Email service providers have tools that allow you to file, label, prioritize, find, group, and filter your emails for easy management. You can even easily control spam, or junk email. Privacy: Your email is delivered to your own personal and private account with a password required to access and view emails.
    [Show full text]
  • Cross Site Scripting Attacks Xss Exploits and Defense.Pdf
    436_XSS_FM.qxd 4/20/07 1:18 PM Page ii 436_XSS_FM.qxd 4/20/07 1:18 PM Page i Visit us at www.syngress.com Syngress is committed to publishing high-quality books for IT Professionals and deliv- ering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional mate- rials available from our Web site. SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value- added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s). ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few. DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably. SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings. SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations.
    [Show full text]