
XSS Attacks: Cross Site Scripting Exploits and Defense PDF

866 Pages·2007·13.04 MB·English

Preview XSS Attacks: Cross Site Scripting Exploits and Defense

436_XSS_FM.qxd 4/20/07 1:18 PM Page ii
435_Sec2e_FM.qxd 5/7/07 3:00 PM Page i

INCLUDES FREE WEB-BASED TESTING!
SECOND EDITION

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Security+ Study Guide & DVD Training System, Second Edition
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 10: 978-1-59749-154-9

Publisher: Amorette Pedersen
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Andrew Williams
Copy Editor: Judith Eby
Technical Editor: Ido Dubrawsky
Indexer: Michael Ferreira
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, email [email protected].

Contributing Authors

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason.

Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is an IT Manager for EchoStar Satellite L.L.C., where he and his team architect and maintain enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 13 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 1932266526), Managing and Securing a Cisco SWAN (ISBN: 1932266917), C# for Java Programmers (ISBN: 193183654X), Snort 2.0 Intrusion Detection (ISBN: 1931836744), and Security+ Study Guide & DVD Training System (ISBN: 1931836728).

Eli Faskha (Security+, Check Point Certified Master Architect, CCSI, CCSE, CCSE+, MCP). Based in Panama City, Panama, Eli is Founder and President of Soluciones Seguras, a company that specializes in network security and is a Check Point Gold Partner and Nokia Authorized Partner. He was Assistant Technical Editor for Syngress’ Configuring Check Point NGX VPN-1/Firewall-1 (ISBN: 1597490318) book and Contributing Author for Syngress’ Building DMZs for the Enterprise (ISBN: 1597491004). Eli is the most experienced Check Point Certified Security Instructor and Nokia Instructor in the region, and has taught participants from over twenty different countries, in both English and Spanish. A 1993 graduate of the University of Pennsylvania’s Wharton School and Moore School of Engineering, he also received an MBA from Georgetown University in 1995. He has more than 8 years of Internet development and networking experience, starting with web development of the largest Internet portal in Panama in 1999 and 2000, managing a Verisign affiliate in 2001, and running his own company since then. Eli has written several articles for the local media and has been recognized for his contributions to Internet development in Panama. He can be reached at [email protected].

Michael Gregg (CISSP, CISA, MCSE, MCT, CTT+, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CCE, CEH, CHFI, DCNP, ES Dragon IDS, TICSA) is the founder and Chief Operating Officer of Superior Solutions, Inc., a Houston-based IT security consulting firm. Superior Solutions performs security assessments and penetration testing for Fortune 1000 firms. Michael is responsible for working with organizations to develop cost effective and innovative technology solutions to security issues and for evaluating emerging technologies. Michael supervises client engagements to ensure high quality solutions are developed for software design issues, systems administration concerns, policy development, and security systems testing. Michael has more than 20 years experience in the IT field and holds two associate’s degrees, a bachelor’s degree, and a master’s degree. He has written or co-written a number of other books including Que’s Certified Ethical Hacker Exam Prep 2 and Inside Network Security Assessment by Sam’s publishing. He is the author of Hack the Stack: Using Snort and Ethereal to Master the 8 Layers of an Insecure Network (Syngress, ISBN: 1597491098). He is a member of the American College of Forensic Examiners, the Independent Computer Consulting Association, and the Texas Association for Educational Technology.

Alun Jones (MVP, MCP) is the President of Texas Imperial Software. Texas Imperial Software develops secure networking software and provides security engineering consulting services. Texas Imperial Software’s flagship product is WFTPD Pro, a secure FTP server for Windows, written entirely by Alun. Alun entered the security engineering field as more and more of WFTPD’s support needs indicated that few companies were trying to meet their needs for security on the Internet. His current day job is as an Information Systems Security Engineer at Premera Blue Cross, a health insurance provider based in the Pacific Northwest of the USA. Alun has attended, but not completed, University at Corpus Christi College, Cambridge, and Bath University, and now lives in Seattle, Washington, with his wife, Debbie, and son, Colin.

Marc Perez (MCSE: Security, Security+) is a senior consultant of Networked Information Systems in Boston, MA. Representing Network Information Systems’ Microsoft practice, he provides strategic and technical consulting services to mid-size and enterprise-level clients located throughout the Northeast. Focusing on securely integrating directory services with messaging and collaboration solutions, he provides the guidance necessary for enterprises to leverage their technology investments toward more effective communication with an emphasis on presence. Educated at the University of Southern Maine, Marc has consulted privately for several organizations in the Boston area and has held roles throughout New England, including four years as an Information Security Manager for MBNA America Bank. He currently lives on the North Shore with his wife, Sandra, and his two sons, Aidan and Lucas.

Contributing Author and Technical Editor

Ido Dubrawsky (CISSP, CCNA, CCDA) is the Chief Security Advisor for Microsoft’s Communication Sector North America, a division of the Mobile and Embedded Devices Group. Prior to working at Microsoft, Ido was the acting Security Consulting Practice Lead at AT&T’s Callisma subsidiary and a Senior Security Consultant. Before joining AT&T, Ido was a Network Security Architect for Cisco Systems, Inc., SAFE Architecture Team. He has worked in the systems and network administration field for almost 20 years in a variety of environments from government to academia to private enterprise. He has a wide range of experience in various networks, from small to large and relatively simple to complex.
Ido is the primary author of three major SAFE white papers and has written, and spoken, extensively on security topics. He is a regular contributor to the SecurityFocus website on a variety of topics covering security issues. Previously, he worked in Cisco Systems, Inc. Secure Consulting Group, providing network security posture assessments and consulting services for a wide range of clients. In addition to providing penetration-testing consultation, he also conducted security architecture reviews and policy and process reviews. He holds a B.Sc. and a M.Sc. in Aerospace Engineering from the University of Texas at Austin.

Contributing Author and Technical Reviewer

Christopher A. Crayton (MCSE, MCP+I, A+, Network+), is a Certified A+/Network+ Instructor, recognized as “Teacher of the Year” by Keiser College in 2000. He resides in Sarasota, Florida, where he serves as Network Administrator for Protocol, an ECRM company.

435_Sec2e_TOC.qxd 5/7/07 3:01 PM Page vii

Contents

Foreword ... xv

Chapter 1 General Security Concepts: Access Control, Authentication, and Auditing ... 3
  Introduction ... 4
  Introduction to AAA ... 4
    What is AAA? ... 5
      Access Control ... 6
      Authentication ... 6
      Auditing ... 7
  Access Control ... 7
    MAC/DAC/RBAC ... 8
      MAC ... 8
      DAC ... 9
      RBAC ... 9
  Authentication ... 12
    Kerberos ... 18
    CHAP ... 21
    Certificates ... 22
    Username/Password ... 24
    Tokens ... 25
    Multi-factor ... 26
    Mutual Authentication ... 27
    Biometrics ... 28
  Auditing ... 29
    Auditing Systems ... 29
    Logging ... 35
    System Scanning ... 36
  Disabling Non-essential Services, Protocols, Systems and Processes ... 38
    Non-essential Services ... 38
    Non-essential Protocols ... 39
    Disabling Non-essential Systems ... 39
    Disabling Non-essential Processes ... 40
    Disabling Non-Essential Programs ... 40
  Summary of Exam Objectives ... 44
  Exam Objectives Fast Track ... 45
  Exam Objectives Frequently Asked Questions ... 47
  Self Test ... 48
  Self Test Quick Answer Key ... 54

Chapter 2 General Security Concepts: Attacks ... 55
  Attacks ... 56
  Active Attacks ... 57
    DoS and DDoS ... 57
      Resource Consumption Attacks ... 59
      SYN Attacks ... 60
      DDoS Attacks ... 61
    Software Exploitation and Buffer Overflows ... 65
    MITM Attacks ... 66
    TCP/IP Hijacking ... 67
    Replay Attacks ... 68
    Spoofing Attacks ... 68
      IP Spoofing ... 68
      E-mail Spoofing ... 71
      Web Site Spoofing ... 73
      Phishing ... 73
    Wardialing ... 74
    Dumpster Diving ... 75
  Social Engineering ... 75
  Vulnerability Scanning ... 77
  Passive Attacks ... 78
    Sniffing and Eavesdropping ... 79
  Password Attacks ... 79
    Brute Force Attacks ... 80
    Dictionary-based Attacks ... 81
  Malicious Code Attacks ... 81
    Viruses ... 82
      Worms ... 84
      Trojan Horses ... 85
      Rootkits ... 86
      Back Doors ... 86
      Logic Bombs ... 89
      Spyware and Adware ... 89
  Summary of Exam Objectives ... 91
  Exam Objectives Fast Track ... 91
  Exam Objectives Frequently Asked Questions ... 94
  Self Test ... 96
  Self Test Quick Answer Key ... 100

Chapter 3 Communication Security: Remote Access and Messaging ... 103
  Introduction ... 104
  The Need for Communication Security ... 105
    Communications-based Security ... 106
  Remote Access Security ... 107
    802.1x ... 108
      EAP ... 111
      Vulnerabilities ... 111
      Media Access Control Authentication ... 113
    VPN ... 114
      Site-to-site VPN ... 115
      Remote Access VPN ... 117
    RADIUS ... 117
      Authentication Process ... 118
      Vulnerabilities ... 119
    TACACS/+ ... 120
      TACACS ... 120
      XTACACS ... 120
      TACACS+ ... 121
      Vulnerabilities ... 121
    PPTP/L2TP ... 122
      PPTP ... 123
      L2TP ... 127
    SSH ... 129
      How SSH Works ... 129
    IPSec ... 130
      IPSec Authentication ... 132
      ISAKMP ... 133
    Vulnerabilities ... 134
      Eavesdropping ... 134
      Data Modification ... 134
      Identity Spoofing ... 134
      User Vulnerabilities and Errors ... 135
      Administrator Vulnerabilities and Errors ... 135
  E-mail Security ... 136
    MIME ... 138
    S/MIME ... 139
    PGP ... 140
      How PGP Works ... 140
    Vulnerabilities ... 143
      SMTP Relay ... 143
      Spoofing ... 146
      E-mail and Mobility ... 147
      E-mail and Viruses ... 148
      Spam ... 150
      Hoaxes ... 152
      Phishing ... 152

Description:
This is a good book for getting started with XSS, with comprehensive information about the subject, but with quite a few significant drawbacks:
- There are a lot of spelling errors (almost one per page)
- There's not a straightforward structure of content
- It's very apparent that this has been writ