Innocent Code : A Security Wake-Up Call for Web Programmers

Sverre H. Huseby

  • Publisher: Wiley
  • Publication date: 2004-01-30
  • List price: $2,100
  • Sale price: $1,995 (9.5 折, i.e. 5% off)
  • Language: English
  • Pages: 248
  • Binding: Paperback
  • ISBN: 0470857447
  • ISBN-13: 9780470857441
  • Related category: Information Security
  • Ships immediately (stock < 4)



This book is much more than a wake-up call. It is also an eye-opener. Even for those who are already awake to the problems of Web server security, it is a serious guide for what to do and what not to do, with many well-chosen examples. The set of fundamental rules is highly relevant.

Peter G. Neumann, Author of Computer-Related Risks, and moderator of the Internet Risks Forum (

This concise and practical book will show where code vulnerabilities lie and how best to fix them. Its value is in showing where code may be exploited to gain access to - or break - systems, but without delving into specific architectures, programming or scripting languages or applications. It provides illustrations with real code.

Innocent Code is an entertaining read showing how to change your mindset from website construction to website destruction so as to avoid writing dangerous code. Abundant examples from susceptible sites will bring the material alive and help you to guard against:

  • SQL Injection, shell command injection and other attacks based on mishandling meta-characters
  • bad input
  • cross-site scripting
  • attackers who trick users into performing actions
  • leakage of server-side secrets
  • hidden enemies such as project deadlines, salesmen, messy code and tight budgets

All web programmers need to take precautions against producing websites vulnerable to malicious attack. This is the book which tells you how without trying to turn you into a security specialist.

Table of Contents




I.1 The Rules.

I.2 The Examples.

I.3 The Chapters.

I.4 What is Not in this Book?

I.5 A Note From the Author.

I.6 Feedback.

1. The Basics.

1.1 HTTP.

1.2 Sessions.

1.3 HTTPS.

1.4 Summary.

1.5 Do You Want to Know More?

2. Passing Data to Subsystems.

2.1 SQL Injection.

2.2 Shell Command Injection.

2.3 Talking to Programs Written in C/C++.

2.4 The Evil Eval.

2.5 Solving Metacharacter Problems.

2.6 Summary.

3. User Input.

3.1 What is Input Anyway?

3.2 Validating Input.

3.3 Handling Invalid Input.

3.4 The Dangers of Client-side Validation.

3.5 Authorization Problems.

3.6 Protecting Server-generated Input.

3.7 Summary.

4. Output Handling: The Cross-site Scripting Problem.

4.1 Examples.

4.2 The Problem.

4.3 The Solution.

4.4 Browser Character Sets.

4.5 Summary.

4.6 Do You Want to Know More?

5. Web Trojans.

5.1 Examples.

5.2 The Problem.

5.3 A Solution.

5.4 Summary.

6. Passwords and Other Secrets.

6.1 Crypto-stuff.

6.2 Password-based Authentication.

6.3 Secret Identifiers.

6.4 Secret Leakage.

6.5 Availability of Server-side Code.

6.6 Summary.

6.7 Do You Want to Know More?

7. Enemies of Secure Code.

7.1 Ignorance.

7.2 Mess.

7.3 Deadlines.

7.4 Salesmen.

7.5 Closing Remarks.

7.6 Do You Want to Know More?

8. Summary of Rules for Secure Coding.

Appendix A: Bugs in the Web Server.

Appendix B: Packet Sniffing.

Appendix C: Sending HTML Formatted E-mails with Forged Sender Address.

Appendix D: More Information.
