Hunting Security Bugs

Hunting Security Bugs

by Bryan Jeffries, Tom Gallagher, Lawrence Landauer
Released June 2006
Publisher(s): Microsoft Press
ISBN: 9780735621879

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Learn how to think like an attacker—and identify potential security issues in your software. In this essential guide, security testing experts offer practical, hands-on guidance and code samples to help you find, classify, and assess security bugs before your software is released.

Discover how to:

  • Identify high-risk entry points and create test cases
  • Test clients and servers for malicious request/response bugs
  • Use black box and white box approaches to help reveal security vulnerabilities
  • Uncover spoofing issues, including identity and user interface spoofing
  • Detect bugs that can take advantage of your program’s logic, such as SQL injection
  • Test for XML, SOAP, and Web services vulnerabilities
  • Recognize information disclosure and weak permissions issues
  • Identify where attackers can directly manipulate memory
  • Test with alternate data representations to uncover canonicalization issues
  • Expose COM and ActiveX repurposing attacks


PLUS—Get code samples and debugging tools on the Web

Publisher resources

View/Submit Errata

Table of contents

  1. Hunting Security Bugs
  2. Dedication
  3. Foreword
  4. Introduction
    1. Who Is This Book For?
    2. Organization of This Book
    3. System Requirements
    4. Technology Updates
    5. Code Samples and Companion Content
    6. Support for This Book
      1. Questions and Comments
    7. Acknowledgments
  5. 1. General Approach to Security Testing
    1. Different Types of Security Testers
    2. An Approach to Security Testing
      1. Understanding Deeply What You Are Testing
        1. Taking It Apart
      2. Thinking Maliciously About Your Target
        1. Callback Verification
        2. Merchandise Returns at a Retail Store
        3. Software Returns
      3. Attacking the Product
      4. Stay Informed About New Attacks
    3. Summary
  6. 2. Using Threat Models for Security Testing
    1. Threat Modeling
    2. How Testers Can Leverage a Threat Model
    3. Data Flow Diagrams
    4. Enumeration of Entry Points and Exit Points
    5. Enumeration of Threats
    6. How Testers Should Use a Completed Threat Model
      1. Threats May Be Erroneously Dismissed
        1. Test Cases for the Spam Threat
        2. Test Cases for the Mail Bombing Threat
        3. Test Cases for the Repudiation Threat
        4. Test Cases for Denial of Service and Code Execution Threats
    7. Implementation Rarely Matches the Specification or Threat Model
    8. Summary
  7. 3. Finding Entry Points
    1. Finding and Ranking Entry Points
      1. Assessing the Risk of Entry Points
    2. Common Entry Points
      1. Files
        1. Importance to an Attacker
        2. Registered File Types
        3. Unregistered File Types
        4. How to Find This Entry Point
          1. Files Being Accessed by the Application
          2. File Permissions
          3. Filename Extension Information
      2. Sockets
        1. Importance to an Attacker
        2. How to Find This Entry Point
          1. Enumerating the Open Sockets
          2. Monitoring the Network Traffic
      3. HTTP Requests
        1. Importance to an Attacker
        2. How to Find This Entry Point
      4. Named Pipes
        1. Importance to an Attacker
        2. How to Find This Entry Point
        3. Checking the Permissions
        4. Hijacking a Named Pipe
        5. Impersonating the Client
        6. Client Security
      5. Pluggable Protocol Handlers
        1. Importance to an Attacker
        2. How to Find This Entry Point
      6. Malicious Server Responses
        1. Importance to an Attacker
        2. How to Find This Entry Point
      7. Programmatic Interfaces
        1. Importance to an Attacker
        2. How to Find This Entry Point
      8. SQL
        1. Importance to an Attacker
      9. Registry
        1. Importance to an Attacker
        2. How to Find This Entry Point
          1. Determining the Registry Keys Being Accessed
          2. Determining Permissions of Registry Keys
      10. User Interfaces
        1. Importance to an Attacker
        2. How to Find This Entry Point
      11. E-mail
        1. Importance to an Attacker
        2. How to Find This Entry Point
      12. Command-Line Arguments
        1. Importance to an Attacker
        2. How to Find This Entry Point
      13. Environment Variables
        1. Importance to an Attacker
        2. How to Find This Entry Point
    3. Summary
  8. 4. Becoming a Malicious Client
    1. Client/Server Interaction
      1. Finding Requests the Server Normally Accepts
        1. Sniffing Network Traffic
      2. Manipulating Network Requests
        1. Using a Proxy to Modify TCP Traffic
    2. Testing HTTP
      1. Understanding a Stateless Protocol
      2. Testing Methods of Receiving Input
        1. Understanding HTML Forms
          1. Form Controls
        2. Tampering with URL Query String Parameters
        3. Tampering with POST Data
        4. Tampering with Cookies
          1. Key Properties of Cookies
          2. How Cookies Are Issued by the Server
          3. Retrieving Cookies
          4. Testing Cookies
        5. Tampering with HTTP Headers
    3. Testing Specific Network Requests Quickly
    4. Testing Tips
    5. Summary
  9. 5. Becoming a Malicious Server
    1. Understanding Common Ways Clients Receive Malicious Server Responses
    2. Does SSL Prevent Malicious Server Attacks?
    3. Manipulating Server Responses
      1. Common Vulnerabilities Found When Sending Malicious Responses
    4. Examples of Malicious Response Bugs
      1. Example: Telnet Client Environment Variable Disclosure
      2. Example: File Caching Allows Arbitrary Code Execution
    5. Myth: It Is Difficult for an Attacker to Create a Malicious Server
      1. EvilServer
    6. Understanding Downgrade MITM Attacks
    7. Testing Tips
    8. Summary
  10. 6. Spoofing
    1. Grasping the Importance of Spoofing Issues
      1. Caller ID Spoofing
        1. Spoofing as a Social Engineering Aide
        2. Compromising Voice Mail Using Spoofing
    2. Finding Spoofing Issues
    3. General Spoofing
      1. IP Address Spoofing
        1. TCP
        2. UDP
      2. MAC Address Spoofing
      3. Spoofing Using Network Protocols
        1. Reverse DNS Lookups
        2. SMTP E-mail Messages
        3. HTTP Referer
        4. HTTP User-Agent
    4. User Interface Spoofing
      1. Rewording Dialog Boxes
      2. Reformatting Using Control Characters
        1. Wildcard DNS
      3. Z-Order Spoofing
      4. Misleading URLs and Filenames
        1. Homograph Attacks
        2. URL Redirection Attacks
        3. Username@URL Syntax Attacks
    5. Testing Tips
    6. Summary
  11. 7. Information Disclosure
    1. Problems with Information Disclosure
    2. Locating Common Areas of Information Disclosure
      1. Disclosure in Files
        1. Finding Which Files Are Used
          1. Process Explorer
          2. File Monitor
        2. How Files Are Stored
          1. Ensure Data Is Written to a Safe Location
          2. Ensure the Permissions Are Not Weak
          3. Check Predictability of a Filename or Path
        3. Inspecting the Contents of Files
          1. Embedded Metadata
          2. Viewing the Data
      2. Disclosures over a Network
        1. Determine What Data Goes over the Network
        2. Providing Too Much Information
          1. HTTP Referer
          2. Web Beacons
        3. Error Messages
    3. Identifying Interesting Data
      1. Obfuscating Data
      2. Implied Disclosures
    4. Summary
  12. 8. Buffer Overflows and Stack and Heap Manipulation
    1. Understanding How Overflows Work
      1. Stack Overflows
      2. Integer Overflows
      3. Heap Overruns
      4. Other Attacks
    2. Testing for Overruns: Where to Look for Cases
      1. Network
      2. Documents and Files
      3. Information Shared Between Users with Higher and Lower Privileges
      4. Programmable Interfaces
    3. Black Box (Functional) Testing
      1. Determining What Data Is Expected
      2. Using Data You Recognize
      3. Knowing the Limits and Bounds
        1. Asking or Reading the Code
        2. Trying the Maximum Intended Allowable Lengths
        3. Using Common Limits
        4. Slowly Growing the Input
        5. Using an Iterative Approach
      4. Maintaining Overall Data Integrity
        1. Encodings/Compression/Encryption
        2. Compound Documents
        3. Offsets/Sizes
        4. References
        5. Fixed-Width Fields
        6. Limited Values (Enumerations)
        7. Dependencies
        8. Delimiters
      5. Strategies for Transforming Normal Data into Overruns
        1. Replacing Null Values
        2. Inserting vs. Overwriting
        3. Adjusting String Lengths
        4. Recognizing Data Structures
      6. Testing Both Primary and Secondary Actions
        1. Prioritizing Test Cases
      7. What to Look For
        1. Crashes
        2. Exceptions
        3. Memory Spikes
        4. Changes in Behavior
      8. Runtime Tools
        1. Bounds Checker
        2. Debugger
        3. Gflags.exe
      9. Fuzzing
    4. White Box Testing
      1. Things to Look For
        1. Data Copying
        2. Duplicate Lengths or Size Data
        3. Parsers
        4. In-Place Expansion of Data
          1. ANSI/OEM to and from Unicode
          2. Relative Path Expansion
          3. Encoding or Decoding
        5. Failing to Null Terminate
        6. Failing to Reset Freed Pointers
      2. Overflow Exploitability
      3. Unicode Data
      4. Filtered Data
    5. Additional Topics
      1. Noncode Execution Overflows Can Be Serious, Too
      2. /GS Compiler Switch
        1. Testing Whether the Binary Was Compiled Using /GS
        2. /GS Information Disclosure Vulnerability
    6. Testing Tips
    7. Summary
  13. 9. Format String Attacks
    1. What Are Format Strings?
    2. Understanding Why Format Strings Are a Problem
      1. Anatomy of a printf Call
      2. Misinterpreting the Stack
      3. Overwriting Memory
    3. Testing for Format String Vulnerabilities
      1. Reviewing Code
      2. Black Box Testing
    4. Walkthrough: Seeing a Format String Attack in Action
      1. Finding the Format String Bug
      2. Analyzing Exploitability
      3. Digging Deeper: Working Around Exploitability Problems
        1. Problem: Getting ECX to a Useful Value
        2. Overwriting the Stack Return Address
        3. Problem: Limits on Output per Format Specifier
        4. Problem: No Null Bytes Allowed
        5. Another Format String Specifier Challenge
      4. Building a Simple Payload
        1. The Compiler Is the Payload Coder’s Friend
          1. Draft Exploit Based on WinExec Disassembly
        2. Filling in the Details: What Do You Want to Run Today?
        3. Testing the Payload
    5. Testing Tips
    6. Summary
  14. 10. HTML Scripting Attacks
    1. Understanding Reflected Cross-Site Scripting Attacks Against Servers
      1. Example: Reflected XSS in a Search Engine
      2. Understanding Why XSS Attacks Are a Security Concern
      3. Exploiting Server-Reflected XSS Bugs
      4. POSTs Are Exploitable, Too
        1. Example: Exploiting POST Data in helloPostDemo.asp
          1. Getting Victims to Submit Malicious POST Data
          2. Creating a Test to Exploit This Vulnerability
    2. Understanding Persistent XSS Attacks Against Servers
      1. Example: Persistent XSS in a Web Guestbook
      2. Exploiting Persistent XSS Against Servers
    3. Identifying Attackable Data for Reflected and Persistent XSS Attacks
      1. Sometimes More Than the <script> Tag Is Needed
    4. Common Ways Programmers Try to Stop Attacks
      1. HTML-Encoded Data Doesn’t Always Stop the Attack
        1. Stuck in a Script Block
        2. Using Events
        3. Using Styles
        4. Scripting Protocols
    5. Understanding Reflected XSS Attacks Against Local Files
      1. Example: Local HTML File Reflected XSS
      2. Exploiting Reflected XSS Bugs in Local Files
      3. Understanding Why Local XSS Bugs Are an Issue
      4. Using Local XSS Bugs to Run Binaries on the Victim’s Machine
      5. HTML Resources
        1. Finding HTML Resources in Files
        2. Example of Running Script Through HTML Resources
      6. Compiled Help Files
        1. Using HTML Help Workshop to Decompile a CHM File
        2. Example of XSS in a CHM File
        3. Exploiting CHMs Using Protocol Handlers
      7. Finding XSS Bugs in Client-Side Script
    6. Understanding Script Injection Attacks in the My Computer Zone
      1. Example: Script Injection in Winamp Playlist
      2. Non-HTML Files Parsed as HTML
    7. Ways Programmers Try to Prevent HTML Scripting Attacks
      1. Filters
        1. Removing Strings from Input Before Returning It
        2. Blocking Breaking Out of an Attribute by Escaping
      2. Gaining In-Depth Understanding of the Browser’s Parser
      3. Comments in Styles
        1. Character Sets
      4. ASP.NET Built-in Filters
    8. Understanding How Internet Explorer Mitigates XSS Attacks Against Local Files
      1. Links from the Internet to the My Computer Zone Are Blocked
      2. Script Disabled in the My Computer Zone by Default
    9. Identifying HTML Scripting Vulnerabilities
    10. Finding HTML Scripting Bugs Through Code Review
      1. Identifying All Places Content Is Returned to the Web Browser or File System
      2. Determining Whether Output Contains Attacker-Supplied Data
      3. Verifying That Attacker Data Is Properly Validated and/or Encoded
      4. ASP.NET Automatically Encodes the Data... Sometimes
    11. Summary
  15. 11. XML Issues
    1. Testing Non-XML Security Issues in XML Input Files
      1. Well-Formed XML
      2. Valid XML
      3. Including Nonalphanumeric Data in XML Input
        1. CDATA
        2. Character References
        3. Testing Really Simple Syndication
    2. Testing XML-Specific Attacks
      1. Entities
        1. Infinite Entity Reference Loops
        2. XML Bombs
        3. External Entities
      2. XML Injection
        1. XML Data Injection
        2. Extensible Stylesheet Language (XSL)
        3. XPath/XQuery Injection
      3. Large File References
    3. Simple Object Access Protocol
      1. Testing SOAP
        1. SOAP Array DoS Attacks
        2. SOAP XML Bombs
    4. Testing Tips
    5. Summary
  16. 12. Canonicalization Issues
    1. Understanding the Importance of Canonicalization Issues
    2. Finding Canonicalization Issues
    3. File-Based Canonicalization Issues
      1. Directory Traversal
      2. Defeating Filename Extension Checks
        1. Understanding Filename Extension Precedence
        2. Using Trailing Characters
        3. NTFS Data Streams
        4. When Filename Extensions Do Not Matter
      3. Other Common Mistakes That Lead to Canonicalization Issues
        1. Using Short Filenames vs. Long Filenames
        2. Exploiting Casing Issues
        3. Specifying DOS Device Names
        4. Accessing UNC Shares
        5. Understanding Search Paths
    4. Web-Based Canonicalization Issues
      1. Encoding Issues
        1. Using Hexadecimal Escape Codes
        2. Using Overlong UTF-8 Encoding
        3. Using UCS-2 Unicode Encoding
        4. Selecting Other Character Encodings
        5. Double Encoding Characters
        6. Using HTML Escape Codes
          1. HTML Entities
      2. URL Issues
        1. Handling SSL URLs
        2. Handling Domain Name Parsing
          1. Dotless IP Addresses
          2. IPv6 Formats
        3. Handling Credentials in a URL
    5. Testing Tips
    6. Summary
  17. 13. Finding Weak Permissions
    1. Understanding the Importance of Permissions
    2. Finding Permissions Problems
    3. Understanding the Windows Access Control Mechanism
      1. What Is a Securable Object?
      2. What Is a Security Descriptor?
      3. What Is an ACL?
      4. What Is an ACE?
    4. Finding and Analyzing Permissions on Objects
      1. Using the Windows Security Properties Dialog Box
      2. Using AccessEnum
      3. Using Process Explorer
      4. Using ObjSD
      5. Using AppVerifier
    5. Recognizing Common Permissions Problems
      1. Weak DACLs
        1. Giving Everyone Access
        2. Giving Large Groups Access
        3. Giving Too Much Access to the Container
        4. Using a Deny ACE
      2. NULL DACLs
      3. Improper Ordering of ACEs
      4. Object Creator
      5. Accessing Resources Indirectly
      6. Forgetting to Revert Permissions
      7. Squatting Attacks
      8. Exploiting Race Conditions
      9. File Links
        1. Symbolic Links
        2. Junctions
        3. Hard Links
        4. Security Concerns with File Links
    6. Determining the Accessibility of Objects
      1. Remotely Accessible Objects
        1. Windows Services
        2. DCOM Objects
      2. Locally Accessible Objects
    7. Other Permissions Considerations
      1. .NET Permissions
      2. SQL Permissions
        1. SQL Triggers
        2. SQL Security Functions
        3. Global Temporary Stored Procedures
      3. Role-Based Security
    8. Summary
  18. 14. Denial of Service Attacks
    1. Understanding Types of DoS Attacks
      1. Finding Implementation Flaws
        1. Application Crashes
        2. Poorly Designed Features
        3. Resource Leaks
        4. DOS Device Names Handling
        5. Connection Timeouts
      2. Finding Resource Consumption Flaws
        1. CPU Consumption
          1. Analyzing Algorithm Costs
          2. Understanding Recursive Calls
        2. Memory Consumption
        3. Disk Space Consumption
          1. Disk Quota
          2. Logging Errors
          3. Decompression Bombs
        4. Bandwidth Consumption
      3. Finding Solutions for a Hard Problem
    2. Testing Tips
    3. Summary
  19. 15. Managed Code Issues
    1. Dispelling Common Myths About Using Managed Code
      1. Myth 1: Buffer Overflows Don’t Exist in Managed Code
      2. Myth 2: ASP.NET Web Controls Prevent Cross-Site Scripting
      3. Myth 3: Garbage Collection Prevents Memory Leaks
      4. Myth 4: Managed Code Prevents SQL Injection
    2. Understanding the Basics of Code Access Security
      1. User Security vs. Code Security
      2. Overview of CAS
      3. Assemblies
        1. Microsoft Intermediate Language
        2. Strong Names
      4. Evidence
      5. Permissions
      6. Policies
        1. Code Groups
          1. Policy Example
        2. FullTrust
        3. Partial Trust
        4. Sandboxing
      7. Global Assembly Cache
      8. Stack Walks
        1. Full Demands
        2. Link Demands
        3. Inheritance Demands
      9. Stack Walk Modifiers
        1. Assert
        2. Deny
        3. PermitOnly
    3. Finding Problems Using Code Reviews
      1. Calling Unsafe Code
        1. Using Unverifiable Code
        2. Using Win32 APIs
        3. Marshaling Data
      2. Finding Problems with Asserts
        1. Complement an Assert with a Demand
        2. Don’t Assert Too Much Permission
        3. Reduce the Scope of the Assert
      3. Finding Problems with Link Demands
        1. Calling the Public Method Does Not Enforce the Link Demand
        2. The Interface the Method Implements Does Not Have the Link Demand
      4. Recognizing Poor Exception Handling
        1. Finding Elevation of Privilege Bugs
        2. Finding Information Disclosure Bugs
    4. Understanding the Issues of Using APTCA
      1. Determining If an Assembly Is Marked APTCA
      2. Understanding Why the Assembly Is Marked APTCA
      3. Understanding What Functionality the Public Interface Provides
      4. Testing for Luring Attacks
    5. Decompiling .NET Assemblies
    6. Testing Tips
    7. Summary
  20. 16. SQL Injection
    1. Exactly What Is SQL Injection?
    2. Understanding the Importance of SQL Injection
      1. Assessing the Vulnerability of Applications
    3. Finding SQL Injection Issues
      1. Using a Black Box Testing Approach
        1. Determine Which SQL Statements Are Executed
        2. Determine Whether User-Supplied Data Is Used in SQL Statements
        3. Using Techniques to Break Out of SQL Queries
          1. String Fields
          2. Number Fields
          3. Using SQL Comments
          4. ORDER BY Clause
          5. LIKE Clause
          6. SQL Functions
          7. Using Square Brackets
          8. Using Double Quotation Marks
          9. Injection in Stored Procedures
          10. Injection by Data Truncation
          11. Batch Transactions
      2. Using Code Reviews
        1. Identifying Places That Construct and Execute SQL Statements
        2. Sanitizing User-Supplied Data
    4. Avoiding Common Mistakes About SQL Injection
      1. Escape Single Quotation Marks in Input
      2. Remove Semicolons to Block Multiple Statements
      3. Use Only Stored Procedures
      4. Remove Unwanted Stored Procedures
      5. Place the Computer That Runs SQL Server Behind a Firewall
    5. Understanding Repurposing of SQL Stored Procedures
      1. Example: Backing Up Documents
      2. Hunting for Stored Procedure Repurposing Issues
    6. Recognizing Similar Injection Attacks
    7. Testing Tips
    8. Summary
  21. 17. Observation and Reverse Engineering
    1. Observation Without a Debugger or Disassembler
      1. Comparing Output
        1. Output Can Become Input
        2. How Does Comparing Output Help Your Testing?
      2. Using Monitoring Tools
        1. Logger/Log Viewer
    2. Using a Debugger to Trace Program Execution and Change its Behavior
      1. Modifying Execution Flow to Bypass Restrictions
        1. Patching Binaries
          1. Example: Challenging the Robustness of a Copy Protection Check from a Binary
      2. Reading and Modifying Memory Contents Under a Debugger
        1. Example: Setting a Breakpoint on Memory to Understand How User Input Is Used
    3. Using a Decompiler or Disassembler to Reverse Engineer a Program
      1. Understanding Differences Between Native Code and Bytecode Binaries
      2. Spotting Insecure Function Calls Without Source Code
        1. Example: Finding Format String Vulnerabilities Without Source Code
      3. Reverse Engineering Algorithms to Identify Security Flaws
        1. Example: Finding an Implementation Flaw in Authentication Code
    4. Analyzing Security Updates
    5. Testing Tips
    6. Legal Considerations
    7. Summary
  22. 18. ActiveX Repurposing Attacks
    1. Understanding ActiveX Controls
      1. Creating ActiveX Controls in Internet Explorer
      2. Initializing and Scripting ActiveX Controls
      3. Repurposing ActiveX Controls
        1. Using ActiveX SiteLock
        2. ActiveX Repurposing: Causes
      4. Understanding the ActiveX Control Security Model
        1. Installation
        2. Instantiation (Instance Creation)
        3. Initialization
        4. Scripting
      5. Using the ActiveX Control Testing Methodology
        1. Discovering How the Control Works
        2. Tools of Interest
          1. Tool: Object Browser
          2. Tool: OLEView
          3. Tool: ActiveX Control Test Container
          4. Tool: COMRaider
        3. Member-Level Threat Modeling
      6. Additional Testing Tricks and Techniques
        1. Exception Handlers: Using try-catch
        2. Return Values
        3. Nested Objects
        4. Control Persistence – Browser Helper Objects (BHOs)
        5. Server Redirection
        6. Bypassing Browser Security Settings
        7. Namespaces and Behaviors
    2. ActiveX Control Testing Walkthrough
      1. Clear
      2. ClipboardCopy
      3. ClipboardPaste
      4. InvokeRTFEditor
        1. How Can an Attacker Specify the Editor InvokeRTFEditor Uses?
        2. Can an Attacker Bypass the Prompt?
        3. Can an Attacker Spoof the Prompt?
        4. How Is the Editor Launched?
        5. Which Component Creates the TomCC9.tmp File?
        6. Where Is the TomCC9.tmp File Stored?
        7. Is Data from the Control Pumped into the Editor? How?
        8. But Wait, There Is More!
      5. LoadRTF
      6. NumChars
      7. RTFEditor Property
      8. RTFEditor PARAM
      9. RTFEditorOverride
      10. Challenge
    3. Testing Tips
    4. Summary
  23. 19. Additional Repurposing Attacks
    1. Understanding Document Formats That Request External Data
      1. Common Mitigation for Document Formats Requesting External Data
      2. Testing Document Formats That Request External Data
    2. Web Pages Requesting External Data
      1. CSRF Through Query String URLs
      2. CSRF Through POST Data
      3. Common Ways to Prevent CSRF Attacks
      4. CSRF Through SOAP Data
      5. Testing for CSRF Attacks
    3. Understanding Repurposing of Window and Thread Messages
      1. Testing for Shatter Attacks
    4. Summary
  24. 20. Reporting Security Bugs
    1. Reporting the Issue
    2. Contacting the Vendor
    3. What to Expect After Contacting the Vendor
      1. Dealing with Unresponsive Vendors
    4. Public Disclosure
      1. Deciding on the Amount of Detail
      2. Timing the Disclosure
    5. Addressing Security Bugs in Your Product
      1. Communicating with Bug Finders
      2. Identifying the Root Cause
      3. Looking for Related Bugs
      4. Determining Affected Products and Versions
      5. Testing the Fix
      6. Determining Mitigations and Workarounds
      7. Releasing Patches Simultaneously for All Affected Products and Versions
    6. Summary
  25. A. Tools of the Trade
    1. General
    2. ActiveX/COM
    3. Canonicalization
    4. Code Analysis
    5. Debugging
    6. Documents and Binaries
    7. Fuzzers
    8. Memory/Runtime
    9. Network
    10. Permissions
    11. SQL
  26. B. Security Test Cases Cheat Sheet
    1. Network Requests and Responses
      1. Sample Test Cases
    2. Spoofing
      1. Sample Test Cases
    3. Information Disclosures
      1. Sample Test Cases
    4. Buffer Overflows
      1. Sample Test Cases
    5. Format Strings
      1. Sample Test Cases
    6. Cross-Site Scripting and Script Injection
      1. Sample Test Cases
    7. XML
      1. Sample Test Cases
    8. SOAP
      1. Sample Test Cases
    9. Canonicalization Issues
      1. Sample Test Cases
    10. Weak Permissions
      1. Sample Test Cases
    11. Denial of Service
      1. Sample Test Cases
    12. Managed Code
      1. Sample Test Cases
    13. SQL Injection
      1. Sample Test Cases
    14. ActiveX
      1. Sample Test Cases
  27. C.
    1. Tom Gallagher
    2. Bryan Jeffries
    3. Lawrence Landauer
  28. Index
  29. About the Authors
  30. Copyright

Product information

  • Title: Hunting Security Bugs
  • Author(s): Bryan Jeffries, Tom Gallagher, Lawrence Landauer
  • Release date: June 2006
  • Publisher(s): Microsoft Press
  • ISBN: 9780735621879