December 2012
Intermediate to advanced
552 pages
13h 16m
English
Content preview from Web Application Defender's CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Recipe 6-9: Detecting Abnormal Response Time Intervals
This recipe shows you how to figure out when applications experience abnormal delays in sending their responses to clients.
Ingredients
- ModSecurity
- DURATION variable
Web application owners and developers often obsess over application performance. But this occurs for a perfectly valid reason. Web application users have extremely low tolerance for latency and will quickly leave your site for a competitor’s site if yours is too slow. With this in mind, we can leverage the fact that the web applications will process the request and respond rather quickly. Yes, variance between resources and back-end processing will occur, but latency will be minimized as much as possible.
So why am I talking about application latency? What does this have to do with web security monitoring? I’m glad you asked! Chapter 10 discusses SQL Injection attacks and defense in more depth, but one aspect is appropriate to cover now—blind SQL Injection. In this scenario, the attacker still can send the SQL Injection payload and have it be executed by the back-end database. However, the application has been configured to not send detailed error messages. This means that the attacker must instruct the database to conditionally execute certain code if the result of the query is either true or false. A favorite technique of attackers is to use the waitfor delay command. It simply tells the database to sit idle for a specified period of time before completing ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.