
Web Application Obfuscation: '-/WAFs.. Evasion.. Filters//alert(/Obfuscation/)-'

Posted By : exLib | Date : 27 Jan 2012 18:56:57



"Web Application Obfuscation: '-/WAFs.. Evasion.. Filters//alert(/Obfuscation/)-'" by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay
Elsevier, Syngress | 2011 | ISBN: 1597496049 9781597496049 | 290 pages | PDF/djvu | 2/3 MB

This book takes a look at common Web infrastructure and security controls from an attacker's perspective, allowing the reader to understand the shortcomings of their security systems.

Web applications are used every day by millions of users, which is why they are one of the most popular vectors for attackers. Obfuscation of code has allowed hackers to take one attack and create hundreds, if not millions, of variants that can evade your security measures.

Find out how an attacker would bypass different types of security controls, how these very security controls introduce new types of vulnerabilities, and how to avoid common pitfalls in order to strengthen your defenses.
Looks at security tools like IDS/IPS that are often the only defense in protecting sensitive data and assets
Evaluates Web application vulnerabilities from the attacker's perspective and explains how these very systems introduce new types of vulnerabilities
Teaches how to secure your data, including info on browser quirks, new attacks and syntax tricks to add to your defenses against XSS, SQL injection, and more.

Contents
Acknowledgments
About the Authors
About the Technical editor
CHAPTER 1 Introduction
Audience
Filtering basics
Regular expressions
Book organization
Chapter 2: “HTML”
Chapter 3: “JavaScript and VBScript”
Chapter 4: “Nonalphanumeric JavaScript”
Chapter 5: “CSS”
Chapter 6: “PHP”
Chapter 7: “SQL”
Chapter 8: “Web application firewalls and client-side filters”
Chapter 9: “Mitigating bypasses and attacks”
Chapter 10: “Future developments”
Updates
Summary
CHAPTER 2 HTML
History and overview
The document type definition
The doctype declaration
Tags
Entities
CDATA sections
Comments
Markup today
Why markup obfuscation?
Basic markup obfuscation
Structure of valid markup
Playing with the markup
More ways to execute JavaScript
Advanced markup obfuscation
Conditional comments
URIs
JavaScript URIs
Broken protocol handlers
Data URIs
Beyond HTML
XML
Summary
CHAPTER 3 JavaScript and VBScript
Syntax
JavaScript background
Browser quirks
Encodings
Unicode escapes
Hexadecimal escapes
Octal escapes
Combining encodings
JavaScript variables
User-defined variables
Built-in variables
VBScript
Comments
Events
Functions
End of statement
VBScript encoding
The execScript function in VBScript
JScript
The jscript.compact value
The jscript.encode value
Conditional comments
The execScript function in JScript
E4X
Summary
CHAPTER 4 Nonalphanumeric JavaScript
Nonalphanumeric JavaScript
Advanced nonalphanumeric JavaScript
Creating characters
Use cases
Minimalistic sets
Summary
CHAPTER 5 CSS
Syntax
At-rules
Rulesets and selectors
Declarations
Algorithms
Attacks
UI redressing attacks
Syntax attacks
Attacks using the CSS attribute reader
History attacks
Remote stylesheet inclusion attacks
Summary
CHAPTER 6 PHP
History and overview
Obfuscation in PHP
PHP and numerical data types
Strings
Summary
CHAPTER 7 SQL
SQL: A short introduction
Relevant SQL language elements
Strings in SQL
Comments
Browser databases
Summary
CHAPTER 8 Web application firewalls and client-side filters
Bypassing WAFs
Effectiveness
Client-side filters
Bypassing client-side filters
Denial of service with regular expressions
Summary
CHAPTER 9 Mitigating bypasses and attacks
Protecting against code injections
HTML injection and cross-site scripting
Server-side code execution
Protecting the DOM
Sandboxing
Proxying
Summary
CHAPTER 10 Future developments
Impact on current applications
Current security model of the web
HTML5
Extending same origin policy
Origin of JavaScript URLs
New attributes for Iframe
The text/html-sandboxed content type
XML bindings
Other extensions
The X-Frame-Options header
The X-XSS-Protection header
The Strict-Transport-Security header
The Content-Security-Policy header
Plug-ins
The flash plug-in
The Java Plug-in
Summary
Index