The only end-to-end guide to securing Apache Web servers and Web applications Apache can be hacked. As companies have improved perimeter security, hackers have increasingly focused on attacking Apache Web servers and Web applications. Firewalls and SSL won’t protect you: you must systematically harden your Web application environment. Preventing Web Attacks with Apache brings together all the information you’ll need to do that: step-by-step guidance, hands-on examples, and tested configuration files. Building on his groundbreaking SANS presentations on Apache security, Ryan C. Barnett reveals why your Web servers represent such a compelling target, how significant exploits are performed, and how they can be defended against. Exploits discussed include: buffer overflows, denial of service, attacks on vulnerable scripts and programs, credential sniffing and spoofing, client parameter manipulation, brute force attacks, web defacements, and more. Barnett introduces the Center for Internet Security Apache Benchmarks, a set of best-practice Apache security configuration actions and settings he helped to create. He addresses issues related to IT processes and your underlying OS; Apache downloading, installation, and configuration; application hardening; monitoring, and more. He also presents a chapter-length case study using actual Web attack logs and data captured “in the wild.” For every sysadmin, Web professional, and security specialist responsible for Apache or Web application security.

"The complete guide to securing your Apache web server"--Cover.

"Do you learn best by example and experimentation? This book is ideal. Have your favorite editor and compiler ready–you'll encounter example code you'll want to try right away. You've picked the right book–this is sure to become the de facto standard guide to writing Apache modules." –Rich Bowen, coauthor, Apache Administrators Handbook, Apache Cookbook, and The Definitive Guide to Apache mod_rewrite "A first-rate guide to getting the most out of Apache as a modular application platform–sure to become a must-read for any Apache programmer, from beginner to experienced professional. It builds up carefully and meticulously from the absolute basics, while including chapters on everything from the popular Apache DBD Framework to best practices, security, and debugging." –Noirin Plunkett, documentation committer to the Apache httpd project, and member of the ASF conference committee The Only Comprehensive Guide to Developing Apache 2.x Modules and Applications Apache is more than the world's most popular Web server–it's also an extraordinarily powerful and extensible development platform. Now, ApacheTutor.org's Nick Kew has written The Apache Modules Book, the first start-to-finish, example-rich guide for every developer who wants to make the most of Apache. Kew begins with detailed, accessible introductions to Apache's architecture and API, then illuminates all the techniques you'll need, from request processing through code security. He brings together the best of both worlds: powerful C-based techniques for accomplishing tasks Perl or PHP can't handle, implemented with tools that deliver all the productivity you'd expect from higher-level languages. Utilizing realistic code samples, Kew introduces techniques documented in no other book-and, often, nowhere else at all. Coverage includes Using Apache Portable Runtime (APR) to streamline C development and avoid its pitfalls Leveraging Apache DBD to build applications far more scalable than classic LAMP software Working with the latest Apache 2.x features: filter modules, XML support, and smart proxies Mastering best practices, from thread safety to multi-platform development Utilizing the Apache Authentication Framework Tracing and debugging problems in both Apache and your custom modules Foreword Preface Acknowledgments About the Author Chapter 1 Applications Development with Apache Chapter 2 The Apache Platform and Architecture Chapter 3 The Apache Portable Runtime Chapter 4 Programming Techniques and Caveats Chapter 5 Writing a Content Generator Chapter 6 Request Processing Cycle and Metadata Handlers Chapter 7 AAA: Access, Authentication, and Authorization Chapter 8 Filter Modules Chapter 9 Configuration for Modules Chapter 10 Extending the API Chapter 11 The Apache Database Framework Chapter 12 Module Debugging Appendix A Apache License Appendix B Contributor License Agreements Appendix C Hypertext Transfer Protocol: HTTP/1.1 Index About the Web Site ApacheTutor.org contains code examples from the book, all designed for easy use and integration into existing applications.

Defending your web applications against hackers and attackers The top-selling book Web Application Hacker's Handbook showed how attackers and hackers identify and attack vulnerable live web applications. This new Web Application Defender's Cookbook is the perfect counterpoint to that book: it shows you how to defend. Authored by a highly credentialed defensive security expert, this new book details defensive security methods and can be used as courseware for training network security personnel, web server administrators, and security consultants. Each "recipe" shows you a way to detect and defend against malicious behavior and provides working code examples for the ModSecurity web application firewall module. Topics include identifying vulnerabilities, setting hacker traps, defending different access points, enforcing application flows, and much more. Provides practical tactics for detecting web attacks and malicious behavior and defending against them Written by a preeminent authority on web application firewall technology and web application defense tactics Offers a series of "recipes" that include working code examples for the open-source ModSecurity web application firewall module Find the tools, techniques, and expert information you need to detect and respond to web application attacks with Web Application Defender's Cookbook: Battling Hackers and Protecting Users.

IBWAS 2009, the Iberic Conference on Web Applications Security, was the first international conference organized by both the OWASP Portuguese and Spanish ch- ters in order to join the international Web application security academic and industry communities to present and discuss the major aspects of Web applications security. There is currently a change in the information systems development paradigm. The emergence of Web 2. 0 technologies led to the extensive deployment and use of W- based applications and Web services as a way to develop new and flexible information systems. Such systems are easy to develop, deploy and maintain and they demonstrate impressive features for users, resulting in their current wide use. The “social” features of these technologies create the necessary “massification” effects that make millions of users share their own personal information and content over large web-based int- active platforms. Corporations, businesses and governments all over the world are also developing and deploying more and more applications to interact with their bu- nesses, customers, suppliers and citizens to enable stronger and tighter relations with all of them. Moreover, legacy non-Web systems are being ported to this new intrin- cally connected environment. IBWAS 2009 brought together application security experts, researchers, educators and practitioners from industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track, academic researchers were able to combine interesting results with the experience of practitioners and software engineers.

The Presidentâe(tm)s life is in danger! Jimmy Sniffles, with the help of a new invention, shrinks down to miniature size to sniff out the source of the problem.

Web applications are used every day by millions of users, which is why they are one of the most popular vectors for attackers. Obfuscation of code has allowed hackers to take one attack and create hundreds-if not millions-of variants that can evade your security measures. Web Application Obfuscation takes a look at common Web infrastructure and security controls from an attacker's perspective, allowing the reader to understand the shortcomings of their security systems. Find out how an attacker would bypass different types of security controls, how these very security controls introduce new types of vulnerabilities, and how to avoid common pitfalls in order to strengthen your defenses. Named a 2011 Best Hacking and Pen Testing Book by InfoSec Reviews Looks at security tools like IDS/IPS that are often the only defense in protecting sensitive data and assets Evaluates Web application vulnerabilties from the attacker's perspective and explains how these very systems introduce new types of vulnerabilities Teaches how to secure your data, including info on browser quirks, new attacks and syntax tricks to add to your defenses against XSS, SQL injection, and more