Fuzzing: Brute Force Vulnerability Discovery und über 1,5 Millionen weitere Bücher verfügbar für Amazon Kindle. Erfahren Sie mehr
  • Statt: EUR 58,45
  • Sie sparen: EUR 0,02
  • Alle Preisangaben inkl. MwSt.
Nur noch 2 auf Lager (mehr ist unterwegs).
Verkauf und Versand durch Amazon.
Geschenkverpackung verfügbar.
Menge:1
Fuzzing: Brute Force Vuln... ist in Ihrem Einkaufwagen hinzugefügt worden
+ EUR 3,00 Versandkosten
Gebraucht: Gut | Details
Verkauft von betterworldbooks__
Zustand: Gebraucht: Gut
Kommentar: Versand aus den USA. Lieferungszeit ca. 2-3 Wochen. Wir bieten Kundenservice auf Deutsch! Geringe Abnutzungserscheinungen und minimale Markierungen im Text. 100%ige Kostenrueckerstattung garantiert Ueber eine Million zufriedene Kunden! Ihr Einkauf unterstuetzt world literacy!
Ihren Artikel jetzt
eintauschen und
EUR 10,75 Gutschein erhalten.
Möchten Sie verkaufen?
Zur Rückseite klappen Zur Vorderseite klappen
Anhören Wird wiedergegeben... Angehalten   Sie hören eine Probe der Audible-Audioausgabe.
Weitere Informationen
Dieses Bild anzeigen

Fuzzing: Brute Force Vulnerability Discovery (Englisch) Taschenbuch – 29. Juni 2007


Alle 2 Formate und Ausgaben anzeigen Andere Formate und Ausgaben ausblenden
Amazon-Preis Neu ab Gebraucht ab
Kindle Edition
"Bitte wiederholen"
Taschenbuch
"Bitte wiederholen"
EUR 58,43
EUR 52,49 EUR 24,44
6 neu ab EUR 52,49 6 gebraucht ab EUR 24,44

Hinweise und Aktionen

  • Große Hörbuch-Sommeraktion: Entdecken Sie unsere bunte Auswahl an reduzierten Hörbüchern für den Sommer. Hier klicken.


Wird oft zusammen gekauft

Fuzzing: Brute Force Vulnerability Discovery + The Art of Software Security Assessment
Preis für beide: EUR 104,38

Die ausgewählten Artikel zusammen kaufen
Jeder kann Kindle Bücher lesen — selbst ohne ein Kindle-Gerät — mit der KOSTENFREIEN Kindle App für Smartphones, Tablets und Computer.



Produktinformation


Mehr über den Autor

Entdecken Sie Bücher, lesen Sie über Autoren und mehr

Produktbeschreibungen

Synopsis

FUZZING Master One of Today's Most Powerful Techniques for Revealing Security Flaws! Fuzzing has evolved into one of today's most effective approaches to test software security. To "fuzz," you attach a program's inputs to a source of random data, and then systematically identify the failures that arise. Hackers have relied on fuzzing for years: Now, it's your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does. Fuzzing is the first and only book to cover fuzzing from start to finish, bringing disciplined best practices to a technique that has traditionally been implemented informally. The authors begin by reviewing how fuzzing works and outlining its crucial advantages over other security testing methods. Next, they introduce state-of-the-art fuzzing techniques for finding vulnerabilities in network protocols, file formats, and web applications; demonstrate the use of automated fuzzing tools; and present several insightful case histories showing fuzzing at work.Coverage includes: / Why fuzzing simplifies test design and catches flaws other methods miss / The fuzzing process: from identifying inputs to assessing "exploitability" / Understanding the requirements for effective fuzzing / Comparing mutation-based and generation-based fuzzers / Using and automating environment variable and argument fuzzing / Mastering in-memory fuzzing techniques / Constructing custom fuzzing frameworks and tools / Implementing intelligent fault detection Attackers are already using fuzzing.

You should, too. Whether you're a developer, security engineer, tester, or QA specialist, this book teaches you how to build secure software. Foreword xix Preface xxi Acknowledgments xxv About the Author xxvii PARTI BACKGROUND 1 Chapter 1 Vulnerability Discovery Methodologies 3 Chapter 2 What Is Fuzzing?2

1 Chapter 3 Fuzzing Methods and Fuzzer Types 33 Chapter 4 Data Representation and Analysis 45 Chapter 5 Requirements for Effective Fuzzing 61 PART II TARGETS AND AUTOMATION 71 Chapter 6 Automation and Data Generation 73 Chapter 7 Environment Variable and Argument Fuzzing 89 Chapter 8 Environment Variable and Argument Fuzzing: Automation 103 Chapter 9 Web Application and Server Fuzzing 113 Chapter 10 Web Application and Server Fuzzing: Automation 137 Chapter 11 File Format Fuzzing 169 Chapter 12 File Format Fuzzing: Automation on UNIX 181 Chapter 13 File Format Fuzzing: Automation on Windows 197 Chapter 14 Network Protocol Fuzzing 223 Chapter 15 Network Protocol Fuzzing: Automation on UNIX 235 Chapter 16 Network Protocol Fuzzing: Automation on Windows 249 Chapter 17 Web Browser Fuzzing 267 Chapter 18 Web Browser Fuzzing: Automation 283 Chapter 19 In-Memory Fuzzing 301 Chapter 20 In-Memory Fuzzing: Automation 315 PART III ADVANCED FUZZING TECHNOLOGIES 349 Chapter 21 Fuzzing Frameworks 351 Chapter 22 Automated Protocol Dissection 419 Chapter 23 Fuzzer Tracking 437 Chapter 24 Intelligent Fault Detection 471 PART IV LOOKING FORWARD 495 Chapter 25 Lessons Learned 497 Chapter 26 Looking Forward 507 Index 519

Über den Autor und weitere Mitwirkende

MICHAEL SUTTON

Michael Sutton is the Security Evangelist for SPI Dynamics. As Security Evangelist, Michael is responsible for identifying, researching, and presenting on emerging issues in the web application security industry. He is a frequent speaker at major information security conferences, has authored numerous articles, and is regularly quoted in the media on various information security topics.Michael is also a member of the Web Application Security Consortium (WASC), where he is project lead for the Web Application Security Statistics project.

Prior to joining SPI Dynamics,Michael was a Director for iDefense/VeriSign, where he headed iDefense Labs, a team of world class researchers tasked with discovering and researching security vulnerabilities.Michael also established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He holds degrees from the University of Alberta and The George Washington University. Michael is a proud Canadian who understands that hockey is a religion and not a sport. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

 

ADAM GREENE

Adam Greene is an engineer for a large financial news company based in New York City. Previously, he served as an engineer for iDefense, an intelligence company located in Reston, VA. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX-based system auditing and exploit development.

 

PEDRAM AMINI

Pedram Amini currently leads the security research and product security assessment team at TippingPoint. Previously, he was the assistant director and one of the founding members of iDefense Labs. Despite the fancy titles, he spends much of his time in the shoes of a reverse engineerâ developing automation tools, plug-ins, and scripts. His most recent projects (a.k.a. â babiesâ ) include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

In conjunction with his passion, Pedram launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has presented at RECon, BlackHat, DefCon, ShmooCon, and ToorCon and taught numerous sold out reverse engineering courses. Pedram holds a computer science degree from Tulane University.

 


Welche anderen Artikel kaufen Kunden, nachdem sie diesen Artikel angesehen haben?

Kundenrezensionen

Es gibt noch keine Kundenrezensionen auf Amazon.de
5 Sterne
4 Sterne
3 Sterne
2 Sterne
1 Sterne

Die hilfreichsten Kundenrezensionen auf Amazon.com (beta)

Amazon.com: 4 Rezensionen
18 von 19 Kunden fanden die folgende Rezension hilfreich
Great on Theory...Pretty Good on Execution 29. Juli 2007
Von Chris Gates - Veröffentlicht auf Amazon.com
Format: Taschenbuch
I anxiously awaited reading and putting this book to use. Fuzzing is one of those "mystical" concepts that the people cranking out exploits were doing and I wanted to be able to use some of the publicly available fuzzers to fuzz for vulnerabilities and join the ranks.

From the back cover: "...Now, its your turn. In this book, renowned fuzzing experts show you how to use fuzzing to reveal weaknesses in your software before someone else does."

I thought the book excellently covered the theory portions of fuzzing. The format of theory/background of a fuzzing method (Environment Variable and Argument Fuzzing, Web Application and Server fuzzing, File Format Fuzzing, Network Protocol Fuzzing, Web Browser Fuzzing, and In-Memory Fuzzing) followed with that fuzzing method Automation or on Unix and then on Windows worked perfectly. It was a good structure and informative. The Automation or Unix and Windows sections fit in well with the theory sections before it.

I think the book falls a bit short on practical execution (case studies) of using the fuzzing tools. Granted I say this based on my own expectations of what I would like to see from a fuzzing book but also from what the authors say in the preface that we will get out of the book. They say, "We detail numerous vulnerabilities throughout the book and discuss how they might have been identifies through fuzzing." Some of the case studies are exactly what I expected like case studies in Chapter 10, the fuzzing with SPIKE section in Chapter 15, and the Complete Walkthru with Sulley in Chapter 21. Some of the others fall a bit short. I expected a lot more out of the ActiveX fuzzing sections (chapter 18), the Shockwave Flash example in Chapter 21 was useful for the discussion of creating a test case for a protocol but after 11 pages of mostly code in the last section we basically get told to load it into PaiMei and "go fuzz", and while the theory parts of chapter's 7 & 8 were great, telling me to find an AIX 5.3 box to see some example environment variables and argument vulnerabilities was less than useful. It would have been much more useful to use some of today's fuzzing tools to find some old vulnerabilities in something like *BSD or old RedHat distributions, something I might have in the lab or at least something I could install in VMWare.

Likes: Theory, background, discussion of how and why they built the "author built" fuzzers they cover in the book, some of the case studies gave me everything I needed to reproduce on my own in the lab. Providing the fuzzers on the companion website was great as well. The George Bush quotes were hilarious as well and made me look forward to each chapter so I could get another quote.

Dislikes: some of the case studies I don't think went into enough detail (no step by step instructions), I think the explanations of the blocks of code could have been better and numbering lines so we could refer to them in the text would have helped. The discussion of the existing frameworks was a little bit light (but we do get told to go the companion website for more info). Ideally we would have walked thru a couple of easy examples using multiple fuzzer frameworks to get us from advisory to EIP= 0x41414141. That would have been nice to see.

Overall a great book, it has a place on the bookshelf next to shellcoder's handbook and some other programming books and it will be used (many times) as a reference to play with the various fuzzers available out there.
5 von 5 Kunden fanden die folgende Rezension hilfreich
Excellent introduction to fuzzing 18. Februar 2008
Von Kristy M. Westphal - Veröffentlicht auf Amazon.com
Format: Taschenbuch
Perhaps a more appropriate title would be: "Fuzzing for Dummies" or "Fuzzing 101"- but I mean this in a really good way. Why I say this is because of how the book is set up, starting with the background history of fuzzing, and many variations of what fuzzing really is. These are excellent so those who may not have this background don't jump in blindly to this area. For example, Chapter 3 goes into the Fuzzing Methods and Chapter 4 discusses Data Representation. While not lengthy discussions, they are good to set up for the actual doing part in the rest of the book

I liked that the book starts out with what fuzzing is good for, the steps that you have to take for it to be successful, and what fuzzing is not good at. It explains how vectors like access control issues, and design flaws fit into this category. Knowing this up front saves a lot of head banging later on down the road. It's also good that the authors point out that they are merely defining fuzzing in their specific realm: talk to others and you are going to find a whole different explanation. This is OK though- most of the security industry is like that.

Part II of the book starts to get into the heart of things, discussing the components required for fuzzing, more details into the tool they built called "WebFuzz" and then dive into the tests themselves. The author's openness in telling us what they did, then how it works, then tell you all the things to make it better makes this book even more valuable. Good efforts to share useful things and make them a community effort with proper guidance are never a bad thing. Plus, if you are interested in helping, this guidance gives you somewhere to start.

Essentially, this book gives you the blueprint of fuzzing and a bunch of ideas on how to get started down a more advanced path. Well written with good explanations of how the authors got where they got to as well a useful tool to get you started (located on their companion website), this book gives you the toolkit of building blocks for your future fuzzing endeavors.
3 von 4 Kunden fanden die folgende Rezension hilfreich
Mostly good 12. Dezember 2008
Von PorcusFortunae - Veröffentlicht auf Amazon.com
Format: Taschenbuch Verifizierter Kauf
I loved the layout of the book, with explanations, practical applications, and (mostly) working examples. There were two things I didn't like about the book. First, not all the examples worked. Specifically, the Protocol Informatics (PI) example will not run on any machine I have. When I searched for a solution, it led me to the second thing I don't like about the book: it appears the authors cribbed their section on PI from PI's own documentation. It's clear they didn't even try to run it on their own. It makes me question whether they really understand it; if not, why are they writing about it in their book? I also wonder what else they cribbed. I also wish they'd update the book's website more, as much as they refer to it in the text.

All that aside, I really did enjoy and appreciate the book as a whole, and it certainly gave me a great foundational knowledge of fuzzing.
6 von 14 Kunden fanden die folgende Rezension hilfreich
Great book 29. August 2007
Von Justine Aitel - Veröffentlicht auf Amazon.com
Format: Taschenbuch
In this book the authors do a number of things that are worth reading:
o Document how and why SPIKE works (and implement their own block-based fuzzer sulley)
o Go through the process of writing a .flv fuzzer
o Go through the process of writing a Python ActiveX fuzzer, which was probably my favorite part.
o Talk about the downsides of various kinds of fuzzing. For example, when is fuzzing with a genetic algorithm not the right thing to do?

That alone made this a great book.
Waren diese Rezensionen hilfreich? Wir wollen von Ihnen hören.