Apache Security - Ivan Ristic [1]

Authentication

7.2.2. Digest Authentication

7.2.3. Form-Based Authentication

7.3. Access Control in Apache

7.3.1. Basic Authentication Using Plaintext Files

7.3.2. Basic Authentication Using DBM Files

7.3.3. Digest Authentication

7.3.4. Certificate-Based Access Control

7.3.5. Network Access Control

7.3.6. Proxy Access Control

7.3.7. Final Access Control Notes

7.4. Single Sign-on

7.4.1. Web Single Sign-on

7.4.2. Simple Apache-Only Single Sign-on

8. Logging and Monitoring

8.1. Apache Logging Facilities

8.1.1. Request Logging

8.1.2. Error Logging

8.1.3. Special Logging Modules

8.1.4. Audit Log

8.1.5. Performance Measurement

8.1.6. File Upload Interception

8.1.7. Application Logs

8.1.8. Logging as Much as Possible

8.2. Log Manipulation

8.2.1. Piped Logging

8.2.2. Log Rotation

8.2.3. Issues with Log Distribution

8.3. Remote Logging

8.3.1. Manual Centralization

8.3.2. Syslog Logging

8.3.3. Database Logging

8.3.4. Distributed Logging with the Spread Toolkit

8.4. Logging Strategies

8.5. Log Analysis

8.6. Monitoring

8.6.1. File Integrity

8.6.2. Event Monitoring

8.6.3. Web Server Status

9. Infrastructure

9.1. Application Isolation Strategies

9.1.1. Isolating Applications from Servers

9.1.2. Isolating Application Modules

9.1.3. Utilizing Virtual Servers

9.2. Host Security

9.2.1. Restricting and Securing User Access

9.2.2. Deploying Minimal Services

9.2.3. Gathering Information and Monitoring Events

9.2.4. Securing Network Access

9.2.5. Advanced Hardening

9.2.6. Keeping Up to Date

9.3. Network Security

9.3.1. Firewall Usage

9.3.2. Centralized Logging

9.3.3. Network Monitoring

9.3.4. External Monitoring

9.4. Using a Reverse Proxy

9.4.1. Apache Reverse Proxy

9.4.2. Reverse Proxy by Network Design

9.4.3. Reverse Proxy by Redirecting Network Traffic

9.5. Network Design

9.5.1. Reverse Proxy Patterns

9.5.2. Advanced Architectures

10. Web Application Security

10.1. Session Management Attacks

10.1.1. Cookies

10.1.2. Session Management Concepts

10.1.3. Keeping in Touch with Clients

10.1.4. Session Tokens

10.1.5. Session Attacks

10.1.6. Good Practices

10.2. Attacks on Clients

10.2.1. Typical Client Attack Targets

10.2.2. Phishing

10.3. Application Logic Flaws

10.3.1. Cookies and Hidden Fields

10.3.2. POST Method

10.3.3. Referrer Check Flaws

10.3.4. Process State Management

10.3.5. Client-Side Validation

10.4. Information Disclosure

10.4.1. HTML Source Code

10.4.2. Directory Listings

10.4.3. Verbose Error Messages

10.4.4. Debug Messages

10.5. File Disclosure

10.5.1. Path Traversal

10.5.2. Application Download Flaws

10.5.3. Source Code Disclosure

10.5.4. Predictable File Locations

10.6. Injection Flaws

10.6.1. SQL Injection

10.6.2. Cross-Site Scripting

10.6.3. Command Execution

10.6.4. Code Execution

10.6.5. Preventing Injection Attacks

10.7. Buffer Overflows

10.8. Evasion Techniques

10.8.1. Simple Evasion Techniques

10.8.2. Path Obfuscation

10.8.3. URL Encoding

10.8.4. Unicode Encoding

10.8.5. Null-Byte Attacks

10.8.6. SQL Evasion

10.9. Web Application Security Resources

10.9.1. General Resources

10.9.2. Web Application Security Resources

11. Web Security Assessment

11.1. Black-Box Testing

11.1.1. Information Gathering

11.1.2. Web Server Analysis

11.1.3. Web Application Analysis

11.1.4. Attacks Against Access Control

11.1.5. Vulnerability Probing

11.2. White-Box Testing

11.2.1. Architecture Review

11.2.2. Configuration Review

11.2.3. Functional Review

11.3. Gray-Box Testing

12. Web Intrusion Detection

12.1. Evolution of Web Intrusion Detection

12.1.1. Is Intrusion Detection the Right Approach?

12.1.2. Log-Based Web Intrusion Detection

12.1.3. Real-Time Web Intrusion Detection

12.1.4. Web Intrusion Detection Features

12.2. Using mod_security

12.2.1. Introduction

12.2.2. More Configuration Advice

12.2.3. Deployment Guidelines

12.2.4. Detecting Common Attacks

12.2.5. Advanced Topics

A. Tools

A.1. Learning Environments

A.1.1. WebMaven

A.1.2. WebGoat

A.2.
