Web 2.0 Security : Defending Ajax, RIA, and SOA.
Title:
Web 2.0 Security : Defending Ajax, RIA, and SOA.
Author:
Shah, Shreeraj.
ISBN:
9781584506065
Physical Description:
1 online resource (385 pages)
Contents:
Contents -- Acknowledgments -- About the Author -- Introduction -- 1 Web 2.0 Introduction and Security -- Web 2.0-An Agent of Change -- Driving Factors for Web 2.0 and Its Impact on Security -- Path of Evolution: A Look Back in Time and a Peek Ahead -- Web 2.0: Technology Vectors and Architecture -- Web 2.0 Application Information Sources and Flow -- Real-Life Web 2.0 Application Examples -- Growing Web 2.0 Security Concerns -- Web 2.0 Real-Life Security Cases -- Conclusion -- 2 Overview of Web 2.0 Technologies -- Web 2.0 Technology Layers: Building Blocks for Next Generation Applications -- Client Layer -- Rich Internet Applications -- Protocol Layer -- Structure Layer -- Server Layer -- Conclusion -- 3 Web 2.0 Security Threats, Challenges, and Defenses -- Web 2.0 Security Landscape -- Web 2.0 Security Cycle and Changing Vectors -- Web 2.0 Attack Points and Layered Threats -- Conclusion -- 4 Web 2.0 Security Assessment Approaches, Methods, and Strategies -- Web 2.0 Security Assessment -- Web 2.0 Application Assessment Methods -- Conclusion -- 5 Web 2.0 Application Footprinting -- Web 2.0 Footprinting Basics -- Web Services Footprinting -- Footprinting Countermeasures -- Conclusion -- 6 Web 2.0 Application Discovery, Enumeration, and Profiling -- Web 2.0 Application Discovery: Problem Domain -- Web 2.0 Application Discovery with Protocol Analysis -- Dynamic DOM Event Manipulation -- Crawling Ajax-Based Pages -- Page Profiling and Linkage Analysis -- Web Services Discovery and Profiling -- Conclusion -- 7 Cross-Site Scripting with Web 2.0 Applications -- XSS -- XSS Basics -- XSS and Serialization with Applications -- Conclusion -- 8 Cross-Site Request Forgery with Web 2.0 Applications -- CSRF Overview -- CSRF with the POST Method -- Web 2.0 Applications and CSRF -- CSRF and Getting Cross-Domain Information Access -- Conclusion.

9 RSS, Mashup, and Widget Security -- Cross-Domain Security -- RSS Security and Attacks -- Mashup Security -- Widget Security -- Conclusion -- 10 Web 2.0 Application Scanning and Vulnerability Detection -- Fingerprinting Web 2.0 Technologies -- Ajax Framework and Vulnerabilities -- Fingerprinting RIA Components -- Scanning Ajax Code for DOM-Based XSS -- RIA- and Flash-Based Component Decompilation -- CSRF Vulnerability Detection with Web 2.0 Applications -- JavaScript Client-Side Scanning for Entry Points -- Debugging JavaScript for Vulnerability Detection -- Conclusion -- 11 SOA and Web Services Security -- Real-Life Example of SOA -- SOA Layered Architecture -- SOA Server-Side Architecture and Code -- Web Services and SOA Security Framework -- XML Message: A Torpedo of Web 2.0 Applications -- SOA Threat Framework -- SOA Security Challenges and Technology Vectors -- Conclusion -- 12 SOA Attack Vectors and Scanning for Vulnerabilities -- Profiling and Invoking Web Services -- Technology Fingerprinting and Enumeration -- XML Poisoning -- Parameter Tampering -- SQL Injection with SOAP Manipulation -- XPATH Injection -- LDAP Injection with SOAP -- Directory Traversal and Filesystem Access Through SOAP -- Operating System Command Execution Using Vulnerable Web Services -- SOAP Message Brute Forcing -- Session Hijacking with Web Services -- Conclusion -- 13 Web 2.0 Application Fuzzing for Vulnerability Detection and Filtering for Countermeasures -- Web 2.0 Application Fuzzing -- Web 2.0 Application Firewall and Filtering -- Conclusion -- 14 Web 2.0 Application Defenses by Request Signature and Code Scanning -- Ajax Request Signature for Web 2.0 Applications: Defense Against CSRF and XSS -- Source Code Review and Vulnerability Identification -- Conclusion -- 15 Resources for Web 2.0 Security: Tools, Techniques, and References.

Discovery and Analysis Through a Proxy -- Browser Plug-Ins for HTTP Traffic -- JavaScript and Greasemonkey -- Browser Automation -- XSS Exploitation -- Metasploit 3.0 and the Web 2.0 Layer -- DOM and Developer Tools -- XSS Attacks and Assistant -- XSS and CSRF Defense Reference -- SOAP Clients in Various Languages -- SOAP Quick Reference -- WSDL Quick Reference -- UDDI Quick Reference -- SOA Technologies -- Web 2.0-Specific Resource Extensions for Files -- SOA Checklist -- Ajax Security Checklist -- Web 2.0-Related Published Vulnerabilities -- Index -- A -- B -- C -- D -- E -- F -- G -- H -- I -- J-K -- L -- M -- N -- O -- P-Q -- R -- S -- T -- U -- V -- W -- X-Z.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.