Links and Bibliography

1. Apache Security Principles

Richard Bejtlich, http://taosecurity.blogspot.com
Secrets & Lies: Digital Security in a Networked World, by Bruce Schneier (Wiley)
A quantitive study of firewall configuration errors, by Avishai Wool
Threat Modeling, by Frank Swiderski and Window Snyder (Microsoft Press)
Threat Modeling Tool (Microsoft)
Writing Secure Code, by Michael Howard and David LeBlanc (Microsoft Press)
Improving Web Application Security: Threats and Countermeasures (Microsoft Press, free download)
Attack trees, by Bruce Schneier
A Preliminary Classification Scheme for Information System Threats, Attacks, and Defenses; A Cause and Effect Model; and Some Analysis Based on That Model, by Fred Cohen et al.
Attack Modeling for Information Security and Survivability, by Andrew P. Moore, Robert J. Ellison, and Richard C. Linger
Threat Modelling for Web Applications, by Ivan Ristic

2. Installation and Configuration

Apache Online Documentation, http://httpd.apache.org/docs-2.0/
Apache Security Tips, http://httpd.apache.org/docs-2.0/misc/security_tips.html
Apache Benchmark, http://www.cisecurity.org/bench_apache.html
Securing Apache: Step-by-Step, by Artur Maj
Securing Apache 2: Step-by-Step, by Artur Maj
Apache patches, http://www.apache.org/dist/httpd/patches/
Apache back door, http://packetstormsecurity.org/UNIX/penetration/rootkits/apachebd.tgz
mod_backdoor, http://packetstormsecurity.org/advisories/b0f/mod_backdoor.c
mod_rootme, http://packetstormsecurity.org/web/mod_rootme-0.2.tgz
The Apache Slapper Worm: CERT Advisory CA-2002-27 Apache/mod_ssl Worm
CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
mini_sendmail, http://www.acme.com/software/mini_sendmail/
Apache chroot(2) patch, http://www.devet.org/apache/chroot/
mod_security, http://www.modsecurity.org
mod_chroot, http://core.segfault.pl/~hobbit/mod_chroot/

3. PHP

PHP, http://www.php.net
Attacking Apache with builtin Modules in Multihomed Environments, by andi@void
PHP4 cURL functions bypass open_basedir
PHP CGI Security, http://www.php.net/security.cgi-bin
PHP Safe Mode, http://www.php.net/manual/en/features.safe-mode.php
PHP 5 input filter example, http://cvs.php.net/co.php/php-src/README.input_filter
Hardened-PHP, http://www.hardened-php.net

4. SSL and TLS

Alice and Bob, http://en.wikipedia.org/wiki/Alice_and_Bob
The Gnu Privacy Handbook, http://www.gnupg.org/gph/en/manual.html
GnuPG Keysigning Party HOWTO, http://www.cryptnet.net/fdp/crypto/gpgparty.html
Applied Cryptography, by Bruce Schneier (Wiley)
RFC 2246: Transport Layer Security (TLS), http://www.ietf.org/rfc/rfc2246.txt
Upgrading to TLS Within HTTP/1.1, http://www.ietf.org/rfc/rfc2817.txt
SSL Security Survey, by Eric Murray
dsniff, http://www.monkey.org/~dugsong/dsniff/
DNSSEC, http://www.dnssec.net
OpenSSL, http://www.openssl.org
mod_ssl, http://www.modssl.org
Apache-SSL, http://www.apache-ssl.org
Thawte test certificate, https://www.thawte.com/cgi/server/try.exe
SSL Server Security, by Eric Murray
Rewrite Cookbook, http://rewrite.drbacchus.com/rewritewiki/
OpenCA, http://www.openca.org/openca/
TinyCA, http://tinyca.sm-zone.net
Transport Layer Security: How Much Does It Really Cost?, by George Apostolopoulos et al.
Performance Impact of Using SSL on Dynamic Web Applications, by Vicenç Beltran et al.
High Availability for SSL and Apache, by Mark J. Cox and Geoff Thorpe

5. Denial of Service Attacks

Gibson Research Corporation, http://www.grc.com
Spam king lives large off others' email troubles (Detroit Free Press), by Mike Wendland

Another Millionaire Spammer Story, Slashdot
DOS Attack Via US Postal Service, Slashdot
The Gibson Research Corporation's Denial Of Service Investigation & Exploration Pages
Egress filtering v0.2, http://www.sans.org/y2k/egress.htm
The Packet Storm web site, http://www.packetstormsecurity.org/distributed/
DDoS Attacks/Tools, http://staff.washington.edu/dittrich/misc/ddos/
The Gibson Research Corporation's Distributed Reflection Denial Of Service
Caching Tutorial for Web Authors and Webmasters, by Mark Nottingham
Cacheability Engine, http://www.mnot.net/cacheability/
mod_gzip, http://www.schroepl.net/projekte/mod_gzip/
PHP Zlib Compression Functions, http://www.php.net/zlib
Cyber Activists bring down Immigration web site (Scoop Media)
Econ Forum Site Goes Down (Wired News)
What kind of hardware does Slashdot run on?, http://slashdot.org/faq/tech.shtml
Slashdot effect, http://en.wikipedia.org/wiki/Slashdot_effect
YA Apache DoS Attack, discovered by Dag-Erling Smørgrav
mod_throttle, http://www.snert.com/Software/mod_throttle/
mod_bwshare, http://www.topology.org/src/bwshare/
mod_limitipconn, http://dominia.org/djao/limitipconn.html
mod_dosevasive, http://www.nuclearelephant.com/projects/dosevasive/

6. Sharing Servers

Runtime Process Infection, http://www.phrack.org/phrack/59/p59-0x08.txt
suEXEC, http://httpd.apache.org/docs-2.0/suexec.html
CGIWrap, http://cgiwrap.unixtools.org
SBOX, http://stein.cshl.org/software/sbox/
FastCGI, http://www.fastcgi.com
mod_become, http://www.snert.com/Software/mod_become/
mod_diffprivs, http://sourceforge.net/projects/moddiffprivs/
mod_suid, http://www.jdimedia.nl/igmar/mod_suid/
mod_suid2, http://bluecoara.net/servers/apache/mod_suid2_en.phtml
Metux MPM, http://www.metux.de/mpm/
RFC 2965: HTTP State Management Mechanism, http://www.ietf.org/rfc/rfc2965.txt
Apache Web Server File Descriptor Leakage Vulnerability, http://www.securityfocus.com/bid/7255
Apache mod_php File Descriptor Leakage, http://www.osvdb.org/displayvuln.php?osvdb_id=3215
env_audit, http://www.web-insights.net/env_audit/
mod_vhost_alias, http://httpd.apache.org/docs-2.0/mod/mod_vhost_alias.html
Dynamically configured mass virtual hosting, http://httpd.apache.org/docs-2.0/vhosts/mass.html
CGITelnet.pl, http://www.rohitab.com/cgiscripts/cgitelnet.html
PhpShell, http://mgeisler.net/php-shell/
PerlWebShell, http://yola.in-berlin.de/perlwebshell/
Tiny Shell, http://www.cr0.net:8040/code/network/

7. Access Control

RFC 2617: HTTP Authentication: Basic and Digest Access Authentication, http://www.ietf.org/rfc/rfc2617.txt
Online BASE-64 encoder/decoder, http://makcoder.sourceforge.net/demo/base64.php
Apache httpd versioning rules, http://cvs.apache.org/viewcvs.cgi/httpd-2.0/VERSIONING?view=markup
Apache httpd 2.1 Authentication Project, http://mod-auth.sourceforge.net
Apache module repository, http://modules.apache.org
mod_proxy, http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
Kerberos, http://web.mit.edu/kerberos/www/
mod_auth_kerb, http://modauthkerb.sourceforge.net
.Net Passport, http://www.passport.net
Project Liberty, http://www.projectliberty.org
WebISO Working Group, http://middleware.internet2.edu/webiso/
Shibboleth project, http://shibboleth.internet2.edu
mod_auth_remote, http://puggy.symonds.net/~srp/stuff/mod_auth_remote/
mod_authn_cache (Apache 2.1.x), http://mod-auth.sourceforge.net/docs/mod_authn_cache/
mod_auth_cache (Apache 1.3.x), http://mod-auth-cache.sourceforge.net

8. Logging and Monitoring

mod_log_config, http://httpd.apache.org/docs-2.0/mod/mod_log_config.html
Profiling LAMP Applications with Apache's Blackbox Logs, by Chris Josephes
CoreDumpDirectory directive, http://httpd.apache.org/docs-2.0/mod/mpm_common.html#coredumpdirectory
Apache Debugging Guide, http://httpd.apache.org/dev/debugging.html
mod_whatkilledus and mod_backtrace, http://www.apache.org/~trawick/exception_hook.html
Virtual host error log patch, http://www.gluelogic.com/code/apache/
RFC 3164: The BSD syslog Protocol, http://www.ietf.org/rfc/rfc3164.txt
NTsyslog, http://ntsyslog.sourceforge.net
Syslog-NG, http://www.balabit.com/products/syslog_ng/
Stunnel, http://www.stunnel.org
Linux Server Security, by Michael D. Bauer
Linux Server Security, Chapter 12: System Log Management and Monitoring, http://www.oreilly.com/catalog/linuxss2/chapter/ch12.pdf
mod_log_sql, http://www.outoforder.cc/projects/apache/mod_log_sql/
Spread Toolkit, http://www.spread.org
mod_log_spread, http://www.backhand.org/mod_log_spread/
Fingerprinting Port 80 Attacks: Part I, by Robert Auger
Fingerprinting Port 80 Attacks: Part II, by Robert Auger
Web Application Forensics: The Uncharted Territory, by Ory Segal
Artificial Ignorance, by Marcus J. Ranum
Swatch, http://swatch.sourceforge.net
Simple Event Correlator (SEC), http://www.estpak.ee/~risto/sec/
mod_snmp (Apache 1 only), http://www.mod-snmp.com
Mod-Apache-Snmp (Apache 2 only), http://eplx.homeip.net/mod_apache_snmp/english/index.htm
Apache.org mod_status output, http://www.apache.org/server-status/
Apache.org apache-monitor graphs, http://www.apachesecurity.net/stats/
RRDtool, http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
mod_watch, http://www.snert.com/mod_watch/
MRTG, http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

9. Infrastructure

Practical Unix & Internet Security, by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly)
Internet Site Security, by Erik Schetina, Ken Green, and Jacob Carlson (Addison-Wesley)
Linux Server Security, by Michael D. Bauer (O'Reilly)
Network Security Hacks, by Andrew Lockhart (O'Reilly)
User Mode Linux, http://user-mode-linux.sourceforge.net
Linux VServer, http://www.linux-vserver.org
Tripwire, http://www.tripwire.org
Logwatch, http://www.logwatch.org
Swatch, http://swatch.sourceforge.net
Netfilter kernel module, http://www.netfilter.org
grsecurity, http://www.grsecurity.net
LIDS, http://www.lids.org
Openwall, http://www.openwall.com/linux/
Security-Enhanced Linux (SELinux), http://www.nsa.gov/selinux/
Minimizing Privileges, by David A. Wheeler
Linux Kernel Hardening, by Taylor Merry
Syslog-NG, http://www.balabit.com/products/syslog_ng/
Ntop, http://www.ntop.org
Argus, http://qosient.com/argus/
The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich (Addison-Wesley)
Snort, http://www.snort.org
Prelude, http://www.prelude-ids.org
KaVaDo InterDo, http://www.kavado.com
WatchFire AppShield, http://www.watchfire.com
Teros Gateway, http://www.teros.com
OpenNMS, http://www.opennms.org
Nagios, http://www.nagios.org
mod_proxy_html, http://apache.webthing.com/mod_proxy_html/
Running a Reverse Proxy With Apache, by Nick Kew
Reverse Proxy Patterns, by Peter Sommerlad
Perimeter Defense-in-Depth: Using Reverse Proxies and other tools to protect our internal assets, by Lynda L. Morrison
Wikipedia, http://www.wikipedia.org
Scalable Internet Architectures (PPT), by George Schlossnagle and Theo Schlossnagle
Inside LiveJournal's Backend, by Brad Fitzpatrick
Web Search for a Planet: The Google Cluster Architecture (PDF), by Luiz Andre Barroso et al.
The Google Filesystem (PDF), by Sanjay Ghemawat et al.
mmCache, http://turck-mmcache.sourceforge.net
Tuning Apache and PHP for Speed on Unix, http://phplens.com/phpeverywhere/tuning-apache-php
High-Availability Linux Project, http://linux-ha.org
Lbnamed, http://www.stanford.edu/~schemers/docs/lbnamed/lbnamed.html
Wackamole, http://www.backhand.org/wackamole/
Foundry Networks ServerIron, http://www.foundrynet.com/products/webswitches/serveriron/
F5 Networks BigIP, http://www.f5.com/f5products/bigip/
Cisco LocalDirector, http://www.cisco.com/warp/public/cc/pd/cxsr/400/
Linux Virtual Server project, http://www.linuxvirtualserver.org
Website Balancing, Practical approaches to distributing HTTP traffic, by Ralf S. Engelschall
mod_backhand, http://www.backhand.org/mod_backhand/

10. Web Application Security

Persistent Client State: HTTP Cookies (the original Netscape cookie proposal), http://home.netscape.com/newsref/std/cookie_spec.html
RFC 2965: HTTP State Management Mechanism, http://www.ietf.org/rfc/rfc2965.txt
RFC 2964: Use of HTTP State Management, http://www.ietf.org/rfc/2964.txt
Session Fixation Vulnerability in Web-based Applications (PDF), by Mitja Kolsek (ACROS Security)
Brute-Force Exploitation of Web Application Session Ids (PDF), by David Endler (iDEFENSE Labs)
Web Based Session Management: Best practices in managing HTTP Based Client Sessions, by Gunter Ollmann
Anti-Phishing Working Group, http://www.antiphishing.org
The Phishing Guide (PDF), by Gunter Ollmann (NGS)
CVE, http://cve.mitre.org
RFC 2518: Web Distributed Authoring and Versioning (WebDAV), http://www.ietf.org/rfc/rfc2518.txt
SecurityFocus: Multiple Vendor URL JSP Request Source Code Disclosure, http://www.securityfocus.com/bid/2527
SecurityFocus: JBoss Null Byte Request JSP Source Disclosure Vulnerability, http://www.securityfocus.com/bid/7764
SecurityFocus: NT IIS Showcode ASP Vulnerability, http://www.securityfocus.com/bid/167
SQL Injection (PDF), by Kevin Spett (SPI Dynamics)
Advanced SQL Injection in SQL Server Applications (PDF), by Chris Anley (NGS)
(more) Advanced SQL Injection (PDF), by Chris Anley (NGS)
Hackproofing MySQL (PDF), by Chris Anley (NGS)
Blind SQL Injection (PDF), by Kevin Spett (SPI Dynamics)
LDAP Injection (PDF), by Sacha Faust (SPI Dynamics)
Blind XPath Injection (PDF), by Amit Klein (Sanctum)
The Cross Site Scripting FAQ, by Robert Auger
Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests, by CERT Coordination Center
Understanding Malicious Content Mitigation for Web developers, by CERT Coordination Center
Cross-Site Scripting (PDF), by Kevin Spett (SPI Dynamics)
Cross-Site Tracing (XST) (PDF), by Jeremiah Grossman (WhiteHat Security)
Second-order Code Injection Attacks (PDF), by Gunter Ollmann (NGS)
Divide and Conquer, HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics, by Amit Klein (Sanctum)
The Shellcoder's Handbook: Discovering and Exploiting Security Holes, by Jack Koziol et al. (Wiley)
Practical Code Auditing (PDF), by Lurene A. Grenier
Buffer Overflows Demystified, by Murat Balaban
Smashing The Stack For Fun And Profit, by Aleph One
Advanced Doug Lea's malloc exploits, by jp@corest.com
Taking advantage of non-terminated adjacent memory spaces, by twitch@vicar.org
A look at whisker's anti-IDS tactics, by Rain Forest Puppy,
IDS Evasion Techniques and Tactics, by Kevin Timm
Wikipedia: Unicode, http://en.wikipedia.org/wiki/Unicode
UTF-8, http://www.ietf.org/rfc/rfc2279.txt
Detection of SQL Injection and Cross-site Scripting Attacks, by K. K. Mookhey and Nilesh Burghate
SQL Injection Signatures Evasion, by Ofer Maor and Amichai Shulman
HTTP: The Definitive Guide, by David Gourley and Brian Totty (O'Reilly)
RFC 2616: Hypertext Transfer Protocol HTTP/1.1, http://www.ietf.org/rfc/rfc2616.txt
HTML 4.01, http://www.w3.org/TR/html401/
JavaScript Central, http://devedge.netscape.com/central/javascript/
ECMAScript Language Specification (PDF)
ECMAScript Components Specification (PDF)
Hacking Exposed: Web Applications, by Joel Scambray and Mike Shema (McGraw-Hill/Osborne)
Hack Notes: Web Security Portable Reference, by Mike Shema (McGraw-Hill/ Osborne)
PHP Security, by Chris Shiflett (O’Reilly) - Not published yet
Open Web Application Security Project (OWASP),
Guide to Building Secure Web Applications (OWASP)
SecurityFocus Web Application Security Mailing List (webappsec@securityfocus.com), http://www.securityfocus.com/archive/107
WebGoat, http://www.owasp.org/software/webgoat.html
WebMaven, http://webmaven.mavensecurity.com
SecurityFocus, http://www.securityfocus.com
CGISecurity, http://www.cgisecurity.com
Web Application Security Consortium, http://www.webappsec.org
Web Security Threat Classification, http://www.webappsec.org/threat.html
ModSecurity Resource Center, http://www.modsecurity.org/db/resources/
Web Security Blog, http://www.modsecurity.org/blog/
The World Wide Web Security FAQ, http://www.w3.org/Security/Faq/

11. Web Security Assessment

Passive Information Gathering: The Analysis Of Leaked Network Security Information (PDF), by Gunter Ollmann (NGSS)
Asia-Pacific Network Information Center (APNIC), http://www.apnic.net
American Registry for Internet Numbers (ARIN), http://www.arin.net
Latin American and Caribbean Internet Address Registry (LACNIC), http://www.lacnic.net
RIPE Network Coordination Centre, http://www.ripe.net
Google Web APIs, http://www.google.com/apis/
Google Web API Reference, http://www.google.com/apis/reference.html
Google Hacking Database, http://johnny.ihackstuff.com
Wikto, http://www.sensepost.com/research/wikto/
Social Engineering Fundamentals, Part I: Hacker Tactics, by Sarah Granger
Social Engineering Fundamentals, Part II: Combat Strategies, by Sarah Granger
tcptraceroute, http://michael.toren.net/code/tcptraceroute/
Nmap, http://www.insecure.org/nmap/
NmapW, http://www.syhunt.com/section.php?id=nmapw
Amap, http://www.thc.org/releases.php
Netcraft's "What's this site running?", http://uptime.netcraft.co.uk
Cadaver, http://www.webdav.org/cadaver/
SecurityFocus Bug Database, http://www.securityfocus.com/bid
Secunia, http://www.secunia.com
Hydra, http://thc.org/thc-hydra/
RATS, http://www.securesw.com/rats/

12. Web Intrusion Detection

Zorp, http://www.balabit.com/products/zorp/
Intrusion Detection FAQ (SANS), http://www.sans.org/resources/idfaq/
Managing Security with Snort & IDS Tools, by Kerry J. Cox and Christopher Gerg (O'Reilly)
PCRE documentation, http://www.pcre.org/pcre.txt
Mastering Regular Expressions, by Jeffrey E. F.Friedl (O'Reilly)
Snort, http://www.snort.org
BleedingSnort, http://www.bleedingsnort.com
mod_parmguard, http://www.trickytools.com/php/mod_parmguard.php

Appendix: Tools

WebMaven, http://www.mavensecurity.com/webmaven/
WebGoat, http://www.owasp.org/software/webgoat.html
Cygwin, http://www.cygwin.com
TechnicalInfo, http://www.technicalinfo.net/tools/
Netcraft, http://www.netcraft.co.uk
Sam Spade, http://www.samspade.org/ssw/
Sam Spade Document Library, http://www.samspade.org/d/
SiteDigger, http://www.foundstone.com/resources/proddesc/sitedigger.htm
Foundstone, http://www.foundstone.com
SSLDigger, http://www.foundstone.com/resources/proddesc/ssldigger.htm
Httprint, http://net-square.com/httprint/
An Introduction to HTTP fingerprinting, by Saumil Shah http://net-square.com/httprint/httprint_paper.html
@stake Netcat, http://www.securityfocus.com/tools/137
GNU Netcat, http://netcat.sourceforge.net/
Stunnel, http://www.stunnel.org
Curl, http://curl.haxx.se
The Art Of Scripting HTTP Requests Using Curl, by Daniel Stenberg
Tcpdump, http://www.tcpdump.org
Ethereal, http://www.ethereal.com
Ettercap, http://ettercap.sourceforge.net
Dsniff, http://monkey.org/~dugsong/dsniff/
Ngrep, http://ngrep.sourceforge.net
HTTP Sniffer, http://www.effetech.com/sniffer/
HTTPLook, http://www.httpsniffer.com
SSLDump, http://www.rtfm.com/ssldump/
Nikto, http://www.cirt.net/code/nikto.shtml
Open Source Vulnerability Database (OSVDB), http://www.osvdb.org
Nessus, http://www.nessus.org
NessusWX, http://nessuswx.nessus.org
Paros, http://www.parosproxy.org
Burp proxy, http://www.portswigger.net/proxy/
Brutus, http://www.hoobie.net/brutus/
Burp spider, http://portswigger.net/spider/
Sock, http://portswigger.net/sock/
WebScarab, http://www.owasp.org/software/webscarab.html
SPI Dynamics WebInspect, http://www.spidynamics.com
WatchFire AppScan, http://www.watchfire.com
Kavado ScanDo, http://www.kavado.com
N-Stealth, http://www.nstalker.com
Syhunt TS Security Scanner, http://www.syhunt.com
libwww-perl, http://lwp.linpro.no/lwp/
libcurl, http://curl.haxx.se/libcurl/
libwhisker, http://www.wiretrip.net/rfp/lw.asp
Using Libwhisker, by Neil Desai http://www.securityfocus.com/infocus/1798
Jakarta Commons HttpClient, http://jakarta.apache.org/commons/httpclient/

Apache Security Book Cover