net, 31
HEAD method, 81
Header manipulation, 160
HEX filtering, 99
Hidden field manipulation, 159–163
Hidden URLs, 192
Hird, Shane, 214
HistoryThief, 95–96
HMAC, 128, 129
Hoffman, Billy, 97
Howard, Michael, 208
HTML (HyperText Markup Language):
and AJAX, 43
JavaScript as, 47–49
HTML entity encoding, 49
HTML injection attacks, 32–44, 47–49
and AJAX, 41–42
clicking, 49
in error messages, 42
in Flash, 232
Flash applications for, 43–44
with GIFs and JPGs, 42–43
with MIME type mismatch, 42–43, 48
in mobile applications, 41
on MySpace, 55–66
for obscuring links, 47–49
redirected, 33–41
reflected, 33, 36
and Same Origin Policy, 24
stored, 33, 37–41
with UTF-7 encodings, 42
HTML TextField.htmlText, 232–233
HtmlEncode method, 125
HTTP GET:
and AJAX, 150
and CSRF attacks, 80??“81
in Flash, 225
from links, 73
upstream traffic, 150
as user input, 4
HTTP header, 50
HTTP packets, 43
HTTP POST, 81
and AJAX, 150–151
upstream traffic, 150–151
as user input, 4
HTTP response splitting, 38–39
HTTP/1.1 (see Hypertext Transfer Protocol)
HttpOnly (cookie), 27, 173
HTTPS requirement:
for ActiveX controls, 209
for SSL protections, 244
Hyperlinks:
in cross-domain actions, 72–73
and HTML injections, 47–49
and HTTP GET, 73
obscuring, 47–49
HyperText Markup Language (see under HTML)
Hypertext Transfer Protocol (HTTP/1.