"We're Secure, We Have a Firewall"
If only we got a nickel every time we heard a client utter this pithy phrase. On second thought, that would unfortunate as we would probably not be writing this book; we'd be sipping Pina Colada's on some white sand beach by now...Is the web threat real? It's all too real.To Err is Human
After performing hundreds of security reviews over the decades, the authors have known for some time what you are about to know (if you don't already): Nothing can be truly secure. Error is at the heart of every security breach and as the saying goes: to err is human. No level of firewall, intrusion detection system (IDS), or anti-virus software will make you secure. Surprised this type of comment introduces a security book? Don't be. It is the harsh reality that must be accepted before the race to security can be started.
So what should we do, just throw up our hands, turn the power off to our computers and revert back 30 years; forgetting this Internet or the modem or the computer really happened? Sure, you can do that but you would be alone in your efforts. The Internet and all it has to offer is undeniable: increased communication, increased information sharing, connecting with people of all races, creeds, colors, sexes, and intelligence without boundaries or limits. And that's just the home user's benefits. Businesses use the Internet 24 hours a day, 7 days a week, making revenue and transmitting funds around the world at the blink of an eye. Anyone who denies the ubiquity and staying power of the Internet is just kidding themselves.Writing on the Wall
Over three years ago, one of the authors wrote a foreboding article that was indicative of things to come.The writing was on the security wall at that time but no one wanted to believe it, much less talk about it. They were too caught up in either hyped technologies such as Firewalls, IDS, and virtual private networks (VPN), or peripheral technologies that never hit mainstream, such as Public Key Infrastructure (PKI), Distributed Computing Environment (DCE), and single signon.
So why the tremendous interest in the Web and its security now? Because hacking events are frequent in today's connected world. And people are beginning to understand how a single vulnerability in a web application can expose an entire company's jewels to an attacker (a.k.a. Code Red and Nimda worms).Book Organization
This book as been organized into four sections:
The content in each section gets progressively more advanced in its content and delivery, going from a brief web languages introduction (Chapter 1) to finding and exploiting your own buffer overflows (Chapter 14). But don't let the pace derail your learning. If you missed something, you can probably pick it up as you go along.
The first two sections are focused to give the reader a preliminary and then more intermediate introduction into the world of the web. In "E-Commerce Playground" we show you how the web works, its languages, applications, databases, protocols, and syntax. In "URLs Unraveled", we delve into the meaning of the URL, what is important to an attacker, how visible code can be helpful to an attacker, and we show you how mapping web sites can be critical to an attacker's repertoire.In the third section, "How do they do it?" we demystify the art of web hacking, how it is pulled off, and how simple steps at development time can eliminate a significant portion of the threat. This section is bar far the meatier of the sections in terms of information and often provides the greatest clues as to how hackers do what they do. Each chapter provides both a detailed analysis of the hack as well as a countermeasure section at the end which helps prevent the hack.
In the fourth section, "Advanced Web Kung Fu," we discuss some advanced web hacking concepts, methodologies, and tools that simply cannot be missed.
Finally, at the end of the book you will find Appendices that include a listing of common web ports on the Internet, cheat sheets for remote command execution and source code disclosure techniques, among other additions.
"Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."
--From the Foreword by William C. Boni, Chief Information Security Officer, Motorola
"Just because you have a firewall and IDS sensor does not mean you aresecure; this book shows you why."Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
--Lance Spitzner, Founder, The Honeynet Project
"How Do They Do It?" sections show how and why different attacks succeed, including:
Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.
Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
This is a pretty informative book on hacking. After reading this book you will have a good overview of many different attacks and defenses. Read morePublished on Oct. 12 2003
During the last several years we have seen a sharp rise in the number of methods employed to hack into computer systems worldwide. Read morePublished on Sept. 20 2002 by Jim Moran
Web services infrastructure for electronic commerce. So hard to built,
even harder to secure. With this great book, it is sooo easy to
subvert, destroy, corrupt and... Read more
Web Hacking, Attacks and Defense by Stuart McClure, Saumil Shah and Shreeraj Shah is an excellent introductory level book to the world of web hacking. Read morePublished on Aug. 28 2002 by Robin Carver
Although this book's primary purpose is to explain how to defend against web hacking, it's also one of the most thorough descriptions of how web servers, applications servers and... Read morePublished on Aug. 25 2002 by Mike Tarrani