Web Hacking
From the Foreword by William C. Boni, Chief Information Security Officer, Motorola: "Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."
Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defenses.
Features include: overview of the Web and what hackers go after; complete Web application security methodologies; detailed analysis of hack techniques; countermeasures; what to do at development time to eliminate vulnerabilities; new case studies and eye-opening attack scenarios; advanced Web hacking concepts, methodologies, and tools.
Experts show you how to connect the dots, how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
Review By: Gretchen Henrich, CSQE, CSTE
07/21/2003
This book is an excellent introductory-level book to the world of Web hacking. The chapters are clearly laid out. They include code with explanations of the weaknesses, referrals to more in-depth study, precautionary measures you can take to help secure your site, and a look at the various tools available to harden your site. Although this book's primary purpose is to explain how to defend against Web hacking, it's also one of the most thorough descriptions of how Web servers, application servers, and database servers work. As the book progresses the technical detail gets deeper. Each of the exposures that the book highlights can be independently verified by following the procedures given on test systems.
The book starts out with a good introduction on the topic of Web languages, and leads you to various topics such as finding and exploiting buffer overflows. There is a lot of ground covered in this book, including databases, cracking tools, SQL code injection, and countermeasures. IIS and Apache are reviewed, along with Oracle and SQL Server. It explains some of the more popular Web servers and databases, how they work, how they are exploited, and ways to harden them against attack. The protocols used by the Web, Web programming languages, and an explanation of how a browser interprets commands are graphically laid out with examples presented. The reader will learn how various servers, server software, and programming languages work and how best to deploy them for optimum security. Although no computer system is 100 percent hack-proof, taking serious precautions and putting into use the countermeasures and advice provided in this book will reduce the likelihood of major intrusion attempts.
I do not have experience in Web security and found the examples (code and screen shots) to be very helpful. The authors walk readers through actual hacking processes using programming code lines, screen shots, and graphical diagram analysis. They discuss, in plain English, how hacking attempts and other forms of mischief take place. The book provides step-by-step instructions in an easy-to-read style for hardening Web servers against attack. In short, readers are put in the hacker's seat and shown how it is done. Readers are also introduced to a number of popular hacking tools used to apply the hacking craft. These tools include username and password crackers, Web proxies, cookie programs, and other tools used to insert and extract useful information. The case studies were intriguing: Web site defacement, intercepting and deleting email messages, determining passwords, stealing identities, shopping cart shoplifting, credit card fraud, and more. I easily concluded that just about anyone with basic programming skills could have a serious go at hacking into a computer system if armed with the information provided in this book.
The layout of the book (as shown below) is also very useful. If a particular section is of interest, the reader can start there and obtain information about the subject.
The book is structured into four main sections:
- The E-commerce Playground
- URLs Unraveled
- How Do They Do It?
- Advanced Web Kung Fu