Synopses & Reviews
Implement bulletproof e-business security the proven Hacking Exposed way
Defend against the latest Web-based attacks by looking at your Web applications through the eyes of a malicious intruder. Fully revised and updated to cover the latest Web exploitation techniques, Hacking Exposed Web Applications, Second Edition shows you, step-by-step, how cyber-criminals target vulnerable sites, gain access, steal critical data, and execute devastating attacks. All of the cutting-edge threats and vulnerabilities are covered in full detail alongside real-world examples, case studies, and battle-tested countermeasures from the authors' experiences as gray hat security professionals.
- Find out how hackers use infrastructure and application profiling to perform reconnaissance and enter vulnerable systems
- Get details on exploits, evasion techniques, and countermeasures for the most popular Web platforms, including IIS, Apache, PHP, and ASP.NET
- Learn the strengths and weaknesses of common Web authentication mechanisms, including password-based, multifactor, and single sign-on mechanisms like Passport
- See how to excise the heart of any Web application's access controls through advanced session analysis, hijacking, and fixation techniques
- Find and fix input validation flaws, including cross-site scripting (XSS), SQL injection, HTTP response splitting, encoding, and special character abuse
- Get an in-depth presentation of the newest SQL injection techniques, including blind attacks, advanced exploitation through subqueries, Oracle exploits, and improved countermeasures
- Learn about the latest XML Web Services hacks, Web management attacks, and DDoS attacks, including click fraud
- Tour Firefox and IE exploits, as well as the newest socially-driven client attacks like phishing and adware
Get in-depth coverage of Web application platforms and their vulnerabilities, presented in the same popular format as the international bestseller, Hacking Exposed. Covering hacking scenarios across different programming languages and depicting various types of attacks and countermeasures, this book offers you up-to-date and highly valuable insight into Web application security.
"Required reading for Web architects and operators." -- Erik Olson, Microsoft Program Manager, Security, ASP.NET
"Just as the original Hacking Exposed revealed the techniques the bad guys were hiding behind, Hacking Exposed Web Applications will do the same for this critical technology. Its methodical approach and appropriate detail will enlighten, educate, and go a long way toward making the Web a safer place in which to do business." -- from the Foreword by Mark Curphey, Chair of the Open Web Application Security Project
"This is a serious technical guide that is also great reading -- scary enough to motivate folks to take Web security seriously but approachable enough to be an effective learning tool. Required reading for Web architects and operators." -- Erik Olson, Program Manager, Security, ASP.NET
"What better way to defend against hackers than to understand the tools and techniques that are used to penetrate your site? Hacking Exposed Web Applications offers a detailed look at common vulnerabilities within your applications and explains how to protect yourself from them." -- Mike Mullins, Ecommerce Security Engineer for a leading specialty apparel retailer
"At last, your personal guide to preventing the next generation of security threats. This book explains in intricate detail how you can do everything right when it comes to network security and still be owned at the Web application layer." -- Chip Andrews, www.sqlsecurity.com
"If you're involved in writing Web-based applications using ASP/ASP.NET, Java, JSP, PHP, or other languages, the Hacking Exposed series is something you DEFINITELY need to read. Before writing one line of code, this book will spark ideas about how to design and secure your Web applications. There are techniques potential hackers could use that I've never even thought of! Great resource!" -- Steve Schofield, Creator and Managing Editor, ASPFree.com
"This book goes a long way in making the Web a safer place to do business." -- Mark Curphey, Chair of the Open Web Application Security Project
Unleash the hackers' arsenal to secure your Web applications
In today's world of pervasive Internet connectivity and rapidly evolving Web technology, online security is as critical as it is challenging. With the enhanced availability of information and services online and Web-based attacks and break-ins on the rise, security risks are at an all-time high. Hacking Exposed Web Applications shows you, step-by-step, how to defend against the latest Web-based attacks by understanding the hacker's devious methods and thought processes. Discover how intruders gather information, acquire targets, identify weak spots, gain control, and cover their tracks. You'll get in-depth coverage of real-world hacks--both simple and sophisticated--and detailed countermeasures to protect against them.
What you'll learn:
- The proven Hacking Exposed methodology to locate, exploit, and patch vulnerable platforms and applications
- How attackers identify potential weaknesses in Web application components
- What devastating vulnerabilities exist within Web server platforms such as Apache, Microsoft's Internet Information Server (IIS), Netscape Enterprise Server, J2EE, ASP.NET, and more
- How to survey Web applications for potential vulnerabilities--including checking directory structures, helper files, Java classes and applets, HTML comments, forms, and query strings
- Attack methods against authentication and session management features such as cookies, hidden tags, and session identifiers
- Most common input validation attacks--crafted input, command execution characters, and buffer overflows
- Countermeasures for SQL injection attacks such as robust error handling, custom stored procedures, and proper database configuration
- XML Web services vulnerabilities and best practices
- Tools and techniques used to hack Web clients--including cross-site scripting, active content attacks and cookie manipulation
- Valuable checklists and tips on hardening Web applications and clients based on the authors' consulting experiences
From the coauthor of the international bestseller Hacking Exposed, proven techniques for securing Web applications against cyber attacks
In this fully revised bestseller, IT security professionals will find the latest insights into the core security issues that plague online business platforms of all sizes. Hacking Exposed Web Applications, Second Edition, applies the bestselling Hacking Exposed computer security methodologies, technical rigor, and “from-the-trenches” experience to making the Web a safer, more secure place in which to do business.
About the Author
Joel Scambray is a senior director in Microsoft Corporation’s MSN Security group, where he faces daily the full brunt of the Internet’s most notorious denizens, from spammers to Slammer. He is most widely recognized as co-author of Hacking Exposed: Network Security Secrets & Solutions, the international best-selling Internet security book, as well as related titles on Windows and web application security. Before joining Microsoft in August 2002, Joel helped launch security services startup Foundstone, Inc. to a highly regarded position in the industry, and he previously held positions as a manager for Ernst & Young, security columnist for Microsoft TechNet, editor at large for InfoWorld Magazine, and director of IT for a major commercial real estate firm. He has spoken widely on information security to organizations including CERT, The Computer Security Institute (CSI), ISSA, ISACA, SANS, private corporations, and government agencies, including the FBI and the RCMP. Joel has maintained CISSP accreditation since 1999.
Mike Shema is CSO of NT Objectives, where he is working on improving the accuracy and scope of application security testing techniques and tools. He joined NT Objectives from Foundstone, Inc., where he was a principal consultant and trainer. He has performed security tests ranging from network penetrations to firewall and VPN reviews to web application reviews. Mr. Shema is intimately familiar with current security tools, vulnerabilities, and trends. Mr. Shema has also discovered and submitted to Bugtraq several zero-day exploits as a result of his extensive experience with web application testing. Prior to joining Foundstone, Mr. Shema worked at a product development company where he configured and deployed high-capacity Apache Web and Oracle database servers for numerous Internet clients. Mr. Shema previously worked at Booz Allen Hamilton on information assurance projects and performed several security assessments for government and military sites in addition to developing security training material. Mr. Shema holds a B.S. in Electrical Engineering and a B.S. in French from Penn State University. Mr. Shema has co-authored Hacking Exposed: Web Applications and Anti-Hacker Toolkit, Third Edition and authored Hack Notes: Web Security.
Caleb Sima is the co-founder and CTO of SPI Dynamics, a Web application security products company. Caleb has been engaged in the Internet security arena since 1996, a time when the concept of Internet security was just emerging. Since then, he has become widely recognized within the industry as an expert in penetration testing and in identifying emerging security threats. Caleb is a frequent speaker and press resource on Internet attacks, is a contributing author to various magazines, and has been featured in the Associated Press.
Table of Contents
Chapter 1: Hacking Web Apps 101
Chapter 2: Profiling
Chapter 3: Hacking Web Platforms
Chapter 4: Attacking Web Authentication
Chapter 5: Attacking Web Authorization
Chapter 6: Input Validation Attacks
Chapter 7: Attacking Web Datastores
Chapter 8: Attacking XML Web Services
Chapter 9: Attacking Web Application Management
Chapter 10: Hacking Web Clients
Chapter 11: Denial-of-Service (DoS) Attacks
Chapter 12: Full-Knowledge Analysis
Chapter 13: Web Application Security Scanners
APPENDIX A: WEB APPLICATION SECURITY CHECKLIST
APPENDIX B: WEB HACKING TOOLS AND TECHNIQUES CRIBSHEET
APPENDIX C: URLScan AND ModSecurity
APPENDIX D: ABOUT THE COMPANION WEB SITE