Overview
"Both novice and seasoned readers will come away with an increased understanding of how Web hacking occurs and enhanced skill at developing defenses against such Web attacks. Technologies covered include Web languages and protocols, Web and database servers, payment systems and shopping carts, and critical vulnerabilities associated with URLs. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line..."
--From the Foreword by William C. Boni, Chief Information Security Officer, Motorola
"Just because you have a firewall and IDS sensor does not mean you are secure; this book shows you why."
--Lance Spitzner, Founder, The Honeynet Project
Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense. Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
Features include:
- Overview of the Web and what hackers go after
- Complete Web application security methodologies
- Detailed analysis of hack techniques
- Countermeasures
- What to do at development time to eliminate vulnerabilities
- New case studies and eye-opening attack scenarios
- Advanced Web hacking concepts, methodologies, and tools
"How Do They Do It?" sections show how and why different attacks succeed, including:
- Cyber graffiti and Web site defacements
- e-Shoplifting
- Database access and Web applications
- Java application servers; how to harden your Java Web Server
- Impersonation and session hijacking
- Buffer overflows, the most wicked of attacks
- Automated attack tools and worms
Appendices include a listing of Web and database ports, cheat sheets for remote command execution, and source code disclosure techniques.
Web Hacking informs from the trenches. Experts show you how to connect the dots--how to put the stages of a Web hack together so you can best defend against them. Written for maximum brain absorption with unparalleled technical content and battle-tested analysis, Web Hacking will help you combat potentially costly security threats and attacks.
Booknews
Since human error keeps computers vulnerable despite such precautions as firewalls, the lead author of Hacking Exposed (Osborne McGraw-Hill, 2001) and his colleagues at an enterprise vulnerability management firm introduce the "e-commerce playground," hackers' modus operandi, and "advanced Web kung fu" for protecting against such attacks. They list popular Web and database servers; method and field definitions for HTTP 1.0 and 1.1; and Web resources and tools. The book includes cheat sheets for remote command execution and source codes, files, and directories. Annotation c. Book News, Inc., Portland, OR
Editorials
From Barnes & Noble
The Barnes & Noble Review
It’s so obvious, it’s hardly worth saying: The Web is a cracker’s playground. All those sites, all those unfixed vulnerabilities, all those easy-to-guess passwords and easy-to-steal credit card databases. All those system administrators who think they’re OK because they’re running a firewall. (Ninety-five percent of all attacks occur in spite of a working firewall!)
If you’re responsible for a web site, you desperately need web security guidance from someone who can pull together all the information you need, and all the solutions. You need Web Hacking.
Lead author Stuart McClure cowrote Hacking Exposed, the classic general hands-on guide to hacking and information security. If you’re a Fortune 500 IT professional, you may also know him as president of Foundstone, a leading provider of security assessments, vulnerability protection, consulting, and education.
In Web Hacking, McClure and two of his colleagues turn their attention specifically to web hacking. Like Hacking Exposed, this book covers the full range of attacks web administrators are likely to face. It also presents start-to-finish attack scenarios that show how multiple attacks build on each other.
You’ll start by thoroughly reviewing the vulnerabilities of every element of an e-commerce site: web scripting languages; web servers; database servers; payment systems; shopping carts; and the HTTP and HTTPS protocols.
Some pre-packaged shopping systems have proven notoriously insecure -- especially those widely used by smaller sites. For example, it’s common for shopping cart systems to send critical information such as product IDs and prices via hidden fields in HTML forms. But once the web server sends its HTML response to the browser, the server loses all control over the data sent, and it can’t rely on the data it receives back -- it’s easy for a buyer to change the price tag on an item and go unnoticed. Many systems respond by providing client-side validation, but client-side scripts are just as vulnerable as hidden HTML form fields.
In fact, McClure and company walk through a whole laundry list of shopping system vulnerabilities: metacharacters sent from clients to cause buffer overflows; information retrieval from easy-to-compromise temporary files on the server; weak encryption; file system directory exposure; improper privilege escalation; customer information disclosure; opportunities to alter both products and orders; and, of course, denial-of-service attacks.
There’s a full section on the security risks associated with URLs (more than you may imagine). For example, there’s the IIS vulnerability (since fixed, if you religiously patch your systems) which allows hackers to use URLs with invalid Unicode UTF-8 sequences to change directories on your server, find one where scripts are executable, and run whatever scripts suit their fancy.
Next, you’ll walk step-by-step through a sophisticated web site defacement attack. These come in many varieties; in McClure’s example, a hacker finds a proxy server that permits reverse HTTP proxying (a no-no); then exploits HTTP’s weak encryption to obtain user-level access; finds directory listings; locates a “staging script” that automatically updates web pages on a predefined schedule; then substitutes his own web pages, and waits for the script to run automatically.
The book contains equally detailed coverage of compromising web databases; executing Java code remotely; impersonation; on-the-fly buffer overflows; worms; and techniques for defeating intrusion detection systems. Outside the hacker underground, we’ve never seen this much web security information in a form so useful to working administrators.
--Bill Camarda
Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.
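The hidden-price-field problem the review describes, as an added Python example that is not from the book or the page: a checkout total that trusts the hidden `price` field the browser sends back, beside two hardened versions, one that ignores the client's price and looks it up server-side by product ID, and one that accepts the hidden field only when a server-issued HMAC over it still verifies. The catalog, signing key and form posts are constructed for the example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("129.00")}

# Constructed signing key; a real deployment loads this from configuration.
SIGNING_KEY = b"constructed-example-key"


def total_vulnerable(form):
    """Trusts the price the browser echoed back from a hidden form field."""
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(form):
    """Ignores any client-supplied price; the product ID selects the price."""
    sku = form.get("product_id")
    if sku not in CATALOG:
        raise ValueError("unknown product")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def sign_hidden(sku, price):
    """MAC the server issues alongside a hidden product/price pair."""
    msg = f"{sku}|{price}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def total_signed(form):
    """Accepts the hidden price only if the server-issued MAC still matches."""
    expected = sign_hidden(form.get("product_id", ""), form.get("price", ""))
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise ValueError("hidden field was modified by the client")
    return Decimal(form["price"]) * int(form["qty"])


def rejects(handler, form):
    """True when the handler refuses the form instead of computing a total."""
    try:
        handler(form)
    except ValueError:
        return True
    return False


# Constructed posts: one as the server rendered it, one with the price edited.
HONEST = {"product_id": "SKU-100", "price": "49.99", "qty": "2",
          "sig": sign_hidden("SKU-100", "49.99")}
TAMPERED = dict(HONEST, price="0.01")
```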