Archive

Foreword to the First Edition, by Mark Curphey
Foreword to the Second Edition, by Jeremiah Grossman
Past Contributors
News Archive

Foreword to the First Edition

But its akin to a building industry thats spent years developing sophisticated strong doors and locks, only to wake up one morning and realize that glass is see thru, fragile and easily broken by the casual house burglar. As security companies and professionals have been busy helping organizations react to the network security concerns, little attention has been paid to applications at a time when they were the fastest and most widely adopted technology being deployed. When I started moderating the web application security mailing list at www.securityfocus.com two years ago, I think it is safe to say people were confused about the security dangers on the web. Much was being made about malicious mobile code and the dangers of web based trojans. These parlor tricks on users were really trivial compared to the havoc being created by hackers attacking web applications. Airlines have been duped into selling transatlantic tickets for a few dollars, online vendors have exposed millions of customers valid credit card details and hospitals have revealed patients records to name but a few. A web application attack can stop a business in its tracks with one click of the mouse.

Just as the original Hacking Exposed series revealed the techniques the bad guys were hiding behind, I am confident "Hacking Web Applications Exposed" will do the same for this critical technology. Its methodical approach and appropriate detail will be both enlighten and educate and should go a long way to make the web a safer place in which to do business.

-- Mark Curphey, June 2002
Vice President, Foundstone Professional Services,
Former Chair of the Open Web Application Security Project

Foreword to the Second Edition

by Jeremiah Grossman, March, 2006
Founder and CTO of WhiteHat Security
Co-Founder of the Web Application Security Consortium (WASC)

Hacking a web application is like performing a magic trick. If you know the right techniques and practice you could break into just about any online bank, credit union, stock trader, e-commerce store, or social networking website. Simply use a Web browser as your magic wand and as fast as you can say, "Open sesame!" you're in. And that's exactly what this book is all about -- industry-leading web application experts revealing their best-kept web hacking secrets so people can begin defending themselves. The legendary magician Harry Houdini would be impressed with the techniques described in these pages.

The authors, as well all web application security experts, look at websites differently than most. With seemingly magical abilities they can determine the operating system, programming language, web server version, and even the location of the vulnerabilities just by looking at a URL. Most experts will also admit that when they personally do business on-line, it's a painful and sometimes tempting experience. They're compelled by the curiosity of what happens when you inject a few special characters into the browser location bar. Could you dump the entire credit card database? How about when a purchase confirmation email arrives - can we see other people's orders by simply changing numbers in the URL? "Yes," is the likely answer, since most websites can be compromised if you breathe on them too hard. Web application security is often so poor that experts occasionally find their hands covering up the location bar for fear of discovering vulnerabilities in their personal Web bank. It's true that even the experts bury their heads in the sand now and then.

But the eyes of the criminals are wide open. Gone are the good ol' days where we only had to worry about prankster hackers vandalizing homepages with leet speak, and plastering offensive JPEGs where your logo used to be. Criminal hackers have taken over where the recreational breed left off. Every day they voraciously steal credit card numbers, passwords, birth dates, social security numbers, bank accounts, and anything else they can cash-in on. The bad guys are willing, eager, and already blackmailing businesses at an alarming rate. And with hundreds of thousands of business in some way dependent on the Web, this is not an area of security we can afford to ignore. Have you sat down and seriously considered how much damage an intrusion would cause your operation in terms of downtime, fines, legal liability, loss of customer confidence, and brand damage?

The motivating factors of intruders have shifted over the years, but unsurprisingly one thing remains the same - the criminal mind takes the path of least resistance. Today this path is the website, or specifically, the web applications because 8 in 10 have serious vulnerabilities. This is so serious that any sensitive data you hold could be lost. Also, prominent industry reports are placing web attacks and vulnerability disclosures at the top of the list. This means most, if not all websites will be attacked. It's just a matter of when, who does it, and how long before the attacks succeed. If you happen to be one of the 80% of insecure websites, then you're simply playing a waiting game and your unlucky number will eventually come up.

That's why websites claiming to take security seriously citing only the use of SSL, network-layer firewalls, and spiffy certification stickers are unimpressive. Those are 20th century solutions and make little difference defending against popular 21st century attacks such Cross-Site Scripting, SQL Injection, and Insufficient Authorization. Clearly we need a more effective approach, which is diligent implementation of secure software development best practices, platform security standards, application vulnerability scanning, and web application firewalls. As the situation currently stands, we are a long way away from a place where the security posture of most websites is a deterrent or even a frustration to malicious hackers. Fortunately for those who truly want security, those who don't want to be the next Corporate victim or be listed in tomorrow's headline, this book holds the information you need.

The Hacking Exposed: Web Applications (2nd edition) authors are well-known and respected industry experts who've lived on the digital battlefield. They know what works from firsthand experience pen-testing hundreds of web applications over the last decade. Collectively they've researched hundreds (maybe thousands) of technical white papers, security books, articles, vulnerability advisories. Each of them have published multiple works on security. They'll show you how to investigate a web applications internals from outside and in, how to spot and exploit its weak points, and most importantly, they'll describe the security measures that really make a difference. Joel, Mike and Caleb have done a remarkable job capturing and presenting technical material in an easy-to-understand and engaging format. One thing is for certain: after you are done reading this book, you'll never look at a website the same way again.

Past Contributors

The following individuals have contributed to past editions of Hacking Exposed Web Applications.

Mike Shema was co-author of the first 2 editions of Hacking Exposed Web Applications. formerly Chief Security Officer at NTOBJECTives. Prior to joining NT OBJECTives, Mike was a Principal Consultant of Foundstone Inc. where he performed dozens of Web application security reviews for clients including Fortune 100 companies, financial institutions, and large software development companies. He has field-tested methodologies against numerous Web application platforms, as well as developing support tools to automate many aspects of testing. His work has led to the discovery of vulnerabilities in commercial Web software. Mike has also written technical columns about Web server security for Security Focus and DevX. He has also applied his security experience as a co-author for The Anti-Hacker Toolkit. In his spare time, Mike is an avid role-playing gamer. He holds B.S. degrees in Electrical Engineering and French from Penn State University.

Nishchal Bhalla, founder of Security Compass, is a specialist in product, code, web application, host, and network reviews. Nish has co-authored Buffer Overflow Attacks: Detect, Exploit & Prevent and is a contributing author for Windows XP Professional Security, HackNotes: Network Security, and Writing Security Tools and Exploits. Nish has also been involved in open source projects such as YASSP and OWASP, and is the chair of the Toronto Chapter. He has also written articles for SecurityFocus and is a frequent speaker on emerging security issues.

Samuel Bucholtz is a founding member of Casaba Security, a computer security consulting firm based in Seattle, Washington. Samuel specializes in application testing, design reviews, and system/network architecture implementation. Prior to Casaba Security, Samuel worked as a security consultant for Foundstone, performing security reviews and penetration tests for Global 1000 clients, managing tests of more than one hundred web applications, and training students in network and web application security. Before Foundstone, Samuel was a security engineer responsible for building and operating multimillion-user web sites for a large Internet consulting firm. Samuel has taught at Black Hat, CSI (Computer Security Institute), and has instructed private classes for clients. He has a bachelor's degree in Computer Science and Economics from New York University and has participated in a network security internship with the Department of Defense.

David Wong is currently a manager in Ernst & Young Attack and Penetration practice. David has over seven years of security experience and has performed hundreds of attack and penetration tests for companies in the financial services, energy, telecom, and software industries. David has previously held the position of Director of Application Security at a financial services firm and started his career working on security research at Lucent Technologies. David is a Certified Information Systems Security Professional (CISSP) and graduated with a BS in Engineering from Cooper Union.

Arian Evans has spent the last eight years pondering how he fell into information security. His focus has been on application security and IDS. Arian is currently researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping clients design, deploy, and defend their applications. Arian works for FishNet Security with clients worldwide on appsec issues, and has also worked with the Center for Internet Security, FBI, and numerous commercial organizations on web application security and related hacking incident-response.

Edward Tracy was Technical Editor of the 2nd Edition. Edward is a CISSP whose career has focused on the problem of application security, primarily within web applications. Mr. Tracy began his career with the National Security Agency, where he was exposed to advanced computer security research. He went on to co-found Aspect Security, Inc., a consulting firm that focuses on application security. While at Aspect Security, Mr. Tracy led the penetration-testing service, performed code and design reviews, consulted on security in the SDLC, and taught application security classes around the United States, including guest lecturing at Johns Hopkins University.

Mr. Tracy has been the DC Chapter lead for the Open Web Application Security Project (OWASP) and has contributed to OWASP's honeypot web application, WebGoat. He has also performed research and engineering on application scanning technologies and static code analysis. Mr. Tracy currently works with Booz Allen Hamilton, continuing to provide application security services through the firm's information assurance practice.

News Archive

12/21/05 - Google UTF-7 encoded cross-site scripting (XSS) vulnerabilities
Watchfire Corporation published an advisory concerning two cross-site scripting (XSS) vulnerabilities in google.com. The first exploits a URL redirection script http://www.google.com/url?q=, and the second concerns Google's 404 NOT FOUND mechanism at http://www.google.com/NOTFOUND. Although Google blocks common XSS injetion techniques, both URLs are vulnerable to UTF-7 encoded XSS exploits. Internet Explorer will automatically set UTF-7 encoding if it encounters UTF-7 encoded content in the first 4096 characters of an HTTP response. A example image link encoded with UTF-7 is as follows: +ADw-img src+AD0AIg-javascript:alert('Vulnerable')+ADsAIgA+-

11/08/05 - "Lupper/Plupii" PHP worm spreading widely
The worm exploits three vulnerabilities: the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution vulnerability, according to Symantec (who calls it "Plupii"). McAfee, who calls it "Lupper," says it has received reports of remote control back doors being delivered via worm infection. The firms rate the worm as "medium" and "low" risk, but Zone-H reports of compromised Linux sites spiked considerably in the last 2-3 days, according to readers.

6/24/02 - HE Web Apps makes "Product of the Week" on Sunbelt.com!
As always, hats off to Stu Sjouwerman's class W2K security newsletter.

6/21/02 - Hacking Exposed Web Apps published!
It's official as of June 21, 2002. See our Products page to get your copy.