Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact:

U.S. Corporate and Government Sales

(800) 382-3419

For sales outside of the U.S., please contact:

International Sales

(317) 581-3793

Visit Addison-Wesley on the Web:

Library of Congress Control Number: 2002107711

Copyright © 2003 by Pearson Education, Inc.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

For information on obtaining permission for use of material from this work, please submit a written request to:

Pearson Education, Inc.

Rights and Contracts Department

75 Arlington Street, Suite 300

Boston, MA 02116

Fax: (617) 848-7047

Text printed on recycled paper

1 2 3 4 5 6 7 8 9 10—CRS—0605040302

First printing, July 2002


To those close to me: your unwavering support makes everything possible.

—Stuart McClure

This book is dedicated to dear Rajalbhai for his academic guidance and love.

—Shreeraj Shah

To my family, my friends, and my country.

—Saumil Shah



In your hands is a book that is an essential companion for safeguarding the increasingly critical Web sites and e-commerce systems that are the cornerstone of global e-businesses. Web Hacking: Attacks and Defense offers the distilled experience of leading security consultants that will help level the playing field for the beleaguered security and IT staff challenged with fending off the hacker onslaught—those who see the Internet as a faster and more efficient mechanism for stealing from and abusing others. If you read and apply the lessons offered here, some of the most disreputable people on the Internet are going to be severely disappointed, as some of their most effective tricks will be useless against your sites. They will have to be much more creative and work a lot harder to compromise the security of your applications. These pages are filled with the knowledge and distilled experience of some of the world's best white-hat hackers, the stalwart consultants of Foundstone.

The authors have delivered eye-opening and dazzling insights into the world of Web site and application hacking. Some of the most devastating tools and techniques that have been used by cyber criminals and hackers to lay waste to Web sites around the planet are discussed in this book. The part opener case studies and chapter examples lay out in stunning detail the consequences of failing to understand and anticipate the many methods that are available and in use by the "dark side." The countermeasures necessary to combat these depredations are detailed with clinical efficiency. To defeat thieves, it helps to know where, how, and why they strike and the weak points they favor. Web Hacking is your guidebook to these techniques.

The book is a technical tour de force chock-full of valuable descriptions of how, when, where, and why elements of the Web site will be attacked. It balances accurate and complete technical exposition with explanations that help less technically knowledgeable readers grasp the essential elements of the attacks and essential defenses.

Shocking in some places, it describes how even well-trained Web site designers and operators often make crucial mistakes in implementing sites. By the time you have read this book, you will have learned dozens of ways that Web sites can be attacked and manipulated. The first and most important step is to accept the fact that the threat to Web sites is real and ever increasing. Given that, the Internet provides the perfect environment for hacking, and this book helps e-commerce and online businesses to understand and guard against these global risks.

The chapters are replete with examples that drive home the lesson that the Internet really is a dangerous place to operate a business. When virtual storefronts meet real criminals operating in cyberspace, even seemingly minor errors (the way sites are coded and how components are linked) can create huge vulnerabilities. Recent research by the Honeynet project has proven that an inadequately secured site will be attacked within minutes after it becomes visible on the Internet. What is worse, commercial Web sites with high-risk vulnerabilities will be exploited by criminals who may never be identified, and even if they are found, could well be out of reach of traditional law enforcement agencies. Even nonprofit sites may be defaced or abused to provide online storage for illegal transactions such as cracked software.

We live in an age reminiscent of the American Old West, and it's too often a case of survival of the fittest. When classic law enforcement methods do little to prevent attacks, IT managers and Web site designers and operators cannot rely on luck alone to defend their vital e-business environments. Knowledge truly is power, so equip yourself and your organization with the insights of some of the best ethical hackers to be found anywhere. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line due to cyber fraud, defacement, unauthorized access, modification, or destruction. Let the insights of these expert security consultants work for you and sleep better knowing that you and your organization are doing your part to reduce the potential for cyber crime.

William C. Boni
Chief Information Security Officer, Motorola
July 2002