Introduction

Way back in 1999, Hacking Exposed, First Edition introduced many people to the ease with which computer networks and systems are broken into. Although there are still many today who are not enlightened to this reality, large numbers are beginning to understand the necessity for firewalls, secure operating system configuration, vendor patch maintenance, and many other previously arcane fundamentals of information system security.

Unfortunately, the rapid evolution brought about by the Internet has already pushed the goalposts far upfield. Firewalls, operating system security, and the latest patches can all be bypassed with a simple attack against a web application. Although these elements are still critical components of any security infrastructure, they are clearly powerless to stop a new generation of attacks that are increasing in frequency every day now.

Don't just take our word for it. Gartner Group says 75 percent of hacks are at the web app level, and that out of 300 audited sites, 97 percent are vulnerable to attack. Headlines for devastating attacks are now commonplace (we'd cite the 2005 CardSystems computer breach that exposed sensitive information on 40 million consumers), and the list of government investigations into allegedly shoddy computer security practices continues to grow (key examples include BJ's Wholesale Club, Bank of America, Citibank, Lexis-Nexis, ChoicePoint, Microsoft's Passport, Guess Inc., and Eli Lilly).

We cannot put the horse of Internet commerce back in the barn and shut the door. There is no other choice left but to draw a line in the sand and defend the positions staked out in cyberspace by countless organizations and individuals.

For anyone who has assembled even the most rudimentary web site, you know this is a daunting task. Faced with the security limitations of existing protocols like HTTP, as well as the ever-accelerating onslaught of new technologies like XML Web Services, AJAX, and RSS, the act of designing and implementing a secure web application can present a challenge of Gordian complexity.

Meeting the Web App Security Challenge

We show you how to meet this challenge with the two-pronged approach adapted from the original Hacking Exposed.

First, we catalog the greatest threats your web application will face and explain how they work in excruciating detail. How do we know these are the greatest threats? Because we are hired by the world's largest companies to break into their web applications, and we use them on a daily basis to do our jobs. And we've been doing it for over 30 years (combined), researching the most recently publicized hacks, developing our own tools and techniques, and combining them into what we think is the most effective methodology for penetrating web application (in)security in existence.

Once we have your attention by showing you the damage that can be done, we tell you how to prevent each and every attack. Deploying a web application without understanding the information in this book is roughly equivalent to driving a car without seat belts down a slippery road, over a monstrous chasm, with no brakes, and the throttle jammed on full.

Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127
