Foreword

In your hands is a book that is an essential companion for safeguarding the increasingly critical Web sites and e-commerce systems that are the cornerstone of global e-businesses. Web Hacking: Attacks and Defense offers the distilled experience of leading security consultants that will help level the playing field for the beleaguered security and IT staff challenged with fending off the hacker onslaught, those who see the Internet as a faster and more efficient mechanism for stealing from and abusing others. If you read and apply the lessons offered here, some of the most disreputable people on the Internet are going to be severely disappointed, as some of their most effective tricks will be useless against your sites. They will have to be much more creative and work a lot harder to compromise the security of your applications. These pages are filled with the knowledge and distilled experience of some of the world's best white-hat hackers, the stalwart consultants of Foundstone.

The authors have delivered eye-opening and dazzling insights into the world of Web site and application hacking. Some of the most devastating tools and techniques that have been used by cyber criminals and hackers to lay waste to Web sites around the planet are discussed in this book. The part opener case studies and chapter examples lay out in stunning detail the consequences of failing to understand and anticipate the many methods that are available and in use by the "dark side." The countermeasures necessary to combat these depredations are detailed with clinical efficiency. To defeat thieves, it helps to know where, how, and why they strike and the weak points they favor. Web Hacking is your guidebook to these techniques.

The book is a technical tour de force chock full of valuable descriptions of how, when, where, and why elements of the Web site will be attacked. It balances accurate and complete technical exposition with explanations that help less technically knowledgeable readers grasp the essential elements of the attacks and essential defenses.

Shocking in some places, it describes how even well-trained Web site designers and operators often make crucial mistakes in implementing sites. By the time you have read this book, you will have learned dozens of ways that Web sites can be attacked and manipulated. The first and most important step is to accept the fact that the threat to Web sites is real and ever increasing. Given that, the Internet provides the perfect environment for hacking, and this book helps e-commerce and online businesses to understand and guard against these global risks.

The chapters are replete with examples that drive home the lesson that the Internet really is a dangerous place to operate a business. When virtual storefronts meet real criminals operating in cyberspace, even seemingly minor errors (the way sites are coded and how components are linked) can create huge vulnerabilities. Recent research by the Honeynet (www.honeynet.org) project has proven that an inadequately secured site will be attacked within minutes after it becomes visible on the Internet. What is worse, commercial Web sites with high-risk vulnerabilities will be exploited by criminals who may never be identified, and even if they are found, could well be out of reach of traditional law enforcement agencies. Even nonprofit sites may be defaced or abused to provide online storage for illegal transactions such as cracked software.

We live in an age reminiscent of the American Old West, and it's too often a case of survival of the fittest. When classic law enforcement methods do little to prevent attacks, IT managers and Web site designers and operators cannot rely on luck alone to defend their vital e-business environments. Knowledge truly is power, so equip yourself and your organization with the insights of some of the best ethical hackers to be found anywhere. This book is a virtual battle plan that will help you identify and eliminate threats that could take your Web site off line due to cyber fraud, defacement, unauthorized access, modification, or destruction. Let the insights of these expert security consultants work for you and sleep better knowing that you and your organization are doing your part to reduce the potential for cyber crime.

William C. Boni
Chief Information Security Officer, Motorola
July 2002

 



Web Hacking: Attacks and Defense
ISBN: 0201761769
EAN: 2147483647
Year: 2005
Pages: 156
