Web Hacking: Attacks and Defense

My role regarding security is more process-oriented, although I have a fairly deep knowledge of the technical aspects. I, like many others, assumed that HTTP (port 80 services) poses nominal security exposures. Before I was finished with the first chapter that erroneous belief had been completely destroyed. What make the magnitude of the risks and exposures of seemingly secure aspects of web systems behind a firewall so real is the way you're walked through how to breach backend systems via HTTP. In addition, each language and scripting environment commonly used in web systems are examined for security implications. Seeing these was the second major surprise in the book.

As the book progresses the technical detail gets deeper, and the ways systems can be breached get more sophisticated. Each of the exposures that the book highlights can be independently verified by following the procedures given on test systems (of someone else's system if you have a malicious bent).

Even if security isn't your major concern you'll greatly benefit from this book because the authors completely explain how web systems work at a deep technical level, and do clearly. If you are involved in security you'll find exposures and risks in places you never suspected, such in intrusion detection systems, firewalls, and even comments in scripts and mark-up files.

This book can be read and understood by moderately technical readers, such as IT managers, and should be read by developers who want to harden their code, auditors and security assessment team members, and systems and network administrators who need to plug the holes left by product defaults or are targets for intruders.

Rating:
Summary: Hacking - Readers Are Shown How It's Done!
Review: During the last several years we have seen a sharp rise in the number of methods employed to hack into computer systems worldwide. The frequency of such attacks is alarming and the consequences are staggering. Clever minds, basic computer and programming skills, and knowledge of system exploits coupled with the intent to cause harm of one kind or another is a hard combination to beat.

Stuart McClure, Saumil Shah, and Shreeraj Shah have written Web Hacking: Attacks and Defense to provide solid insight into the very strategies involved to successfully hack into vulnerable computer systems. This book features extensive coverage of popular and lesser known exploits that allows successful hacking to take place. Readers will read up on them, they can actually challenge them - hopefully against their own systems, and they can prepare their own strategies to counter possible future hacking attempts against their own systems.

I was truly amazed as I read one system exploit after another - it seemed so easy for people to go hacking these days. Case studies were intriguing - Website defacement, intercepting and deleting e-mail messages, determining passwords, stealing identities, shopping cart shoplifting, credit card fraud, and more. I easily concluded that just about anyone with basic programming skills could have a serious go at hacking into a computer system if armed with the information provided in this book.

The authors walk readers through actual hacking processes using programming code lines, screen shots, graphical diagram analysis, and they discuss in plain English how hacking attempts and other forms of mischief takes place. In short - readers are put in the hacker's seat and shown how to do it. Readers are also introduced to a number of popular hacking tools used to apply the hacking craft - username and password crackers, Web proxies, cookie programs, and other tools used to insert and extract useful information.

The intention of the book is clear - to create serious awareness of hacking threats and to offer readers - individuals, IT department professionals, Web developers, business leaders, and other concerned parties, the information they need to adequately safeguard their systems and client data. They will learn how various servers, server software, and program languages work and how best to deploy them for optimum security. Although no computer system may be 100% hack-proof, taking serious precautions and putting into use the countermeasures and advice provided in this book will reduce the likelihood of major intrusion attempts.

Although the contents of this book appears overwhelming at times, readers should take heart in knowing that they are learning about the serious nature of hacking and criminal activity associated with it. Some hackers are people with easily obtained computer tools who are out to prove their skills while others want to steal or exact revenge. Regardless of their skill levels and intentions, they pose serious threats to a lot of people. The content of this book is essential reading. There's much to be gained by reading and applying it to current Web communication and commerce strategies. It's highly recommended.

Rating:
Summary: Rehash of basic web technologies
Review: I was dissapointed in what this book had to offer. I was hoping for a full text of web exploits and how to defend against them. Instead the first half of the book covers information such as languages of the web and how to read URL's. It is as if the author assumes the reader has no knowledge of web technolgies and systems. I am finding this to be a common problem with network security books, they are written for readers with little real knowledge of networking, let alone network security. Surly they sell many copies because "hacking" is in the title though.
This is not the book for the serious IT proffesional, you would do better to look elsewhere for security insights.

Rating:
Summary: Eclectic
Review: So you heard all this hype on Web Hacking, and want to know more about this matter.

Well, if you think about the web as an e-commerce platform, then just Buy 'Web Security, Privacy & Commerce' by Garfinkel and Spafford, an excellent and classic book.

Are you interested in 'pure hacking'? I mean 'perl scripts', cross site and traversal attacks, hackers jargon, and all the related issues..... then buy 'Hacking Web Applications Exposed' by Scambray and Shema. Excellent book too, and excellent authors. But beware, it is not for newbies. You MUST have a lot of background to fully understand the attacks.

Now, what about an easier generic book, covering the same issues as the others but in a step by step and kinder way.? A book to start from zero, but leading to understand all the currently related themes. Well, if this is what you want, then 'Web Hacking' is your book. It covers all that need to be covered in this area. In an easy and well structured way. The reading is very light and the authors 'break down' of the matter, makes the contents very intuitive.

The book is structured into four main sections (covering the same areas as the previously referred books) :

** The E-commerce Playground
** URLs Unraveled
** How Do They Do It?
** Advanced Web Kung Fu

It includes also, several interesting appendixes (specially useful the 'cheat sheet' appendix).

A lot of simple case studies (of the kind 'Bob and Alice') are presented as well as some more technical analyses (Code Red, Nimda etc.)

If I were to select a book as a reference for a first course on web security, 'Web Hacking' would be my choise. Definitively.

Rating:
Summary: Eclectic
Review: So you heard all this hype on Web Hacking, and want to know more about this matter.

Well, if you think about the web as an e-commerce platform, then just Buy 'Web Security, Privacy & Commerce' by Garfinkel and Spafford, an excellent and classic book.

Are you interested in 'pure hacking'? I mean 'perl scripts', cross site and traversal attacks, hackers jargon, and all the related issues..... then buy 'Hacking Web Applications Exposed' by Scambray and Shema. Excellent book too, and excellent authors. But beware, it is not for newbies. You MUST have a lot of background to fully understand the attacks.

Now, what about an easier generic book, covering the same issues as the others but in a step by step and kinder way.? A book to start from zero, but leading to understand all the currently related themes. Well, if this is what you want, then 'Web Hacking' is your book. It covers all that need to be covered in this area. In an easy and well structured way. The reading is very light and the authors 'break down' of the matter, makes the contents very intuitive.

The book is structured into four main sections (covering the same areas as the previously referred books) :

** The E-commerce Playground
** URLs Unraveled
** How Do They Do It?
** Advanced Web Kung Fu

It includes also, several interesting appendixes (specially useful the 'cheat sheet' appendix).

A lot of simple case studies (of the kind 'Bob and Alice') are presented as well as some more technical analyses (Code Red, Nimda etc.)

If I were to select a book as a reference for a first course on web security, 'Web Hacking' would be my choise. Definitively.

Rating:
Summary: Excellent, a _must_ read
Review: This book has a wealth of information on the subject of Web Hacking. As an administrator responsible for the well-being of various web servers, it is important for me to keep up with the vulnerabilities and know the tactics of crackers, and this book filled me in with more than enough knowledge.

The book starts out with good introduction on the topic of web languages, and leads you to various topics such as finding and exploiting buffer overflows. There is a _lot_ of ground covered in this book including databases, cracking tools, SQL code injection, countermeasures, etc.

If you are responsible for any host sitting on the internet, this is your bible.

Rating:
Summary: Excellent
Review: This book is an excellent start. While you can find alot of usefull hacking material on the web, this book gives it to you well organized.

Rating:
Summary: Good Overview Of Attacks & Defense
Review: This is a pretty informative book on hacking. After reading this book you will have a good overview of many different attacks and defenses. It's a great book for beginners and an entertaining read.