
HackNotes™ Web Security Portable Reference

Author Mike Shema
Book Details
Author(s): Mike Shema
ISBN / ASIN: B00UDOBMDC

Description

The World Wide Web brings together information, commerce, personalities, and more. The applications that populate the Web reflect the desires of persons who wish to buy, sell, trade, or just talk. Consequently, web application security is not just about protecting your credit card because a site uses 128-bit encryption. It is about how the application takes your credit card, stores it in a database, and later retrieves it from the database. After all, if a malicious user can perform a SQL injection attack that steals database information using only a web browser, then the use of SSL is moot.
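The point that SSL does not help against injection is worth seeing in code. The following is an added example, not code from the book: a lookup that builds its SQL by string formatting beside the parameterized version, fed the same value a browser would send in a query string. The table, the card numbers and the query-string payload are all constructed for the illustration; `lookup_vulnerable`, `lookup_parameterized` and `user_from_query_string` are names chosen here, not APIs from the book.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample database (not real card data) with two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (user TEXT, number TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "4111111111111111"), ("bob", "5500000000000004")],
    )
    return conn


def user_from_query_string(qs):
    """Decode the 'user' parameter exactly as a web framework would.

    TLS encrypts this string in transit and hands it to the application
    unchanged, so transport encryption neither sees nor stops an injection.
    """
    return parse_qs(qs)["user"][0]


def lookup_vulnerable(conn, user):
    """Query built by string formatting: the attacker's quote closes the
    literal and the rest of the payload becomes part of the WHERE clause."""
    sql = "SELECT number FROM cards WHERE user = '%s'" % user
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, user):
    """Same query with a bound parameter: the payload is compared as a plain
    string value and matches no user, so nothing leaks."""
    sql = "SELECT number FROM cards WHERE user = ?"
    return sorted(row[0] for row in conn.execute(sql, (user,)))


# Constructed query strings as a browser would send them (URL-encoded).
NORMAL_QS = "user=alice"
ATTACK_QS = "user=alice%27+OR+%271%27%3D%271"   # decodes to: alice' OR '1'='1


if __name__ == "__main__":
    db = make_db()
    for qs in (NORMAL_QS, ATTACK_QS):
        user = user_from_query_string(qs)
        print(repr(user))
        print("  vulnerable:    ", lookup_vulnerable(db, user))
        print("  parameterized: ", lookup_parameterized(db, user))
```

Run stand-alone, the vulnerable lookup returns every card number for the attack string while the parameterized lookup returns none; the only thing that changed between the two is whether user input was treated as data or as SQL.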
Of course, protecting financial data is not the only reason to create a secure web application. Information needs to be protected as well. Neither personal information, such as your home address, nor public information, such as a posting to a forum, should be exposed to an insecure application. You could become either the victim of identity theft or the target of a character assassination.
Web-based applications handle more than just money; it’s important to realize that any application vulnerability can have a serious effect.

HOW THIS BOOK IS ORGANIZED
Each chapter in this book covers a unique topic in order to make it easy for you to flip to whatever section you need most.
Parts
This book is split into three major sections separated by a handy Reference Center.
Part I: Hacking Techniques and Defenses
The book begins with a detailed methodology and techniques for testing a web application. The techniques are presented in the order of general to specific. The first step is to enumerate each of the application's pages and variables. Then, these chapters lead you into methods for identifying, validating, and exploiting vulnerabilities such as SQL injection, cross-site scripting, and session hijacking. Each attack is paired with a specific countermeasure.
Part II: Host Assessment & Hardening
The second part of the book focuses on techniques for creating a secure application from the beginning rather than patching the application. It provides checklists for deploying the platform and programs needed to support the application. Instead of repeating the simple steps you might find on a web site, these chapters provide detailed reasons and recommendations for different countermeasures. The goal is to provide a set of techniques that apply to each part of the web application.
Part III: Special Topics
This section provides readers with more information on secure coding, dealing with load balancers, and that "little extra" sometimes necessary to make an attack successful. The secure coding section covers the pitfalls and countermeasures found in today's most popular web programming languages.
The Reference Center
You won’t find a useless list of port numbers that could be easily obtained
by checking the /etc/services file on your system. Instead, the
Reference Center contains checklists for character encoding, SQL injection
strings, and a comprehensive application security checklist that
covers everything from spidering the site to checking session state
mechanisms.
HACKING ATTACKS AND DEFENSES
This book addresses tactical and strategic countermeasures that can be deployed against most Web application attacks. The majority of Chapter 2 deals with specific, tactical attacks and defensive countermeasures. Consequently, that is where you will find the majority of our highlighted techniques.
A FINAL WORD TO THE READER
Just the hacks. Just the defenses. The goal of this book is to be a quick reference while you perform a security review of an application or are still designing the application on a white-board. Its level of detail should be wrapped in enough methodology that anyone who is a little familiar with HTML and a browser can begin testing security.