"My brain is the key that sets my mind free."
Harry Houdini
Hacking a web application is like performing a magic trick. If you know the right techniques and practice, you could break into just about any online bank, credit union, stock trader, e-commerce store, or social networking web site. Simply use a web browser as your magic wand and, as fast as you can say "Open sesame!", you're in. And that's exactly what this book is all about: industry-leading web application experts revealing their best-kept web hacking secrets so people can begin defending themselves. The legendary magician Harry Houdini would be impressed with the techniques described in these pages.
The authors, as well as all web application security experts, look at web sites differently than most other people do. With seemingly magical abilities, they can determine the operating system, programming language, web server version, and even the location of the vulnerabilities just by looking at a URL. Most experts will also admit that when they do business online, it's a painful and sometimes tempting experience. They're compelled by the curiosity of what happens when you inject a few special characters into the browser location bar. Could you dump the entire credit card database? How about when a purchase confirmation e-mail arrives: can we see other people's orders by simply changing numbers in the URL? "Yes" is the likely answer, since most web sites can be compromised if you breathe on them too hard. Web application security is often so poor that experts occasionally find their hands covering up the location bar for fear of discovering vulnerabilities in their personal web bank. It's true that even the experts bury their heads in the sand now and then.
But the eyes of the criminals are wide open. Gone are the good ol' days when we only had to worry about prankster hackers vandalizing homepages with leet speak and plastering offensive JPEGs where your logo used to be. Criminal hackers have taken over where the recreational breed left off. Every day they voraciously steal credit card numbers, passwords, birth dates, social security numbers, bank accounts, and anything else they can cash in on. The bad guys are willing, eager, and already blackmailing businesses at an alarming rate. And with hundreds of thousands of businesses in some way dependent on the Web, this is not an area of security we can afford to ignore. Have you sat down and seriously considered how much damage an intrusion would cause your operation in terms of downtime, fines, legal liability, loss of customer confidence, and brand damage?
The motivating factors of intruders have shifted over the years, but unsurprisingly one thing remains the same: the criminal mind takes the path of least resistance. Today this path is the web site, or specifically, the web applications, because eight in ten have serious vulnerabilities. This is so serious that any sensitive data you hold could be lost. Also, prominent industry reports are placing web attacks and vulnerability disclosures at the top of the list. This means most, if not all, web sites will be attacked. It's just a matter of when, who does it, and how long before the attacks succeed. If yours happens to be one of the 80 percent of insecure web sites, then you're simply playing a waiting game and your unlucky number will eventually come up.
That's why web sites that claim to take security seriously, citing only the use of SSL, network-layer firewalls, and spiffy certification stickers, are unimpressive. Those are 20th-century solutions and make little difference defending against popular 21st-century attacks such as Cross-Site Scripting, SQL Injection, and Insufficient Authorization. Clearly, we need a more effective approach, which is diligent implementation of secure software development best practices, platform security standards, application vulnerability scanning, and web application firewalls. As the situation currently stands, we are a long way away from a place where the security posture of most web sites is a deterrent or even a frustration to malicious hackers. Fortunately for those who truly want security, those who don't want to be the next corporate victim or be listed in tomorrow's headline, this book holds the information you need.
The Hacking Exposed Web Applications, Second Edition authors are well-known and respected industry experts who've lived on the digital battlefield. They know what works from firsthand experience pen-testing hundreds of web applications over the last decade. Collectively, they've researched hundreds (maybe thousands) of technical white papers, security books, articles, and vulnerability advisories. Each of them has published multiple works on security. They'll show you how to investigate web application internals from outside and in, how to spot and exploit the weak points, and most importantly, they'll describe the security measures that really make a difference. Joel, Mike, and Caleb have done a remarkable job capturing and presenting technical material in an easy-to-understand and engaging format. One thing is for certain: after you are done reading this book, you'll never look at a web site the same way again.
Jeremiah Grossman
Founder and CTO of WhiteHat Security
Co-Founder of the Web Application Security Consortium (WASC)
March 2006
This book would not have existed if not for the support, encouragement, input, and contributions of many people. We hope we have covered them all here and apologize for any omissions, which are due to our oversight alone.
First and foremost, many thanks to our families and friends for supporting us through many months of demanding research and writing. Their understanding and support were crucial to us completing this book. We hope that we can make up for the time we spent away from them to complete yet another book project (really, we promise this time!).
Secondly, we would like to thank our colleagues Nish, Sam, David, and Arian for their valuable contributions to this book. Ed Tracy also deserves special thanks for not becoming a schizophrenic while tech editing manuscripts with such different writing styles.
Of course, big thanks go again to the tireless McGraw-Hill production team who worked on the book, including our long-time acquisitions editor Jane Brownlow, acquisitions coordinator Jenni Housh, who kept things on track, and to project editor Mark Karmendy, who kept a cool head even in the face of weekend page proofing and other injustices that the authors saddled his team with.
We'd also like to acknowledge the many people who provided input and guidance on the many facets of this book, including Brian Cohen at SPI Dynamics, Ivan Ristic of ModSecurity and Thinking Stone, Heather Adkins of Google, J.D. Meier of Microsoft, and the entire Late-Night Drinking Crew at Casaba.
Thanks go also to Jeremiah Grossman for his feedback on the manuscript and his outstanding comments in the Foreword.
As always, we'd like to tip our hats to the many perceptive and creative hackers worldwide who continue to innovate and provide the raw material for Hacking Exposed, especially those who correspond regularly.
And finally, a tremendous "Thank You" to all of the readers of the Hacking Exposed series, whose ongoing support makes all of the hard work worthwhile.
Joel, Mike, and Caleb
I would like to acknowledge Mark Painter and George Hulme for help with my terrible writing, Kevin Spett for his technical contribution, and Ashley Vandiver for always pushing me.
Caleb