Sorry, this item is not available in
Image not available for
Image not available

To view this video download Flash Player

Have one to sell? Sell yours here
Tell the Publisher!
I'd like to read this book on Kindle

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

Web Applications (Hacking Exposed) [Paperback]

Joel Scambray , Mike Shema
4.6 out of 5 stars  See all reviews (12 customer reviews)

Available from these sellers.

Free Two-Day Shipping for College Students with Amazon Student

Shop the New Digital Design Bookstore
Check out the Digital Design Bookstore, a new hub for photographers, art directors, illustrators, web developers, and other creative individuals to find highly rated and highly relevant career resources. Shop books on web development and graphic design, or check out blog posts by authors and thought-leaders in the design industry. Shop now
There is a newer edition of this item:
In Stock.

Book Description

June 19, 2002 007222438X 978-0072224382 1
Get in-depth coverage of Web application platforms and their vulnerabilities, presented the same popular format as the international bestseller, Hacking Exposed. Covering hacking scenarios across different programming languages and depicting various types of attacks and countermeasures, this book offers you up-to-date and highly valuable insight into Web application security.

"Required reading for Web architects and operators." -- Erik Olson, Microsoft Program Manager, Security, ASP.NET

"Just as the original Hacking Exposed revealed the techniques the bad guys were hiding behind, Hacking Exposed Web Applications will do the same for this critical technology. Its methodical approach and appropriate detail will enlighten, educate, and go a long way toward making the Web a safer place in which to do business." -- from the Foreword by Mark Curphey, Chair of the Open Web Application Security Project

"This is a serious technical guide that is also great reading -- scary enough to motivate folks to take Web security seriously but approachable enough to be an effective learning tool. Required reading for Web architects and operators." -- Erik Olson, Program Manager, Security, ASP.NET

"What better way to defend against hackers than to understand the tools and techniques that are used to penetrate your site? Hacking Exposed Web Applications offers a detailed look at common vulnerabilities within your applications and explains how to protect yourself from them." -- Mike Mullins, Ecommerce Security Engineer for a leading specialty apparel retailer

"At last, your personal guide to preventing the next generation of security threats. This book explains in intricate detail how you can do everything right when it comes to network security and still be owned at the Web application layer." -- Chip Andrews,

"If you're involved in writing Web-based applications using ASP/ASP.NET, Java, JSP, PHP, or other languages, the Hacking Exposed series is something you DEFINITELY need to read. Before writing one line of code, this book will spark ideas about how to design and secure your Web applications. There are techniques potential hackers could use that I've never even thought of! Great resource!" -- Steve Schofield, Creator and Managing Editor,

Customers Who Viewed This Item Also Viewed

Editorial Reviews

From the Back Cover

"This book goes a long way in making the Web a safer place to do business." -- Mark Curphey, Chair of the Open Web Application Security Project

Unleash the hackers' arsenal to secure your Web applications

In today's world of pervasive Internet connectivity and rapidly evolving Web technology, online security is as critical as it is challenging. With the enhanced availability of information and services online and Web-based attacks and break-ins on the rise, security risks are at an all time high. Hacking Exposed Web Applications shows you, step-by-step, how to defend against the latest Web-based attacks by understanding the hacker's devious methods and thought processes. Discover how intruders gather information, acquire targets, identify weak spots, gain control, and cover their tracks. You'll get in-depth coverage of real-world hacks--both simple and sophisticated--and detailed countermeasures to protect against them.

What you'll learn:

  • The proven Hacking Exposed methodology to locate, exploit, and patch vulnerable platforms and applications
  • How attackers identify potential weaknesses in Web application components
  • What devastating vulnerabilities exist within Web server platforms such as Apache, Microsoft's Internet Information Server (IIS), Netscape Enterprise Server, J2EE, ASP.NET, and more
  • How to survey Web applications for potential vulnerabilities --including checking directory structures, helper files, Java classes and applets, HTML comments, forms, and query strings
  • Attack methods against authentication and session management features such as cookies, hidden tags, and session identifiers
  • Most common input validation attacks--crafted input, command execution characters, and buffer overflows
  • Countermeasures for SQL injection attacks such as robust error handling, custom stored procedures, and proper database configuration
  • XML Web services vulnerabilities and best practices
  • Tools and techniques used to hack Web clients--including cross-site scripting, active content attacks and cookie manipulation
  • Valuable checklists and tips on hardening Web applications and clients based on the authors' consulting experiences

About the Author

Joel Scambray (Lafayette, CA) is a Manager in the Information Systems Audit and Advisory Services practice of Ernst & Young. Joel has over five years experience working with a variety of computer and communications technologies from both an operational and strategic standpoint--ranging from Director of IS for a major commercial real estate firm to Technology Analyst for Info World Magazine.

Product Details

  • Series: Hacking Exposed
  • Paperback: 386 pages
  • Publisher: McGraw-Hill Osborne Media; 1 edition (June 19, 2002)
  • Language: English
  • ISBN-10: 007222438X
  • ISBN-13: 978-0072224382
  • Product Dimensions: 9.2 x 7.4 x 1.1 inches
  • Shipping Weight: 1.8 pounds
  • Average Customer Review: 4.6 out of 5 stars  See all reviews (12 customer reviews)
  • Amazon Best Sellers Rank: #2,933,060 in Books (See Top 100 in Books)

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews
12 of 13 people found the following review helpful
5.0 out of 5 stars The best web hacking book today September 7, 2003
By phil
I just finished reading Hacking Exposed Web Apps and was coming back to Amazon to fwd the recommendation to a friend who is a CSO at a Fortune 500 firm when I stumbled upon the review from hermie. I have to say that I disagree completely with hermie's assessment, and felt compelled enough to say so in print! First of all, the book does cover a number of web platforms besides IIS -- it's the only one I've seen that talks about web services in any detail (SOAP, UDDI, XML, etc.), and it also devotes entire chapters to both web app management and web client hacking as well (very salient but often overlooked topics in other books). Main author Scambray may be a Windows security expert, but the non-Windows expertise is very visible in the appendix on libwhisker and the chapters on surveying the app, attacking session state, and input validation, etc. This also calls into question the criticisms by hermie of the specific detail versus the depiction of broad concepts -- if you are after ancient security concepts, then you plainly shouldn't be reading the Hacking Exposed series! That's the point of each book in the series -- use fresh, relevant technical details on how to hack to illustrate cutting-edge *concepts* in computer and Internet security. I think hermie really missed the boat here. Finally, the straw that broke the camels back for me was the comparison to "Web Hacking" by McClure. McClure is an executive now running his own start-up, and the knock that I've heard on this book is that it is really non-technical and out-of-date in sections. McClure brought in strong contributors to drive the details, but apparently couldn't glue the right pieces together to make this book competitive. I have a borrowed copy on my shelf, but frankly could not get past the first three or so chapters. Sigh -- I guess that's the breaks when anyone can post their thoughts here in the review section :)
Comment | 
Was this review helpful to you?
16 of 19 people found the following review helpful
3.0 out of 5 stars A decent introduction, but incomplete July 21, 2003
I must admit, I was disappointed with Hacking Exposed Web Applications (HE:WA, as another reviewer called it). Overall, I thought it was basically mediocre.
My main fault with the book was that it was incomplete; equal and fair coverage was not given where it should be. For example, Chapter 9 "Attacking Web Datastores" should have been called "Attacking Microsoft SQL Server." While some of the general techniques (i.e. SQL injection attacks) in Chapter 9 could have been applied to any SQL RDBMS, much of it was very specific to a Windows/IIS/ASP/MSSQL setup. This doesn't help me much to write my bread-and-butter Unix/Apache/Perl/PostgreSQL or even
Java/Oracle apps any better.
It seems like the authors wrote their book to be "Hacking IIS Web Applications Exposed" and at the last minute decided to throw in some Apache and Unix here and there, with a sprinkling of Cold Fusion and Netscape Enterprise, to market the book more broadly. If they had just stuck within their expertise (Joel Scambray wrote for Microsoft TechNet's ironically-titled "Ask Us About... Security" column and wrote "Hacking Windows 2000 Exposed") and produced their original book, I think they'd of come up with a better product.
Another problem I have with HE:WA (and the whole HE series) is that they spend too much time on specific attacks and not enough time on the broader security concepts. For example, how useful is the first HE book today? How useful with HE:WA be in three years? I still recommend "Computer Security Basics" to anybody beginning in the security arena, and that book was published over a dozen years ago. CSB remains in print today because it teaches sound pragmatic security <i>concepts</i> that remain relevant today.
Read more ›
Comment | 
Was this review helpful to you?
8 of 9 people found the following review helpful
5.0 out of 5 stars Yet Another Excellent Hacking Exposed book November 24, 2002
There is an unofficial time cycle called an ohnosecond, which is the amount of time between when you realize you left your keys in the car, and when the car door locks. While its frustrating paying the locksmith $100.00 to open the car door, it is also exasperating to the person paying the $100.00 that a good locksmith can open the car door in under a minute.
While a car door is a entrance to one's automobile, web servers are portals to corporate intranets, e-commerce offerings, and much more. And while a locksmith or thief can open a car door in a minute, so too can adversaries often penetrate corporate web servers with similar ease.
For those that don't accept the comparison, reading Hacking Exposed Web Applications will clearly open one's eyes. Forgetting for a minute the myriad vulnerabilities that effect many software products (including Windows, Apache, ColdFusion, and more), both books show how poorly written software, and misconfigured web servers make the penetration of web servers child's play.
The book provides step-by-step instructions in a easy to read style for hardening web servers against attack. For those that have read previous and are comfortable with books in the Hacking Exposed serious, Hacking Exposed Web Applications uses the same easy to read and well organized style.
The book has a lot of value even for those who are not so security conscious. For those with an interest in security, one's eyes will be open to the myriad places where vulnerabilities lie, from software, to scripts, mark-up files, and more. Anyone concerned with web server security should definitely read this title, or at least ensure their system administrators do. If not, think of your web servers as being Gone in 60 Seconds.
Comment | 
Was this review helpful to you?
Most Recent Customer Reviews
4.0 out of 5 stars Pretty good info, especially for IIS programmers
I program using a Microsoft platform (Classic ASP,, MSSQL Server). Since this book primarily focuses on IIS vulnerabilities (versus Unix), the book's lessons were very... Read more
Published 14 months ago by Thomas W Parsley
5.0 out of 5 stars Hacking exposed: excellent books
This is a general comment regarding Hacking Exposed series. I owned Hacking Exposed (first edition) and then I moved to the more specific Hacking Exposed books, so now I've got... Read more
Published on October 9, 2006 by Luis Carlos
4.0 out of 5 stars A must read, even in 2005/2006+
Covers XSS (Cross-Site Scripting), SQL Injection hacks, and a bunch more!

PROS: Doesn't get deep into code, but shows all the ways that people will peek and poke in your... Read more
Published on December 5, 2005 by Chris Charlton
5.0 out of 5 stars Excellent Addition to Hacking Exposed Series
Companies go to great lengths to segregate their internal networks from the rest of the world. They implement firewalls and DMZ's to protect their computer systems from the... Read more
Published on February 10, 2005 by sixmonkeyjungle
5.0 out of 5 stars A must have for developers serious about security
If you write web applications and are serious about their security, you need this book. The book gets you inside the mind of a hacker and shows you why simply having the latest... Read more
Published on March 28, 2003 by "eric17592"
4.0 out of 5 stars Good read for (beginner-mid-level) security professionals
You should read this book. If it teaches you nothing else, it'll teach you how much you're forgetting, how much you are missing and just don't think of. Read more
Published on March 1, 2003 by Rafal M. Los
5.0 out of 5 stars The book to buy if you have a web server on the Internet
"Hacking Exposed: Web Applications" (HE:WA) is an example of the direction the "Hacking Exposed" series should continue to take. Read more
Published on November 17, 2002 by Richard Bejtlich
5.0 out of 5 stars Unsettling but necessary
Like powerful medicine, the "Hacking Exposed" series of books are unsettling and unnerving, but ultimately required reading for anyone serious about Internet security. Read more
Published on August 27, 2002 by B. Pomeroy
5.0 out of 5 stars An Eye Opener
It's no good burying your head in the sand and pretending your web applications are not vulnerable to attack... particularly not since the publication of this book! Read more
Published on July 26, 2002 by "websiteowner"
Search Customer Reviews
Search these reviews only

Sell a Digital Version of This Book in the Kindle Store

If you are a publisher or author and hold the digital rights to a book, you can sell a digital version of it in our Kindle Store. Learn more


There are no discussions about this product yet.
Be the first to discuss this product with the community.
Start a new discussion
First post:
Prompts for sign-in

Look for Similar Items by Category