Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions (Paperback)

by Rich Cannings (Author), Himanshu Dwivedi (Author), Zane Lackey (Author), Jesse Burns (Technical Editor), Alex Stamos (Collaborator), Chris Clark (Collaborator)
Key Phrases: risk rating, common injection attacks, admin page, Hacking Exposed Web, Test Value, Cross-site Scripting
3.4 out of 5 stars (5 customer reviews)

List Price: $49.99
Price: $34.99
You Save: $15.00 (30%)

Editorial Reviews

Product Description

Lock down next-generation Web services

"This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites, and the authors give solid, practical advice on how to identify and mitigate these threats." --Max Kelly, CISSP, CIPP, CFCE, Senior Director of Security, Facebook

Protect your Web 2.0 architecture against the latest wave of cybercrime using expert tactics from Internet security professionals. Hacking Exposed Web 2.0 shows how hackers perform reconnaissance, choose their entry point, and attack Web 2.0-based services, and reveals detailed countermeasures and defense techniques. You'll learn how to avoid injection and buffer overflow attacks, fix browser and plug-in flaws, and secure AJAX, Flash, and XML-driven applications. Real-world case studies illustrate social networking site weaknesses, cross-site attack methods, migration vulnerabilities, and IE7 shortcomings.

  • Plug security holes in Web 2.0 implementations the proven Hacking Exposed way
  • Learn how hackers target and abuse vulnerable Web 2.0 applications, browsers, plug-ins, online databases, user inputs, and HTML forms
  • Prevent Web 2.0-based SQL, XPath, XQuery, LDAP, and command injection attacks
  • Circumvent XXE, directory traversal, and buffer overflow exploits
  • Learn XSS and Cross-Site Request Forgery methods attackers use to bypass browser security controls
  • Fix vulnerabilities in Outlook Express and Acrobat Reader add-ons
  • Use input validators and XML classes to reinforce ASP and .NET security
  • Eliminate unintentional exposures in ASP.NET AJAX (Atlas), Direct Web Remoting, Sajax, and GWT Web applications
  • Mitigate ActiveX security exposures using SiteLock, code signing, and secure controls
  • Find and fix Adobe Flash vulnerabilities and DNS rebinding attacks 



About the Author

Rich Cannings is a senior information security engineer at Google.

Himanshu Dwivedi is a founding partner of iSEC Partners, an information security organization, and the author of several security books.

Zane Lackey is a senior security consultant with iSEC Partners.


Product Details

  • Paperback: 258 pages
  • Publisher: McGraw-Hill Osborne Media; 1 edition (December 17, 2007)
  • Language: English
  • ISBN-10: 0071494618
  • ISBN-13: 978-0071494618
  • Product Dimensions: 8.9 x 7.3 x 0.7 inches
  • Shipping Weight: 1.1 pounds
  • Average Customer Review: 3.4 out of 5 stars (5 customer reviews)
  • Amazon.com Sales Rank: #449,614 in Books
  • Popular in this category: #51 in Books > Computers & Internet > Web Development > Web 2.0

Customer Reviews

5 Reviews
5 star: (1)
4 star: (1)
3 star: (2)
2 star: (1)
1 star: (0)

Average Customer Review
3.4 out of 5 stars (5 customer reviews)

Most Helpful Customer Reviews

 
8 of 9 people found the following review helpful:
2.0 out of 5 stars Shallow and weak, January 29, 2008
By Kornienko Mikhail (Nagoya, Japan)
I'm still in the middle of the book, and I definitely will skim thru all the remaining pages (just because I paid for it), but I wouldn't recommend the book to anyone looking for serious and in-depth study on web security - the book just doesn't offer that. What it does is a list of possible attack vectors and sometimes offers "solutions" which can help to fight with the attacks. However, the attacks descriptions are shallow, solutions are very short and non-extensive and many of them go as far as telling a user to install NoScript extension for Firefox (huh? Web 2.0 doesn't work with no JavaScript).

There are also quadrillions of links to a security-related site (won't list it here) which offers a toolbar to check your sites against the most common security problems. I don't have anything against links to useful tools of course, but THAT amount of links just makes this book look like an advertisement of the aforementioned site. Am not even talking about page space wasted to re-iterate "go to ...., install ...., click .... in order to test for ....." which usually take 0.5-1 pages. Users who read that sort of books can somehow figure out how to use a toolbar, I believe.

I'm not by any means a security expert, and this book did introduce me into the topic, but it didn't do anything beyond that. I still need to read some other book on the topic, and that book will probably contain the same info as the Hacking Web 2.0 Exposed (i.e. the very basic info on web exploits), so.. I actually just recommend to pass on this book at all, and look for something which covers the topic in greater depth.
4 of 4 people found the following review helpful:
3.0 out of 5 stars Disappointing sibling of the Hacking Exposed Series, February 25, 2008
By James Rogers "Russ Rogers" (Colorado Springs, CO)
Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions (Hacking Exposed)

The Hacking Exposed Web 2.0 book has proven to be a fairly huge disappointment for me. After some quality technical books in this series, the publisher has released what amounts to a sales tool for the author's software.

The front cover states "Web 2.0 Security Secrets and Solutions" but the inside of the book hasn't really lived up to that hype. Normally, when it comes to books by McGraw Hill with the Hacking Exposed title, I can expect a decent amount of technical detail on the topic at hand. With this book, it was a bit different. Now, before you think I'm blasting this book entirely, I want to make perfectly clear that there is valid information in this book, but in my opinion, it's pretty basic stuff. If you're a beginner in the world of web hacking, then this book might be worthwhile. However, if you've done much web hacking at all, I think you'll be discouraged at the basic nature of the information included.

The sales pitch starts right in Chapter 1 as the iSec Partners push their Security QA toolbar for web assessments. If you visit their website, they have two separate sections that contain potential software you can download and use. The Products section will allow you to download the trial version of this toolbar, but you have to talk to a sales person to get pricing on the software. But a good deal of the content they discuss in the book is based on this tool.

Now, with that said, there are good points for the book as well. For example, McGraw-Hill sticks to the tried and true format formula that provides readers with an overall Risk Rating for each topic, which is based on the popularity, simplicity, and impact of each vulnerability. Some of the topics in the book do have a better amount of detail on the vulnerability than others. They do a decent job of covering the basic security models in play when a web browser is loaded, even including information on the Flash security models.

All in all, this book isn't awful, but it's certainly not going to give you a lot of information that you couldn't already get online. Because the book is so thin, the actual desk reference value of this book is a bit thin as well. You would do better to purchase a more comprehensive book that you can use as a desk reference later, as you work through your various projects.
1 of 1 people found the following review helpful:
5.0 out of 5 stars Great Book. Focused, Concise, and To the Point, May 7, 2008
The book is a practical guide where every topic is covered completely and succinctly. It does not waste your time with fluff and focuses on cutting edge issues related to Web 2.0 security. This book is not meant to be the end-all for web security. As the title states, it is focused on Web 2.0. If you are an experienced security professional and are looking for a book which will get you up to speed on Web 2.0 security, this is the book for you.
Most Recent Customer Reviews

3.0 out of 5 stars Reliance on author's tool detracts from book's potential
Thanks to McGraw-Hill for my review copy.

Based on my review criteria this book should have easily been a 4 or 5 star book, but I gave it 3 stars for its major flaw...
Published 16 months ago by Chris Gates

4.0 out of 5 stars Good Info, some weak points
Hacking Exposed Web 2.0 is comparable to many of their series, Great information on getting started securing your box, but not without its drawbacks.
Published 17 months ago by Producer Tom
