Hack Proofing Your Web Applications: The Only Way to Stop a Hacker Is to Think Like One

by Syngress (Author)
3.0 out of 5 stars (3 customer reviews)

List Price: $49.95
Price: $49.95

Edition: e-document
Also available in:
  • Kindle Edition (Kindle Book): $39.96
  • Paperback (Illustrated): 21 used & new from $0.31


Editorial Reviews

Product Description
As a developer, the best possible way to focus on security is to begin to think like a hacker. Examine the methods that hackers use to break into and attack Web sites and use that knowledge to prevent attacks. You already test your code for functionality; one step further is to test it for security—attempt to break into it by finding some hole that you may have unintentionally left in.

About the Author
Julie Traxler is a Senior Software Tester for an Internet software company. During her career, Julie has worked for such organizations as DecisionOne, EXE Technologies, and TV Guide. She has held several positions including Project Manager, Business Analyst, and Technical Writer and has specialized in software systems analysis and design. During her tenure at several organizations, Julie has worked to provide a starting point for software quality assurance and has helped to build QA teams and implement testing processes and strategies. The testing plans she has developed include testing for functionality, usability, requirements, acceptance, release, regression, security, integrity, and performance.

Jeff Forristal is the Lead Security Developer for Neohapsis, a Chicago-based security solution/consulting firm. Apart from assisting in network security assessments and application security reviews (including source code review), Jeff is the driving force behind Security Alert Consensus, a joint security alert newsletter published on a weekly basis by Neohapsis, Network Computing, and the SANS Institute.

Kevin Ziese is a Computer Scientist at Cisco Systems, Inc. Prior to joining Cisco he was a Senior Scientist and Founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Prior to starting the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center. --This text refers to an out of print or unavailable edition of this title.


Product Details

  • Format: Adobe Reader (PDF)
  • Printable: Yes. This title is printable
  • Mac OS Compatible: OS 9.x or later
  • Windows Compatible: Yes
  • Handheld Compatible: Yes. Adobe Reader is available for PalmOS, Pocket PC, and Symbian OS.
  • Digital: 512 pages
  • Publisher: Syngress (May 15, 2001)
  • Average Customer Review: 3.0 out of 5 stars (3 customer reviews)
  • Amazon.com Sales Rank: #3,050,991 in Books
  • Popular in these categories:
    #55 in Books > eDocs > Formats > PDF (printable) > Computers & Internet > Security
    #70 in Books > eDocs > Subjects > Computers & Internet > Internet
    #75 in Books > eDocs > Formats > PDF (printable) > Computers & Internet > Web Design & Internet
  • Required Free Software: Adobe Reader


Customer Reviews

3 Reviews
5 star: (0)
4 star: (2)
3 star: (0)
2 star: (0)
1 star: (1)

Average Customer Review: 3.0 out of 5 stars (3 customer reviews)

Most Helpful Customer Reviews

 
6 of 8 people found the following review helpful:
1.0 out of 5 stars Hack Proofing Your Web Applications, April 6, 2002
I'm working on a presentation on Web Application Security, and I picked up this text as a reference. What a mistake! The text is vague, poorly formatted and rife with errors.

Just one example: p. 131 shows a sample CGI script for submitting comments to FreeBSD.org. First of all, the screenshot references a page that doesn't exist, tarnishing FreeBSD for no good reason. Secondly, the Perl CGI script doesn't set PATH, doesn't use taint, and doesn't check exit values. Third, the form uses a hidden field for the submit address -- making it a juicy spam tool since the user could simply replace "mcross@freebsd.org" with any address she chooses. And I could go on and on with just that one script.

Other gripes: p. 465, "SSL makes the man-in-the-middle attack fail". Wrong. ...

How about this: The authors refer to Perl as the "Practical Extraction and Reporting Language." (p. 151, p. 223) Are they trying to impress newbies?

SSL & PKI: only 20 pages of 565 are devoted to SSL & PKI, and those are mostly screen shots of Windows MMC.

I'm not picking nits here, just citing examples that particularly irk me while flipping through it. The author seems to have little to say about Securing Web Applications, so he rambles on with useless background and repeats himself often. This might be useful had it been edited down to 100 pages.

I recommend Garfinkel and Spafford's 'Web Security, Privacy & Commerce,' however Forristal does minimally discuss ASP, which Garfinkel and Spafford neglect. Also, Forristal has some interesting ideas for code review.

...

1 of 1 people found the following review helpful:
4.0 out of 5 stars Fragmented and a bit self-important, but still useful, July 25, 2003
By Frank Carver (Ipswich, Suffolk, United Kingdom)
This book aims to be a "one stop shop" covering all aspects of web application security, however your app is written: Java, CGI, Perl, PHP, ActiveX. To a large extent it succeeds, and in a surprisingly readable way. Each chapter covers one aspect of hacking or security, and ends with a summary, a "fast track" checklist, and a FAQ for the topics covered. The book is sold like software - you can register for a "1-year upgrade", to keep the content fresh.

Important topics include both detailed and general hints on how to read and spot security holes in code in different languages; and how to "think like a hacker", and use hacker tools to test your own security. Above all, the book emphasizes the need for creative thinking and to avoid producing code carelessly.

I know from experience that security is often ignored if it's seen as too hard to understand, plan or test. Don't be a victim of your own ignorance, read this book.

4 of 10 people found the following review helpful:
4.0 out of 5 stars Another surprisingly good security book from Syngress, October 17, 2001
I am a senior engineer for network security operations. Since I am not a developer, I was initially reluctant to read and review a book seemingly targeted towards programmers. From a non-developer, security professional standpoint, I believe "Hack Proofing Your Web Applications" (HPYWA) is an excellent book. Because HPYWA provides sufficient background, administrators will find it enlightening. Programmers should find it practical as well.

HPYWA is unique. One sees dozens of general networking and security texts, but few on securing applications. Since attackers are gravitating towards exploiting subtle application flaws, HPYWA's advice is timely and sorely needed. Talented authors (who should be credited chapter-by-chapter) explain security strategies for Visual Basic for Applications, CGI, Java, XML, ActiveX, and Cold Fusion. They tell how to avoid becoming a "code grinder" ("a developer who lacks creativity... bound by rules and primitive techniques"). They also discuss general exploit techniques, but not to the depth of a "Hacking Exposed" volume.

Crucially, throughout the book, the authors do not assume the reader is an expert in all technologies. They instead begin with solid introductions to languages and tools. These help non-programmers understand the issues, and give developers common foundations for code improvement.

I was particularly impressed by chapter 6, which explained how to conduct code audits and reverse engineering. Even without a great deal of programming background, I understood the author's explanations of format string vulnerabilities, cross-site scripting, and related problems. Chapter 7 was also excellent, as it showed how to disassemble Java byte code and alter it with a hex editor.

HPYWA is not perfect, however. Despite offering very strong coding advice, discussions of network-based security issues contained flaws. For example, the descriptions of denial of service on pages 13-14 and 285-286 are confused. On page 171, "SMTP" is not "Sendmail Transfer Protocol." Since I didn't read HPYWA to learn network security techniques, I didn't weigh these errors too heavily.

Developers will probably view HPYWA as a useful reminder of sound programming practices. They will also find the specific recommendations (avoid certain system calls, watch out for these formatting errors, etc.) practical and immediately applicable to their work. System administrators and security professionals will gain an understanding of the underlying weaknesses in the technologies they deploy and maintain. In short, HPYWA has a place on the bookshelves of both communities.[....]