This book provides comprehensive coverage of Web application security issues.
"This book goes a long way in making the Web a safer place to do business." Mark Curphey, Chair of the Open Web Application Security Project
Unleash the hackers' arsenal to secure your Web applications
In today's world of pervasive Internet connectivity and rapidly evolving Web technology, online security is as critical as it is challenging. With the enhanced availability of information and services online and Web-based attacks and break-ins on the rise, security risks are at an all time high. Hacking Exposed Web Applications shows you, step-by-step, how to defend against the latest Web-based attacks by understanding the hacker's devious methods and thought processes. Discover how intruders gather information, acquire targets, identify weak spots, gain control, and cover their tracks. You'll get in-depth coverage of real-world hacks both simple and sophisticated and detailed countermeasures to protect against them.
What you'll learn:
Forget the delightful charms of secure coding, if you are a web designer or administrator and Hacking Web Applications is not in your library, it is just a matter of time before your website will regret it.
Understanding secure coding and knowing what it really means and what the consequences of any mistakes are provides more than enough motivation to get it right the first time.
Hacking Web Applications builds on a great series and designers and administrators owe it to us, the users to use this book to steel their web applications and protect against security exploits.
This book is one step in the tight direction to securing web applications
My main fault with the book was that it was incomplete; equal and fair coverage was not given where it should be. For example, Chapter 9 "Attacking Web Datastores" should have been called "Attacking Microsoft SQL Server." While some of the general techniques (i.e. SQL injection attacks) in Chapter 9 could have been applied to any SQL RDBMS, much of it was very specific to a Windows/IIS/ASP/MSSQL setup. This doesn't help me much to write my bread-and-butter Unix/Apache/Perl/PostgreSQL or even
Java/Oracle apps any better.
It seems like the authors wrote their book to be "Hacking IIS Web Applications Exposed" and at the last minute decided to throw in some Apache and Unix here and there, with a sprinkling of Cold Fusion and Netscape Enterprise, to market the book more broadly. If they had just stuck within their expertise (Joel Scambray wrote for Microsoft TechNet's ironically-titled "Ask Us About... Security" column and wrote "Hacking Windows 2000 Exposed") and produced their original book, I think they'd of come up with a better product.
Another problem I have with HE:WA (and the whole HE series) is that they spend too much time on specific attacks and not enough time on the broader security concepts. For example, how useful is the first HE book today? How useful with HE:WA be in three years? I still recommend "Computer Security Basics" to anybody beginning in the security arena, and that book was published over a dozen years ago. CSB remains in print today because it teaches sound pragmatic security <i>concepts</i> that remain relevant today.
I will say, however, that HE:WA does do a better job than some of the other HE books about reinforcing broad concepts (like Input Validation) across all platforms and languages. I still do not feel they teach pragmatic security for web app development though, and it's being pragmatic that will save you from tomorrow's attack. (You've got to distrust your OS, double-check whatever your webserver says, hate your database, and ALWAYS validate your input and you'll be immune to almost all vulnerabilities discussed in HE:WA ).
Despite all the problems I have mentioned, this remains an okay book for a novice web developer looking to learn security, especially those of the One-True-Microsoft-Way persuasion. If you're looking for an alternative, I'm half way through "Web Hacking: Attacks and Defense" (co-authored by Hacking Exposed lead author Stuart McClure) on Safari. I like it better than HE:WA so far, and it seems to be fairly comparable on the target audience and topics covered (and it actually covers them!) I would give it a 4/5 or a 5/5 based on what I've read.
In conclusion, if you can only by one book on Web Application security, don't get this one. Otherwise, it is at least worth a skim and a spot on the bookshelf.
While a car door is a entrance to one's automobile, web servers are portals to corporate intranets, e-commerce offerings, and much more. And while a locksmith or thief can open a car door in a minute, so too can adversaries often penetrate corporate web servers with similar ease.
For those that don't accept the comparison, reading Hacking Exposed Web Applications will clearly open one's eyes. Forgetting for a minute the myriad vulnerabilities that effect many software products (including Windows, Apache, ColdFusion, and more), both books show how poorly written software, and misconfigured web servers make the penetration of web servers child's play.
The book provides step-by-step instructions in a easy to read style for hardening web servers against attack. For those that have read previous and are comfortable with books in the Hacking Exposed serious, Hacking Exposed Web Applications uses the same easy to read and well organized style.
The book has a lot of value even for those who are not so security conscious. For those with an interest in security, one's eyes will be open to the myriad places where vulnerabilities lie, from software, to scripts, mark-up files, and more. Anyone concerned with web server security should definitely read this title, or at least ensure their system administrators do. If not, think of your web servers as being Gone in 60 Seconds.