McGraw-Hill Osborne Hacking Exposed Web Applications


Document information

[...]... (Appendix D); and a brief word about the companion Web site to this book, www.webhackingexposed.com (Appendix E).

Preface

Chapters: The Web Hacking Exposed Methodology

Chapters make up each part, and the chapters in this book follow a definite plan of attack. That plan is the methodology of the malicious hacker, adapted from Hacking Exposed:

  • Profiling
  • Web server hacking
  • Surveying the application
  • Attacking...

... attacking Web applications. Airlines have been duped into selling transatlantic tickets for a few dollars, online vendors have exposed millions of customers’ valid credit card details, and hospitals have revealed patients' records, to name but a few. A Web application attack can stop a business in its tracks with one click of the mouse.

Just as the original Hacking Exposed...

... address is: http://www.webhackingexposed.com. It also provides a forum to talk directly with the authors via e-mail: joel@webhackingexposed.com, mike@webhackingexposed.com. We hope that you return to the site frequently as you read through these chapters to view any updated materials, gain easy access to the tools that we mentioned, and otherwise keep up with the ever-changing face of Web security. Otherwise,...

... most rudimentary Web site, you know this is a daunting task. Faced with the security limitations of existing protocols like HTTP, as well as the ever-accelerating onslaught of new technologies like WebDAV and XML Web Services, the act of designing and implementing a secure Web application can present a challenge of Gordian complexity.

Meeting the Web App Security...
Figure 1-1. The end-to-end components of a typical Web application architecture

A Brief Word about HTML

Although HTML is becoming a much less critical component of Web applications as we write this, it just wouldn’t seem appropriate to omit mention of it completely since it was so critical to the early evolution of the Web. We’ll give a very brief overview of the language...

  • ... a Web Service?
  • Transport: SOAP over HTTP(S)
  • WSDL
  • Directory Services: UDDI and DISCO
  • Sample Web Services Hacks
  • Basics of Web Service Security
  • Similarities to Web Application Security
  • Web Services Security Measures
  • Summary
  • References and Further Reading
  • 11 Hacking Web...

... developments may jeopardize your applications before you can defend yourself against them.

A FINAL WORD TO OUR READERS

There are a lot of late nights and worn-out mouse pads that went into this book, and we sincerely hope that all of our research and writing translates to tremendous time savings for those of you responsible for securing Web applications. We think you’ve...

... hiding behind, I am confident Hacking Exposed Web Applications will do the same for this critical technology. Its methodical approach and appropriate detail will both enlighten and educate and should go a long way to make the Web a safer place in which to do business.

—Mark Curphey, Chair of the Open Web Application Security Project (http://www.owasp.org), moderator of the “webappsec” mailing list at securityfocus.com,...

  • 12 Web Client Hacking
  • The Problem of Client-Side Security
  • Attack Methodologies
  • Active Content Attacks
  • Java and JavaScript
  • ActiveX
  • Cross-Site...
... orchestrate a carefully calculated fusillade of attempts to gain unauthorized access to Web applications.

III: Appendixes

A collection of references, including a Web application security checklist (Appendix A); a cribsheet of Web hacking tools and techniques (Appendix B); a tutorial and sample scripts describing the use of the HTTP-hacking tool libwhisker (Appendix C); step-by-step instructions on how to deploy...

Date posted: 10/04/2014, 10:31


Table of contents

  • Hacking Exposed Web Applications

    • Cover

    • CONTENTS

    • Foreword

    • Acknowledgements

    • Preface

    • Part I Reconnaissance

      • 1 Introduction to Web Applications and Security

        • The Web Application Architecture

          • A Brief Word about HTML

          • Transport: HTTP

          • The Web Client

          • The Web Server

          • The Web Application

          • The Database

          • Complications and Intermediaries

          • The New Model: Web Services

          • Potential Weak Spots

          • The Methodology of Web Hacking

            • Profile the Infrastructure

            • Attack Web Servers

            • Survey the Application

            • Attack the Authentication Mechanism

            • Attack the Authorization Schemes

            • Perform a Functional Analysis
