Web Hacking: Attacks and Defense
by Aleksandar Stancin - for Help Net Security - Thursday, 22 August 2002.
Authors: Stuart McClure, Saumil Shah and Shreeraj Shah
Pages: 528
Publisher: Addison-Wesley
ISBN: 0-201-76176-9

Available for download is chapter 10 entitled "e-Shoplifting".


This review was written from the final manuscript of the book before its publication. That's why the cover image is somewhat different from what you get when you buy the now released book.

An interesting piece of information I found in the book is the claim that over 65% of reported system attacks occur over port 80. That's your average web port, if you weren't aware of it. No firewall will help you there, because the port has to stay open for traffic or the web server is useless, and a network IDS only sees what it can parse out of the HTTP stream (and nothing at all inside SSL). So one may assume that your first line of defense is to tighten your system and server, leaving the attacker as little room to manoeuvre as possible. In order to fight a possible intruder, you must learn as much as you can about how he works; once you have, you'll know how to defend yourself properly. That is exactly the purpose of this book: it gives you the knowledge you need to defend your server. It's not intended to increase the population of malicious hackers or script kiddies, but to acquaint you with all the bad things that can be done to your server, and how, so you don't get caught sleeping.

About the authors

Stuart McClure is President/CTO of Foundstone Inc., with over 12 years of experience in IT and security, and lead author of the best-selling security book "Hacking Exposed: Network Security Secrets and Solutions". Those facts alone go a long way towards guaranteeing that he knows what he's talking about here.

Co-authors Saumil Shah and Shreeraj Shah are also notable names in the world of IT security, so you might say that the three of them united their knowledge and skills for the benefit of all of us who have read, or will read, this book. So much for the esteemed authors, just in case you had any doubts about them.

We've interviewed two of the authors, Stuart McClure and Saumil Shah.

Inside the book

The book consists of four major parts, seventeen chapters plus the appendices, for maximum fun and reading enjoyment. The foreword is by William C. Boni, chief information security officer at Motorola. If the authors' names were not enough to convince you, a fact like this should prove that you're on the right track to the port 80 misuse extravaganza.

The book itself spreads over some 500+ pages of useful material, so let us move on to the content itself and verify how good it actually is. It's easy to pick up the wrong book these days, since there's a tidal wave of *hacking books (replace the wildcard with any topic you like) flooding the market. Good marketing does miracles, doesn't it?

Part one, aptly named 'The e-commerce playground', gives you a clue what you're in for here. What we have is a hands-on primer on e-commerce basics: web languages, database servers, payment systems and shopping carts (I can already tell you're very eager to get this book by now :)), HTTP and HTTP over SSL. It also touches on the world of the URL a bit, letting you enter the web hacking world through the back door. While an average web surfer looks at the URL as a way to find things and browse the vast ocean of information that is the WWW, you know that it can be used for other purposes, don't you?

Just as you've started deciphering the sometimes cryptic URLs, the second part of the book hits you so quickly that it goes almost unnoticed, dragging you deeper into the URL world and giving you insights into many wonderful things. Things you usually overlook, such as reading between the lines: information leakage through HTML, comments, hyperlinks and meta tags, identifying web components and databases from URLs, technology identification, analysing URLs to a microscopic extent, and so on. Scary stuff, as it shows what information your web server gives away to anyone, making a compromise easier. Excellent, especially if you're curious about what goes on behind a browser as it searches your web page for the small details, clues and hints that can be used against you. If you want to defend yourself properly, this part is a must read in order to look at your web site from the attacker's viewpoint.
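As an added example (not code from the book or from the review), here is a small Python reconnaissance pass over a constructed page, showing the kind of leakage this part of the book is about: HTML comments, meta tags, every URL the page references, and the server-side technology those URLs hint at. The extension-to-technology table and the "suspicious comment" patterns are rules of thumb assumed for the example, not an authoritative fingerprint database, and the sample page is made up.

```python
"""
Added example (not the book's or the review's own code): a reconnaissance
pass over a constructed HTML page, showing what an attacker can harvest
from markup and URLs alone.  Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Rule-of-thumb tables (assumptions for this example, not an authoritative
# fingerprint database): what a URL extension or path component suggests.
EXTENSION_HINTS = {
    ".asp": "Microsoft ASP (IIS)",
    ".aspx": "ASP.NET (IIS)",
    ".jsp": "Java Server Pages",
    ".php": "PHP",
    ".cfm": "ColdFusion",
    ".pl": "Perl CGI",
}
PATH_HINTS = {
    "/cgi-bin/": "CGI directory",
    "/servlet/": "Java servlet container",
}
# Comment contents worth a second look: developer leftovers, credentials,
# internal addresses.
SUSPICIOUS = re.compile(
    r"\b(todo|fixme|password|passwd|login|debug|internal)\b"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}\b",
    re.IGNORECASE,
)


class LeakParser(HTMLParser):
    """Collects comments, <meta name=...> tags and every URL the page refers to."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.meta = {}
        self.links = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and "name" in attrs:
            self.meta[attrs["name"].lower()] = attrs.get("content", "")
        elif tag in ("a", "form", "script", "img", "link", "frame", "iframe"):
            target = attrs.get("href") or attrs.get("action") or attrs.get("src")
            if target:
                self.links.append(target)


def technology_hints(urls, meta):
    """Map each guessed technology to the evidence (URLs or meta tags) for it."""
    hints = {}
    for u in urls:
        path = urlparse(u).path.lower()  # query string and fragment are ignored
        for ext, tech in EXTENSION_HINTS.items():
            if path.endswith(ext):
                hints.setdefault(tech, set()).add(u)
        for frag, tech in PATH_HINTS.items():
            if frag in path:
                hints.setdefault(tech, set()).add(u)
    if meta.get("generator"):
        hints.setdefault("Generator: " + meta["generator"], set()).add("<meta name=generator>")
    return {tech: sorted(evidence) for tech, evidence in hints.items()}


def analyse(html):
    """Run the parser over one page and return everything it gave away."""
    p = LeakParser()
    p.feed(html)
    p.close()
    return {
        "comments": p.comments,
        "suspicious_comments": [c for c in p.comments if SUSPICIOUS.search(c)],
        "meta": p.meta,
        "links": p.links,
        "technologies": technology_hints(p.links, p.meta),
    }


# Constructed sample page for this example (not a real site).
SAMPLE_PAGE = """<!-- constructed sample page -->
<html><head>
<meta name="generator" content="Microsoft FrontPage 4.0">
<meta name="author" content="webmaster">
<!-- TODO: remove test login form, backend is db1.internal (10.0.0.5) -->
<link rel="stylesheet" href="/styles/main.css">
</head><body>
<form action="/cgi-bin/login.pl" method="post">
<input name="user"><input name="pass" type="password">
</form>
<a href="/shop/cart.asp?id=42">Cart</a>
<a href="/orders/view.jsp?order=1001">Orders</a>
<script src="/js/common.js"></script>
</body></html>"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of your own front page and see how much of your stack an outsider can name before sending a single attack request. The countermeasures are the obvious ones: strip developer comments and generator tags before deployment, and don't let file extensions advertise the platform.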

Part three, well, 'How do they do it?' says it all. How's that for a well-picked name? I bet many of you will spot it and look there first, hoping to find some quick fix to indulge your craving for hacking knowledge. Well, don't expect to be led by the hand into the world of web hacking. If you want a script-kiddie style step-by-step tutorial, look elsewhere. Use of your brain is required here. It contains a lot of useful information, hints, tips and tricks, and of course countermeasures that can be taken against the various misdoings. What you'll find in this part of the book, to name a few appetizers, are things such as web defacements, database access, remote command execution, social engineering in the form of impersonation, buffer overflows and similar. Sounds nice, doesn't it? I knew you'd like it.

The fourth part of the book, appropriately named 'Web Kung Fu', is light reading after you're done with the first three, although it deals with some advanced concepts and the automated tools of the trade. Tools such as netcat, whisker and various brute-force attack tools are covered, as are various worms and, most importantly, a section named 'Beating the IDS', which needs no explanation, does it? As usual, countermeasures are there too, so be sure not to miss them.

You'll also find six useful appendices: web and database listening ports, HTTP 1.0/1.1 method and field definitions, remote execution and source code, a file and directory disclosure cheat sheet with commonly used commands and examples, and of course resources and web links.

So, what gives?

First of all, let me tell you that this is an excellent follow-up to the authors' previous bestseller, 'Hacking Exposed', and you'll definitely not end up disappointed if you decide to go out and buy it; more than that, I encourage you to get the book ASAP. What you have here is an essential collection of web hacking techniques and, most importantly, countermeasures against them, all in one book. Sort of an all-round guide to web hacking, with methods and techniques demystified, along with a reference guide to more resources. Familiar with the Tour de France? Well, this is the Tour de Web Hacking.

The book is easy to read and follow, giving less technically inclined readers the chance to understand it, as it explains the basics at an early stage. Intermediate users will love its attention to detail and the references.

With web hacking being so common and popular these days, a book like this cannot go unnoticed. If you're familiar with the threats, you'll know how to defend yourself and respond adequately, instead of relying on your firewall, .htaccess and SSL and fooling yourself into thinking you're safe. Nothing is safe; it can be made safer to some extent, but absolute security? No such thing. So, instead of being overly paranoid or feeling sorry for yourself, why not go and educate yourself on the subject? This book will help you figure out what needs to be protected, from whom, and most importantly, how.

I could go on singing its praises, but the simple fact is that this book is excellent reading material, for both curious readers and IT personnel facing the everyday challenges of running some sort of web service. Get it. Two or more thumbs up!
