Hacking Web Apps
Author: Mike Shema
Web security affects applications, servers and browsers. Successful attacks against web applications and sites mean bad news for their owners, developers and users. This book explains the ins and outs of eight types of security weaknesses and flaws most commonly exploited by attackers, and advises on how to fix them.
About the author
Mike Shema develops web application security solutions at Qualys. His current work is focused on an automated web assessment service, but his security background spans network penetration testing, wireless security, code review and web security.
Inside the book
The book rightfully starts with a comprehensive chapter on HTML5. As this latest version of the language on which the entire Web is built slowly becomes the de facto standard, it will simplify the life of web developers while also providing more guidance on security practices and stricter rules for HTML parsing. The author has done a good job of explaining the adopted changes and pointing out the security considerations web developers should think about in order to avoid implementation errors.
The topic of HTML injection and cross-site scripting (XSS) attacks is addressed next: how they are executed, why they are so prevalent and still so difficult to defeat, and what to do to protect your web resources and their visitors from them.
The third chapter deals with Cross-Site Request Forgery (CSRF) attacks, in which attackers take advantage of a user's already established, authenticated relationship with a site: because the browser attaches the session cookie to any request it sends to that site, a request triggered from an attacker's page lets them "impersonate" the user and execute fraudulent transactions, "steal" their clicks, and more.
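To make the mechanism and the standard countermeasure concrete, here is an added example (not code from the book or its author) in Python. It assumes a hypothetical in-memory `session` dict standing in for the server-side session that a cookie identifies, and a `form` dict standing in for the POST body. The vulnerable handler trusts the cookie alone, so a forged form submitted from the attacker's page succeeds; the hardened handler also requires a per-session synchronizer token that the attacker's origin cannot read.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a per-session token once and keep it server-side; the site embeds it in its own forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def transfer_vulnerable(session, form):
    """Only checks that the browser presented a valid session cookie: CSRF-able."""
    if session.get("user") is None:
        return (401, "not logged in")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))


def transfer_safe(session, form):
    """Same handler, but the submitted token must match the session's token.

    hmac.compare_digest avoids leaking the token through timing differences.
    """
    if session.get("user") is None:
        return (401, "not logged in")
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return (403, "CSRF token missing or invalid")
    return (200, "transferred %s to %s" % (form["amount"], form["to"]))


def demo():
    # Constructed session for a logged-in victim (hypothetical data, not from the book).
    session = {"user": "alice"}
    token = issue_csrf_token(session)

    # Legitimate form rendered by the site itself: carries the session's token.
    legit = {"to": "bob", "amount": "10", "csrf_token": token}
    # Forged form auto-submitted from an attacker's page: the cookie still rides
    # along, but the attacker cannot read the victim's token across origins, so
    # the request arrives without it or with a guess.
    forged = {"to": "mallory", "amount": "1000"}
    guessed = {"to": "mallory", "amount": "1000",
               "csrf_token": secrets.token_urlsafe(32)}

    return {
        "vulnerable_forged": transfer_vulnerable(session, forged)[0],
        "safe_legit": transfer_safe(session, legit)[0],
        "safe_forged": transfer_safe(session, forged)[0],
        "safe_guessed": transfer_safe(session, guessed)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The token only helps if it is bound to the session and checked on every state-changing request; a token that is merely present in the page but never compared server-side provides no protection.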
SQL injection and data store manipulation attacks are tackled in the fourth chapter. Even though the countermeasures against SQL injection are easy to apply, we still keep hearing about websites and databases being compromised by this type of attack. The author beautifully explains why that is still happening and what to do about it, making this a chapter that every web developer should know by heart.
The same can be said about the following chapter on attacks aimed at breaking authentication schemes (mainly password authentication): session token replay or reverse engineering, brute forcing, sniffing, and others. Here you can brush up on some of your cryptography knowledge, as well as learn about a number of alternative authentication and authorization frameworks such as OAuth 2.0 and OpenID.
The next two chapters deal with abuse of design deficiencies and logic flaws, and with application, system and network weaknesses and how they are usually exploited.
The final chapter addresses browser and privacy attacks, explaining how malware attacks browsers and how you can better protect your privacy and data online. The recommended countermeasures are a mix of configuration advice, guidance on browsing behavior, and recommendations of various online services and plugins; this last part could definitely be of use to every Internet user.
Throughout the book the author adds handy tips and "Epic Fail" stories that draw the reader's attention to potential mistakes and drive home the points that are best remembered.
I found this book to be a great source of information and very easy to read. The author explained the subject matter well, and stopped (perfectly) short of delving into the minute technical intricacies.
Given the effectiveness of the attacks addressed in the book, I should think that even seasoned web developers might want to consider taking a peek to see whether they have been ignoring some of the things in it.