Dominant Systems - Michigan Network Solutions Provider

Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed)
by Joel Scambray, Mike Shema, and Caleb Sima
Sales Rank: 158927
Discount: 37 %
List Price: $49.99
$31.49
At Amazon

  • Paperback: 520 pages
  • Publisher: McGraw-Hill Osborne Media; 2nd edition (June 5, 2006)
  • Language: English
  • ISBN-10: 0072262990
  • ISBN-13: 978-0072262995
  • Product Dimensions: 9.1 x 7.2 x 1.3 inches
  • Shipping Weight: 2 pounds

    Book Description


    Implement bulletproof e-business security the proven Hacking Exposed way

    Defend against the latest Web-based attacks by looking at your Web applications through the eyes of a malicious intruder. Fully revised and updated to cover the latest Web exploitation techniques, Hacking Exposed Web Applications, Second Edition shows you, step-by-step, how cyber-criminals target vulnerable sites, gain access, steal critical data, and execute devastating attacks. All of the cutting-edge threats and vulnerabilities are covered in full detail alongside real-world examples, case studies, and battle-tested countermeasures from the authors' experiences as gray hat security professionals.

    Back Cover Copy


    • Find out how hackers use infrastructure and application profiling to perform reconnaissance and enter vulnerable systems
    • Get details on exploits, evasion techniques, and countermeasures for the most popular Web platforms, including IIS, Apache, PHP, and ASP.NET
    • Learn the strengths and weaknesses of common Web authentication mechanisms, including password-based, multifactor, and single sign-on mechanisms like Passport
    • See how to excise the heart of any Web application's access controls through advanced session analysis, hijacking, and fixation techniques
    • Find and fix input validation flaws, including cross-site scripting (XSS), SQL injection, HTTP response splitting, encoding, and special character abuse
    • Get an in-depth presentation of the newest SQL injection techniques, including blind attacks, advanced exploitation through subqueries, Oracle exploits, and improved countermeasures
    • Learn about the latest XML Web Services hacks, Web management attacks, and DDoS attacks, including click fraud
    • Tour Firefox and IE exploits, as well as the newest socially-driven client attacks like phishing and adware


     

     

    Customer Reviews & Comments
    I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA. Before proceeding I should note I used to work with the two ex-Foundstone authors of HE:WA2E, although I haven't been afraid in the past to review books honestly.

    I read and reviewed the first edition of HE:WA about four years ago, and I rated that book five stars. Authors like Scambray and Shema exemplify the best aspects of the HE series: explaining technology, then showing how to exploit it. Frequently the first time security people hear about new applications is when they are being attacked. By digesting books in the core HE series, readers become familiar with the latest services, their flaws, and attacks against those technologies. HE:WA2E continues this tradition.

    I was pleased to see HE:WA2E is largely a thorough reworking of the first edition. (This has not always been the case with HE books, considering there are five editions.) In one case, however, this worked against the authors. Ch 8 (Attacking XML Web Services) references non-existent material in Ch 1. Ch 1 in HE:WA2E is completely different from Ch 1 in the first edition, which contains the referenced diagram. A positive aspect of the rewrite is the frequent reference to outside material, instead of repeating techniques and tools already published. Combined with the extensive chapter-ending references list, this makes for a book packed with value. Note that the second edition still offers 520 pp, vastly exceeding the 386 pp of the first.

    HE:WA2E is very consulting-oriented, which delivers some excellent real-world experience. For example, Ch 2 (Profiling) explains how to identify and deal with load balancers and web application firewalls. This seems to contrast with PPTFWA which says, for "IDS/IPS Systems," "[m]ake sure your client disables these." I thought HE:WA2E took a more realistic approach to this problem.

    HE:WA2E's major weakness is its coverage of Web Services. PPTFWA does a better job addressing this important area. In fact, HE:WA2E's Web Services coverage seems fairly similar to the first edition's material. PPTFWA also includes a larger variety of attacks and tools, albeit in a manner not as organized as HE:WA2E. Ch 12 of HE:WA2E would be conceptually stronger if so-called "threat trees" were called "attack trees," as originally developed by Bruce Schneier in 1999. Furthermore, the list of "threats" on pp 404-5 are mostly vulnerabilities. The figures of Ollydbg in Ch 12 are also too small.

    Despite these issues, I think HE:WA2E is the best general-purpose Web application security book available. I would definitely add it to your HE library. In other words, if you have HE:5E, you still need HE:WA2E. If you have the first edition of HE:WA, it's time for an update. After reading HE:WA2E, read PPTFWA. Perhaps both sets of authors could collaborate on a comprehensive Web app attack, defend, and test virtual machine, building on the one Andres Andreu built?


    Copyright © 2008, Dominant Systems Corporation
