Hacking Web Applications - Hacking Exposed

For the past five years a silent but revolutionary shift in focus has been changing the information security industry and the hacking community alike. As people came to grips with technology and process to secure their networks and operating systems using firewalls, intrusion detection systems, and host-hardening techniques, the world started exposing its heart and soul on the Internet via a phenomenon called the World Wide Web. The Web makes access to customers and prospects easier than was ever imaginable before. Sun, Microsoft, and Oracle are betting their whole businesses on the Web being the primary platform for commerce in the 21st century. But it’s akin to a building industry that’s spent years developing sophisticated strong doors and locks, only to wake up one morning and realize that glass is see-through, fragile, and easily broken by the casual house burglar. As security companies and professionals have been busy helping organizations react to the network security concerns, little attention has been paid to applications at a time when they were the fastest and most widely adopted technology being deployed. When I started moderating the Web application security mailing list at www.securityfocus.com two years ago, I think it is safe to say people were confused about the security dangers on the Web. Much was being made about malicious mobile code and the dangers of Web-based trojans. These parlor tricks on users were really trivial compared to the havoc being created by hackers attacking Web applications. Airlines have been duped into selling transatlantic tickets for a few dollars, online vendors have exposed millions of customers’ valid credit card details, and hospitals have revealed patients records, to name but a few. A Web application attack can stop a business in its tracks with one click of the mouse