Joel Scambray - Hacking Exposed Web Applications

Praise for Hacking Exposed Web Applications:
Web Application Security Secrets and Solutions, Third Edition

Whether you are a business leader attempting to understand the threat space for your business, or an engineer tasked with writing the code for those sites, or a security engineer attempting to identify and mitigate the threats to your applications, this book will be an invaluable weapon in your arsenal.

From the Foreword by Chris Peterson
Senior Director of Application Security, Zynga Game Network
Former Director of Security Assurance, Microsoft Corporation

I cut my teeth reading Joels work, and this book is no disappointment. People often ask where to find high-quality content that will help them gain a foothold in this daunting industry. This is the kind of desk reference every web application security practitioner needs. It will certainly hold a place of prominence in my personal library.

Robert RSnake Hansen
CEO SecTheory and founder of ha.ckers.org

An eye-opening resource for realizing the realities of todays web application security landscape, this book explores the latest vulnerabilities as well as exploitation techniques and tradecraft being deployed against those vulnerabilities. This book is a valuable read for both the aspiring engineer who is looking for the first foray into the world of web application security and the seasoned application-security, penetration-testing expert who wants to keep abreast of current techniques.

Chad Greene
Director, eBay Global Information Security

As our businesses push more of their information and commerce to their customers through web-applications, the confidentiality and integrity of these transactions is our fundamental, if not mandatory, responsibility. Hacking Exposed Web Applications provides a comprehensive blueprint for application developers and security professionals charged with living up to this responsibility. The authors research, insight, and 30+ years as information security experts, make this an invaluable resource in the application and information protection toolkit. Great Stuff!

Ken Swanson
CISM, IS Business Solution Manager, regionally based P&C insurance company

This book is so much more then the authoritative primer on web application security; its also an opportunity to accompany the foremost industry experts in an apprenticeship that even seasoned professionals will enjoy.

Andrew Stravitz, CISSP
Director of Information Security, Barnes & Noble.com

A very timely reference, as cloud computing continues to expand into the enterprise and web security emerges as the new battleground for attackers and defenders alike. This comprehensive text is the definitive starting point for understanding the contemporary landscape of threats and mitigations to web applications. Particularly notable for its extensive treatment of identity management, marking the first time that challenges around authentication have been surveyed in-depth and presented in such an accessible fashion.

Cem Paya
Google Security Team

THIRD EDITION

JOEL SCAMBRAY
VINCENT LIU
CALEB SIMA

Copyright 2011, by Joel Scambray. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher.

ISBN: 978-0-07-174042-5

MHID: 0-07-174042-2

The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-174064-7, MHID: 0-07-174064-3.

All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.

McGraw-Hill eBooks are available at special quantity discounts to use as premiums and sales promotions, or for use in corporate training programs. To contact a representative please e-mail us at bulksales@mcgraw-hill.com.

Information has been obtained by McGraw-Hill from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill, or others, McGraw-Hill does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.

TERMS OF USE

This is a copyrighted work and The McGraw-Hill Companies, Inc. (McGraw-Hill) and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hills prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms.

THE WORK IS PROVIDED AS IS. McGRAW-HILL AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting there from. McGraw-Hill has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise.

To Jane, thanks for getting Hacking Exposed off the ground and sustaining it for
so many years.
Joel

To Heather, for keeping me laughing and smiling through it all.
Vinnie

To my Mom and Dad (thanks for putting up with me), my brothers Jonathon, RJ,
and Andrew, and my sister Emily. Finally, to all the people of SPI who changed
my life and helped build a great company.
Caleb

Joel Scambray