Law Technology News
ALM Properties, Inc.

Book Review: 'Hacking Web Apps'

12-11-2012


Hacking has quickly matured into a market of its own, and it has never been easier to launch an attack with devastating consequences. This is reflected in the number of books and articles published every day on computer and network security. Every time you access a website that lets you accomplish specific tasks, from online banking to shopping, you risk being attacked and having all your personal information hijacked.

Syngress has just released Hacking Web Apps, which focuses on eight groups of security weaknesses and vulnerabilities most commonly exploited by hackers and, more importantly, explains how to guard against such attacks. Author Mike Shema, a web application security developer at Qualys Inc., presents in each chapter examples of different hacks against web applications and the appropriate countermeasures. Shema identifies vulnerabilities in the new HTML5 standard and cross-site scripting (XSS), and covers SQL injection attacks as well as data store manipulation.

Anyone who uses the web to check email, shop, or work can benefit from knowing how sensitive information may be compromised or how sites harbor malicious content. This book does a good job of balancing the technical nature of hacking with the basic principles behind them.

For example, attorneys constantly use databases to research and store sensitive information for their practice. So-called SQL injection is a common attack vector against databases: it injects malicious code into the programming strings that define and describe every way a user may manipulate data in the database.

Countermeasures are surprisingly simple for a database manager to put in place: staying current with patches; authenticating the user over SSL; validating all user-supplied data by matching it against what is expected, e.g., the type, length, format, and range of the data; and normalizing the data to a baseline character set and rejecting incomplete or unexpected data instead of trying to clean it up. The simplicity of both the attack and the countermeasures has made this type of attack the "playground" of the hacking community.
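To make the validate-and-reject countermeasure concrete, here is an added example (not from the book or this review) that puts a concatenated query next to a hardened one using Python's sqlite3 module; the in-memory "matters" table, its rows, and the client-name format are constructed assumptions for illustration.

```python
import re
import sqlite3
import unicodedata


def build_db():
    # Constructed in-memory table standing in for a firm's research database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO matters (client, notes) VALUES (?, ?)",
        [("Acme Corp", "public filing"), ("Beta LLC", "privileged memo")],
    )
    return conn


def lookup_vulnerable(conn, client):
    # Concatenation makes the user's text part of the SQL statement itself,
    # so a quote in the input changes what the query means.
    sql = "SELECT client, notes FROM matters WHERE client = '" + client + "'"
    return conn.execute(sql).fetchall()


# Expected format for a client name (assumption): letters, digits, spaces,
# a few punctuation marks, 1 to 64 characters.
CLIENT_NAME = re.compile(r"[A-Za-z0-9 .,&'-]{1,64}")


def validate_client(client):
    # Check type, normalize to a baseline character set, then enforce
    # length, format and range; reject rather than "clean" bad input.
    if not isinstance(client, str):
        raise ValueError("client name must be text")
    normalized = unicodedata.normalize("NFKC", client).strip()
    if not CLIENT_NAME.fullmatch(normalized):
        raise ValueError("client name rejected: unexpected length or characters")
    return normalized


def is_accepted(client):
    try:
        validate_client(client)
        return True
    except ValueError:
        return False


def lookup_hardened(conn, client):
    # The validated value is bound as a parameter, so the database driver
    # never treats it as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT client, notes FROM matters WHERE client = ?",
        (validate_client(client),),
    ).fetchall()
```

Run against the sample table, the concatenated query returns every row when given a quote-bearing input, while the hardened path either rejects the input outright or returns only the exact match.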

As applications become more dependent on the browser for computing, hackers will become as focused on browser attacks as they are on website attacks.

After doing a quick read, I came away with a newfound appreciation for how easy it is for the bad guy to make our life miserable in the digital age.

:::BIBLIOGRAPHIC DATA:::

Shema, Mike. Hacking Web Apps: Detecting and Preventing Web Application Security Problems. Syngress, September 12, 2012. Paperback, 296 pp. ISBN 978-1-59749-951-4.