Copyright
Foreword
Introduction
"We're Secure, We Have a Firewall"
Book Organization
A Final Word
Acknowledgments
Contributor
Part 1 The E-Commerce Playground
Chapter 1. Web Languages The Babylon of the 21st Century
Introduction
Languages of the Web
Java
Summary
Chapter 2. Web and Database Servers
Introduction
Web Servers
Database Servers
Summary
Chapter 3. Shopping Carts and Payment Gateways
Introduction
Evolution of the Storefront
Electronic Shopping
Shopping Cart Systems
Implementation of a Shopping Cart Application
Examples of Poorly Implemented Shopping Carts
Processing Payments
Overview of the Payment Processing System
Interfacing with a Payment Gateway—An Example
Payment System Implementation Issues
PayPal—Enabling Individuals to Accept Electronic Payments
Summary
Chapter 4. HTTP and HTTPS The Hacking Protocols
Introduction
Protocols of the Web
Summary
Chapter 5. URL The Web Hacker's Sword
Introduction
URL Structure
URLs and Parameter Passing
URL Encoding
Abusing URL Encoding
HTML Forms
Summary
Part 2 URLs Unraveled
Chapter 6. Web Under (the) Cover
Introduction
The Components of a Web Application
Wiring the Components
Connecting with the Database
Specialized Web Application Servers
Identifying Web Application Components from URLs
The Basics of Technology Identification
Advanced Techniques for Technology Identification
Identifying Database Servers
Countermeasures
Summary
Chapter 7. Reading Between the Lines
Introduction
Information Leakage Through HTML
What the Browsers Don't Show You
Clues to Look For
HTML Comments
Internal and External Hyperlinks
E-Mail Addresses and Usernames
Keywords and Meta Tags
Hidden Fields
Client-Side Scripts
Automated Source Sifting Techniques
Sam Spade, Black Widow, and Teleport Pro
Summary
Chapter 8. Site Linkage Analysis
Introduction
HTML and Site Linkage Analysis
Site Linkage Analysis Methodology
Step 1 Crawling the Web Site
Step 2 Creating Logical Groups Within the Application Structure
Step 3 Analyzing Each Web Resource
Step 4 Inventorying Web Resources
Summary
Part 3 How Do They Do It
Chapter 9. Cyber Graffiti
Introduction
Defacing Acme Travel, Inc.'s Web Site
What Went Wrong
HTTP Brute-Forcing Tools
Countermeasures Against the Acme Travel, Inc. Hack
Summary
Chapter 10. E-Shoplifting
Introduction
Building an Electronic Store
Evolution of Electronic Storefronts
Robbing Acme Fashions
Overhauling www.acme-fashions.com
Postmortem and Further Countermeasures
Summary
Chapter 11. Database Access
Introduction
A Used Car Dealership Is Hacked
Countermeasures
Summary
Chapter 12. Java Remote Command Execution
Introduction
Java-Driven Technology
Attacking a Java Web Server
Identifying Loopholes in Java Application Servers
Countermeasures
Summary
Chapter 13. Impersonation
Introduction
Session Hijacking A Stolen Identity and a Broken Date
Session Hijacking
Postmortem of the Session Hijacking Attack
Application State Diagrams
HTTP and Session Tracking
Stateless Versus Stateful Applications
Cookies and Hidden Fields
Implementing Session and State Tracking
Summary
Chapter 14. Buffer Overflows On-the-Fly
Introduction
Buffer Overflows
Postmortem Countermeasures
Summary
Part 4 Advanced Web Kung Fu
Chapter 15. Web Hacking Automated Tools
Introduction
Netcat
Whisker
Brutus
Achilles
Cookie Pal
Teleport Pro
Security Recommendations
Summary
Chapter 16. Worms
Introduction
Code Red Worm
Summary
Chapter 17. Beating the IDS
Introduction
IDS Basics
IDS Accuracy
Getting Past an IDS
Secure Hacking—Hacking Over SSL
Polymorphic URLs
Generating False Positives
Potential Countermeasures
Summary
Appendix A. Web and Database Port Listing
Appendix B. HTTP1.1 and HTTP1.0 Method and Field Definitions
Appendix C. Remote Command Execution Cheat Sheet
Appendix D. Source Code, File, and Directory Disclosure Cheat Sheet
Appendix E. Resources and Links
Appendix F. Web-Related Tools
meridia pills