
Web Hacking: Attacks and Defense



  • Sorry, this book is no longer in print (not for sale).



  • Keen analysis on how hackers infiltrate web commerce systems, including database servers and payment systems.
  • Case studies are a unique feature, effectively communicating to students what they need to know.
  • Complete methodologies show actual techniques and attacks and give the students a chance to learn by experiencing how the hacker actually works.


  • Copyright 2003
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 528
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-76176-9
  • ISBN-13: 978-0-201-76176-4

In the evolution of hacking, firewalls are a mere speed bump. Hacking continues to develop, becoming ever more sophisticated, adapting and growing in ingenuity as well as in the damage that results. Web attacks running over web ports strike with enormous impact. Stuart McClure's new book focuses on Web hacking, an area where organizations are particularly vulnerable. The material covers the web commerce "playground", describing web languages and protocols, web and database servers, and payment systems. The authors bring unparalleled insight to both well-known and lesser-known web vulnerabilities. They show the dangerous range of the many different attacks web hackers harbor in their bag of tricks, including buffer overflows, the most wicked of attacks, plus other advanced attacks. The book features complete methodologies, including techniques and attacks, countermeasures, tools, plus case studies and web attack scenarios showing how different attacks work and why they work.

Sample Content

Downloadable sample chapter: Chapter 10 (E-Shoplifting).

Table of Contents

(NOTE: Each chapter begins with an Introduction and concludes with a Summary.)



“We're Secure, We Have a Firewall”.

To Err Is Human.

Writing on the Wall.

Book Organization.



A Final Word.




Case Study: Acme Art, Inc. Hacked!

1. Web Languages: The Babylon of the 21st Century.

Languages of the Web.


Dynamic HTML (DHTML).






Active Server Pages.



2. Web and Database Servers.

Web Servers.


Microsoft's Internet Information Server (IIS).

Database Servers.

Microsoft SQL Server.


3. Shopping Carts and Payment Gateways.

Evolution of the Storefront.

Electronic Shopping.

Shopping Cart Systems.

Scope and Lifetime of an Electronic Shopping Cart.

Collecting, Analyzing, and Comparing Selected Components.

Keeping Track of the Total Cost.

Change of Mind.

Processing the Purchase.

Implementation of a Shopping Cart Application.

Product Catalog.

Session Management.

Database Interfacing.

Integration with the Payment Gateway.

Examples of Poorly Implemented Shopping Carts.

Carello Shopping Cart.

DCShop Shopping Cart.

Hassan Consulting's Shopping Cart.

Cart32 and Several Other Shopping Carts.

Processing Payments.

Finalizing the Order.

Method of Payment.

Verification and Fraud Protection.

Order Fulfillment and Receipt Generation.

Overview of the Payment Processing System.

Innovative Ways to Combat Credit Card Fraud.

Order Confirmation Page.

Payment Gateway Interface.

Transaction Database Interface.

Interfacing with a Payment Gateway—An Example.

Payment System Implementation Issues.


Temporary Information.


Storing User Profiles.

Vulnerabilities Caused by Poor Integration of Shopping Cart and Payment Gateway.

PayPal—Enabling Individuals to Accept Electronic Payments.

4. HTTP and HTTPS: The Hacking Protocols.

Protocols of the Web.



5. URL: The Web Hacker's Sword.

URL Structure.

Web Hacker Psychology.

URLs and Parameter Passing.

URL Encoding.


Specifying Special Characters on the URL String.

Meta-Characters and Input Validation.

Unicode Encoding.

The Acme Art, Inc. Hack.

Abusing URL Encoding.

Unicode Encoding and Code Red's Shell Code.

Unicode Vulnerability.

The Double-Decode or Superfluous Decode Vulnerability.

HTML Forms.

Anatomy of an HTML Form.

Input Elements.

Parameter Passing Via GET and POST.


Case Study: Reconnaissance Leaks Corporate Assets.

6. Web: Under (the) Cover.

The Components of a Web Application.

The Front-End Web Server.

The Web Application Execution Environment.

The Database Server.

Wiring the Components.

The Native Application Processing Environment.

Web Server APIs and Plug-Ins.

URL Mapping and Internal Proxying.

Proxying with a Back-End Application Server.


Connecting with the Database.

The Craftiest Hack of Them All.

Using Native Database APIs.


Using ODBC.

Using JDBC.

Specialized Web Application Servers.

Identifying Web Application Components from URLs.

The Basics of Technology Identification.


More Examples.

Advanced Techniques for Technology Identification.


Identifying Database Servers.


Rule 1: Minimize Information Leaked from the HTTP Header.

Rule 2: Prevent Error Information from Being Sent to the Browser.

7. Reading Between the Lines.

Information Leakage Through HTML.

What the Browsers Don't Show You.

Netscape Navigator—View | Page Source.

Internet Explorer—View | Source.

Clues to Look For.

HTML Comments.

Revision History.

Developer or Author Details.

Cross-References to Other Areas of the Web Application.

Reminders and Placeholders.

Comments Inserted by Web Application Servers.

Old “Commented-Out” Code.

Internal and External Hyperlinks.

E-mail Addresses and Usernames.

UBE, UCE, Junk Mail, and Spam.

Keywords and Meta Tags.

Hidden Fields.

Client-Side Scripts.

Automated Source Sifting Techniques.

Using wget.

Using grep.

Sam Spade, Black Widow, and Teleport Pro.

8. Site Linkage Analysis.

HTML and Site Linkage Analysis.

Site Linkage Analysis Methodology.

Step 1: Crawling the Web Site.

Crawling a Site Manually.

A Closer Look at the HTTP Response Header.

Some Popular Tools for Site Linkage Analysis.

Step-1 Wrap-Up.

Crawlers and Redirection.

Step 2: Creating Logical Groups Within the Application Structure.

Step-2 Wrap-Up.

Step 3: Analyzing Each Web Resource.

1. Extension Analysis.

2. URL Path Analysis.

3. Session Analysis.

4. Form Determination.

5. Applet and Object Identification.

6. Client-Side Script Evaluation.

7. Comment and E-Mail Address Analysis.

Step-3 Wrap-Up.

Step 4: Inventorying Web Resources.


Case Study: How Boris Met Anna's Need for Art Supplies.

9. Cyber Graffiti.

Defacing Acme Travel, Inc.'s Web Site.

Mapping the Target Network.

Throwing Proxy Servers in Reverse.

Brute Forcing HTTP Authentication.

Directory Browsing.

Uploading the Defaced Pages.

What Went Wrong?

HTTP Brute-Forcing Tools.


WebCracker 4.0.

Countermeasures Against the Acme Travel, Inc. Hack.

Turning Off Reverse Proxying.

Using Stronger HTTP Authentication Passwords.

Turning off Directory Browsing.

10. E-Shoplifting.

Building an Electronic Store.

The Store Front-End.

The Shopping Cart.

The Checkout Station.

The Database.

Putting It All Together.

Evolution of Electronic Storefronts.

Robbing Acme Fashions, Inc.

Setting Up Acme's Electronic Storefront.

Tracking Down the Problem.

Bypassing Client-Side Validation.

Using Search Engines to Look for Hidden Fields.

Overhauling www.acme-fashions.com.

Facing a New Problem with the Overhauled System.

Postmortem and Further Countermeasures.

Shopping Carts with Remote Command Execution.

11. Database Access.

Direct SQL Attacks.

A Used Car Dealership Is Hacked.

Input Validation.


12. Java: Remote Command Execution.

Java-Driven Technology.

Architecture of Java Application Servers.

Attacking a Java Web Server.

Identifying Loopholes in Java Application Servers.

Example: Online Stock Trading Portal.

Invoking FileServlet.


Harden the Java Web Server.

Other Conceptual Countermeasures.

13. Impersonation.

Session Hijacking: A Stolen Identity and a Broken Date.

March 5, 7:00 A.M.—Alice's Residence.

8:30 A.M.—Alice's Workplace.

10:00 A.M.—Bob's Office.

11:00 A.M.—Bob's Office.

12:30 P.M.—Alice's Office.

9:30 P.M.-Bertolini's Italian Cuisine.

Session Hijacking.

Postmortem of the Session Hijacking Attack.

Application State Diagrams.

HTTP and Session Tracking.

Stateless Versus Stateful Applications.

Cookies and Hidden Fields.

Cookie Control, Using Netscape on a Unix Platform.


Hidden Fields.

Implementing Session and State Tracking.

Session Identifiers Should Be Unique.

Session Identifiers Should Not Be “Guessable”.

Session Identifiers Should Be Independent.

Session Identifiers Should Be Mapped with Client-Side Connections.

14. Buffer Overflows: On-the-Fly.


Buffer Overflows.

Buffer Overflow: Its Simplest Form.

Buffer Overflow: An Example.

Postmortem Countermeasures.


Case Study.

15. Web Hacking: Automated Tools.



Brute Force.



Cookie Pal.

Teleport Pro.

Security Recommendations.

16. Worms.

Code Red Worm.

January 26, 2000.

June 18, 2001: The First Attack.

July 12, 2001.

July 19, 2001.

August 4, 2001.

Nimda Worm.

Combatting Worm Evolution.

React and Respond.

17. Beating the IDS.

IDS Basics.

Network IDSs.

Host-Based IDSs.

IDS Accuracy.

Getting Past an IDS.

Secure Hacking-Hacking Over SSL.


Tunneling Attacks via SSL.

Intrusion Detection via SSL.

Sniffing SSL Traffic.

Polymorphic URLs.

Hexadecimal Encoding.

Illegal Unicode/Superfluous Encoding.

Adding Fake Paths.

Inserting Slash-Dot-Slash Strings.

Using Nonstandard Path Separators.

Using Multiple Slashes.

Mixing Various Techniques.

Generating False Positives.

IDS Evasion in Vulnerability Checkers.

Potential Countermeasures.

SSL Decryption.

URL Decoding.

Appendix A: Web and Database Port Listing.

Appendix B: HTTP/1.1 and HTTP/1.0 Method and Field Definitions.

Appendix C: Remote Command Execution Cheat Sheet.

Appendix D: Source Code, File, and Directory Disclosure Cheat Sheet.

Appendix E: Resources and Links.

Appendix F: Web-Related Tools.

Index.


"We're Secure, We Have a Firewall"

If only we got a nickel every time we heard a client utter this pithy phrase. On second thought, that would be unfortunate, as we would probably not be writing this book; we'd be sipping Piña Coladas on some white sand beach by now...

For those skeptics among you, all warm and cozy next to your firewall, just remember this: over 65% of reported attacks occur over TCP port 80, the traditional web port (http://www.incidents.org). Is the web threat real? It's all too real.

To Err is Human

After performing hundreds of security reviews over the decades, the authors have known for some time what you are about to know (if you don't already): nothing can be truly secure. Error is at the heart of every security breach, and as the saying goes, to err is human. No level of firewall, intrusion detection system (IDS), or anti-virus software will make you secure. Surprised that this type of comment introduces a security book? Don't be. It is the harsh reality that must be accepted before the race to security can be started.

So what should we do: just throw up our hands, turn the power off to our computers, and revert 30 years, forgetting that the Internet or the modem or the computer ever happened? Sure, you can do that, but you would be alone in your efforts. The Internet and all it has to offer is undeniable: increased communication, increased information sharing, connecting with people of all races, creeds, colors, sexes, and intelligence without boundaries or limits. And that's just the home user's benefits. Businesses use the Internet 24 hours a day, 7 days a week, making revenue and transmitting funds around the world in the blink of an eye. Anyone who denies the ubiquity and staying power of the Internet is just kidding themselves.

Writing on the Wall

Over three years ago, one of the authors wrote a foreboding article that was indicative of things to come. The column was printed on August 9, 1999 and was titled "Bane of e-commerce: We're secure: We allow only Web traffic through our firewall" (http://www.infoworld.com/articles/op/xml/99/08/09/990809opsecwatch.xml). The writing was on the security wall at that time, but no one wanted to believe it, much less talk about it. They were too caught up in either hyped technologies such as firewalls, IDS, and virtual private networks (VPN), or peripheral technologies that never hit the mainstream, such as Public Key Infrastructure (PKI), Distributed Computing Environment (DCE), and single sign-on.

So why the tremendous interest in the Web and its security now? Because hacking events are frequent in today's connected world, and people are beginning to understand how a single vulnerability in a web application can expose an entire company's crown jewels to an attacker, as the Code Red and Nimda worms showed.

Book Organization

This book has been organized into four sections:

  • E-Commerce Playground
  • URLs Unraveled
  • How do they do it?
  • Advanced Web Kung Fu

The content in each section gets progressively more advanced in its content and delivery, going from a brief introduction to web languages (Chapter 1) to finding and exploiting your own buffer overflows (Chapter 14). But don't let the pace derail your learning. If you missed something, you can probably pick it up as you go along.

The first two sections are designed to give the reader a preliminary and then a more intermediate introduction to the world of the web. In "E-Commerce Playground" we show you how the web works: its languages, applications, databases, protocols, and syntax. In "URLs Unraveled", we delve into the meaning of the URL, what is important to an attacker, and how visible code can be helpful to an attacker, and we show you how mapping web sites can be critical to an attacker's repertoire.

In the third section, "How do they do it?", we demystify the art of web hacking, how it is pulled off, and how simple steps at development time can eliminate a significant portion of the threat. This section is by far the meatiest of the sections in terms of information and often provides the greatest clues as to how hackers do what they do. Each chapter provides both a detailed analysis of the hack and a countermeasure section at the end that helps prevent the hack.

In the fourth section, "Advanced Web Kung Fu," we discuss some advanced web hacking concepts, methodologies, and tools that simply cannot be missed.

Finally, at the end of the book you will find appendices that include a listing of common web ports on the Internet and cheat sheets for remote command execution and source code disclosure techniques, among other additions.
