Dafydd Stuttard and Marcus Pinto | Reviewed by Upesh Parekh, CISA
The use of the Internet has evolved a great deal in the last two decades. A few year ago, web sites were mere information repositories with the primary objective of disseminating information. In today’s world, the Internet and World Wide Web have become a hub of online commercial transactions. So much so that global e-commerce revenues are expected to reach US $963 billion by 2013.1
The importance of web applications cannot be underestimated in this growing e-world. Web applications are the genre of applications that are accessed via a web browser.
Web applications are very popular for many reasons, including the ease of reach and use. Almost all web users have at least one web browser installed on their computer. Users are familiar with navigation using a browser, which means that web application owners are saved from the trouble of distributing and installing the client interface of the software at the user’s end and also training the user. It is easy to develop a web application with the availability of a wide range of easy-to-use development tools.
However, web applications are not without weaknesses. There is a range of security vulnerabilities associated with the use of web applications. If these security vulnerabilities are not handled properly, it exposes the back-end servers and databases, resulting in further losses—financial and nonfinancial. Gartner has noted that almost 75 percent of attacks are tunneling through web applications.2 In turn, this means that security of web applications is as important, if not more so, as security of other components of a web solution, such as network security.
To secure web applications, the developers would have to visit the enemy’s camp.
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition, is a repository of tools and techniques to hack any web application. It allows the reader to step into the shoes of hackers and see the world through their eyes.
The book should be read by anyone with responsibility for ensuring the security of web applications. Because it is technical in nature, the book would be most beneficial to those who have hands-on experience working on security features of any web application. The book is domain-independent, thus the concepts can be extended to any domains that employ web applications for critical and sensitive functions.
This is the second edition of the book and, as such, it covers changes in technology and emerging vulnerabilities since the first edition. The second edition also facilitates trying out certain concepts.3 There are 21 chapters in the book with the bulk of it dedicated to explaining the tools and techniques of breaking any web application.
The security of web applications will remain important as long as e-commerce is around. With the changing times, new technologies introduce new vulnerabilities, but, ironically, existing vulnerabilities will be further exploited by perpetrators to enhance their gains. This book is a handy weapon in the armory of security consultants as they secure web applications.
1 De Lange, Jip; Alessandro Longoni; Adriana Screpnic; “Online Payments 2012—Moving Beyond the Web,” InnoPay, 20122 Verton, Dan; “Airline Web Sites Seen As Riddled With Security Holes,” Computerworld, 4 February 2002, www.computerworld.com/securitytopics/security/story/0,10801,67973,00.html3 The online labs are subscription-based.
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, email email@example.com or telephone +1.847.660.5650.
Reviewed by Upesh Parekh, CISA, a governance and risk professional with more than 10 years of experience in the fields of IT risk management and audit. He is based in Pune, India, and works for Barclays Technology Centre, India. He can be reached at firstname.lastname@example.org.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.