Hacking Exposed Web Applications
HACKING EXPOSED
WEB APPLICATIONS
JOEL SCAMBRAY
MIKE SHEMA
McGraw-Hill/Osborne
New York Chicago San Francisco
Lisbon London Madrid Mexico City Milan
New Delhi San Juan Seoul Singapore Sydney Toronto
ABOUT THE AUTHORS
Joel Scambray
Joel Scambray is co-author of Hacking Exposed (http://www.hackingexposed.com), the international best-selling Internet security book that reached its third edition in October 2001. He is also lead author of Hacking Exposed Windows 2000, the definitive insider's analysis of Microsoft product security, released in September 2001 and now in its second foreign language translation. Joel's past publications have included his co-founding role as InfoWorld's Security Watch columnist, InfoWorld Test Center Analyst, and inaugural author of Microsoft's TechNet Ask Us About...Security forum.
Joel's writing draws primarily on his years of experience as an IT security consultant for clients ranging from members of the Fortune 50 to newly minted startups, where he has gained extensive, field-tested knowledge of numerous security technologies, and has designed and analyzed security architectures for a variety of applications and products. Joel's consulting experiences have also provided him a strong business and management background, as he has personally managed several multiyear, multinational projects; developed new lines of business accounting for substantial annual revenues; and sustained numerous information security enterprises of various sizes over the last five years. He also maintains his own test laboratory, where he continues to research the frontiers of information system security.
Joel speaks widely on information system security for organizations including The Computer Security Institute, ISSA, ISACA, private companies, and government agencies. He is currently Managing Principal with Foundstone Inc. (http://www.foundstone.com), and previously held positions at Ernst & Young, InfoWorld, and as Director of IT for a major commercial real estate firm. Joel's academic background includes advanced degrees from the University of California at Davis and Los Angeles (UCLA), and he is a Certified Information Systems Security Professional (CISSP).
—Joel Scambray can be reached at joel@webhackingexposed.com.
Mike Shema
Mike Shema is a Principal Consultant of Foundstone Inc. where he has performed dozens of Web application security reviews for clients including Fortune 100 companies, financial institutions, and large software development companies. He has field-tested methodologies against numerous Web application platforms, as well as developing support tools to automate many aspects of testing. His work has led to the discovery of vulnerabilities in commercial Web software. Mike has also written technical columns about Web server security for Security Focus and DevX. He has also applied his security experience as a co-author for The Anti-Hacker Toolkit. In his spare time, Mike is an avid role-playing gamer. He holds B.S. degrees in Electrical Engineering and French from Penn State University.
—Mike Shema can be reached at mike@webhackingexposed.com.
About the Contributing Authors
Yen-Ming Chen
Yen-Ming Chen (CISSP, MCSE) is a Principal Consultant at Foundstone, where he provides security consulting services to clients. Yen-Ming has more than four years' experience administering UNIX and Internet servers. He also has extensive knowledge in the areas of wireless networking, cryptography, intrusion detection, and survivability. His articles have been published in SysAdmin, UnixReview, and other technology-related magazines. Prior to joining Foundstone, Yen-Ming worked in the CyberSecurity Center in CMRI, CMU, where he worked on an agent-based intrusion detection system. He also participated actively in an open source project, "snort," which is a lightweight network intrusion detection system. Yen-Ming holds his B.S. in Mathematics from National Central University in Taiwan and his M.S. in Information Networking from Carnegie Mellon University. Yen-Ming is also a contributing author of Hacking Exposed, Third Edition.
David Wong
David is a computer security expert and is Principal Consultant at Foundstone. He has performed numerous security product reviews as well as network attack and penetration tests. David has previously held a software engineering position at a large telecommunications company where he developed software to perform reconnaissance and network monitoring. David is also a contributing author of Hacking Exposed Windows 2000 and Hacking Exposed, Third Edition.
McGraw-Hill/Osborne
2600 Tenth Street
Berkeley, California 94710
U.S.A.
To arrange bulk purchase discounts for sales promotions, premiums, or fund-raisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.
Hacking Exposed™ Web Applications
Copyright © 2002 by Joel Scambray and Mike Shema. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
1234567890 FGR FGR 0198765432
ISBN 0-07-222438-X
Publisher
Brandon A. Nordin
Vice President & Associate Publisher
Scott Rogers
Senior Acquisitions Editor
Jane Brownlow
Project Editor
Patty Mon
Acquisitions Coordinator
Emma Acker
Technical Editor
Yen-Ming Chen
Copy Editor
Claire Splan
Proofreader
Paul Tyler
Indexer
Valerie Perry
Computer Designers
Elizabeth Jang
Melinda Moore Lytle
Illustrators
Michael Mueller
Lyssa Wald
Series Design
Dick Schwartz
Peter F. Hancik
Cover Series Design
Dodie Shoemaker
This book was composed with Corel VENTURA™ Publisher.
Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.