Foreword to Hacking Exposed: Web Applications (2nd edition)
by Jeremiah Grossman, March 2006
Founder and CTO of WhiteHat Security
Co-Founder of the Web Application Security Consortium (WASC)

"My brain is the key that sets my mind free." - Harry Houdini

Hacking a web application is like performing a magic trick. If you know the right techniques and practice, you could break into just about any online bank, credit union, stock trader, e-commerce store, or social networking website. Simply use a web browser as your magic wand, and as fast as you can say "Open sesame!" you're in. That's exactly what this book is all about: industry-leading web application experts revealing their best-kept web hacking secrets so people can begin defending themselves. The legendary magician Harry Houdini would be impressed with the techniques described in these pages.

The authors, like all web application security experts, look at websites differently than most people do. With seemingly magical abilities they can determine the operating system, programming language, web server version, and even the location of the vulnerabilities just by looking at a URL. Most experts will also admit that when they personally do business online, it's a painful and sometimes tempting experience. They're compelled by curiosity about what happens when you inject a few special characters into the browser's location bar. Could you dump the entire credit card database? And when a purchase confirmation email arrives, can we see other people's orders simply by changing numbers in the URL? "Yes" is the likely answer, since most websites can be compromised if you breathe on them too hard. Web application security is often so poor that experts occasionally find their hands covering the location bar for fear of discovering vulnerabilities in their personal web bank. It's true that even the experts bury their heads in the sand now and then. But the eyes of the criminals are wide open.
Gone are the good ol' days when we only had to worry about prankster hackers vandalizing homepages with leet speak and plastering offensive JPEGs where your logo used to be. Criminal hackers have taken over where the recreational breed left off. Every day they voraciously steal credit card numbers, passwords, birth dates, social security numbers, bank accounts, and anything else they can cash in on. The bad guys are willing, eager, and already blackmailing businesses at an alarming rate. And with hundreds of thousands of businesses in some way dependent on the Web, this is not an area of security we can afford to ignore. Have you sat down and seriously considered how much damage an intrusion would cause your operation in terms of downtime, fines, legal liability, loss of customer confidence, and brand damage?

The motivating factors of intruders have shifted over the years, but unsurprisingly one thing remains the same: the criminal mind takes the path of least resistance. Today this path is the website, or more specifically the web application, because 8 in 10 have serious vulnerabilities. This is so serious that any sensitive data you hold could be lost. Prominent industry reports also place web attacks and vulnerability disclosures at the top of the list. This means most, if not all, websites will be attacked. It's just a matter of when, who does it, and how long before the attacks succeed. If you happen to be one of the 80% of insecure websites, then you're simply playing a waiting game and your unlucky number will eventually come up. That's why websites claiming to take security seriously while citing only the use of SSL, network-layer firewalls, and spiffy certification stickers are unimpressive. Those are 20th century solutions and make little difference defending against popular 21st century attacks such as Cross-Site Scripting, SQL Injection, and Insufficient Authorization.
Clearly we need a more effective approach: diligent implementation of secure software development best practices, platform security standards, application vulnerability scanning, and web application firewalls. As the situation currently stands, we are a long way from a place where the security posture of most websites is a deterrent, or even a frustration, to malicious hackers. Fortunately for those who truly want security, those who don't want to be the next corporate victim or be listed in tomorrow's headline, this book holds the information you need.

The Hacking Exposed: Web Applications (2nd edition) authors are well-known and respected industry experts who've lived on the digital battlefield. They know what works from firsthand experience pen-testing hundreds of web applications over the last decade. Collectively they've researched hundreds (maybe thousands) of technical white papers, security books, articles, and vulnerability advisories. Each of them has published multiple works on security. They'll show you how to investigate a web application's internals from the outside in, how to spot and exploit its weak points, and most importantly, they'll describe the security measures that really make a difference. Joel, Mike and Caleb have done a remarkable job capturing and presenting technical material in an easy-to-understand and engaging format. One thing is for certain: after you are done reading this book, you'll never look at a website the same way again.
Copyright © 2003. All Rights Reserved.