In This Chapter
Testing Web applications
Hacking with Google
Protecting against SQL injection and cross-site scripting
Preventing login weaknesses
Countering Web application abuse
Analyzing the source code
Web applications are common targets for attack because they're everywhere and often open for anyone to poke and prod. Basic Web sites used for marketing, contact information, document downloads, and so on are common targets for the bad guys to play around with (especially the script-kiddie types). However, for criminal hackers, Web sites that provide a front end to complex applications and databases that store valuable information, such as credit card and Social Security numbers, are especially attractive. This is where the money is, both literally and figuratively.
Why are Web sites and applications so vulnerable? The consensus is that they're vulnerable because of poor software development and testing practices. Sound familiar? It should; this same problem affects operating systems and practically all computer systems. It's the side effect of relying on software compilers to perform error checking, of waning user demand for higher-quality software, and of emphasizing time-to-market instead of security and stability.
This chapter presents Web site and application hacks to run on your systems. Given all the custom software configuration possibilities, you can test for literally thousands of Web vulnerabilities, but I focus on the ones I see most often ...