Evaluating the [In]security of Web Applications

The web is a war zone! We cannot escape from it, we are not even soldiers and no one can assure our safety. Surprisingly, almost nobody seems to care: the only thing that matters is to have a presence in the web to communicate with partners and do business. Security issues have cascading effects within enterprises, with dramatic consequences to the dependability of the services they should provide, and it may irreversibly affect the company competitiveness, brand, partners and clients. To deal with this problem, this book is directed towards the evaluation of web application security mechanisms. It presents a field study to analyze and classify a large number of the most important web application vulnerabilities that are SQL Injection and XSS. This field study allowed the proposal of a methodology to inject realistic vulnerabilities in web applications. And this ability turns out to be a critical part of an attack injector for web applications that is also proposed. This tool can be used to evaluate security mechanisms, pointing out their weaknesses and ways of improvement. In the book, one of such security mechanism is also proposed: an IDS for (web application) databases.