front matter


preface

I still remember the first time I was exposed to the topic of web application security, although I did not realize the impact at that time. Back around 1997, I was creating web applications (or, rather, websites, back then), but hosting services were really expensive. For one of my projects, the only option I could afford was one where I was allowed to create just one page (!), and I had to use the hosting provider’s tooling for that—no custom HTML or CSS was possible. I had plenty of free space available on a free hosting service but could not use my own domain there; rather, I used something like http://home.someprovider.com/mysite.

One of the very few features available to me was to set the keywords of the page (back in the day, search engines actually parsed that information). If I was using “web application security, hacking,” for instance, this would be turned into the following HTML markup:

<meta name="keywords" content="web application security, hacking">

After some experimenting, I found that I could try the following “keyword”:

"><meta http-equiv="refresh" content="0; url=http://home.someprovider.com/mysite"><"

It turned out that the provider was putting this data verbatim into the <meta> tag, leading to this result (formatted for legibility, with my input in bold):

<meta name="keywords" content="">
<meta http-equiv="refresh" content="0; url=http://home.someprovider.com/mysite">
<"">
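An added example, not code from the book, showing why the provider's verbatim insertion was the defect: the same `<meta>` template rendered with and without HTML attribute escaping, using the keyword payload quoted above. The function names are assumed for the illustration.

```javascript
// Added example (not from the book): rendering the keywords <meta> tag
// with and without attribute escaping, using the payload from the preface.

// The "keyword" from the preface: it closes the content attribute,
// then smuggles in a second tag.
const PAYLOAD =
  '"><meta http-equiv="refresh" content="0; url=http://home.someprovider.com/mysite"><"';

// Vulnerable rendering (what the hosting provider effectively did):
// user input is concatenated verbatim into the attribute value.
function renderKeywordsUnsafe(keywords) {
  return `<meta name="keywords" content="${keywords}">`;
}

// Escape the characters that can terminate an attribute value or start a tag.
// '&' goes first so already-escaped output is not double-escaped incorrectly.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened rendering: identical template, escaped value.
function renderKeywordsSafe(keywords) {
  return `<meta name="keywords" content="${escapeAttr(keywords)}">`;
}

// Simple check usable in a test or log review: a fragment that should carry
// exactly one <meta> tag but carries more means the attribute was broken out of.
function countMetaTags(html) {
  return (html.match(/<meta\b/g) || []).length;
}

console.log(renderKeywordsUnsafe(PAYLOAD)); // two <meta> tags: injection succeeded
console.log(renderKeywordsSafe(PAYLOAD));   // one <meta> tag: payload is inert text
```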

acknowledgments

about this book

Who should read this book?

How this book is organized: a roadmap

About the code

liveBook discussion forum

about the author

about the cover illustration