Cyberspace Samurai's Art of Hacking
By Duane Laflotte


Cyberspace Samurai's Art of Hacking - 'How Hackers Think'
( Page 2 of 4 )

"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." - Sun Tzu, The Art of War.

Take the immortal words of Sun Tzu: know yourself. Or, here, know your code. Do you know how your code will react to an attack? Do you know if your application or data is secure, or if there are huge security holes? If your application were under attack, would you even know it?

And what about "know the enemy"? Do you know how a hacker will attack your application? Do you know what early warning signs to look for, to detect when your applications are being hacked? Have you ever looked at your application as a hacker would, and thought about how you would attack it? As a professional hacker, in this article, I will guide you through the process hackers take to exploit applications and systems.

I'm often asked, "What should I worry about in my code that hackers could exploit?" This is easy enough to answer for risks we know about today, but it doesn't address the real problem. I can tell you about the most popular attack vectors for today's applications, but that will only help you today. To truly help you become more secure, I need to teach you what to look for. I want to enable you to do the analysis. This follows the old proverb, "Give a man a fish and he will be able to eat today; teach a man to fish and he will never go hungry." This is true for security and your applications — well, not the whole fishing part, but the teaching part. You get the idea.

Our Mark

Okay, enough proverbs — let's get down to it. For the purpose of this article, we focus on Web applications. Take any application you can find on the Web. It could be written in ASP.Net, PHP, JSP, ASP, etc. This article is to help free your mind (couldn't resist the reference) to look at your applications as a hacker would, no matter how the applications were written or what language they were written in.

Take any application on the Internet. Perhaps it's amazon.com, which allows users to log in, make purchases, and search for items to buy. Maybe we are looking at ebay.com, which also allows users to log in, search, and list items and descriptions to be shown to potential bidders. Or consider a site like http://forums.station.sony.com/swg, a forums site for online gaming that allows users to post text and potentially pictures.

Enter the Hacker

There are many reasons people are attracted to hacking. The three reasons that seem to always bubble to the top of the list are personal gain, revenge, and power. Some hackers hack to get services or products for free or to steal money. Others hack to get back at the hosting provider or at the employer who spurned them. Most hackers, however, just love the power: the feeling of ultimate control once you manipulate the system, bend the rules of the matrix if you will, allowing you to assert control over a system that seemed otherwise impervious to attack.

As a professional hacker, I can say that there is nothing random about the way a hack is crafted. The beginning of every hack starts with information. For the rest of this section, I would like you to think like a hacker. Picture an application in your head, or visit one on the Web, and look at that application with the full intention of hacking it.

LEGAL DISCLAIMER: Please do not go hacking sites because "Duane told me to do it." I said, just look at the site, don't hack the site.

What's the first thing you do? This is the question that stumps most beginning hackers. People say "Sure, it's easy to hack," but saying it's easy and actually knowing the steps in the dance are two very different things. Let's look at them.



 
 