Preface: My Journey Into The Security World

This document provides context and background about the author's journey and experiences in the field of web security. Some key points:

- The author got interested in security after obtaining an unauthorized hacking book in college. He joined Alibaba and demonstrated his skills by accessing their internal router and paralyzing their network during an interview.
- At Alibaba, he gained prominence for spoofing emails, accessing servers and computers, and conducting security assessments. He became their youngest technical expert at age 23.
- The author believes security will become more important and complex for internet companies with millions of users. He wrote this book to share practical security knowledge and solutions for developers.

Preface

In mid-2010, Dr. Zhang Chunyu, editor of the IT sector at www.broadview.com, asked me if I could write a book on cloud computing. While the concept of cloud computing is very popular, there is not enough written material on how to handle it. Though I have kept myself up to date with this technology, I declined Zhang’s request, as the prospects in the field were not clear, and instead wrote this book on web security.

MY JOURNEY INTO THE SECURITY WORLD


My interest in security was kindled when I was a student, after I got a book on hacking with no ISBN from the black market. The book had a teaching course on coolfire, which intrigued me. Ever since, I have been hooked on hacking and have taken much interest in practicing the techniques covered in these types of books.

In 2000, I joined Xi’an Jiaotong University. Fortunately for me, the computer room at the university was open even after school hours. Though the price of online browsing was high, I invested most of my living expenses in the computer room. In return, I gained more knowledge in this field.

With the momentum gained at university, I soon got my first computer with the help of my parents. This only increased my interest in the field. In a short while, I collaborated with my friends to set up a technical organization called ph4nt0m.org, named after my favorite comic character. Though the organization did not last long, it helped groom top talents through the communication forums that it initiated. This was the proudest achievement in the 20 years of my life.

Due to the openness of the Internet and the advances in technology, I have witnessed nearly all the developments in Internet security in the last decade. During the first five years, I witnessed the technology in penetration testing, cache overflow, and web hacking; for the five years that followed, I devoted myself to web security.

JOINING ALIBABA
Joining Alibaba caused a dramatic change in my life. I was recommended for an interview at Alibaba by a close friend. The interview was funny: when the interviewer wanted me to show my talent, I acquired access to the router of an operator and turned it off, which caused the internal network to shut down. After the interview, the director who interviewed me asked the operator to re-sign the availability agreement with Alibaba.


As fate would have it, my hobby in college turned out to be my profession. The fact that no universities offered majors in network security only strengthened my resolve to take up security as a career.

At Alibaba, I soon gained prominence. I spoofed the e-mail password of our development manager on the internal network, paralyzed the company network in a stress test, obtained the privileges of the domain controller several times, and was able to access any computer as an administrator.

But apart from these, what I am most proud of is the pile of security assessment reports, because I am well aware that every vulnerability in a network affects millions of users. I get immense job satisfaction from ensuring that the benefits reach so many users. When I was starting out, the web was becoming immensely popular as the core of the Internet; I thus feel happy to have been involved in the wave of web research.

I became the youngest technical expert in the history of Alibaba at 23, even though no official records are maintained. In 2010, I took part in the development of the security department from scratch. At around the same time, Taobao and Alipay also started from scratch, and I was invited to be one of the security experts to set up the foundation for their security development process.

REFLECTIONS ON NETWORK SECURITY


With professional experience, I realized the major difference between Internet companies and traditional network security as well as information security. The challenge for developers in an enormous environment with millions of users is to search for and identify problems. With an increase in quantity there will be a change in quality. Managing 10 servers is not the same as managing 10,000 servers! Likewise, managing the code of 10 developers and the code of 1000 developers is considerably different.

Internet companies specialize in user experience, product performance, and release time, and thus traditional security solutions will not work well in this environment. This poses a greater challenge for security developers.

All of this makes me believe that Internet security will become a new science, or that security will be industrialized. But the books published so far are either too academic or too entertaining (like hacking tool instructions). There are few informative books that discuss security principles or technology. Thus, due to this lack of knowledge, various problems may occur in this new field.

Therefore, I decided to write this book, in which I could share my experience. The book covers the applications of security technology in enterprises and should be of practical value to development engineers in top Internet companies. So when Zhang Chunyu suggested I write a book on that subject, I agreed without any hesitation.

The web, as the core of the Internet, is the best carrier for the future of cloud computing and mobile Internet. Thus, web security should be the focus of all Internet companies and has been my main research field in the last few years. Though this book is mainly about web security, it covers all aspects of the Internet.

With the right way of thinking, every problem can be solved. A security engineer’s strength lies not in his skills or in the number of 0-day attacks he knows, but in the depth of his understanding of security issues. I have always believed in this idea and have put it into practice. Therefore, the value of the book is not in the solutions it provides but rather in the thinking that goes behind these solutions. We want not just solutions, but excellent solutions.

SECURITY ENLIGHTENMENT
Internet companies do not attach much importance to security issues. Statistics reveal that Internet companies invest not more than 1% on security.

At the end of 2011, Chinese Internet companies were overwhelmed by one of the biggest security crises in the history of the Internet. On December 21, 2011, the biggest online community for developers, the Chinese Software Developer Network (CSDN), was hacked, and the data of 6 million registered users were released. The worst part was that CSDN saved all user passwords in plaintext. The ensuing events were catastrophic, with the databases of Netease, Renren, Tianya, Mop, Duowan, and others also being hacked. Within a short period of time, everyone became alert to the risks that breaches of privacy posed.

The data that had been hacked had been traded on the black market for years, forming a black industry chain. This exposed the lack of preparedness of Chinese Internet security.

I did not comment on this at the time. First, this was the consequence that Internet companies had to face for neglecting security; second, in order to solve the problem of "drag library" (wholesale database theft), we have to solve the problem of the whole Internet industry. Securing one database is certainly not enough to address this, just as one paragraph or one article is not enough to explain it (refer to the details in this book for better solutions).

I hope that this crisis serves as a warning to the Chinese Internet industry and forces it to come out of its slumber. It could also serve as a new beginning and inspire a security revolution in the industry.

This is my first book, and I hold myself responsible for any errors. Writing is not an easy job. Due to my busy schedule, I wrote this book in my spare time, but this could never have been achieved without the help of my family and friends.

ABOUT WHITE HAT


In the world of web security, we have two types of hackers—white hat hackers and black
hat hackers.
Black hat hackers are those who hack with the intention of causing damage, whereas
white hat hackers study security issues and have no intent of causing damage. All white hat
hackers aim to construct a more secure environment for the Internet.
Since 2008, I have tried to propagate the concept of white hat hacking in the Internet
industry, and together with security experts, I have been able to set up a community of white
hat hackers. This community can share their experiences in all aspects of security and can
discuss and analyze the various protective measures used in the industry. In general, I hope
the concept of white hat hacking can be popularized in the Chinese Internet industry.

STRUCTURE OF THIS BOOK


This book consists of 4 sections divided into 18 chapters. The following text provides a more detailed account of the content of each of the sections. I have also attached a few of my blog posts at the end of some of the chapters to extend my views.

Section I, My View of Web Security, sets the tone for the rest of the book. It begins with the history of IT security and then discusses my working style and my way of thinking. This should help readers understand why I choose some solutions instead of others.

Section II, Safety of Client Security, covers the state of the art in the field. With advances in security, hackers will try to attack through client script as they find it increasingly difficult to succeed with injection attacks. The security of client script is closely associated with browser features, and thus learning about browsers can help find security solutions for client script.

If readers find it difficult to follow the material presented in this section, for example, if they have to start from scratch, I recommend that they go directly to Section III, which might be more relevant to their needs.

Section III, Application Security in Servers, covers basic issues at the beginning of security program development that will cause serious problems if not dealt with properly. In order to avoid these types of problems, the material in this section is highly recommended.

Section IV, Security Operation in Internet Companies, treats security operation as a sustainable process, and security engineers should ensure that it is result oriented. Some of the material discussed in this section is even more critical for Internet companies than vulnerabilities. The section consists of two chapters, which discuss the process of security development, based on my own work experience, and the core responsibilities of a security team and how to build a comprehensive security system. Readers can refer to this book whenever they meet with specific problems. I hope you enjoy reading it.

ACKNOWLEDGMENTS
I thank my wife for all her support. During the last few days of the completion of this book,
I was by her sick bed, memories of which will be with me for the rest of my life.
I thank my parents for their encouragement and for allowing me to pursue my career
freely. This is what has given me the opportunity to write a book.
I am grateful to my company Alibaba, which has provided me a platform to display
my talent. I am also grateful to the following colleagues for their support: Wei Xingguo,
Tang Cheng, Liu Zhisheng, Hou Xinjie, Lin Songying, Nie Wanqua, Xie Xiongqin, Xu Min,
Liu Qun, Li Zeyang, Xiao Li, and Ye Yikai.
I thank Ji Xinhua for writing the foreword. He has always been a great model for all
security workers.
I thank Zhang Chunyu and his team, who worked together to make this book a reality.
Their suggestions were very helpful.

Last but not least, I am indebted to my colleague Zhou Tuo, whose ideas inspired me tremendously.

Contact:
Email: [email protected]
Blog: http://hi.baidu.com/aullik5
Weibo: http://t.qq.com/aullik5

Wu Hanqing
Hangzhou, China
