The UK's foremost source of independent advice, guidance, networking and services for IT professionals

BS7799 and ISO9001 (Registration number: 928858)
Protect and Survive - Defending Against Application Hacking (NCC Guidelines 289)

NCC Members have free access to this Guideline on the Principia website.

Web application hacking is a recent threat that has evolved as increasingly complex business applications are deployed on the Internet by both large companies and SMEs.

These web applications are typically multi-tiered with direct access to powerful databases such as Microsoft SQL, Oracle and DB2. These databases provide functionality that can be manipulated to gain access to sensitive information, such as credit card information, or even execute commands on the hosting server.

Web applications are growing in complexity and integrating new technologies such as XML, Web Services, and Business Process Management. Business applications are transacting business with each other using SOAP (Simple Object Access Protocol) over the Internet without any direct human intervention. These new technologies are bringing substantial business and customer benefits, but at the same time they have significantly increased the business risk from application hacking.

Application hacking is the art of manipulating an application's functionality to compromise the application: to steal confidential information, to perform unauthorised transactions, to modify database information or to compromise the hosting server(s). However, it is important to realise that many hackers concentrate on performing denial of service attacks at the application layer. These attacks prevent other users from accessing a website and can lead to a substantial loss of business.

Price £100.00

