Review of “Web Hacking: Attacks and Defense”
Review Revision: 10/02 (Darn typo)
Authors: Stuart McClure, Saumil Shah, and Shreeraj Shah
Pages: 492
Publisher: Addison-Wesley
ISBN: 0201761769
Price: $49.99 list price, although most places charge about $35.00
Summary: Web Application Hacking
Intro
I first heard of this book on amazon.com on a Monday morning, and read the reviews of people who had
purchased it. I couldn’t find a single review from anyone in the web security community, either on Amazon
or anyplace else (with the exception of two brief comments on the back of the book, one of which was written
by the person who wrote the book’s foreword). So I decided to pick it up on Friday after I left work and see
what it had to offer. After picking up the book I noticed it was co-authored by three people who all work for
Foundstone, a very large security company that deals with everything (including web security). This review
will cover some of the topics covered in the book, along with things that could or should have been covered
in greater detail.
Target audience
This book is geared more towards beginners and intermediate readers, with a few things more advanced readers
will enjoy. It explains concepts and practical examples in an easy to understand manner.
Pros
One portion of the book covered a topic which is rarely mentioned and almost never documented in security
texts, which is ASP (Active Server Pages). This primarily covered security involving database handling and login
information. Another rarely documented subject this book covered was ISAPI application security. Additional
good points below:
- Good examples of the types of commands an attacker will execute when remote command execution is possible.
  It also has a nice little attack fingerprint reference in the back (Appendix D, page 462).
- General tips and tricks for fingerprinting a web server and database versions (pages 182-194), based on
  error messages and URL structure.
- Chapter 12 covered remote command execution threats with Java and Java servers. Definitely a book highlight;
  not much documentation currently exists on this ever-growing web technology.
- Chapter 14 covered buffer overflows in a very easy to understand manner, something not easily accomplished
  for the less tech savvy. It also walked through a complete example, from the bad code to writing and
  executing the exploit.
- One nice section was the “Cheat Sheet” towards the back of the book, which lists the most commonly misused
  functions in ASP, PHP, Java, and Perl. I did notice it left out the ever-popular fopen() function in PHP,
  which attackers frequently exploit when it is used improperly (code inclusion attacks).
- Showed good practical examples of attackers using search engines to help further probe a site.
- Covered SQL and Oracle security (direct and injection-based attacks).
- Web application server security was covered with examples on BEA WebLogic and WebSphere.
- Provides good examples of using tools such as Netcat, Sam Spade, Teleport Pro, Black Widow, Webcracker, Brutus,
  Achilles, Cookie Pal, etc.
- Covered the threat of Internet worms, including the impact Nimda and Code Red had on the Internet, with
  details of exactly what they did and how they spread.
- Chapter 17 was a treat. It covered how attackers evade intrusion detection systems through the use of SSL and
  URL encoding (Unicode, 2-byte, 3-byte, and double encoding). It also covered how to set up an IDS on SSL
  traffic via a reverse proxy.
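The URL-encoding evasions that chapter is about are easy to see in code. The following Python is an added
example written for this review page, not code from the book or its authors: it canonicalizes a request
path the way an IDS must before matching a signature, decoding %XX, IIS-style %uXXXX, overlong 2- and
3-byte UTF-8 sequences and repeated (double) encoding, then compares a naive match on the raw string
against a match on the canonical form. The sample paths, the “../” traversal signature and the function
names (check_path, canonicalize, lenient_utf8) are constructed for the example; the %u and overlong-UTF-8
decoding rules are assumptions about how a lenient server of that era decodes input, not facts taken
from the book.

```python
import re

# Added example (not from the book or the review): canonicalize a request path
# the way an IDS must before signature matching, so URL-encoding tricks cannot
# hide a pattern such as "../". The %uXXXX and overlong-UTF-8 rules below are
# assumptions about how a lenient server (IIS of that era) decodes input.

_PCT = re.compile(r"%([0-9a-fA-F]{2})")
_UNI = re.compile(r"%u([0-9a-fA-F]{4})")


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 while ACCEPTING overlong 2- and 3-byte forms.

    A strict decoder rejects %c0%af (overlong "/"); a server that accepts it
    is exactly what the "2-byte / 3-byte" evasions rely on, so the IDS must
    accept it too. Stray bytes are kept as Latin-1 rather than dropped.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if b & 0xE0 == 0xC0:
            need, cp = 1, b & 0x1F
        elif b & 0xF0 == 0xE0:
            need, cp = 2, b & 0x0F
        elif b & 0xF8 == 0xF0:
            need, cp = 3, b & 0x07
        else:
            out.append(chr(b)); i += 1; continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) != need or any(c & 0xC0 != 0x80 for c in tail):
            out.append(chr(b)); i += 1; continue
        for c in tail:
            cp = (cp << 6) | (c & 0x3F)
        if cp > 0x10FFFF:  # not a representable code point; keep the lead byte
            out.append(chr(b)); i += 1; continue
        out.append(chr(cp)); i += need + 1
    return "".join(out)


def decode_once(path: str) -> str:
    """One decoding pass: %uXXXX, then %XX into bytes, then lenient UTF-8."""
    path = _UNI.sub(lambda m: chr(int(m.group(1), 16)), path)
    raw = bytearray()
    i = 0
    while i < len(path):
        m = _PCT.match(path, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw += path[i].encode("utf-8", "surrogatepass")
            i += 1
    return lenient_utf8(bytes(raw))


def canonicalize(path: str, max_passes: int = 4) -> tuple[str, int]:
    """Decode until a fixed point. Returns (canonical path, passes that changed it).

    A path that needs more than one pass was double-encoded, which is itself
    worth alerting on: legitimate clients encode once.
    """
    passes = 0
    while passes < max_passes:
        decoded = decode_once(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes


def check_path(path: str, signature: str = "../") -> dict:
    """Compare naive (raw) signature matching with matching on the canonical form."""
    canonical, passes = canonicalize(path)
    return {
        "raw_hit": signature in path,
        "canonical_hit": signature in canonical,
        "decode_passes": passes,
        "canonical": canonical,
    }


# Constructed sample request paths, one per evasion tier (not real captures).
SAMPLES = {
    "plain":      "/scripts/../../winnt/system32/cmd.exe?/c+dir",
    "percent":    "/scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir",
    "unicode %u": "/scripts/..%u002f..%u002fwinnt/system32/cmd.exe?/c+dir",
    "2-byte":     "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir",
    "3-byte":     "/scripts/..%e0%80%af..%e0%80%afwinnt/system32/cmd.exe?/c+dir",
    "double":     "/scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir",
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        r = check_path(path)
        print(f"{name:11} raw={r['raw_hit']!s:5} canonical={r['canonical_hit']!s:5} "
              f"passes={r['decode_passes']} -> {r['canonical']}")
```

Only the plain sample trips a raw-string signature; every encoded variant decodes to the same canonical
path and is caught there, and the double-encoded one additionally reports two decoding passes. The same
fixed-point approach is what makes an SSL-terminating reverse proxy useful in front of the IDS: it hands
the sensor plaintext, which can then be canonicalized before matching.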
Cons
This book was released in August of 2002, and I couldn’t find any reference to Cross-Site Scripting. Cross-Site
Scripting isn’t a new type of attack; in fact, it has been around since the late 1990s. More gripes below:
- They had a tendency to include snippets from IRC conversations. While this explains how hackers communicate
  during attacks, I found it a little lame. I’d rather they had mentioned some “hacker” channels, or something
  along those lines.
- Neither cookie theft nor cookie poisoning was mentioned, while cookie modification was.
- I went to the back of the book hoping to gather some good references for further reading and only got a
  small links section with 6 links, none of which were technical documents but instead general web links.
- Web application abuse and spamming weren’t covered at all, which is very important and an ever-growing
  option for spammers.
- No references to XML-RPC or SOAP were found, though they did briefly mention Microsoft’s .NET technology
  without providing any code examples.
- Lack of coverage of web application wrappers and their security. CGIWrap and suEXEC weren’t mentioned
  anywhere, and nothing was found about chrooting web servers or applications for additional security.
- Apache’s Tomcat server wasn’t mentioned anywhere, with the exception of an exploit listed in Appendix D
  (Source Code, File, and Directory Disclosure Cheat Sheet).
- Not a big complaint, but it would have been nice if Python or Tcl were covered.
Closing
On a scale of one to ten I give this book an eight. This review was written to give you an idea of the book’s
contents, or lack thereof. Perhaps this will help you decide if this book is what you’re looking for, or a
waste of time.
The book can be found at Amazon.