Web Hacking: Attacks and Defense
zenomorph writes: "I first heard of this book on amazon.com on a Monday morning, and read the reviews of people who had purchased it. I noticed that no one from the web security community had commented on it, either on Amazon or anywhere else (with the exception of two brief comments on the back of the book, one of which was written by the person who wrote the book's foreword). So I decided to pick it up on Friday after I left work and see what it had to offer. After picking up the book I noticed it was co-authored by three people who all work for Foundstone, a very large security company that deals with everything (including web security). This review will cover some of the topics covered in this book, along with things that could or should have been covered in greater detail." Read on for the rest of zenomorph's review.
Web Hacking: Attacks and Defense
author: Stuart McClure, Saumil Shah, and Shreeraj Shah
pages: 492
publisher: Addison-Wesley
rating: 8
reviewer: zenomorph
ISBN: 0201761769
summary: Web Application Hacking
Target audience: This book is geared more towards beginners and intermediate users, with a few things the more advanced people will enjoy. It explains concepts and practical examples in an easy to understand manner.
Pros:
One portion of the book covered a topic which is rarely mentioned and almost never documented in security texts, which is ASP (Active Server Pages). This primarily covered security involving database handling and login information. Another rarely documented subject this book covered was ISAPI application security. Additional good points below:
- Good examples of the types of commands an attacker will execute when remote command execution is possible. It also has a nice little attack fingerprint reference in the back. (Appendix D, page 462)
- General Tips and tricks for fingerprinting a web server, and database versions. (pages 182-194) Provides this information based on error messages and URL structure.
- Chapter 12 covers remote command execution threats with Java and Java servers. Definitely a book highlight. Not much documentation currently exists on this ever-growing web technology.
- Chapter 14 covers buffer overflows in a very easy to understand manner; something not easily accomplished for the less tech-savvy. It also walks through a complete example of bad code, to writing and executing the exploit.
- One nice section is the "Cheat Sheet" towards the back of the book which provides the most common improperly used functions in ASP, PHP, Java, and Perl. I did notice it left out the ever popular fopen() function in PHP, which is very popular for attackers to exploit when improperly used (Code inclusion attacks).
- Shows good practical examples of attackers using search engines to help further probe a site.
- Covers SQL and Oracle security (direct and injection-based attacks).
- Web Application server security was covered with examples on BEA Weblogic, and Websphere.
- Provides good examples of using tools such as Netcat, Sam Spade, Teleport Pro, Black Widow, Webcracker, Brutus, Achilles, Cookie Pal, etc.
- Covers the threats of Internet worms, including the effect on the Internet of Nimda and Code Red. Gives details of what exactly they did and how they could spread.
- Chapter 17 is a treat. It covers how attackers avoid IDS systems through the use of SSL and URL encoding (such as Unicode, 2-byte, 3-byte, and double encoding). It also covers how to set up an IDS on SSL via reverse proxies.
Cons:
This book was released in August of 2002, but I couldn't find any reference to cross-site scripting. Cross-site scripting isn't a new type of attack. In fact, it has been around since the late 1990's. More gripes below:
- The authors have a tendency to include snippets from IRC conversations. While it's explaining how hackers communicate during attacks, I found it a little lame. I'd rather they had mentioned some "hacker" channels, or something along those lines.
- Neither cookie theft nor poisoning is mentioned, while cookie modification is.
- I went to the back of the book hoping to gather some good references for further reading and only got a small links section showing 6 links, none of which were technical documents but instead general web links.
- Web application abuse and spamming aren't covered at all, which is something very important and an ever-growing option for spammers.
- No references to XML-RPC or SOAP were found, but the authors do briefly mention Microsoft's .NET technology without providing any code examples.
- Lack of web application wrappers and security. CGIWrap and Suexec aren't mentioned anywhere. Nothing about chrooting webservers, or applications for additional security were found.
- Apache's "Tomcat" server isn't mentioned anywhere, with the exception of an exploit mentioned in Appendix D (Source Code, File, and Directory Disclosure Cheat Sheet).
- Not a big complaint but it would have been nice if Python or TCL were covered.
Closing:
On a scale of one to ten I give this book an eight. This review was written to give you an idea of the contents, or lack thereof. Perhaps this will help you to decide if this book is what you're looking for, or a waste of time.
You can purchase Web Hacking: Attacks and Defense from bn.com.
Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
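The review's last "pro" mentions that the book covers IDS evasion through Unicode, multi-byte and double URL encoding. The following is an added example, written for this page and not taken from the review, the book or any commenter: a small request-path canonicalizer of the kind an IDS or WAF needs to run before pattern matching. It decodes %XX and %uXXXX escapes, accepts overlong UTF-8 sequences the way permissive servers once did but reports them, repeats decoding until the input stops changing (which exposes double encoding), and only then looks for a traversal pattern. All sample paths are constructed for the demonstration.

```python
import re

MAX_DECODE_ROUNDS = 3
_HEX = "0123456789abcdefABCDEF"
_U_ESCAPE = re.compile(r"%[uU][0-9a-fA-F]{4}")
_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample paths (not from the book or the review).
SAMPLE_PATHS = [
    "/index.html",                                   # benign
    "/search?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd",      # single percent encoding of ../
    "/app/..%255c..%255cetc/passwd",                  # double-encoded backslash (%25 -> %)
    "/app/..%c0%af..%c0%afetc/passwd",                # overlong 2-byte UTF-8 form of "/"
    "/app/..%u002f..%u002fetc/passwd",                # %uXXXX "Unicode" escape of "/"
]


def _percent_to_bytes(s: str) -> bytes:
    """Decode %XX and %uXXXX escapes once; malformed escapes are kept as literal text."""
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "%" and i + 6 <= n and s[i + 1] in "uU" and all(ch in _HEX for ch in s[i + 2:i + 6]):
            out += chr(int(s[i + 2:i + 6], 16)).encode("utf-8", "surrogatepass")
            i += 6
        elif c == "%" and i + 3 <= n and all(ch in _HEX for ch in s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out += c.encode("utf-8", "surrogatepass")
            i += 1
    return bytes(out)


def _lenient_utf8(data: bytes):
    """Decode UTF-8 while accepting overlong sequences; returns (text, overlong_seen)."""
    chars, overlong, i, n = [], False, 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            chars.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            chars.append("\ufffd"); i += 1; continue
        seq = data[i + 1:i + 1 + need]
        if len(seq) < need or any(not (0x80 <= x <= 0xBF) for x in seq):
            chars.append("\ufffd"); i += 1; continue
        for x in seq:
            cp = (cp << 6) | (x & 0x3F)
        # A well-formed sequence of this length must encode at least this code point;
        # anything smaller is an overlong form that a strict decoder would reject.
        if cp < (0x80, 0x800, 0x10000)[need - 1]:
            overlong = True
        chars.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(chars), overlong


def canonicalize(path: str, max_rounds: int = MAX_DECODE_ROUNDS):
    """Decode repeatedly until stable; returns (canonical_path, rounds_that_changed_it, overlong_seen)."""
    current, rounds, overlong_seen = path, 0, False
    for _ in range(max_rounds):
        decoded, overlong = _lenient_utf8(_percent_to_bytes(current))
        overlong_seen |= overlong
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/"), rounds, overlong_seen


def inspect(path: str) -> dict:
    """Canonicalize one path and report the evasion tricks undone plus any traversal found."""
    canon, rounds, overlong = canonicalize(path)
    findings = []
    if rounds > 1:
        findings.append("double-encoding")
    if overlong:
        findings.append("overlong-utf8")
    if _U_ESCAPE.search(path):
        findings.append("unicode-u-encoding")
    if _TRAVERSAL.search(canon):
        findings.append("path-traversal")
    return {"raw": path, "canonical": canon, "decode_rounds": rounds, "findings": findings}


def scan(paths):
    """Return the inspection records of every path that triggered at least one finding."""
    return [r for r in (inspect(p) for p in paths) if r["findings"]]


if __name__ == "__main__":
    for record in scan(SAMPLE_PATHS):
        print(record["raw"], "->", record["canonical"], record["findings"])
```

The point of decoding in a loop and recording the number of rounds is that a signature written against the raw URL never sees "../" in the double-encoded or overlong forms, while a detector that matches only after canonicalization does; reporting "double-encoding" and "overlong-utf8" as findings in their own right is useful because legitimate clients almost never emit them.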
Life sucks.
The authors have a tendency to include snippets from IRC conversations. While it's explaining how hackers communicate during attacks I found it a little lame. I'd rather they had mentioned some "hacker" channels, or something along those lines.
I didn't realize that hacker communication was that interesting, even during an attack. Heh... It could be kind of funny I suppose if the "hackers" were script kiddies.
Hacker #1: D00Zs! I just hax0red this windoze box!
Hacker #2: No way! Fuckin' Awesome guy!
Hacker #1: YeAh, I woulda Hax0red more but mom made me go to bed
Hacker #2: Damn, That be harsh.
Model for maintaining security:
1. Publish book with questionable, though feel-good information about network security.
2. Sell lots of copies of it.
3. Profit!
By security, I of course am referring to JOB security.
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
I noticed that there were no reviews from any person in the web security community had commented on it
See? Those web hackers are pretty good, no?
Where does the school board find them and why do they keep sending them to ME?
This story DOES NOT belong in the Reviews section.
The book got an "8." All books in the Reviews section get a "9." Therefore it does not belong.
Hudson: Is this going to be a standup job sir, or just another bug-hunt?
Gorman: All we know is there's still no contact with the colony's Web server. In the meantime I want you all to look at this book on Web security. It's just been reviewed by zenomorph.
Apone: Excuse me sir - who?
Gorman: zenomorph.
Hicks (aside to Hudson): It's a bug hunt.
--- Hot Shot City is particularly good.
So you haven't yet mastered the modern learning techniques available? How do you expect to find or keep your job if you can't extract all useful content from a book by perusing the index and reading two or three carefully selected pages plus the command reference table in Appendix A? I am really concerned about your future, mister, really concerned. Clearly you wouldn't have survived for a day during the dot.com boom. What if the economy becomes irrationally exuberant again? What will you do when they discover you can't learn Magic Bullet v10.3 in two hours and have a presentation for marketing to give the client by the end of the day?
"Distributed DOS attacks"
Post link to target site on slashdot front page. Wait a couple minutes.
The End.
I wrote all that stuff from scratch asshole. I posted it before but I wrote every line. I am a developer of many multimillion dollar products, many entirely authored by ME.
In addition I have run hack proof distributed-load-web servers for over 5 years, on macs.
You are a closed minded linux lover who hates FACTS that show that NO MAC HAS EVER BEEN EXPLOITED!
EVER.
I wrote all that stuff from scratch asshole
I pulled this out of my ass.
In addition I have run hack proof distributed-load-web servers for over 5 years, on macs.
I have a website that nobody's ever visited.
You are a closed minded linux lover who hates FACTS that show that NO MAC HAS EVER BEEN EXPLOITED!
I am bigoted against linux users. Plus, I firmly believe that shouting makes my arguments more persuasive.
EVER.
Sometimes I use complete sentences.
Don't believe anything I say. I crash test crack pipes for a living.
I've spent a lot of time and a lot of money on technical books. In order to save time and money, I've developed a rough analysis approach that will assess the quality of a technical book without having to read the whole thing before buying.
In general, if you go into one of the large, corporate McBooks outlets, and scan the technical titles, the following analysis will vet a 95% or better evaluation rate:
1. Font size. Inversely proportional to quality of the text.
2. Screen shots. Quality of the text is inversely proportional to the total area dedicated to screen shots. Windows dialog boxes count as double their physical area.
3. Quick Reference Icons. Sometimes the author feels necessary to come up with special icons which will be placed on a page to show you what's important. The quality of the book is inversely proportional to the number of these icons multiplied by the size of the icons.
4. Index. The quality of the book is proportional to the number of serious entries in the index. If there are less than five humorous entries, these humorous entries may be included in the above count. If there are more than ten humorous entries in the index, each should be considered as reducing the "serious" count by 10%.
5. Included stuff from the 'net. The quality score for the book is reduced for each appendix which merely includes reprints of stuff that's readily available online. Extra points off for reprinting publicly available APIs. If I was going to code in an offline environment, I might want this, but I'm not going to code without a net connection.
Follow this system, and you won't be ripped off again!
Eloi, Eloi, lema sabachtani?
www.fogbound.net