Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web Hacking: Attacks and Defense

Posted by timothy on from the attack-of-the-bullet-points dept.

zenomorph writes: "I first heard of this book on amazon.com on a Monday morning, and read the reviews of people who had purchased this book. I noticed that there were no reviews from any person in the web security community had commented on it, either on Amazon or anywhere else (with the exception of two brief comments on the back of the book, of which one was written by the person who wrote the book's foreword). So I decided to pick it up on Friday after I left work and see what it had to offer. After picking up the book I noticed it was co-authored by three people who all work for Foundstone, a very large security company that deals with everything (including web security). This review will cover some of the topics covered in this book, along with things that could or should have been covered in greater detail." Read on for the rest of zenomorph's review. Web Hacking: Attacks and defense author Stuart McClure, Saumil Shah, and Shreeraj Sha pages 492 publisher Addison-Wesley rating 8 reviewer zenomorph ISBN 0201761769 summary Web Application Hacking

Target audience: This book is geared more towards beginners and intermediate users, with a few things the more advanced people will enjoy. It explains concepts and practical examples in an easy to understand manner. Pros:

One portion of the book covered a topic which is rarely mentioned and almost never documented in security texts, which is ASP (Active Server Pages). This primarily covered security involving databases handling and login information. Another rarely documented subject this book covered was ISAPI application security. Additional good points below:

  • Good examples of the types of commands an attacker will execute when remote command execution is possible. Also had a nice little attack fingerprint reference in the back. (Appendix D Page 462)

  • General Tips and tricks for fingerprinting a web server, and database versions. (pages 182-194) Provides this information based on error messages and URL structure.

  • Chapter 12 covers remote command execution threats with Java and Java servers. Definably a book highlight. Not too much documentation currently exists on this ever-growing web technology.

  • Chapter 14 covers buffer overflows in a very easy to understand manner; something not easily accomplished for the less tech-savvy. It also walks through a complete example of bad code, to writing and executing the exploit.
  • One nice section is the "Cheat Sheet" towards the back of the book which provides the most common improperly used functions in ASP, PHP, Java, and Perl. I did notice it left out the ever popular fopen() function in PHP, which is very popular for attackers to exploit when improperly used (Code inclusion attacks).

  • Shows good practical examples of attackers using search engines to help further probe a site.

  • Covers SQL and Oracle security. (Direct, and Injection based attacks)

  • Web Application server security was covered with examples on BEA Weblogic, and Websphere.

  • Provides good examples of using tools such as Netcat, Sam Spade, Teleport Pro, Black Widow, Webcracker, Brutus, Achilles, Cookie Pal, etc.

  • Coveres the threats of Internet worms,including the effect on the Internet of Nimda, and Code Red. Gave details of what exactly they did, and how they could spread.

  • Chapter 17 is a treat. Covers how attackers avoid IDS systems through the use of SSL, and URL encoding (such as Unicode, 2-byte, 3-Byte, and double encoding.) Also covers how to set up an IDS on SSL via reverse proxies.

Cons: This book was released in August of 2002, but I couldn't find any reference to cross-site scripting. Cross-site scripting isn't a new type of attack. In fact, it has been around since the late 1990's. More gripes below:
  • The authors have a tendency to include snippets from IRC conversations. While it's explaining how hackers communicate during attacks I found it a little lame. I'd rather they had mentioned some "hacker" channels, or something along those lines.

  • Neither cookie theft nor poisoning is mentioned, while cookie modification is.

  • I went to the back of the book hoping to gather some good references for further reading and only got a small links section showing 6 links, none of which where technical documents but instead general web links.

  • Web application abuse and spamming aren't covered at all, which is something very important and an ever-growing option for spammers.

  • No references to XML-RPC or SOAP were found but the athors do briefly mention Microsoft's .NET technology without providing any code examples.

  • Lack of web application wrappers and security. CGIWrap and Suexec aren't mentioned anywhere. Nothing about chrooting webservers, or applications for additional security were found.

  • Apache's "Tomcat" server isn't mentioned anywhere, with the exception of an exploit mentioned in Appendix D. (Source Code, File, and Directory Disclosure Cheat sheet)

  • Not a big complaint but it would have been nice if Python or TCL were covered.

Closing:

On a scale of one to ten I give this book an eight. This review was written to give you an idea of the contents, or lack thereof. Perhaps this will help you to decide if this book is what you're looking for, or a waste of time.

You can purchase Web Hacking: Attacks and Defense from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

5 of 126 comments (clear)

  1. FUD by Anonymous Coward · · Score: 5, Interesting

    There are, within the "security
    industry" (whatever that means) people who-- intentionally or
    unintentionally-- sell their customers short. The people create a false
    aura of security wherever they pass, and are unwilling or incapable of
    expanding their capabilities.

    Scanning a network doesn't make it secure, but we've all run into people
    who think it does-- including people who should know better.

    I've long advocated (and tried to design) systems (not just hardware,
    but software and business practices) that *fail well*. Systems designed
    not to be unbreakable-- a fool's pursuit, to be sure-- but to contain
    the inevitable breach. Systems that fail in known modes, so that the
    consequences of an intrusion are known ahead of time, and steps can be
    taken based on that knowledge. Systems that don't eliminate risk, but
    manage risk.

    Unfortunately, most customers aren't interested because systems like
    this are expensive. They're hard to design, hard to build, hard to
    maintain, and require profound knowledge of the components and the
    activities that use them. It's a hard sell, especially when those less
    educated self-labeled experts (and vendors) are pushing silver bullets
    in the form of yet another certification, yet another scanner, yet
    another training course.

    I could be wrong, but I see the current upwelling of vitriol directed at
    these people. They are truly living off the labor of others, and
    providing little of use to anyone, including their customers. But
    they're not everyone.

  2. "Security" books by borgesian · · Score: 3, Interesting

    My guess is that script kiddies salivate over this type of information. Having read similar books, they are basically how-to tutorials, a capable System Administrator will likely know about this issues or learn them elsewhere. Oh well, since it makes the Authors some good bucks....I guess thats Security for them.

    1. Re:"Security" books by larien · · Score: 3, Interesting
      Yup, I agree with the above. You've also got to bear in mind that it's not the skript kiddies you have to worry about; it's the real hackers who know how to write script kiddie tools.

      It's fairly simple to defend against script kiddies by following good practice; defending against "real" hackers takes a lot of work and knowledge.

  3. The truth about security by Anonymous Coward · · Score: 2, Interesting

    It's a simple fact that 95% of "attacks" are quite harmless game-playing by "script kiddies", against which there's no need to defend.

    Virtually all of the remaining five percent are the work of honorable hackers (hackers in the correct sense: Brilliant geeks who like to explore and experiment) motivated solely by intellectual curiosity. As we all know, such true hackers are unable to do harm because their value system precludes it. For a true hacker to do harm is a logical impossibility, a meaningless paradox.

    The hysteria about "security" is mostly an attempt to discredit the hacker community, to misrepresent curious and brilliant techies -- us, in short -- as demons in human form. It's bigotry, pure and simple.

    I'm not surprised when CNN or MSNBC spews out this kind of propaganda, but for a geek site like Slashdot to be propagating the "security" myth is rather discouraging.

  4. Foundstone Trust Level by Anonymous Coward · · Score: 2, Interesting

    Foundstone is essentially a Microsoft subsidiary now, so getting consistently useful information from them is somewhat in question for me. Now, maybe there are still a few people there who haven't compromised their integrity to get a cushy paycheck from MS.. but I'm a skeptic.

    Essentially MS and Symantec have both bought out fairly prominent security "experts" who are taking their knowledge of exploits and hoarding that information.

    And of course Foundstone is one of the "founding" members of OIS, the security through obscurity security notification group. No time limits for public disclosure of vulnerabilities, no documentation of vulnerabilities (.gif "viruses" anyone), and no public discourse unless the vendor is happy with what you're saying.