Web Hacking: Attacks and Defense

zenomorph writes: "I first heard of this book on amazon.com on a Monday morning, and read the reviews of people who had purchased this book. I noticed that there were no reviews from any person in the web security community had commented on it, either on Amazon or anywhere else (with the exception of two brief comments on the back of the book, of which one was written by the person who wrote the book's foreword). So I decided to pick it up on Friday after I left work and see what it had to offer. After picking up the book I noticed it was co-authored by three people who all work for Foundstone, a very large security company that deals with everything (including web security). This review will cover some of the topics covered in this book, along with things that could or should have been covered in greater detail." Read on for the rest of zenomorph's review. Web Hacking: Attacks and defense author Stuart McClure, Saumil Shah, and Shreeraj Sha pages 492 publisher Addison-Wesley rating 8 reviewer zenomorph ISBN 0201761769 summary Web Application Hacking

Target audience: This book is geared more towards beginners and intermediate users, with a few things the more advanced people will enjoy. It explains concepts and practical examples in an easy to understand manner. Pros:

One portion of the book covered a topic which is rarely mentioned and almost never documented in security texts, which is ASP (Active Server Pages). This primarily covered security involving databases handling and login information. Another rarely documented subject this book covered was ISAPI application security. Additional good points below:

• Good examples of the types of commands an attacker will execute when remote command execution is possible. Also had a nice little attack fingerprint reference in the back. (Appendix D Page 462)

• General Tips and tricks for fingerprinting a web server, and database versions. (pages 182-194) Provides this information based on error messages and URL structure.

• Chapter 12 covers remote command execution threats with Java and Java servers. Definably a book highlight. Not too much documentation currently exists on this ever-growing web technology.

• Chapter 14 covers buffer overflows in a very easy to understand manner; something not easily accomplished for the less tech-savvy. It also walks through a complete example of bad code, to writing and executing the exploit.
• One nice section is the "Cheat Sheet" towards the back of the book which provides the most common improperly used functions in ASP, PHP, Java, and Perl. I did notice it left out the ever popular fopen() function in PHP, which is very popular for attackers to exploit when improperly used (Code inclusion attacks).

• Shows good practical examples of attackers using search engines to help further probe a site.

• Covers SQL and Oracle security. (Direct, and Injection based attacks)

• Web Application server security was covered with examples on BEA Weblogic, and Websphere.

• Provides good examples of using tools such as Netcat, Sam Spade, Teleport Pro, Black Widow, Webcracker, Brutus, Achilles, Cookie Pal, etc.

• Coveres the threats of Internet worms,including the effect on the Internet of Nimda, and Code Red. Gave details of what exactly they did, and how they could spread.

• Chapter 17 is a treat. Covers how attackers avoid IDS systems through the use of SSL, and URL encoding (such as Unicode, 2-byte, 3-Byte, and double encoding.) Also covers how to set up an IDS on SSL via reverse proxies.

Cons: This book was released in August of 2002, but I couldn't find any reference to cross-site scripting. Cross-site scripting isn't a new type of attack. In fact, it has been around since the late 1990's. More gripes below:

• The authors have a tendency to include snippets from IRC conversations. While it's explaining how hackers communicate during attacks I found it a little lame. I'd rather they had mentioned some "hacker" channels, or something along those lines.

• Neither cookie theft nor poisoning is mentioned, while cookie modification is.

• I went to the back of the book hoping to gather some good references for further reading and only got a small links section showing 6 links, none of which where technical documents but instead general web links.

• Web application abuse and spamming aren't covered at all, which is something very important and an ever-growing option for spammers.

• No references to XML-RPC or SOAP were found but the athors do briefly mention Microsoft's .NET technology without providing any code examples.

• Lack of web application wrappers and security. CGIWrap and Suexec aren't mentioned anywhere. Nothing about chrooting webservers, or applications for additional security were found.

• Apache's "Tomcat" server isn't mentioned anywhere, with the exception of an exploit mentioned in Appendix D. (Source Code, File, and Directory Disclosure Cheat sheet)

• Not a big complaint but it would have been nice if Python or TCL were covered.

Closing:

On a scale of one to ten I give this book an eight. This review was written to give you an idea of the contents, or lack thereof. Perhaps this will help you to decide if this book is what you're looking for, or a waste of time.

You can purchase Web Hacking: Attacks and Defense from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

FUD

There are, within the "security
industry" (whatever that means) people who-- intentionally or
unintentionally-- sell their customers short. The people create a false
aura of security wherever they pass, and are unwilling or incapable of
expanding their capabilities.

Scanning a network doesn't make it secure, but we've all run into people
who think it does-- including people who should know better.

I've long advocated (and tried to design) systems (not just hardware,
but software and business practices) that *fail well*. Systems designed
not to be unbreakable-- a fool's pursuit, to be sure-- but to contain
the inevitable breach. Systems that fail in known modes, so that the
consequences of an intrusion are known ahead of time, and steps can be
taken based on that knowledge. Systems that don't eliminate risk, but
manage risk.

Unfortunately, most customers aren't interested because systems like
this are expensive. They're hard to design, hard to build, hard to
maintain, and require profound knowledge of the components and the
activities that use them. It's a hard sell, especially when those less
educated self-labeled experts (and vendors) are pushing silver bullets
in the form of yet another certification, yet another scanner, yet
another training course.

I could be wrong, but I see the current upwelling of vitriol directed at
these people. They are truly living off the labor of others, and
providing little of use to anyone, including their customers. But
they're not everyone.

Re:FUD

[extagboy]

Scanning a network doesn't make it secure, but we've all run into people
who think it does-- including people who should know better.


I agree that scanning a network doesn't make it secure but rather it is the first step in identifying where it is insecure. It's an important step that should not be overlooked. As far as the book goes, anything to help people realize that security is important is a good thing.

Re:FUD

[yatest5]

The problem I have with these reviews and those that are found on Amazon, is that there is no context for the review. Specifically, what's great to you might suck to me. We have no knowledge of the reviewers skill level or experience.

It would be far better if the reviewers would give a little background information about themselves, along with the review.

What is Zenomorph's skill level? How long have they worked in this field? What related hardware and software are they proficient with? What other books on the subject has this person read and what was their opinion of those books? Without this information the review carries no more weight than one from Jon Katz.

I have spoken.

Re:FUD

[5KVGhost]

Unfortunately, most customers aren't interested because systems like this are expensive.

And becasue some customers might really not need them for their particular circumstances. A failure or security breach isn't necessarily the end of the world. If your window gets shattered once a year by a thrown stone you can spend a bunch on unbreakable glass or metal shutters, or just keep of stock of replacement panes around. So it is with securityt; they may believe that it's cheaper, easier, and more practical to just fix things when they inevitably get broken. Sure, sometimes that's false economy based on bad estimates and wishful thinking, but sometimes it might be valid.

Re:FUD

but rather it is the first step in identifying where it is insecure.

no shit. it's like walking around your building and noting where the weak points are. thinking you know something (such as what is/isnt running on your network) is different than actually looking. i might think there is only one door into the server room snce thats what the architects told me, but unless i go and look, how do i know for sure?

now if i gather that information and dont use it, i'm a DUMBASS. but i use the info i gather, so im not a dumbass (well, for that reason at least).

while scanning by itself doesn't make a network more secure, not scanning is foolish.

Re:FUD

[RagManX]

I agree that scanning a network doesn't make it secure but rather it is the first step in identifying where it is insecure.

Well, actually, it isn't a first step. The first step is reviewing policies. If no policies are in place, knowing what is secure or insecure is almost irrelevent. Once you've analyzed the policies, go over what is missing, clarify what is unclear, ensure that what is required is sensible, and work through everything to make sure the policy is clear and enforced.

Now, once you know what is and isn't allowed, you might want to scan and see what's there. Remember, just because something is a potential vulnerability doesn't mean it has to be changed. A cost/risks analysis may have been done with the determination that a given "hole" has sufficient reward to justify the risk. But until you've gone over the policies and reviewed the business reasons for any given service, you can't determine if it is a hole or not.

RagManX

Re:FUD

[Theatetus]

And becasue some customers might really not need them for their particular circumstances. A failure or security breach isn't necessarily the end of the world...[simile snipped]...Sure, sometimes that's false economy based on bad estimates and wishful thinking, but sometimes it might be valid.

I'm still amazed at how may PHB's I've met who are so "concerned about security" that they insist on spending thousands to "secure" a static marketing website that contains nothing anyone would want to look at, yet still use their dog's name as the password to secure the HR files on their intranet.

I guess since the Web seems "out there" [gesturing genericly towards the horizon], a lot of people worry that their website will get "hacked" and altered by someone (though when you ask who would do that, or why, they get very vague), whereas the actual security risk, confidential info stored on an office computer, seems so mundane that nobody cares about it.

Re:FUD

[Zeinfeld]

I agree that scanning a network doesn't make it secure but rather it is the first step in identifying where it is insecure. It's an important step that should not be overlooked. As far as the book goes, anything to help people realize that security is important is a good thing.

Every categorical statement about computer security is wrong.

If you talk to anyone in the top rank of information security, whether someone with a public profile like Bruce Schneier or Ross Anderderson or people like Jeff Schiller, Butler Lampson, Steve Bellovin or myself who are well known in the industry but may not pop up in print as often you will get a fairly consistent reply on the value of various strategies but in every case you will be told that what is meant 'secure' depends on your particular needs.

What you will not get is computer security boiled down to a simple set of rules. You might get 'Security is risk control, not risk elimination' which has been arround for several decades before Bruce recently claimed it.

What security is not is the set of ideological slogans that tend to infest slashdot. For example 'security through obscurity' is regularly brought out to attack what are actually valid security strategies. It took several years to get the unix community to undersand that shadow passwords are not a form of security through obscurity. Many folk on slashdot think that unix has always had them.

Before looking at site policy or anything else suggested so far as the 'first step' ask yourself what assets do I have and what damage would be caused if they were disclosed, erased or otherwise damaged?. This is actually quite a hard question and many people will miss out their most important assets. For example the CIA and NSA failled to consider their reputation as an asset when they outsourced the running of their Web sites with embarassing results when they were hacked. The Whitehouse did not make that mistake. Before the site ever went online they realised that the Web site was potentially a reputation asset. The first target of a coup is always the television station since the coup plotters can often get people to comply with the revolution just by announcing that it has taken place. Also they had been bitten during the 1992 election campaign when an NRA supporter sent out a fake press release promissing an imminent gun grabbing. Ironically the response to the fake release suggested that gun grabbing was popular, so know you know who you have to blame.

As for the book, it sounds to me that this is a very 'down in the trenches' type of book. I don't worry about a lot of the attacks described because I would never go near certain technologies. Client side Java, Javascript and other 'winky-blinky' technology would have been much better if never invented. However when you come to build systems you can still have problems because even though you may not use javascript a weakness in javascript could compromise a mechanism you relly on such as session cookies.

I just gor Ross Anderson's book 'Security Engineering'. I have not read it yet but his monograph 'why security protocols fail' is the one that Bruce, Ron Rivest or myself all refer to if we want to quickly install some clues into someone designing a protocol with inadequate security...

Re:FUD

[Zeinfeld]

Shadow passwords are a form of security through obscurity.
You've simply moved the password information to another slightly less readable file (by file permissions) but it still is readable off backup tapes and other tricks

I don't agree. File permissions are not a sufficient protection for a password file. Neither is one way encryption. The combination is an acceptable level of security fot some applications.

Security through obscurity is something else entirely. It is assuming that a process is so complex that the complexity provides security.

If you want to redefine the meaning of security through obscurity, that is fine. Just remember to change the assertion that security through obscurity is alway bad at the same time.

To take the argument to the extreme I would insist on using one way encryption even if the password file was to be stored in trusted hardware where the problems of inadvertent disclosure you cite could not occur.

Re:FUD

[tpv]

Not in the general meaning of the term.

Security through obscurity is where you rely on the fact that an attacker doesn't know/understand how the system works, and therefore is unable to determine how to break the system.
That's not the case with shadow passwords. The shadow password mechanism is well known and public. No one is hiding the inplementation details.

Shadow passwords are security through concealment, which is a different thing to obscurity.
As you point out, there are a number of techniques to break that concealment, but that is a different issue.

Get ...

[NWT]

... THIS!

at least you weren't hasty...

[dAzED1]

"So I decided to pick it up on Friday after I left work and see what it had to offer...This review will cover some of the topics covered in this book, along with things that could or should have been covered in greater detail"
Ok, so its a 492 page technical resource, and you just *bought* the book 5 days ago?
Is it possible that maybe you missed some things?
I mean, I can read a good 500 page novel in a day or two, but I don't think I'd give a review on a technical book I just bought 5 days ago. Maybe that's just me.

Re:at least you weren't hasty...

5 day review of a 500 page book. Would be a full time job.

Re:at least you weren't hasty...

[ianweeks]

"I took a speed-reading course and read War and Peace in twenty minutes. It involves Russia." - Woody Allen

Re:at least you weren't hasty...

[angst_ridden_hipster]

I've spent a lot of time and a lot of money on technical books. In order to save time and money, I've developed a rough analysis approach that will assess the quality of a technical book without having to read the whole thing before buying.

In general, if you go into one of the large, corporate McBooks outlets, and scan the technical titles, the following analysis will vet a 95% or better evaluation rate:

1. Font size. Inversely proportional to quality of the text.

2. Screen shots. Quality of the text is inversely proportional to the total area dedicated to screen shots. Windows dialog boxes count as double their physical area.

3. Quick Reference Icons. Sometimes the author feels necessary to come up with special icons which will be placed on a page to show you what's important. The quality of the book is inversely proportional to the number of these icons multiplied by the size of the icons.

4. Index. The quality of the book is proportional to the number of serious entries in the index. If there are less than five humorous entries, these humorous entries may be included in the above count. If there are more than ten humorous entries in the index, each should be considered as reducing the "serious" count by 10%.

5. Included stuff from the 'net. The quality score for the book is reduced for each appendix which merely includes reprints of stuff that's readily available online. Extra points off for reprinting publically available APIs. If I was going to code in an offline environment, I might want this, but I'm not going to code without a net connection.

Follow this system, and you won't be ripped off again!

some instructions

A.) Put this under book reviews, where it belongs

B.) Its a Xenomorph, not a Zenomorph. Jesus.

Re:some instructions

[n9hmg]

Its a Xenomorph, not a Zenomorph
really? How do you know? Because the word you're thinking when you pronounce his id is spelled "xenomorph"? Perhaps it's about taking a shape dictated by Zen? If somebody tells you to put things in the "to box", do you correct him, telling him it's the "two boxes", when he might well mean the box that is not the "from" box?
No wonder you post AC.

Heh...

[$0+31337]

The authors have a tendency to include snippets from IRC conversations. While it's explaining how hackers communicate during attacks I found it a little lame. I'd rather they had mentioned some "hacker" channels, or something along those lines.

I didn't realize that hacker communication was that interesting, even during an attack. Heh... It could be kind of funny I suppose if the "hackers" were script kiddies.

Hacker #1: D00Zs! I just hax0red this windoze box!
Hacker #2: No way! Fuckin' Awesome guy!
Hacker #1: YeAh, I woulda Hax0red more but mom made me go to bed
Hacker #2: Damn, That be harsh.

Re:Heh...

[unicron]

I would've joined their conversation but my room buster wasn't working.

"Security" books

[borgesian]

My guess is that script kiddies salivate over this type of information. Having read similar books, they are basically how-to tutorials, a capable System Administrator will likely know about this issues or learn them elsewhere. Oh well, since it makes the Authors some good bucks....I guess thats Security for them.

Re:"Security" books

[slutdot]

Hiding the information from the general public doesn't do any good either. You know how everyone keeps bashing MS for not disclosing holes, it's the same thing with not wanting to publish info on how to hack a system. A capable system administrator will take this info and secure their boxes against the holes published in these books. They are just too busy to be looking for such obscure information as finding holes in software. These books provide valuable insight from people who are working in the field and as a security administrator for a rather large company, I place high value in these books.

Re:"Security" books

[larien]

Yup, I agree with the above. You've also got to bear in mind that it's not the skript kiddies you have to worry about; it's the real hackers who know how to write script kiddie tools.

It's fairly simple to defend against script kiddies by following good practice; defending against "real" hackers takes a lot of work and knowledge.

The truth about security

It's a simple fact that 95% of "attacks" are quite harmless game-playing by "script kiddies", against which there's no need to defend.

Virtually all of the remaining five percent are the work of honorable hackers (hackers in the correct sense: Brilliant geeks who like to explore and experiment) motivated solely by intellectual curiosity. As we all know, such true hackers are unable to do harm because their value system precludes it. For a true hacker to do harm is a logical impossibility, a meaningless paradox.

The hysteria about "security" is mostly an attempt to discredit the hacker community, to misrepresent curious and brilliant techies -- us, in short -- as demons in human form. It's bigotry, pure and simple.

I'm not surprised when CNN or MSNBC spews out this kind of propaganda, but for a geek site like Slashdot to be propagating the "security" myth is rather discouraging.

Re:The truth about security

[Second_Derivative]

It's a simple fact that 95% of "attacks" are quite harmless game-playing by "script kiddies", against which there's no need to defend.

Last I checked having some HTML file written in FrontPage saying "j00 h4v3 b33n 0wnz0r3d" in red on black where your index page is supposed to be doesn't do wonders for your company's reputation.

Re:The truth about security

[Deagol]

The bandwidth consumption, system overhead, and problems resulting from Code Red, Nimbda, Slapper, etc. are quite real. Ask anyone who's either been hit directly or felt the side effects. So there are real threats out there.

That said, I quite often don't follow the hype. I will occasionally visit a vulnerability site just to make sure nothing truly new, clever, and dangerous is on the loose. A decent admin will have most bases covered.

For example, when all those SSH/OpenSSH hack came through early this year (and late last year), I wasn't overly concerned, even though I manage a ton of OpenSSH servers. Why? Because I'm smart enough to use tcp_wrappers to keep the l33t AOL and AT&T Broadband hackers from messing with my systems and I turned off protocol 1 suport long ago.

Sure, I went out and upgraded OpenSSL/OpenSSH on the vulnerable machines. Who wouldn't? But I didn't need to make a mad dash to upgrade because I had devices in place to keep things in check.

I don't believe that the industry is trying to discredit "hackers". Like it or not "hackers" is pretty much a negative term these days. No, the industry uses this kind of hype and hysteria to... make money!

Re:The truth about security

[tmark]

It's a simple fact that 95% of "attacks" are quite harmless game-playing by "script kiddies", against which there's no need to defend.

Virtually all of the remaining five percent are the work of honorable hackers

Kindly provide us with the statistics that support this simple fact, so that the rest of the world can dispense with its bigotry.

The "I love you" and "melissa" viruses were written by little more than a script kiddies. Are you telling me there is no reason to defend against this ? Are you saying there's no reason for concern ?

And while you're at it, please provide statistics about the dollar-value of damage conducted by the people who DON'T fall into your schema. It'd be great to know that a few million dollars lost here or some credit card numbers stolen there don't merit real concern.

Could anyone have done more damage to your oh-so-discriminated-against community then a posterboy like Kevin Mitnick, by undermining the trust that people have in these systems ?

Re:The truth about security

[Helter]

While you may be correct in your percentages, that is only because of the huge number of "script kiddies".

When I was in the .com industry we outsourced some web-application dev work out to a russian design firm. They did excellent work for a great price, literally pennies on the dollar compared to what it would have cost to do the same thing in the states. We also outsourced some work to Israel and India, and saw the same value and competence. In summation, these were not 14 year old script kiddies.

On top of application development, they offered us an interesting growth plan. For 500 USD a day they would take any of our competition off the net completely. That's their website, AND main office. For more money they would corrupt their server-side applications to the point of unusability.

THIS is what you need security for. Because there are offices FULL of Russian, Israeli, Indian, (wherever) programmers who are willing to do whatever work they can, whether that be hacking or development, just to bring a paycheck home. In many cases they are protected either actively or passively by their government, and in some may even work for the government.

You're correct, script kiddies and curious hackers aren't much of a problem. The malevolent black hat hacker out to cause destruction and mayhem in your network for the sheer joy of it is almost entirely a media creation. But industrial espionage is alive and well, and to make matters worse it's cheap.

Re:The truth about security

[Pfhreakaz0id]

we had a similar experience with outsourcing some web work to India -- we didn't take them up on it. It was a real eye opener, so we had them look at our product (which included a web application component) for security and they found several BIG holes that had made it through our "security" audit.

Re:The truth about security

[davet]

It doesn't matter if damage is done out of malice or incompetence, it still takes time and effort to recover a compromised server. I make the effort to secure my systems at work and at home for the same reason I keep the kitchen knives away from my children.

It's not demonizing curious children, it's called childproofing.

Just think of security as childproofing your network.

Much of what's been done to discredit "hacking" (in the original sense) has been done by clueless vandals who imagine that breaking into someone elses computer made them some kind of "brilliant techie" or "3733t hax0r d00d".

Re:The truth about security

[Dark+Lord+Seth]

Dpends how creative the Marketing Dept is really. If they are GOOD, they can work miracles even with that.

Problems with reviews.

[FreeLinux]

The problem I have with these reviews and those that are found on Amazon, is that there is no context for the review. Specifically, what's great to you might suck to me. We have no knowledge of the reviewers skill level or experience.

It would be far better if the reviewers would give a little background information about themselves, along with the review.

What is Zenomorph's skill level? How long have they worked in this field? What related hardware and software are they proficient with? What other books on the subject has this person read and what was their opinion of those books? Without this information the review carries no more weight than one from Jon Katz.

Re:Problems with reviews.

He is the administrator of cgisecurity.com, a web security news site. He's written a few papers and advisories. Check out the site.

Re:Problems with reviews.

[Milalwi]

The problem I have with these reviews and those that are found on Amazon, is that there is no context for the review. Specifically, what's great to you might suck to me. We have no knowledge of the reviewers skill level or experience.

Even worse, you don't know if the have some relationship to the author! A contractor working for me was sharing a cubicle with a "business analyst". This guy boasted about how he had published several books and got great ratings on Amazon because he (through secondary accounts) and his buddies would write reviews about how great the book was and then would use other accounts to recommend the reviews. Sad. Let the buyer beware.

Milalwi

They struck!

[dr_dank]

I noticed that there were no reviews from any person in the web security community had commented on it

See? Those web hackers are pretty good, no?

Slight Error

This story DOES NOT belong in the Reviews section.

The book got an "8." All books in the Reviews section get a "9." Therefore it does not belong.

whisker

"Chapter 17 is a treat. Covers how attackers avoid IDS systems through the use of SSL, and URL encoding (such as Unicode, 2-byte, 3-Byte, and double encoding.) Also covers how to set up an IDS on SSL via reverse proxies."

Ummm... here is a free version of that information. Very thorough, and it is by RFP the writer of whisker.

Re:whisker

[Conare]

The link is VERY interesting and thank you, but just to let others know, it only covers HTTP URL encoding. It does not cover setting up IDS on SSL via reverse proxies, nor does it cover avoiding IDS by using SSL. (but that should be somewhat obvious to anyone who cares to think about it a little.)

Re:National Security Matter

[dkh2]

(Score:0) ???

Geeze, some people just don't recognize sarcasm when they see it.

The point here is, in many instances the PATRIOT act is written so broadly that it may be construed that the mere mention of anything security related is deemed an unpatriotic, seditionist, revolutionary plot.

Issues

[dildatron]

The problem that arises with books like this is that they become obsolete quickly. More generic hackerish books just describe generalisms and may discuss buffer overflows in general rather than specific buffer overflows in specific programs.

There is a need for both types of books, but one like this will not be good reading 10 years from now (nor should they be).

Updated Aliens script

[mav[LAG]]

Hudson Is this going to be a standup job sir, or just another bug-hunt?

Gorman: All we know is there's still no contact with the colony's Web server. In the meantime I want you all to look at this book on Web security. It's just been reviewed by zenomorph.

Apone: Excuse me sir - who?

Gorman: zenomorph.

Hicks (aside to Hudson) It's a bug hunt.

yep

[cr@ckwhore]

Nothing like a book full of FUD to further obscure the real "web site hackers".

This is just too complicated a subject to wrap it all up in a generi-book. Of course its aimed at beginners... they don't know any better!

Re:yep

[Azghoul]

So, if someone actually IS a beginner, why is this bad? Why call it a book full of FUD when it exposes potential beginners to some of the issues that are out there?

Certainly almost any IT subject is too complex to put into a single book. But that doesn't mean people would be unable to get a leg up from such a tome. Right?

Re:yep

[cr@ckwhore]

They're more likely to gain confusion and false information

You slow learner

[Pac]

So you haven't yet managed the modern learning techiques available? How do you expect to find or keep your job if you can't extract all useful content from a book by perusing the index and reading two or three careful selected pages plus the command reference table at Apendix A? I am really concerned about your future, mister, really concerned. Clearly you wouldn't have survived for a day during the dot.com boom. What if the economy becomes irrationaly exuberant again? What will you do when they discover you can't learn Magic Bullet v10.3 in two hours and have a presentation for marketing to give the client by the end of the day?

Since when is Amazon an authority?

[viper21]

I find it quite interesting that you assume that any people of note should bother submitting a review to Amazon.com if they have something to say about a book. If I were going to take the time to write a professional review of a book, I'm sure that I would have it published somewhere that I would get good exposure and receive compensation for my time.

Maybe you would like to take a look at Web Security, Privacy & Commerce, 2nd Edition from OReilly (I have no connection w/ this link or this book).

Or maybe you could figure out where the Web Security zealots hang out. I bet they've talked about the book there, if it has any merit of note.

If you expect anything besides rehashes of the books TOC on the Amazon.com review system, you're going to be disappointed most of the time.

-S

I've taken a class from these guys

[El+Volio]

I took the Foundstone "Ultimate Hacking" course a few months ago, and some of these guys were on the team who taught it. While I can't speak to the book itself, not having read it, the authors themselves were very knowledgeable and authoritative in their fields. I expect that the information in this book should (hopefully) be of the same caliber.

Re:I've taken a class from these guys

[Quixote]

Humor me if you will, but why the heck would any self-respecting "hacker"-wannabe take an "Ultimate hacking" course? Isn't that somewhat like watching a documentary on hiking in order to learn hiking?

'Hacking' is learnt by doing. Maybe I'm from the old school and I don't know any better.

Re:I've taken a class from these guys

[oh]

I thought I knew a bit about hacking. I have secured large (million hits a day) web sites, configured corporate firewalls, written security evaluations.

I've taken a course at Uni on cryptography, and at one stage understood DES, RSA and key exchange.

Without saying anything that might incriminate myself, I thought I knew a bit. So when my company sent me on a similar hacking course I didn't think I was going to get much out of it, but I was looking to get something on my CV that said I know about security.

What scared me was not how much they taught me in the course, but how little. The first day on information gathering was interesting, but I knew most of the social engineering and technical hacking bits.

What scared me was how easily they could put together everything I had already known, and systematically apply with frightening success. I haven't had an experience like it. It must be something like the karate-kid (the first one). Knowing all the bits, (wax on, wax off) then seeing them fall into place.

Be very sure of yourself before you say a course like this is irrelevant. You may know all the "facts" already, but there is a world of difference between learning off the "security community" on the web and applying it in a systematic, professional manner. As well, the contacts you make at the course and extremely valuable.

Just don't do what my co-worker did. He was trying to VNC to a NT server at the same time as another team, and he was having trouble with the mouse moving in two directions at once. This other team are from the "defence department", so he decides to crash their PC. Again, and again, and again. Later the course instructor tells me by doing this he's guaranteed a tax audit for at least the next five years.

Re:I've taken a class from these guys

[El+Volio]

Sometimes you just have to go to a class because the boss wants it -- makes a nice bullet point on presentations to prospective customers, executives, etc. Plus, it never hurts to learn a few new things and have an appropriate environment in which to play.

That, and it beats being in the office for a week.

Ahh yes but...

[sterno]

How does one become a capable System Administrator? By learning which involves, amongst many other things, reading books on the subject.

Foundstone Trust Level

Foundstone is essentially a Microsoft subsidiary now, so getting consistently useful information from them is somewhat in question for me. Now, maybe there are still a few people there who haven't compromised their integrity to get a cushy paycheck from MS.. but I'm a skeptic.

Essentially MS and Symantec have both bought out fairly prominent security "experts" who are taking their knowledge of exploits and hoarding that information.

And of course Foundstone is one of the "founding" members of OIS, the security through obscurity security notification group. No time limits for public disclosure of vulnerabilities, no documentation of vulnerabilities (.gif "viruses" anyone), and no public discourse unless the vendor is happy with what you're saying.

Foundstone

[j_kenpo]

Considering that the book is written by the team at Foundstone, guys who have written other books on security such as Hacking Exposed, Hacking Linux Exposed, and Hacking Windows 2000 Exposed, teach courses in network security, such as Ultimate Hacking and Ultimate IDS, and have been doing this for countless years, Id have to say itd probally be a pretty good book on the subject. While not all topics are covered, as the reviewer pointed out the book is geared towards novices to intermediate users.. so dont expect everything. Not knowing the reviewers skill level, Ill trust that the Foundstone guys wrote a fairly decent book and expect that a few things are either held back due to relevence or space. And chances are I will probally pick it up myself in one of my future book runs. If someone who reads the book is all that interested in the security field after reading it, it will at least give them a starting point to start looking and discover some of the missing elements mentioned in the review...

This coming...

[mrgrey]

from the guy whose name is $0 31337

Ironic? Nah.

[Weaselmancer]

Anybody else think it's kinda funny that Amazon.com is selling a book on web security?

Weaselmancer

They forgot Chapter 18

[erik1474]

"Distributed DOS attacks"

Post link to target site on slashdot front page. Wait a couple minutes.

The End.

Translation:

[PFactor]

MacOS is what I use, so it rules. Plus, here's some fake technical information copied from the internet so you can think I know what I'm about.

It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.

It is also a concrete fact that no webserver based on my small intestine has been hacked, but that's because it is just as fictional.

Re:Translation:

I wrote all that stuff from scratch asshole. I posted it before but I wrote ever line. I am a developer of many multimillion dollar products, many entirely authored by ME.

In addition I have run hack proof distributed-load-web servers for over 5 years, on macs.

You are a closed minded linux lover who hates FACTS that show that NO MAC HAS EVER BEEN EXPLOITED!

EVER.

Try Hacking Web Applications Exposed

Another book by the Foundstone crew is Hacking Web Applications Exposed. I found this book to a lot better than Web Hacking: Attacks and Defense. I know a bunch of the guys over at Foundstone and personally, I find Shema's book to be a lot better than Shah's.

Just a little insight.

in defense of not finishing books

[rjnagle]

I don't want to belabor the point, but often it's not necessary to read a technical book from start to finish to review it. A good part of technical reviewing involves just reporting what the book does and doesn't have. Sometimes a book's quality can be determined simply how well it is organized (for a reference book, for instance), or on the quality and depth of its learning activities. Sometimes, there may be very good reasons for writing a review/preview/response without reading a book in its entirety. I once had a rather frivolous dialogue with Jeffrey Dean about the merits and drawbacks of writing reviews for books you haven't read completely. I'm not defending the practice of reviewing books you haven't read. Nor am I defending the value that comes with "living with a book" for several weeks or months. But the value of early reporting of a book sometimes outweigh the decision not to read the book entirely. Other Idiotprogrammer Book Reviews

Re:in defense of not finishing books

[Conare]

I don't want to belabor the point, but often it's not necessary to read a technical book from start to finish to review it. A good part of technical reviewing involves just reporting what the book does and doesn't have

Sure you can report about some things that the book has before reading it entirely, but how do you know what the book doesn't have unless you've read the whole thing?

Would that be Lasso CGI?

[brokeninside]

One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.

The bugtraq mailing list lists a known exploit for Lasso CGI on top of Webstar in 1997.

If CGI is enabled, Webstar becomes no more secure than any other web server with CGI enabled. For static content, Webstar does appear to be unbreakable.

A new cliche for the new millennium

[marsvin]

"Never judge a book by its Amazon review"

No Problem!

[frankmanowar]

Really,

There is nothing wrong with this review or anything intrinsically wrong with reviews in general! and you don't need to know his 5Kyllz lev3l either (alhtough i get this sense that he is strangely powerful, like Goku, maybe a 5 thousand !!!!). You have to make up your own mind, oh god, no! this is what we do when we think before making a decision. HOWEVER, a REVIEW is GREAT because it lets us know whether something interests us or not. We don't call them DECISIONS-MADE-WHILE-YOU-WAIT for a reason. Of course you have to check it out yourself, thumb thru it, maybe even buy it and read it before you really know its super-fantastic.

gripe about something important. like socks.

Translation:

[PFactor]

I wrote all that stuff from scratch asshole

I pulled this out of my ass.

In addition I have run hack proof distributed-load-web servers for over 5 years, on macs.


I have a website that nobody's ever visited.

You are a closed minded linux lover who hates FACTS that show that NO MAC HAS EVER BEEN EXPLOITED!


I am bigoted against linux users. Plus, I firmly believe that shouting makes my arguments more persuasive.

EVER.

Sometimes I use complete sentences.

Translation:

[PFactor]

You seem to be angry at facts. Why not DISCUSS your envy of the fact that no mac webserver has ever been remotely exploited in internet history.

I'm a pretend psychologist.

And yes there are indeed many macs sold, and many used as servers.

But I failed statistics and research in college.

I think you are a Linux-zealot trying to be humorous.

I think you are a Linux-zealot trying to be humorous.

The mac is the most secure webserver in the world and that book does NOT address it because it is a MS controlled company.

I don't know that books are not companies.

Translation:

[PFactor]

Not a troll, just scientific facts about mac being more secure for webserver

Science is the study of copying and pasting from one web browser window to another.

Find ONE fualt in it, if you think its a troll.

I'm not smart enough to notice how ironic it is that I can't spell "fault".

It should not be modded as a trol by linux-fanboys like you.

I can't spell "troll", so I must not be one!

Re:FUD HAHAHA! Wrong! Macs are easy!

[Latent+IT]

It is a concrete fact that that no MacOS based webserver has ever been hacked into in the history of the internet.

I bet you'd like to think you're right, but you're not.

Install a filter between you're brain and typing fingers, then come back, okay?

I think

[karb]

Probably if you already understand what the book is explaining, you can probably skim it looking for errors.

Typically, unless you're a book reviewer you probably wouldn't read a technical book that only explains things you already understand :)

Don't click on Slashdots link...

[RedWolves2]

Don't click on slashdots link to buy the book from Barnes and Noble. It is listed there at $39.99. Amazon has the same book for $34.99.

Save yourself some money.

Re:Don't click on Slashdots link...

[Rocky]

Wow! Thank you Sir!

With the remaining monies, I can now go to a movie!

By myself!

Re:Don't click on Slashdots link...

Don't click on slashdots link to buy the book from Barnes and Noble. It is listed there at $39.99. Amazon [amazon.com] has the same book [amazon.com] for $34.99.

Save yourself some money.

Dude! DONT buy from amazon!!! it's only $28.95 at bookpool.com the ultimate online tech bookstore!

http://www.bookpool.com/.x/d4aysbtukr/sm/0201761 76 9

Re:Don't click on Slashdots link...

[bud8879]

BookPool has it for $29 http://www.bookpool.com/.x/pjpfpi1wk4/ss/1?qs=0201 761769&Go.x=21&Go.y=5

Re:Don't click on Slashdots link...

[bud8879]

sorry about that. BookPool has it for $29

Just as fictional?

[brokeninside]

Webstar and other web servers do exist for MacOS. In fact, in 1999 the US army switched to Webstar on MacOS. I don't know how long they stayed there. For all I know, they never completed the conversion after the announcement.

MacOS was also an incredibly secure web serving platform. A number of companies held a "crack a mac" contest in 1996/1997. After several repeats of the contest because no one could break in to claim the US $10,000 prize, third party software was included (Lasso CGI). The system was cracked shortly thereafter.

The original poster certainly overstated the case. Once CGI is enabled, all systems are (theoretically) as insecure. MacOS is no exception. It's superiority on this level is one of security through obscurity.

Mod parent down

[crapulent]

Parent is a copy-and-paste karma whore.

Turnabout

[0x0d0a]

Let's look at your post from how you would feel if someone aimed this at you -- I think you'll find it a bit harsh.

"The problem I have with posts on Slashdot making personal attacks, is that there is no context for the attack. Specifically, blah blah blah. We have no knowledge of the posters skill level or experience.

It would be far better if the poster would give a little background information about themselves, along with the post.

What is FreeLinux's skill level? How long has he worked in this field? What related hardware and software is he proficient with? What other books on the subject has this person read and what was their opinion of one of those books? Without this information the post carries no more weight than one from Jon Katz."

Re: [OT] some instructions

[Xenographic]

B.) Its a Xenomorph, not a Zenomorph.
>>>>

Zenomorph has been a friend of mine on CyberArmy.com for ages; that's his name, like it or not. Yes, things did get confusing for a while with two similar names, but now that everyone & their dog has an alias named '[xz]eno.*' ... They've even knocked off my once trademark smiley :]

Sorry for this minor, OT rant. We now return to your regularly scheduled program...

Re:The book is a sham! Ignores secure-OS webserver

[0x0d0a]

Dammit, troll instead of funny? C'mon, have a heart -- the guy was funny.

Oh, well. Here we go.

It's a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.

Heh

The MacOS running WebStar and other webservers as hs never been exploited or defaced, and are unbreakable based on ample historical evidence

It's easy to write a secure webserver. It's a little harder to write one that does useful work *and* is secure. I can write a secure webserver in an afternoon. Start adding on forums or something worthwhile to a WebStar server and you'll see security holes.

That is why the US Army gave up on MS IIS and got a Mac for a web server

The Army dropped IIS because it's a bug-laden insecure piece of shit that's been responsible for more break-ins than any other piece of software in the history of mankind. That doesn't mean that Mac OS based webservers are ideal, mate.

I am not talking about FreeBSD derived MacOS X (which already had more than 30 exploits and potential exploits in BugTraq) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Ah, yes. Classic Mac OS. No memory protection, if my memory of 7.x days serves me well. An exploit of the server is an exploit of the whole machine. No chroot.

Why is it hack proof?

Hehe

No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

You're talking about command line arguments? Doesn't have anything to do with piped communication.

No root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

Yeah, I did development on System 7.x for a while. It does teach you to be damn careful with those pointers -- crash "Damn, gotta reboot so I can change one line, recompile, and try again!". I don't buy it.

Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL) but the side effect is less buffer exploits. Individual 3rd party products may use C sings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator

Pascal strings are a fucking archaic scheme dating from times when you statically allocated 255 byte strings and then had a size byte to tell you how much you were actually using. They cap you at 255 bytes. You can do bounds-checked arrays in C, just as you can in Pascal. Not everyone does so, but the same applies to the Mac and Pascal strings, as you pointed out. Furthermore, using UNIX or Windows doesn't mean that you have to use C/C++. In the GNU Compiler Collection alone, you have Java, fortran 77, objective C (*cough* like MacOS X), and Ada support, all of which have bounds-checked strings.

Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

Yeah? And UNIX has an executable bit. If someone can get it and flip permission bits and rename files, the chances are pretty good that they can change file types.

Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hacker's needs. In fact its even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

This is why every communication program for the Mac supports MacBinary. If you can upload something to the system, you can pretty assuredly toss a resource fork up.

Stack return addresses positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programers lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place return address in front or out of context of where the buffer would overrun. Much safer.

Take a look at the first link on this Google search. Secure or not?

There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US)

This happened *once*, laddie buck.

Less macs mean less hacker interest, but there are MILLIONS of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so its a moot point, but perhaps macs are never kracked because there appear to be less of them.

Some of the most skilled programmers are systems level Mac coders? I mean, it's not *impossible*, but is there a Archangeli or a Cox in the MacOS world? If there is, they likely work for Apple and aren't out trying to break into web servers.

But some huge high performance sites use load-balancing webstar.

Why should you *not* use a classic Mac for a high-powered server?

Let's see. If we have more than one process doing anything on the system, we run into the complete lack of preemptive multitasking. If an administrator is doing something at the console, everything except for interrupt-driven crap stops cold. Bit of an issue. There's the lousy VM in the classic Mac OS. HFS/HFS+ is not the most impressively high performance filesystem ever. Caching in the classic Mac OS sucks.

Classic Mac OS was designed to be a workstation. Servers were not in the mind of the designers at all. That doesn't matter -- it makes a fine workstation for many people. But pimping it as a server is silly.

MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look fo rprogramming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

So by your logic, there should be no IIS exploits.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is

People who install Apache are fools? ...other than that event ages ago in 1995, no mac web server has ever been...scanned...

I really hate to break this to you, but you're in error here.

I think its quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD! Each month vulnerabilities in XP arise.

Those 200 to 300 vulnerabilities you list are *local* exploits, you idiot. Classic Mac OS doesn't list those because by using the computer you are engaging in one giant exploit...able to read other users files and whatnot. If Apple was as ambitious as Red Hat is, they'd be listing "local vulnerabilities" as well. Apple doesn't go out of their way to point out holes that they *do* have. Furthermore, Red Hat ships with *servers* to exploit. The Mac OS doesn't *do* anything out of box as regards serving, so there isn't much to exploit. If you don't care about doing anything, an off computer is even more secure.

BTW, I distinctly remember Apple never shipping a free update to Open Transport to fix some vulnerabilities in the TCP implementation for those of us with System 7.5.x. That *is* attackable.

Re:Jesus Shines My Shoes

[SEWilco]

Spelling for dummies: Foreword

I bet you don't bank online

[PinglePongle]

If you did - or bought something from an online retailer, or stored sensitive or valuable information stored on a computer that is connected to the internet....

There's definitely a lot of FUD sown by the "security" industry. I also agree that the media don't always treat the subject responsibly - events involving any kind of computer usually get cloaked in semi-accurate buzzwords implying the use of magical incantations and mysterious underground organisations, when usually it's a bored teenager trying to hack into a porn site.

On the other hand, there are serious security breaches every day - and script kiddies can do as much damage as a responsible hacker - more, because they often don't understand their tools very well. If nothing else, you need to protect your system against them.

If you write software that can be used by total strangers across the internet, you need to assume that some of them will have unpleasant motives and will attempt to cause your software harm. It doesn't matter if this applies to 0.001% - if you are dealing with sensitive data, providing a public service or rely on your income from your online application, if just one script kiddy brings your site down, you've lost the ball game.

I think anyone who is involved with online application development should at least look at books like this, and if you're the technical lead you should make sure you understand exactly what your application is going to be up against. The numbers don't matter - just one visitor is enough to do irreparable harm to your site.

How can I get /. to help me make money off clicks?

[Hyped01]

Neat!!! /. is now allowing people to post "reviews" of books and links to a paid referral purchase link!!!

How can I get in on this great deal???

www.BinFeeds.com
The best online XXX Newsgroup Binary Galleries
Thumbnailed for ease of use!! Click here and help /. help me make money!!!

Re:FUD HAHAHA! Wrong! Macs are easy!

[Latent+IT]

No MacOS webserver has ever been rooted or defaced in history.

Okay there, buddy. Stop frothing at the mouth. First of all, how the hell do you root a system that doesn't even have different levels of access? It's all root. In that sense, Mac OS 9 is just about as shiny and amazing as Windows 95. You don't even have protected memory. That's why you have vulnerabilities in your web broswers where just looking at a website can force your wonder machine to download and run any code the site designer wants, that's why doing a simple RDNS will shut your system down completely.

Oh, by the way. If your machine is a web server that RDNS's addresses, anyone browsing from, or spoofing 206.207.151.40, 206.98.128.14, 206.207.48.173, or 206.207.48.194 will shut your system down. Like, wave bye-bye down, since you again, have no protected memory. Wow. I'm sure in the HISTORY of Mac OS 8 and 9 webservers, no RDNS's have been performed.

Honestly, the system you're bragging about is fucking Mickey Mouse bullshit. Name the site and the date, indeed. The burden of proof is on you, friend. Nothing is secure. Why not show me some (any) respectable (non-geocities/mac zealot) links that agree with you?

Example of real world security thru obscurity

[Mith]

I'll leave it up to the Slashdot crowd to figure out how useful this may or may not be in the computer security field. There exists in the real world a document that was encrypted to keep the contents from becoming public and has foiled all known attempts to discover the plaintext. How long has has the security held? Over four hundred years! This remains true dispite efforts by several well qualified experts including the CIA/NSA. The original was donated to Yale and is still there, waiting to be deciphered. So, it is possible but probably not practical. What is the name of the document? The Voynich Manuscript. A short quote from the site:

The Voynich Manuscript has been dubbed 'The Most Mysterious Manuscript in the World'. It is named after its discoverer, the American antique book dealer and collector, Wilfrid M. Voynich, who discovered it in 1912, amongst a collection of ancient manuscripts kept in villa Mondragone in Frascati, near Rome, which had been by then turned into a Jesuit College (closed in 1953).

There are several other sources, some much more wacko than others, so try to consider the source when looking at a given site. Some more links:
voynich site on GeoCities
page of links from geocities Voynich site

Re:inversely proportional ?

[ibennetch]

Basically as one variable goes up the other goes down; to make an example from #1 above:
Font size. Inversely proportional to quality of the text
The bigger the font size; the lesser the quality of the text. The smaller the font size the higher the quality.

Go here for [slightly] more in-depth information