4/01/2011

Professional Pen Testing for Web Applications (Programmer to Programmer) Review

Taking a top-level view of the subject of pen testing web applications, this book is a success. It does not focus on hack techniques only and certainly does not use case studies to just show off. The author provides an excellent balance of in-depth technical hacking information with the way the results from such activity get applied to the business of pen testing. Many other books simply show techniques or cover a case study and then move on; the author of this book, Andres Andreu, covers how to handle the results of such needle-in-the-haystack work in order to make strides towards web presence protection. He is clearly not trying to generate more script kiddies but to provide professionals the power to understand their security position in respect to web applications and take measures to protect themselves through this heightened awareness.

One of the strong points the author makes is certainly well taken: the typical security professional is not knowledgeable enough to properly protect the web applications of today; they are generally network specialists. Based on this notion the book predominantly attacks the issue from a programmatic stance, aiming at filling the gaps where security is important. But he provides enough foundation and basics that if you read carefully you should not be at a loss when using this book. Also provided is enough data to build an effective personal lab and practice most of the areas covered throughout the book. This book really should be on the desk or shelf of every security professional that deals with web applications.

The book has a generally pragmatic overtone and the author is obviously focused on real-world work and results, keeping theory to a minimum. There are 11 chapters which are loosely associated with what is seemingly the evolution of a pen-testing project, which the author sometimes refers to as a journey. Then there are 4 appendices covering some interesting areas.

Chapter 1 at first glance seems like the typical nonsense where we find out how vulnerable we all are and how messed up the industry is. And while there is some of that, there is also a very strong, distinct message about what makes an effective web application pen tester, and if you read the material carefully the author is being very motivational and even covering psychological aspects of this type of work. I enjoyed reading about the mindset one has to get into in order to do this type of white hat work effectively. It gave me a new perspective on what I, as a network security professional, deal with daily. There were also some nice touches on doing this not just as an employee but also as a professional. This lean towards consultants is important because the rules are always different when a consultant comes in to do this type of work as an outsider.

Chapter 2 is titled "Some Basics" quite appropriately, because only some basics are covered. There is so much more that could be covered in this area, even though, to be fair, the book would then be twice its current size. In any event it is a love-it-or-hate-it type of chapter: for example, if you have experience with technologies like SOAP then you will not care much for it and will move on. On the other hand, if you have gaps in your knowledge that are covered in this chapter you will find it quite beneficial. This seems like a technical chapter targeting non-web-programmers. Security and network engineers stand to learn a lot in this chapter. It covers many different areas, from SSL certificates and CSRs all the way to SOAP and WSDL. Along the way many important areas are covered such as standard web languages, web state, data encryption, data encoding, and XML. At first the material in this chapter seems all over the place and I had to come back to it various times. But after the material sank in I realized the method behind the author's seemingly chaotic approach to the material. Love it or hate it, there is great material in this chapter.

Chapter 3 is your standard surveillance material with a clear lean towards application-specific material as opposed to network level. Some network-level material is presented, even though these areas are covered much better in other books. The author doesn't seem to be trying to cover this in classic form; he just wants what he needs from the network so as to better attack the application. There are some hidden gems in this chapter that will be eye-opening in the sense that some pre-packaged programs for this work will inevitably fall short. It becomes clear that manual analysis of gathered data is an important step. One interesting step presented is to gather any and all publicly available information and use it all together to form the basis of some eventual attack.

Chapter 4 seems totally out of place at first and it annoyed me. After the technical material from chapter 3 I wanted to attack something, and this chapter seems to backtrack into some theoretical best-practices nonsense. But there are many hidden technical tidbits in this chapter and so it requires some careful reading. I like the way the author linked the OWASP Top 10 and the WASC categories; this was unique in its approach and I haven't seen that done anywhere else. This chapter will set the general basis for organizing your work into attack areas and has many areas of non-obvious technical information. I would have liked seeing more in the area of threat modeling, even though I know many real-world practitioners don't practice this. The author exposes the practice in summarized form and clearly states that some clients in the real world don't care about this. But the material is presented in such a way that it can help you discipline yourself into some structured process. All in all, an interesting and valuable chapter.

Chapter 5 nose-dives into attacking web servers with a focus on IIS and Apache. Some old and some new exploits are covered. But the key part of the chapter is the area where the types of attacks are covered, since this applies to just about any web server. The programmatic approach is blatant here in that most exploits are backed up with code that can execute the attack covered. This is very useful, even though you have to be somewhat proficient in Perl, for instance, to make some of the examples work. I enjoyed this chapter a lot and even wrote some scripts based on the information from this chapter. I now regularly test new web servers with this knowledge before they go live.

Chapter 6 is really the hands-on apex of the technical aspects the book brings to light. In respect to standard web applications this chapter is huge and effectively covers many aspects, ranging from proxy servers as pen testing tools to custom scripts to injection attacks to brute force attacks. Along the way the author covers related areas like effective dictionary generation for brute forcing. He even covers L33T Speak because it is out there. Chapter 6 starts out with a lightweight checklist that is intended to be a foundation and cannot be anything more. This could have been developed further. After this the chapter covers manual and automated testing.

The manual testing section focuses on WebScarab, Perl/LibWhisker, authentication attacks (with ObiWan, Brutus, Crowbar, THC-Hydra, and Lcrack), buffer overflows, and client-side attacks such as XSS, RSS, and cookie-based attacks. This section ends with a small but clear example from what the author claims is a "real-world example". Based on the level of detail presented I believe this is indeed accurate.

After all the manual work is covered, Mr. Andreu dives into the world of automated tools in the form of open source, and he even exposes some commercial tools that are supposed to be good, even though he certainly leaves that up to the reader. From the open source category Paros proxy, Spike proxy, Nikto, E-or, Wikto, ntoinsight, and finally Nessus are covered. Different levels of depth are gone into based on the tool, but they are nevertheless effectively presented to us readers. I have used some of them successfully after first being exposed to them from reading this chapter.

Chapter 7 took me from where the previous chapter left off into the dark world of known exploits. It is as if the researchers mentioned in this chapter performed the chapter 6 learnings somewhere and documented their findings into information that can be used by anyone. This chapter is structured similarly to Chapter 6 in that it starts out with some examples based on manual work; hence the flow from the previous chapter is nice. Lotus Domino and IIS are attacked in the first 2 manual examples and there is a sense of real world here, because in the real world black and white are rare. The author takes us through the entire process of these examples from some of his projects and then shows how sometimes the exposure is acceptable risk, as opposed to saying something abrupt like "and so I hacked this successfully". These examples do a great job of putting together many of the teachings presented throughout the book up to this point. They are all tied in effectively and the deep complexity of this work starts to take shape in this chapter.

From here there is a shift into automated testing using Metasploit. The tool is presented effectively, but the example I felt lacked a lot. Maybe this is because the 2 earlier examples were much juicier, but I was left in a somewhat anti-climactic state.

To finish off the chapter the author exposes you to some public sources of valuable data, as well as providing you a powerful warning about self-protection and exposing 2 commercial players in the known vulnerability market. The public sources are a nice touch because the information is presented in terms of staying on top of an ever rapidly changing arena like the web based...


There is no such thing as "perfect security" when it comes to keeping all systems intact and functioning properly. Good penetration (pen) testing creates a balance that allows a system to be secure while simultaneously being fully functional. With this book, you'll learn how to become an effective penetrator (i.e., a white hat or ethical hacker) in order to circumvent the security features of a Web application so that those features can be accurately evaluated and adequate security precautions can be put in place.

After a review of the basics of web applications, you'll be introduced to web application hacking concepts and techniques such as vulnerability analysis, attack simulation, results analysis, manuals, source code, and circuit diagrams. These web application hacking concepts and techniques will prove useful information for ultimately securing the resources that need your protection.

What you will learn from this book:

* Surveillance techniques that an attacker uses when targeting a system for a strike
* Various types of issues that exist within the modern day web application space
* How to audit web services in order to assess areas of risk and exposure
* How to analyze your results and translate them into documentation that is useful for remediation
* Techniques for pen-testing trials to practice before a live project

Who this book is for:

This book is for programmers, developers, and information security professionals who want to become familiar with web application security and how to audit it.

Wrox Professional guides are planned and written by working programmers to meet the real-world needs of programmers, developers, and IT professionals. Focused and relevant, they address the issues technology professionals face every day. They provide examples, practical solutions, and expert education in new technologies, all designed to help programmers do a better job.
