Joined: 10 Aug 2002
Location: Portland, Oregon USA
|Posted: Sun Jan 18, 2004 6:56 am Post subject: Book Review - Web Hacking: Attacks and Defense
Web Hacking: Attacks and Defense
Authors:Stuart McClure, Saumil Shah, Shreeraj Shah
Publisher: Addison Wesley www.awprofessional.com
Date Published:August 08, 2002
Book Specifications:Soft-cover, 528 pages
Category: Network Security
User Level: Intermediate
Suggested Publisher Price:$49.99 US / L37.99 UK
Amazon.co.uk: Web Hacking: Attacks and Defense UK
Amazon.co.uk: Web Hacking: Attacks and Defense US
Blurb from back cover: Whether it's petty defacing or full-scale cyber robbery, hackers are moving to the Web along with everyone else. Organizations using Web-based business applications are increasingly at risk. Web Hacking: Attacks and Defense is a powerful guide to the latest information on Web attacks and defense.
Security experts Stuart McClure (lead author of Hacking Exposed), Saumil Shah, and Shreeraj Shah present a broad range of Web attacks and defense.
Although I am not an expert in Network Issues, I am familiar enough to understand the lingo used by administrators, along with the basic concepts of securing a web platform. I therefore tenderly gazed at the pages of this book, expecting turmoil and mental-torture to assault my "advanced-novice" state-of-mind.
I was quickly and pleasantly surprised to discover how interesting the book actually was. It proved to be an excellent introductory level book to the world of web hacking. This book shows the common exploits used in hacking into various websites written in numerous scripts and languages.
This book is divided into four major sections: The E-Commerce? Playground, URLs Unraveled, How Do They Do It?, and Advanced Web Kung Fu. The first part of the book (The E-Commerce? Playground) starts out showing a simple case study demonstrating an effective attack on a fictitious small business website using only HTTP. The attacker discovered two vulnerabilities in a Perl Script on the site which he exploited. This was shown in the book as a step by step process with explanations. I found it an enjoyable read.
Throughout the book, the authors warn you repeatedly not to depend on firewalls as your single layer of protection. As has been preached on Security-forums Dot Com repeatedly, your security should be layered. Here too, the authors stand on the same soapbox.
An abundant use of code, including explanations of the weaknesses inherent in the code are used to illustrate the current discussion at hand. I've noticed as well that the authors provide many URLs to facilitate in-depth study of the topic. Often included are precautionary measures, and software tools available to assist in hardening your website.
I did enjoy their presentations on how Web Servers and Databases are exploited. I feel this book is a strong introduction to the art, and science of attacking web platforms. I finished the book having a better understanding of buffer overflows, and Java's Remote Command Execution. This alone makes the book worth reading although the price does feel a bit steep to me. After all this is something I can no doubt discover on Usenet Newsgroups; given the time and patience. (Please notice the use of the words time and patience in the last sentence).
Overall, the book is written for an audience of novice administrators, and web developers. Odds are high that experienced professionals are unlikely to find anything new here.
Style and Detail
I must state that this book lacks in format and organization. Overall, it tends to present the topic of web hacking in an incredibly haphazard manner. The chapters seem to bounce back and forth, and frequently sideways from topic to topic. Although worth reading, the book does lack a smooth flow in the subject matter.
The over-abundance of screen shots, sidebars, and illustrations are wonderful for the novice studying this topic. However, I strongly feel that the expert will quickly get annoyed not only over the amount of them, but also the placement of them as well. I myself began to tire of flipping two or three pages ahead of my current place in the text to view a screen shot. And it happens constantly throughout the book. It's almost as if these items were quickly tossed into the book after it was written in an attempt to bloat the page count.
The quality of Figures, Tables, and Code were excellent throughout the book. However, again; they suffered the same problem (except the code) as the sidebars did above. It was a double-whammy. You would be engrossed in the text, then suddenly required to skip ahead a few pages to check out the figure or screen shot. The second whammy hit you when you came to the point in text a few pages ahead, and you were distracted by the figure or screen shot which you'd already consumed.
Due to the very nature of this book being an excellent instructional guide on this topic, it has earned a respectable SFDC rating of 7/10. It is an excellent starting point for educating oneself in securing a network, although the exploits and examples in the book are now outdated. However, as alt_don, an Administrator of SFDC points out, "the case histories are never out of date as long as they show the proper methodology. By that I mean, they show a detailed approach as to how the author solved those very same problems. That is what is key in most of these books I find. To come away with a proper sequence of events which one should follow. Call it your analytical tree. You always follow the same steps for that way you rarely ever miss anything.". I feel the value of this book is in the education and not the reference.
A novice would do well to grab this book. An expert would find it worth his time to borrow the book from the novice and slowly thumb through it.
Security Forums Dot Com
Keywords: web, hack, security, review, book, attack, defense, McClure, Shah, PCWriter, website
This review is copyright 2004 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.
Last edited by Tom Bair on Thu Jan 29, 2004 2:38 pm; edited 14 times in total