Customer Reviews

11 Reviews: 5 star (8), 4 star (2), 3 star (1), 2 star (0), 1 star (0)
11 of 12 people found the following review helpful:
5.0 out of 5 stars The best web hacking book today, September 7, 2003
By phil (Great Plains, South Dakota)
This review is from: Web Applications (Hacking Exposed) (Paperback)
I just finished reading Hacking Exposed Web Apps and was coming back to Amazon to fwd the recommendation to a friend who is a CSO at a Fortune 500 firm when I stumbled upon the review from hermie. I have to say that I disagree completely with hermie's assessment, and felt compelled enough to say so in print! First of all, the book does cover a number of web platforms besides IIS -- it's the only one I've seen that talks about web services in any detail (SOAP, UDDI, XML, etc.), and it also devotes entire chapters to both web app management and web client hacking as well (very salient but often overlooked topics in other books). Main author Scambray may be a Windows security expert, but the non-Windows expertise is very visible in the appendix on libwhisker and the chapters on surveying the app, attacking session state, and input validation, etc. This also calls into question the criticisms by hermie of the specific detail versus the depiction of broad concepts -- if you are after ancient security concepts, then you plainly shouldn't be reading the Hacking Exposed series! That's the point of each book in the series -- use fresh, relevant technical details on how to hack to illustrate cutting-edge *concepts* in computer and Internet security. I think hermie really missed the boat here. Finally, the straw that broke the camel's back for me was the comparison to "Web Hacking" by McClure. McClure is an executive now running his own start-up, and the knock that I've heard on this book is that it is really non-technical and out-of-date in sections. McClure brought in strong contributors to drive the details, but apparently couldn't glue the right pieces together to make this book competitive. I have a borrowed copy on my shelf, but frankly could not get past the first three or so chapters. Sigh -- I guess that's the breaks when anyone can post their thoughts here in the review section :)


16 of 19 people found the following review helpful:
3.0 out of 5 stars A decent introduction, but incomplete, July 21, 2003
By "hermie1" (Davison, MI United States)
I must admit, I was disappointed with Hacking Exposed Web Applications (HE:WA, as another reviewer called it). Overall, I thought it was basically mediocre.

My main fault with the book was that it was incomplete; equal and fair coverage was not given where it should be. For example, Chapter 9 "Attacking Web Datastores" should have been called "Attacking Microsoft SQL Server." While some of the general techniques (i.e. SQL injection attacks) in Chapter 9 could have been applied to any SQL RDBMS, much of it was very specific to a Windows/IIS/ASP/MSSQL setup. This doesn't help me much to write my bread-and-butter Unix/Apache/Perl/PostgreSQL or even Java/Oracle apps any better.

It seems like the authors wrote their book to be "Hacking IIS Web Applications Exposed" and at the last minute decided to throw in some Apache and Unix here and there, with a sprinkling of Cold Fusion and Netscape Enterprise, to market the book more broadly. If they had just stuck within their expertise (Joel Scambray wrote for Microsoft TechNet's ironically-titled "Ask Us About... Security" column and wrote "Hacking Windows 2000 Exposed") and produced their original book, I think they'd have come up with a better product.

Another problem I have with HE:WA (and the whole HE series) is that they spend too much time on specific attacks and not enough time on the broader security concepts. For example, how useful is the first HE book today? How useful will HE:WA be in three years? I still recommend "Computer Security Basics" to anybody beginning in the security arena, and that book was published over a dozen years ago. CSB remains in print today because it teaches sound pragmatic security *concepts* that remain relevant today.

I will say, however, that HE:WA does do a better job than some of the other HE books about reinforcing broad concepts (like Input Validation) across all platforms and languages. I still do not feel they teach pragmatic security for web app development though, and it's being pragmatic that will save you from tomorrow's attack. (You've got to distrust your OS, double-check whatever your webserver says, hate your database, and ALWAYS validate your input and you'll be immune to almost all vulnerabilities discussed in HE:WA.)

Despite all the problems I have mentioned, this remains an okay book for a novice web developer looking to learn security, especially those of the One-True-Microsoft-Way persuasion. If you're looking for an alternative, I'm halfway through "Web Hacking: Attacks and Defense" (co-authored by Hacking Exposed lead author Stuart McClure) on Safari. I like it better than HE:WA so far, and it seems to be fairly comparable on the target audience and topics covered (and it actually covers them!). I would give it a 4/5 or a 5/5 based on what I've read.

In conclusion, if you can only buy one book on Web Application security, don't get this one. Otherwise, it is at least worth a skim and a spot on the bookshelf.


9 of 10 people found the following review helpful:
5.0 out of 5 stars Yet Another Excellent Hacking Exposed book, November 24, 2002
There is an unofficial time cycle called an ohnosecond, which is the amount of time between when you realize you left your keys in the car, and when the car door locks. While it's frustrating paying the locksmith $100.00 to open the car door, it is also exasperating to the person paying the $100.00 that a good locksmith can open the car door in under a minute.

While a car door is an entrance to one's automobile, web servers are portals to corporate intranets, e-commerce offerings, and much more. And while a locksmith or thief can open a car door in a minute, so too can adversaries often penetrate corporate web servers with similar ease.

For those that don't accept the comparison, reading Hacking Exposed Web Applications will clearly open one's eyes. Forgetting for a minute the myriad vulnerabilities that affect many software products (including Windows, Apache, ColdFusion, and more), both books show how poorly written software, and misconfigured web servers make the penetration of web servers child's play.

The book provides step-by-step instructions in an easy-to-read style for hardening web servers against attack. For those that have read previous books in the Hacking Exposed series and are comfortable with them, Hacking Exposed Web Applications uses the same easy-to-read and well-organized style.

The book has a lot of value even for those who are not so security conscious. For those with an interest in security, one's eyes will be open to the myriad places where vulnerabilities lie, from software, to scripts, mark-up files, and more. Anyone concerned with web server security should definitely read this title, or at least ensure their system administrators do. If not, think of your web servers as being Gone in 60 Seconds.



5 of 5 people found the following review helpful:
5.0 out of 5 stars The book to buy if you have a web server on the Internet, November 17, 2002
"Hacking Exposed: Web Applications" (HE:WA) is an example of the direction the "Hacking Exposed" series should continue to take. The authors follow the methodology proven to compromise the mightiest servers. HE:WA is practitioner-focused, giving readers the opportunity to follow along as the authors dissect victim web platforms. I highly recommend this book for its technical strengths and its ability to convey important information in an entertaining manner.

HE:WA is particularly strong where the authors choose to explain web technologies. Successfully compromising web platforms requires an understanding of more than Apache or IIS. Accordingly, HE:WA gives background on SQL, web services, and web-based management. My favorite aspect of the book is its ability to explain technical details of web-based systems with an eye towards security. It's refreshing to be introduced to web services, for example, as well as learn how to attack and defend them -- all in a single book!

HE:WA describes numerous vulnerabilities, chosen to demonstrate classes of attacks. The authors provide useful methodologies for assessing web applications, each with accompanying code and text snippets. Their explanations of cross-site scripting were exceptionally clear, thanks to this approach.

I found HE:WA to be a fast but informative and engaging read. The appendices, featuring "best practices" for securing web platforms, an assessment "crib sheet", and instructions for proper deployment of URLScan, bring this excellent book to a close. Scambray and Shema won't leave you hanging -- they share their knowledge to help keep your systems as secure as possible. This is the book to buy if you're responsible for web server security.


7 of 8 people found the following review helpful:
5.0 out of 5 stars An Eye Opener, July 26, 2002
By "websiteowner" (Morecambe, Lancashire UK)
It's no good burying your head in the sand and pretending your web applications are not vulnerable to attack... particularly not since the publication of this book! "Hacking Exposed: Web Applications" will appeal to both script kiddies and security administrators alike. Not only does it tell you about various security exploits, but also gives you practical advice on tools you should use and the techniques that will save you the most time without missing a potential backdoor.

When I first flicked through the book my initial reaction was that I wouldn't be able to find the information I wanted very quickly. Having read the book however, the structure of the book makes perfect sense as it follows the thought processes of someone trying to break into a web application. This train of thought makes you think about all the aspects and potential weaknesses of the application and so helps you to secure your web sites and servers more thoroughly than the "per server" approach I was expecting.

There is a lot of information to digest within these pages, so I highly recommend that you have a notepad and pen handy when reading this book for the first time. I make this recommendation because there are a lot of acronyms being thrown around (particularly in the earlier chapters) and it is very easy even for someone with adequate server knowledge to get dizzy from the use of terminology. The appendixes will prove useful references in their own right, with the checklist and crib sheet proving useful time and time again.

If you are serious about protecting your web applications, servers and internal networks, then you really should lock down all your connections with the internet. Reading "Hacking Exposed: Web Applications" will certainly get you looking at your site and its security in a new way...


5 of 6 people found the following review helpful:
5.0 out of 5 stars Unsettling but necessary, August 27, 2002
Like powerful medicine, the "Hacking Exposed" series of books are unsettling and unnerving, but ultimately required reading for anyone serious about Internet security. The Web Application installment of the series covers exploits related to client- and server-side applications, as well as database and Web service compromises. For beginners, the book includes a section on server hacking, complete with explanations of the "script kiddie" tools that are nonetheless powerful and potentially damaging. And naturally, much emphasis is placed on security best practices and specific techniques for blocking potentially devastating exploits.


2 of 2 people found the following review helpful:
5.0 out of 5 stars A must have for developers serious about security, March 28, 2003
By "eric17592" (Carlsbad, CA United States)
If you write web applications and are serious about their security, you need this book. The book gets you inside the mind of a hacker and shows you why simply having the latest patches and security updates is not enough.


1 of 1 people found the following review helpful:
4.0 out of 5 stars Good read for (beginner-mid-level) security professionals, March 1, 2003
By Rafal M. Los (Atlanta, GA United States)
You should read this book. If it teaches you nothing else, it'll teach you how much you're forgetting, how much you are missing and just don't think of. Whether you're a sysadmin, or a security engineer -- read the book, it's worth keeping in your library.


5.0 out of 5 stars Hacking exposed: excellent books, October 9, 2006
By Luis Carlos Solano (San Jose, Costa Rica)
This is a general comment regarding the Hacking Exposed series. I owned Hacking Exposed (first edition) and then I moved to the more specific Hacking Exposed books, so now I've got Hacking Linux Exposed, Hacking Windows 2000 Exposed and Hacking Web Applications Exposed. All those books are absolutely worth it, do not hesitate to buy any of them.


4.0 out of 5 stars A must read, even in 2005/2006+, December 5, 2005
Covers XSS (Cross-Site Scripting), SQL Injection hacks, and a bunch more!

PROS: Doesn't get deep into code, but shows all the ways that people will peek and poke in your web apps. Covers IIS, Apache, ASP, PHP, CGI, and some CMS systems I've never heard about but Enterprise level teams may use.

CON: The book is probably due for a second edition, only because it's a couple years old - but all info/issues/hacks are still issues today!

This product

Web Applications (Hacking Exposed) by Joel Scambray (Paperback - June 19, 2002)