Most Helpful Customer Reviews
7 of 7 people found the following review helpful:
2.0 out of 5 stars
Good basic info, but too Windows focused, March 17, 2007
Pros
On the good side, the author (Shreeraj Shah) does a good job of establishing the foundations. He covers all the concepts, the alphabet soup (SOAP, WSDL, UDDI, etc.). There's plenty of real, live XML in the text. Although it sometimes feels like fluff, most of the time I find it helpful. Since I'm pretty unfamiliar with this subject, it was handy to have some of the examples written out. I have to perform software assessments for a living, and sometimes I run across web services. I'm better armed for those services having read this book.
Cons
There's a lot to be said that is negative about this book.
* It's very "hack" focused. Duh, that's the title of the book. But at the same time, I don't find it that useful to have yet another book that shows you how to break an application. What about fixing them? He has some suggestions there. I'll get to that.
* Everything is Microsoft and .NET focused. He makes mention of J2EE-based web services, and Perl and Python based scripts, but no significant part of the book is built on those things. If you're totally Windows-centric, this book will be fine. If you're on another platform, it's up to you to adapt what you learn here.
* He has a suite of tools that look to be really useful for monkeying around with web services. They're written in .NET, but unfortunately, they're closed-source. Even though lots of .NET apps run on MacOS and Linux under Mono and other emulations, he hasn't released his tools that way. One tool is released in a "Linux" binary that runs under mono. What about the rest of us?
* The text is poorly typeset. This isn't a nit picking criticism. When you're displaying lots of XML or .NET code, indentation is important. Some specifics:
  * Most of the XML is indented well when it shows up in the text, but if it has to wrap from one line to the next, the indentation is usually poor. The second line might begin right at the left margin.
  * The .NET code is almost always not indented at all. That is, everything is lined up on the left margin. That makes reading example code harder than necessary.
  * Some line breaks are just handled badly. In the chapter where he introduces HTTP headers, one of his example HTTP headers is too long to fit on a line, so it wraps to the next line. This, of course, is not what it really would look like.
* He gets definitions and word usage wrong in a few places. For example, his definition of a web service is really awkward and needlessly complex. He calls hashing a value with SHA1 "encryption" in at least one place.
* There's a lot of motherhood-and-apple-pie security in here. It's the same old tired advice like "developers need to code securely" (whatever that means) and "go build a threat model." These are not new ideas, they're not specific to web services, and they're a waste of paper in this book. It's not this book's job to teach those things, so just don't bother mentioning them in an impotent way.
* His example code for using WSE security (p. 277, Chapter 11) is vulnerable to SQL injection, a hack he has been demonstrating over and over and over. This just goes to show how (a) it's not easy to get it right, and (b) when authors focus on demonstrating one piece of functionality, they can overlook another. It's just especially unfortunate in this book, since he's theoretically telling you how to be more secure. Woe to the developer who simply copies and pastes this code and doesn't realize the SQL injection error lurking in it.
* Finally, there are lots of little places where it's clear that the editors were asleep at the wheel. The author has written at least one other book, but his vocabulary and grammar are awkward sometimes.
So, the final analysis is: I like it as a starting point, but I found myself mentally noting a lot of flaws as I went. Since I'm not a Windows user, I also found it a lot less relevant than I had hoped. Web services are not .NET or Windows specific, but this book really is.
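The review above describes a credential lookup in the book's security example that concatenates user input into a SQL statement. The following is an added illustration of that class of defect beside its parameterised fix; it is not the book's code, nor is it the reviewer's. It uses an in-memory SQLite table with constructed sample rows so it runs offline, and the table, column and function names are hypothetical.

```python
"""Authentication lookup written two ways: concatenated SQL vs. bound parameters.

Added example, not code from the book under review. Uses a constructed
in-memory SQLite database; names such as `users` and `is_valid_user_*`
are hypothetical.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway users table with one constructed sample row.

    A real table would store a password hash (one-way, which is hashing,
    not encryption) rather than the plaintext used here for brevity.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def is_valid_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The defect the review describes: credentials spliced into the SQL text.

    Any quote character in the input closes the string literal, so the rest of
    the input is parsed as SQL and the WHERE clause no longer expresses the
    intended check. Kept here only to contrast with the fixed form below.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    (count,) = conn.execute(query).fetchone()
    return count > 0


def is_valid_user_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised form: values are bound by the driver and never parsed as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def compare(username: str, password: str) -> dict:
    """Run both versions on the same input and report what each one decides."""
    conn = make_db()
    try:
        return {
            "vulnerable": is_valid_user_vulnerable(conn, username, password),
            "fixed": is_valid_user_fixed(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both versions agree.
    print("valid login     ", compare("alice", "correct-horse"))
    # A username that closes the quote and comments out the password check:
    # the concatenated version accepts it, the parameterised version does not.
    print("malformed input ", compare("alice' --", "not-the-password"))
```

The point for a reviewer of such example code is that the fix is not an input filter but a different API call: with placeholders, the driver sends the values separately from the statement text, so no content of `username` can change the shape of the query.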
4 of 4 people found the following review helpful:
2.0 out of 5 stars
Great info but wait for a second edition, August 22, 2006
I have never paid this much for a book with poor grammar and editing on nearly every page. Perhaps because the material is cutting edge they chose to rush this book to print. Not only is the copy bad, there are many places (like the entire appendix) where figures are referenced but do not exist. Despite this, the book contains some great information about the emerging security threats to web services and some measures you can take to preempt them. I applaud the author for his technical content, but the book itself needs a lot of work before you should pay this much for it.
2 of 2 people found the following review helpful:
5.0 out of 5 stars
Information You'll Need, Sooner or Later, August 15, 2006
Web Services is one of the fastest growing parts of the web. It is the standard format that allows computers to communicate with computers using the web as the communications medium. Being used largely in a business-to-business environment, the need for security is very high. And of course the efforts of the bad guys to break that security are also high.
This book is intended for intermediate to advanced security managers and for system developers. It provides a detailed look at web services including its concepts, protocols, and components. This takes about one quarter of the book. It's necessary to provide the background of the web services concept upon which the security systems are built.
The remainder of the book is on security. It includes known holes in the system, approaches the bad guys use, and of course mostly information that you can use to block them from getting into your system. This includes security tools that have been developed.
There is a CD with the book that has demos on the tools, the working of Web Services, audit and defense methodologies.
This is a book that in a good world you would never need, but if you're running web services sooner or later you'll need this information.