Customer Reviews

Web Hacking from the Inside Out

5 star:		(0)
4 star:		(0)
3 star:		(1)
2 star:		(0)
1 star:		(1)

 

 

While I found most of the information in this book to be valuable, and didn't find any errors, the types of attacks discussed seemed very lopsided. The author talks in great length about DOS attacks on websites as well as SQL injection and command injection by exploiting input validation errors, but only covers PHP, ASP, and to some degree Perl. The XSS discussion was only 7 pages, and authentication was only 5 pages! This book is a great starting place, but if you've got any experience with web security you might want to look elsewhere. Additionally the book provides demonstrations using only commercial software that the author wrote. This alone made me extremely suspicious. There were no significant examples or discussion of other tools for testing web applications for vulnerabilities.

I am sitting in my college library and have been reading this book for about 5 minutes and have already found a huge error. When the author talks about safe file opening proceddures in php when using client inputed paramaters for a filename he suggests adding an extension to the end of the string before opening such as .fgfdfg so when an attacker attempts a string such as:
../../../../../../../../etc/passwd
it will try to open the non existent file /etc/passwd.fgfdfg
but any hacker worth his weight would just enter the string with a null bytesuch as:
../../etc/passwd%00
thus clipping the extension from the end. cause opening /etc/passwd\0.bsbs will open passwd

I havent read much more of the book but this huge error makes me want to put it back on the shelf. Overall, good for begginers I guess.... but theres better books out there and I wouldnt trust this one.

Peace
HexaTex