
| Subject: | [CISSP-D] REVIEW: "How to Break Web Software", Mike Andrews/James A. Whittaker |
|---|---|
| Date: | Mon, 26 Jun 2006 11:46:58 -0800 |
BKHTBWSW.RVW 20060520

"How to Break Web Software", Mike Andrews/James A. Whittaker, 2006, 0-321-36944-0, U$34.99/C$46.99
%A Mike Andrews Mike.Andrews@foundstone.com
%A James A. Whittaker jw@cs.fit.edu
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-36944-0
%I Addison-Wesley Publishing Co.
%O U$34.99/C$46.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321369440/robsladesinterne
   http://www.amazon.co.uk/exec/obidos/ASIN/0321369440/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321369440/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 219 p. + CD-ROM
%T "How to Break Web Software"

The preface stresses that this book is neither about how to attack a Web site, nor how to develop one, but, rather, how to test.

Chapter one points out that the Web is a different environment, in terms of software security, because we have desktop machines, not centrally administered, talking to everyone (with much of the traffic being commercial in nature). The authors even point out that issues of error-handling, performance, and ease-of-use all contribute to increased levels of vulnerability.

Various attacks designed to obtain information about Web applications, structure, and functions are described in chapter two.

For client-side scripting, chapter three notes, any validation done on the client should be untrusted and re-validated on the host, since it may be altered on the client, or data manually entered as if it came from the client.

Chapter four explains the danger of using client-side data (cookies or code) for state information.

Chapter five examines user supplied data, and delves into cross-site scripting (XSS, the explanation of which is not well done), SQL (Standard Query Language) injection, and directory traversal.
Language-based attacks, in chapter six, involve buffer overflows (which are not explained terribly well), canonicalization (HTML and Unicode encoding and parsing), and null string attacks.

The server, with utilities and the underlying operating system, can be reached via stored procedures (excessive functionality), fingerprinted for other attempts, or subject to denial of service (in limited ways) as chapter seven notes.

"Authentication," in chapter eight, is really more about encryption: the various false forms (encryption via obscurity?), brute force attacks against verification systems, and forcing a system to use weak encryption.

Privacy, and related Web technologies (of which cookies are only one), is reviewed in chapter nine.

Chapter ten looks at Web services, and the vulnerabilities associated with some of these systems.

The CD-ROM included with the book contains a number of interesting and useful tools for trying out the various attacks and tests mentioned in the text.

This book is a valuable addition to the software security literature. The attacks listed in the work are known, but often by name only. This text collects and explains a wide variety of Web application attacks and weaknesses, providing developers with a better understanding of how their programs may be assailed. Some of the items mentioned are defined or explained weakly, but these are usually items that do have good coverage in other security works.

copyright Robert M. Slade, 2006 BKHTBWSW.RVW 20060520

======================
(quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Start every day off with a smile and get it over with. - W.C. Fields
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
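Added example, not part of Slade's review or of the book: a server-side re-validation routine for a client-supplied file path, illustrating the chapter three point that client-side checks must be repeated on the host, together with the directory-traversal (chapter five) and canonicalization and null-byte (chapter six) cases the review names. DOC_ROOT and the sample inputs are constructed for the illustration.

```python
import os
import unicodedata
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root the application is allowed to serve from (constructed).
DOC_ROOT = "/srv/app/public"

def canonicalize(raw: str) -> str:
    """Reduce the many encodings of one string to a single form.
    Percent-decoding is repeated until stable so double-encoded input
    (%252e%252e -> %2e%2e -> ..) cannot slip past a single decode."""
    value = raw
    for _ in range(5):                      # bounded: never loop on hostile input
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # NFKC folds full-width and other look-alike code points (e.g. U+FF0E) to ASCII.
    return unicodedata.normalize("NFKC", value)

def resolve_safe_path(user_path: str) -> Optional[str]:
    """Return the absolute path under DOC_ROOT the request may read, or None.
    Whatever the browser-side script checked is ignored; only this check counts."""
    path = canonicalize(user_path)
    if "\x00" in path:                      # null byte: truncation in C-backed file APIs
        return None
    # Normalise the filesystem form, then confirm it still lies inside the root.
    candidate = os.path.normpath(os.path.join(DOC_ROOT, path.lstrip("/\\")))
    if os.path.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate

# Constructed sample inputs: the first two are legitimate; the rest are the
# traversal, encoding and null-byte shapes chapters five and six describe.
SAMPLES = {
    "reports/q1.pdf": "/srv/app/public/reports/q1.pdf",
    "/images/logo.png": "/srv/app/public/images/logo.png",
    "../../etc/passwd": None,
    "..%2F..%2Fetc%2Fpasswd": None,
    "%252e%252e/%252e%252e/etc/passwd": None,
    "reports/q1.pdf%00.jpg": None,
    "\uff0e\uff0e/\uff0e\uff0e/etc/passwd": None,
}

def check_samples() -> bool:
    """True when every constructed sample resolves as expected."""
    return all(resolve_safe_path(k) == v for k, v in SAMPLES.items())
```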