"The Web Application Hacker's Handbook, Second Edition" review | BHS

Written By Tao on Thursday 28 November 2013 | 11:34

This book is fantastic, and seeing how the first edition was the first security book I ever read, I just had to pick this version up and give it a proper review. Aptly nicknamed The Web App Hacker's Bible, for both its mass and authority, I often use this book as reference material for looking up subjects and hints. Not only does this book cover the deep and complex field of web app pentesting, but the 2nd edition comes back in full force with new technologies and troubleshooting tips. This book focuses on practically exploiting web applications, by first explaining the theory behind the technologies, then showing real-world exploits with industry tools, which makes this book the perfect reference material for when you get stuck in a pentest. The main tool used in the book, the Burp Web Suite, was written by the author of the book, and is kept up to date, more so than this text. The following is a highlight of some of my favorite changes between the first and second editions, as well as some of my favorite chapters in general. At the end, I include all links to the web resources, as well as new online web pentesting labs (which unfortunately cost money). Throughout the new edition, "Try It" blocks link to the online pentest labs, allowing readers to quickly practice new techniques as they learn them. Both the book, and thus the review, are intended for web developers or penetration testers looking to practically exploit web vulnerabilities.



A great place to start the review is Chapter 3, which has been heavily expanded to include many more modern web technologies. This chapter includes overviews and hacking tips for techs such as TCP, HTTP, REST, cookies, HTTPS, proxies, Java, ASP.NET, PHP, Ruby on Rails, SQL, XML, SOAP services, HTML, CSS, JavaScript, VBScript, DOM, Ajax, JSON, Same-Origin Policy, HTML5, various encoding schemes, and serialization frameworks. This is a solid overview of web technology and a bare minimum for any web penetration tester, such that they are less likely to be surprised by a technology on the job. It's always good to go in with a background understanding of the strengths and weaknesses of a specific tech before researching vulnerabilities, let alone auditing a technology.



Chapter 5 has also been expanded, practically delving into hacking these modern web technologies within the Burp intercepting proxy suite. Info here can help you leverage the client-side code to abuse server functions, such as reusing JavaScript-driven requests, decompiling browser extensions to access local variables, or in general interpreting and tampering with serialized data transmissions. This chapter can be a great time saver for any aspiring web hacker, as these are troubleshooting lessons I've learned the hard way many times, through encountering web applications using Flash or Java applets. This foreknowledge can really help any web pentester, as we are always encountering new situations and must be ready to untangle and debug any application stack.



Chapter 9 has been refocused to give SQL injection more bandwidth, as well as a larger section on using automated tools in your SQL testing. This is a very deep review of SQL injection, with extensive parts on database fingerprinting, UNION SQL injection, injection on numeric fields, bypassing filters, second-order SQL injection, and blind SQL injection (inference attacks). This chapter also dives into using automated tools such as SQLMap along with Burp requests, to chain data from one tool to the next. My favorite part of the 2nd edition is a section at the end on injecting into nontraditional datastores, such as NoSQL, MongoDB, XPath, and LDAP injection.



Chapter 10 has been divided off into injecting into other backend services, such as processes handled by the operating system, interpreted languages, or data passed to other protocols. This chapter details OS command injection extensively, as well as injecting into various interpreted languages, such as Perl, PHP, and XML-based SOAP services. It even gets into injecting into email headers and the SMTP protocol. This is a great chapter to open one's eyes to the various types of injection beyond SQL that exist in computing.



Chapter 12 has been split into two chapters, similar to SQL injection; this time Chapter 12 focuses exclusively on Cross-Site Scripting. XSS is now covered in depth, with new testing techniques for reflected, stored and DOM-based Cross-Site Scripting. The payload section is also heavy, discussing virtual defacement, inducing user actions, injecting "trojaned functionality", and even escalating the attack through attacking other sites and internal scanning. The practical tips involved with these exploits are great, targeting specific data types with lots of "Try It" examples. The filter evasion section also contains lots of good tips for your XSS attacks. Chapter 12 also includes all kinds of attacks against non-standard fields, such as in cookies, in the Referer header, hidden in file uploads, via Ajax, or through other protocols, such as using web mail. This chapter also has an extensive section on blocking these attacks and remediating these vulnerabilities, which could prove very useful to developers.



Chapter 13 now covers other unique user-land attacks, including XSRF, UI redress attacks, and frame jacking, just to name a few. These attack vectors now get the respect they deserve, and this chapter truly highlights the specific importance of these exploit mitigations. This chapter dives deep into OSRF, XSRF, and UI redress, where an attacker is trying to induce user-level actions through manipulating the browser. This chapter also revisits the Same Origin Policy with browser-extended languages, opening a whole new can of worms with languages such as Silverlight, Flash, and Java. This is a fantastic chapter on common vulnerabilities that are not so commonly found or exploited, and it will make any penetration tester noticeably better, simply due to the increased number of vulnerabilities they can report.



Other chapters, such as 14, provide tons of practical experience using and automating Burp and some of its special features. This helps drastically with testing and automating against technologies such as anti-CSRF tokens.



Chapter 20 dives into a web penetration tester's toolkit and practically walks through using the toolkit in a real web application penetration test. This is arguably one of my favorite chapters, as it details all of the tools a web pentester should have on hand, including browsers, proxies, spiders, fuzzers, scanners, repeaters, entropy analyzers, and many more. It even details and suggests specific tools, including their strong points and pitfalls. Obviously, this is not an all-inclusive list, but it does include many tools that I use on the regular, and if you're looking to get into penetration testing, you should be familiar with these tools or some equivalent alternative.



Chapter 21, my favorite and the final chapter, is an amazing checklist to use when going through a web app penetration test, to make sure you left no stone unturned. Following this itemized list is a surefire start to finding vulnerabilities and a great baseline. It is processes and routines such as Chapter 21 that make security testing a science and not an art, which is also why this book is so crucial among security books.



Finally, the companion website for this book at http://mdsec.net/wahh contains source code, a list of security tools commonly used, answers to questions in the book, the amazing web app pentest checklist, and a link to buy the book. Also, don't forget to check out the labs, or you can always practice on free resources! Regardless, you should pick up the book if this review intrigued you!

Reading List / Video Supplement:
Read Web For Pentester PDF
Web Application Firewalls
OWASP Cheat Sheets
Nebula
Web for pentester
Bypassing WAFs and PCI
Florida State Pentester Course!