Publisher: McGraw-Hill Professional
Web applications security and Web security in general are some of the most hottest topics in the InfoSec community. The rise of both vulnerabilities and security products in this IS sector clearly shows the importance of having the Web part of our lives secure. The book I'm taking a look at today is a part of Hack Notes series that carry on with the Hacking Exposed fame.
About the author
Mike Shema is a principle consultant and trainer for Foundstone, Inc. He is co-author of Hacking Exposed Web Application and Anti Hacker Tool Kit. In his professional line of duty, he has performed security assessments of a number of networks and Web applications.
Inside the book
The book is divided into three thematical parts, each containing a large portion of both theoretical, as well as practical web security situations. The first part incorporates introduction into web hacking and penetration methodologies. The topics covered within these chapters are mainly related to reconnaissance testing of applications and web services. Afterwards, in a chapter effectively titled "Critical hacks and defenses", the author traverses trough well known types of attacks including cross site scripting, SQL injection, session attacks and provides information on issues such as input validation, token analysis and XML services. What comes very valuable to the reader, are those numerous tables containing easily browsable info on stuff like Perl Regex, common input validation tests, SQL injections strings and common database defaults.
The second part of the book strives to provide the administrator all the things he/she should be aware while working in a Web environment. For the start, the author covers methods of vulnerability assessment and guides the reader through all the popular web security tools. Three vulnerability scanners (Whisker, Nikto and Nessus) and three assessment tools (Achilles, WebProxy and Curl) are featured in this section. Each of these tools is covered on a couple of pages accompanied with the appropriate screenshots. From the hardening point of view, readers are presented with couple of very useful checklists that focus on the two most popular Web servers around - Apache and Microsoft IIS.
Because of its importance, besides the checklists I mentioned above, Web server security is covered more thoroughly early in the third part of this Hack Notes title. Author shares some more tips on checking the log files and using proxies and load balancers.
Web security consists of two major parts - security of web servers and web applications. The importance of writing secure code can be seen on almost every page of this book, so it was expected that the book's "official content" (the book also hosts two more appendixes and one preview chapter from Hack Notes Network Security) is finished with tips on secure coding.
As with all the books from these series, Hack Notes Web Security also incorporates a satisfactory 30 page reference center located in the center of the book. It includes such topics like input validation tests, HTTP protocol notes, application assessment checklists and search terms that will make Google a valuable addition in the attacker's arsenal :)
I mentioned earlier that there are two appendixes to the book. The first is a 7-bit ASCII reference (containing character, description, decimal, hexadecimal tabs) and the other one is a nice essay on WebGoat. This geeky titled product was created by OWASP (Open Source Web Application Security Project) and provides an easy, hands-on approach for better understanding the security issues related to web applications.
To share my thoughts
If you've read my review of "HackNotes Linux and Unix Security", I should warn you that I'll probably repeat some of my final thoughts on this book. Being a part of Hack Notes series, you'll either love it, or hate it. I'm personally a big fan of these kind of publications as they provide so much valuable information squeezed into a compact reference guide.
Before recommending the book to different type of readers, I would stress out the importance of writing secure code. While checking BugTraq and other security mailing lists, we are mostly stunned in how many web applications are vulnerable to the attacks mentioned in thios book. Even stranger is to see that some very popular products (hint: content management systems) are struck with new vulnerability reports on a monthly basis. I would highly recommend this book to all those programmers who should consider security very seriously. Even if you are familiar with the usual web application security problems, you'll surely be surprised in how many extras this book incorporates. You'll probably find a plenty of new ideas from the quantity of author's practical knowledge on these topics.
The book is written in a way that follows Hack Notes schemes - it covers possible security issues, methods of exploiting them, as well suggestions and hints on the things to do to make the attacker's life as complicated as possible.
To finish the review - the author managed to crawl through almost every web application security corner on the Internet and summarized a great quantity of examples, tips and ideas into an very useful web security reference.