<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Book Review: Web Hacking: Attacks and Defense LG #91</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!-- *** BEGIN navbar *** -->
<A HREF="lg_bytes.html">&lt;&lt;&nbsp;Prev</A>&nbsp;&nbsp;|&nbsp;&nbsp;<A HREF="index.html">TOC</A>&nbsp;&nbsp;|&nbsp;&nbsp;<A HREF="../index.html">Front Page</A>&nbsp;&nbsp;|&nbsp;&nbsp;<A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue91/cole.html">Talkback</A>&nbsp;&nbsp;|&nbsp;&nbsp;<A HREF="../faq/index.html">FAQ</A>&nbsp;&nbsp;|&nbsp;&nbsp;<A HREF="collinge.html">Next&nbsp;&gt;&gt;</A>
<!-- *** END navbar *** -->
<!--endcut ============================================================-->
<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">
<CENTER>
<BIG><BIG><STRONG><FONT COLOR="maroon">Book Review: Web Hacking: Attacks and Defense</FONT></STRONG></BIG></BIG>
<BR>
<STRONG>By <A HREF="../authors/cole.html">John B Cole</A></STRONG>
</CENTER>
</TD></TR>
</TABLE>
<P>
<!-- END header -->
The guys at Addison-Wesley are cool in that they give my LUG free books, and
judging by the titles we have received lately, web site security is something
readers cannot get enough of. I am
not going to bother regurgitating the meaningless blurbs on the back cover, nor
the lengthy credentials of the authors; instead, I am going to focus on a simple
question: can this book teach a working web developer useful lessons? If it
does, it is worth the $49.99 cover price and if it does not I can use it in my
fireplace. I am quite critical of expensive books which grossly overreach and
as a result are unsatisfying to all readers. Let us see how "Web Hacking"
stacks up...
<P> "Web Hacking" is divided into four major sections: The E-Commerce Playground,
URLs Unraveled, How Do They Do It?, and Advanced Web Kung Fu. The authors are
off to a good start - they (unlike about 99% of the posters on Slashdot)
realize that "URLs" does not require an apostrophe. That is enough for a whole
star even if the rest of the book is copied, grammatical errors and all, from
Usenet archives (although the Gentle Reader should note that I am making no
such assertion). The authors utilize a chatty, conversational style of prose
over an academic style, which is appropriate for this book.
<P> "The E-Commerce Playground" leads off with a simple case study demonstrating
an effective attack on a small business web site using only HTTP. The attacker
exploited a poorly-written Perl script in the attack, and I hope we all realize
that there is far more badly-written Perl in the world than not (the Reviewer
must grudgingly admit that he has on occasion, contributed to that very
problem). The authors point out that firewalls and intrusion detection systems
are largely useless, and they will continue to emphasize this throughout the
book. All of us would do well to remember that lesson. Sure, the attack in the
case study would not work against Amazon or Dell, but there are a lot of small
web sites that are ripe for the plucking...and one of those sites may have your
credit card number. Chapter 1, Web Languages, covers everything from Perl to
ASP in a nutshell. The idea here is more to demonstrate that every language
(even HTML) has vulnerabilities that can be exploited by a knowledgeable hacker.
Most web developers and system administrators will not learn anything new here,
but pray that your boss does not skip this chapter before he picks the Perfect
Language for your company's Web Site of Tomorrow. Chapter 2, Web and Database
Servers, is very brief and only discusses Apache and IIS on the web server front
and MS SQL Server and Oracle on the database front. I suppose it is not a big
deal that other web servers are not discussed, but it is worth noting that there
are many different HTTP servers, and they turn up in the oddest places (What's
running on your production servers? Are you sure?) A security-themed chapter
written for enterprise-level customers, the sort who actually own licenses for
Oracle and MS SQL Server, would be better off as a book. I am disappointed to
see no discussion of MySQL or PostgreSQL here. More sites than you can shake a
stick at, particularly mom-and-pop type businesses, are running MySQL on the
backend, and there are a lot of poorly-secured MySQL installations in the world
(-1/2 star). Chapter 3, Shopping carts and Payment Gateways, was largely new
material for me. I was familiar with older attacks on systems which used
client-side cookies and GET variables to store important (e.g. price)
information. I had not considered some of the attacks involving payment validation
systems, and the examples in the book underscore the consequences of sloppy
design. Chapter 4, HTTP and HTTPS: The Hacking Protocols, is included in large
part to emphasize the fact that all an attacker needs is a URL to make you
regret your choice of careers. That aside, its coverage of the HTTP and HTTPS
protocols is useful as a thumbnail review, but the chapter will be of dubious
value to a network novice. Chapter 5, URL: The Web Hacker's Sword, ends Section
1. This chapter is prefaced with a quote from "Star Wars Episode IV: A New
Hope", which demonstrates clearly the geek-worthiness of the authors. Chapter 5
actually covers URL hacks, such as URL structure and encoding, as well as
meta-character mischief and HTML forms. Some of the attacks described will only
work with GET variables, which are visible to the user through the URL. So, a
simple tip for avoiding easy web hacks might be: use sessions for persistent
data and pass data from the browser to the server in POST variables. You have
been warned. The material on metacharacters and form processing focuses on the
issue of user input processing. I have worked at universities for a long time,
and believe me when I tell you that you should never trust user input. Ever. As a
whole, Section 1 of "Web Hacking" is useful to novice administrators and
developers or managers; experienced professionals are unlikely to find anything
new here.
<P> Section 2, "URLs Unraveled", leads off with another case study. This case study
demonstrates how a savvy hacker might analyze a web site based on the URLs
exposed to the public, and use that knowledge to launch an attack. This case
study serves to motivate the rest of the section. Chapter 6, Web: Under (the)
Cover, provides an overview of web application structure, as well as the
methods used by hackers to dissect target systems. There is all manner of odd
things in here, including web server APIs, ODBC, and JDBC. There is even a handy
chart to help you match extensions to server platforms. The authors even
mention some things you can do to limit your exposure, and one of the better
ideas (IMHO) is to prevent the leakage of error messages to the browser.
Skim this chapter and look at the examples. Chapter 7, Reading Between the
Lines, focuses on methods of analyzing HTML source (via "View Page Source") to
identify vulnerabilities and develop attacks. Cool stuff here that can easily
be overlooked during short, rapid development cycles. There is even an example
of some nefarious uses of wget and grep. Chapter 8, Site Linkage Analysis,
continues the exploration of site analytic methods. This chapter focuses
principally on the uses of several software tools for site analysis, all of
which are Windows tools (except for wget). I am torn about this section. Much of
the material seems quite obvious, but that is because I was already familiar
with it. However, I feel that all novices and many seasoned professionals can
learn from the material in this section. No deduction.
<P> Section 3, "How Do They Do It", purports to be the real heart of the book, the
"Great Magic Tricks Revealed" of the web hacking world. Chapter 9, Cyber
Graffiti, covers the web site defacement attacks typically reported in the
media. A detailed case study covers a number of security issues, including
proxy server configuration, HTTP authentication, and directory browsing. Good
stuff. Chapter 10, E-Shoplifting, provides a case study of an e-commerce
system pieced together from several vendors (get this - an Access backend...).
The basic attack was based on client-side forms validation and the use of
hidden fields to pass price information. A site overhaul to address the risks
exposed by an audit is detailed. Chapter 11, Database Access, is short but
mentions some interesting attacks, as well as sound countermeasures. Chapter
12, Java: Remote Command Execution, was new ground for me. I would generally
rather have hot pokers stuck in my eyes or program in COBOL than even look at
Java source. However, being a savvy developer, I am well aware of the
popularity of Java. I learned some neat stuff in this chapter, but the key
take-home message is that you should always sanitize and screen user input.
Countermeasures based on servlet management are also discussed. Chapter 13,
Impersonation, deals with sessions, session hijacking, and cookies. This
chapter is sort of interesting, but unless a developer does something
spectacularly foolish, such as using a system which generates guessable session
IDs or stores important data on the client using cookies, these attacks are not
a prominent threat. Of greater concern might be physical security to prevent
copies of cookies on a user's machine from being stolen. Chapter 14, Buffer
Overflows: On-the-Fly, could be a book in its own right. Almost every
vulnerability I hear about these days is due to a buffer overflow. This chapter
covers pretty technical material, and the reckless reader might be faced with
some C or ASM code fragments; if your hair is pointy, you have been warned. I
am not sure that this chapter is very valuable other than to highlight the fact
that not every web site vulnerability is due to poor programming or systems
administration on the part of the consumer of information systems. Sun, IBM,
Microsoft, and their ilk have all shipped numerous products with buffer
overflows that have been identified. Even vendors make mistakes. Section 3 is
what we all opened the book to read. On the whole, it is worthwhile reading.
The authors do a very good job of dissecting attacks, and of emphasizing simple
countermeasures such as "validate all input, whatever the source".
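<P> The hidden-price "e-shoplifting" attack that Chapters 3 and 10 describe, beside the "never trust the client, validate all input" countermeasure, as an added example in Python (not code from the book or from this review): one checkout trusts the price the browser posted back, the other prices the order from a server-side catalogue and rejects malformed quantities. The catalogue, SKUs and the tampered request are constructed for the example.

```python
# Added example, not code from "Web Hacking" or this review: the hidden-price
# "e-shoplifting" bug beside a server-side pricing fix. Catalogue, SKUs and
# the tampered request below are constructed for the example.
from decimal import Decimal, InvalidOperation

# Server-side catalogue: SKU -> unit price. This, not the form, is the source of truth.
CATALOGUE = {"widget": Decimal("19.99"), "gadget": Decimal("249.00")}


class InvalidOrder(ValueError):
    """Raised when a posted form fails server-side validation."""


def total_vulnerable(form):
    """Trusts the hidden 'price' field the browser sent back (the Chapter 10 bug)."""
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(form):
    """Ignores any client-supplied price: looks the item up and validates quantity."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise InvalidOrder("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise InvalidOrder("quantity out of range")
    return CATALOGUE[sku] * qty


def price_tampered(form):
    """Detection hook: True when a posted price disagrees with the catalogue price."""
    if "price" not in form:
        return False
    try:
        return Decimal(form["price"]) != CATALOGUE.get(form.get("sku"))
    except InvalidOperation:
        return True


# Constructed POST body: the shopper edited the hidden price field to a penny.
TAMPERED = {"sku": "gadget", "qty": "1", "price": "0.01"}

if __name__ == "__main__":
    print("vulnerable total:", total_vulnerable(TAMPERED))  # 0.01
    print("hardened total:", total_hardened(TAMPERED))      # 249.00
    print("tampering detected:", price_tampered(TAMPERED))  # True
```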
<P> Section 4, "Advanced Web Kung Fu", perked my ears up. Is this Keanu Reeves
"Whoa, I know kung fu!"-type insight, or more pedestrian "Oh yeah, I heard
about that somewhere"-type insight? Chapter 15, "Web Hacking: Automated Tools"
is simply an overview of some commonly-used hacking tools. Frankly, I have only
heard of netcat because it was the only Unix tool discussed. I'm never going to
beat an agent at this rate... Chapter 16, "Worms", is just an overview of a few
famous worms that have ravaged the Internet like Germany pillaging France. I'm
never going to be on "Kung Fu Theater"! Chapter 17, "Beating the IDS", covers
some interesting things that you can do to intrusion detection systems (IDS),
but is simply a curiosity. This section is more like "hitting a drunk guy with
a pool cue when he isn't looking" than "advanced kung fu", and is the most
disappointing part of the book. It feels like three chapters of briefs written
for PHBs so that they can feel savvy at the end of the day. Shame on you guys,
you were doing so well (-1 star).
<P> There is little excuse for any competent developer today to deploy an
application susceptible to most of the attacks detailed in this book (the use
of sessions alone would foil many of these attacks), but the book is a
worthwhile read for novice developers and managers in general. More experienced
developers should read it at the bookstore while on a coffee break or yoink it
from the intern. Is the book worth $49.99? I am afraid that I must say "No".
$24.99 is a much more reasonable price, the thickness (492pp.) of "Web Hacking"
notwithstanding (-1/2 star).
<!-- *** BEGIN author bio *** -->
<P>&nbsp;
<P>
<!-- *** BEGIN bio *** -->
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
<em>
John is a scientist and programmer who has been using Linux since 1998, when a
deranged - and somewhat frightening - colleague insisted that there was A
Better Way. John is a supporter of free software, and has written several
applications to support his research, and scratch itches, in PHP and Python.
On several memorable occasions, he wrote a PHP program that called Python
programs, parsed the output streams, and presented the results. He promises to
not do that anymore.
<P> John is currently using Mandrake 9.1 on his desktop machine, but is going
to switch to Gentoo and prove his manliness any day now.
<P> John will be happy to tell you about his research in animal breeding and
quantitative genetics just as soon as he can find a scrap of paper. You see,
this next bit is rather technical...
</em>
<br CLEAR="all">
<!-- *** END bio *** -->
<!-- *** END author bio *** -->
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright &copy; 2003, John B Cole.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 91 of <i>Linux Gazette</i>, June 2003
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>
<!--startcut ==========================================================-->
</BODY></HTML>
<!--endcut ============================================================-->