<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Book Review: Web Hacking: Attacks and Defense LG #91</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!--endcut ============================================================-->

<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">
<CENTER>
<BIG><BIG><STRONG><FONT COLOR="maroon">Book Review: Web Hacking: Attacks and Defense</FONT></STRONG></BIG></BIG>
<BR>
<STRONG>By <A HREF="../authors/cole.html">John B Cole</A></STRONG>
</CENTER>
</TD></TR>
</TABLE>
<P>
<!-- END header -->

The guys at Addison-Wesley are cool in that they give my LUG free books, and
judging by the titles we have received lately, web site security is something
readers cannot get enough of. I am not going to bother regurgitating the
meaningless blurbs on the back cover, nor the lengthy credentials of the
authors; instead, I am going to focus on a simple question: can this book teach
a working web developer useful lessons? If it does, it is worth the $49.99
cover price and if it does not I can use it in my fireplace. I am quite
critical of expensive books which grossly overreach and as a result are
unsatisfying to all readers. Let us see how "Web Hacking" stacks up...

<P> "Web Hacking" is divided into four major sections: The E-Commerce Playground,
URLs Unraveled, How Do They Do It?, and Advanced Web Kung Fu. The authors are
off to a good start - they (unlike about 99% of the posters on Slashdot)
realize that "URLs" does not require an apostrophe. That is enough for a whole
star even if the rest of the book is copied, grammatical errors and all, from
Usenet archives (although the Gentle Reader should note that I am making no
such assertion). The authors utilize a chatty, conversational style of prose
over an academic style, which is appropriate for this book.

|
<P> "The E-Commerce Playground" leads off with a simple case study demonstrating
an effective attack on a small business web site using only HTTP. The attacker
exploited a poorly-written Perl script in the attack, and I hope we all realize
that there is far more badly-written Perl in the world than not (the Reviewer
must grudgingly admit that he has, on occasion, contributed to that very
problem). The authors point out that firewalls and intrusion detection systems
are largely useless, and they will continue to emphasize this throughout the
book. All of us would do well to remember that lesson. Sure, the attack in the
case study would not work against Amazon or Dell, but there are a lot of small
web sites that are ripe for the plucking...and one of those sites may have your
credit card number. Chapter 1, Web Languages, covers everything from Perl to
ASP in a nutshell. The idea here is more to demonstrate that every language
(even HTML) has vulnerabilities that can be exploited by a knowledgeable hacker.
Most web developers and system administrators will not learn anything new here,
but pray that your boss does not skip this chapter before he picks the Perfect
Language for your company's Web Site of Tomorrow. Chapter 2, Web and Database
Servers, is very brief and only discusses Apache and IIS on the web server front
and MS SQL Server and Oracle on the database front. I suppose it is not a big
deal that other web servers are not discussed, but it is worth noting that there
are many different HTTP servers, and they turn up in the oddest places (What's
running on your production servers? Are you sure?). A security-themed chapter
written for enterprise-level customers, the sort who actually own licenses for
Oracle and MS SQL Server, would be better off as a book. I am disappointed to
see no discussion of MySQL or PostgreSQL here. More sites than you can shake a
stick at, particularly mom-and-pop type businesses, are running MySQL on the
backend, and there are a lot of poorly-secured MySQL installations in the world
(-1/2 star). Chapter 3, Shopping Carts and Payment Gateways, was largely new
material for me. I was familiar with older attacks on systems which used
client-side cookies and GET variables to store important (e.g. price)
information. I had not considered some of the attacks involving payment
validation systems, and the examples in the book underscore the consequences of
sloppy design. Chapter 4, HTTP and HTTPS: The Hacking Protocols, is included in
large part to emphasize the fact that all an attacker needs is a URL to make you
regret your choice of careers. That aside, its coverage of the HTTP and HTTPS
protocols is useful as a thumbnail review, but the chapter will be of dubious
value to a network novice. Chapter 5, URL: The Web Hacker's Sword, ends Section
1. This chapter is prefaced with a quote from "Star Wars Episode IV: A New
Hope", which demonstrates clearly the geek-worthiness of the authors. Chapter 5
actually covers URL hacks, such as URL structure and encoding, as well as
meta-character mischief and HTML forms. Some of the attacks described will only
work with GET variables, which are visible to the user through the URL. So, a
simple tip for avoiding easy web hacks might be: use sessions for persistent
data and pass data from the browser to the server in POST variables. You have
been warned. The material on metacharacters and form processing focuses on the
issue of user input processing. I have worked at universities for a long time,
and believe me when I tell you that you should never trust user input. Ever. As
a whole, Section 1 of "Web Hacking" is useful to novice administrators and
developers or managers; experienced professionals are unlikely to find anything
new here.

<P> Section 2, "URLs Unraveled", leads off with another case study. This case study
demonstrates how a savvy hacker might analyze a web site based on the URLs
exposed to the public, and use that knowledge to launch an attack. This case
study serves to motivate the rest of the section. Chapter 6, Web: Under (the)
Cover, provides an overview of web application structure, as well as the
methods used by hackers to dissect target systems. There is all manner of odd
things in here, including web server APIs, ODBC, and JDBC. There is even a handy
chart to help you match extensions to server platforms. The authors even
mention some things you can do to limit your exposure, and one of the better
ideas (IMHO) is to prevent the leakage of error messages to the browser.
Skim this chapter and look at the examples. Chapter 7, Reading Between the
Lines, focuses on methods of analyzing HTML source (via "View Page Source") to
identify vulnerabilities and develop attacks. Cool stuff here that can easily
be overlooked during short, rapid development cycles. There is even an example
of some nefarious uses of wget and grep. Chapter 8, Site Linkage Analysis,
continues the exploration of site analytic methods. This chapter focuses
principally on the uses of several software tools for site analysis, all of
which are Windows tools (except for wget). I am torn about this section. Much of
the material seems quite obvious, but that is because I was already familiar
with it. However, I feel that all novices and many seasoned professionals can
learn from the material in this section. No deduction.

<P> Section 3, "How Do They Do It", purports to be the real heart of the book, the
"Great Magic Tricks Revealed" of the web hacking world. Chapter 9, Cyber
Graffiti, covers the web site defacement attacks typically reported in the
media. A detailed case study covers a number of security issues, including
proxy server configuration, HTTP authentication, and directory browsing. Good
stuff. Chapter 10, E-Shoplifting, provides a case study of an e-commerce
system pieced together from several vendors (get this - an Access backend...).
The basic attack was based on client-side forms validation and the use of
hidden fields to pass price information. A site overhaul to address the risks
exposed by an audit is detailed. Chapter 11, Database Access, is short but
mentions some interesting attacks, as well as sound countermeasures. Chapter
12, Java: Remote Command Execution, was new ground for me. I would generally
rather have hot pokers stuck in my eyes or program in COBOL than even look at
Java source. However, being a savvy developer, I am well aware of the
popularity of Java. I learned some neat stuff in this chapter, but the key
take-home message is that you should always sanitize and screen user input.
Countermeasures based on servlet management are also discussed. Chapter 13,
Impersonation, deals with sessions, session hijacking, and cookies. This
chapter is sort of interesting, but unless a developer does something
spectacularly foolish, such as using a system which generates guessable session
IDs or stores important data on the client using cookies, these attacks are not
a prominent threat. Of greater concern might be physical security to prevent
copies of cookies on a user's machine from being stolen. Chapter 14, Buffer
Overflows: On-the-Fly, could be a book in its own right. Almost every
vulnerability I hear about these days is due to a buffer overflow. This chapter
covers pretty technical material, and the reckless reader might be faced with
some C or ASM code fragments; if your hair is pointy, you have been warned. I
am not sure that this chapter is very valuable other than to highlight the fact
that not every web site vulnerability is due to poor programming or systems
administration on the part of the consumer of information systems. Sun, IBM,
Microsoft, and their ilk have all shipped numerous products with buffer
overflows that have been identified. Even vendors make mistakes. Section 3 is
what we all opened the book to read. On the whole, it is worthwhile reading.
The authors do a very good job of dissecting attacks, and of emphasizing simple
countermeasures such as "validate all input, whatever the source".

<P> Section 4, "Advanced Web Kung Fu", perked my ears up. Is this Keanu Reeves
"Whoa, I know kung fu!"-type insight, or more pedestrian "Oh yeah, I heard
about that somewhere"-type insight? Chapter 15, "Web Hacking: Automated Tools",
is simply an overview of some commonly-used hacking tools. Frankly, I have only
heard of netcat because it was the only Unix tool discussed. I'm never going to
beat an agent at this rate... Chapter 16, "Worms", is just an overview of a few
famous worms that have ravaged the Internet like Germany pillaging France. I'm
never going to be on "Kung Fu Theater"! Chapter 17, "Beating the IDS", covers
some interesting things that you can do to intrusion detection systems (IDS),
but is simply a curiosity. This section is more like "hitting a drunk guy with
a pool cue when he isn't looking" than "advanced kung fu", and is the most
disappointing part of the book. It feels like three chapters of briefs written
for PHBs so that they can feel savvy at the end of the day. Shame on you guys,
you were doing so well (-1 star).

<P> There is little excuse for any competent developer today to deploy an
application susceptible to most of the attacks detailed in this book (the use
of sessions alone would foil many of these attacks), but the book is a
worthwhile read for novice developers and managers in general. More experienced
developers should read it at the bookstore while on a coffee break or yoink it
from the intern. Is the book worth $49.99? I am afraid that I must say "No".
$24.99 is a much more reasonable price, the thickness (492pp.) of "Web Hacking"
notwithstanding (-1/2 star).
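<P> The hidden-field price attack from the Chapter 10 case study, and the server-side session that the review says would foil most of these attacks, as an added example that is not code from the book or from this review: a checkout handler that trusts the price the browser posts back from a hidden form field, beside one that keeps the cart in a server-side session and takes every price from a server-side catalogue. The catalogue, SKUs, prices, session ids and request forms are constructed for the example.

```python
"""Hidden-field price tampering beside the server-side fix. Added example,
not code from "Web Hacking" or this review; catalogue, SKUs, prices, session
ids and request forms are constructed."""
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of a price.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("24.99")}

# Constructed server-side session store: cart contents keyed by session id.
# The browser only ever holds the opaque id, never prices or quantities.
SESSIONS: dict[str, dict[str, int]] = {}

def vulnerable_total(form: dict[str, str]) -> Decimal:
    """The Chapter 10 pattern: the checkout page carried
    <input type="hidden" name="price" value="49.99"> and the server
    multiplies whatever comes back. Client-side JavaScript validation
    does not help, because nothing obliges the client to run it."""
    return Decimal(form["price"]) * int(form["qty"])

def add_to_cart(session_id: str, form: dict[str, str]) -> dict[str, int]:
    """Validate the only two fields the client may send (sku, qty) and
    record the line item in the server-side cart; any other field,
    including a posted price, is simply never read."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValueError(f"unknown SKU {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    cart = SESSIONS.setdefault(session_id, {})
    cart[sku] = cart.get(sku, 0) + qty
    return cart

def hardened_total(session_id: str) -> Decimal:
    """Price every line from CATALOGUE; the request body plays no part."""
    cart = SESSIONS.get(session_id)
    if not cart:
        raise ValueError("no server-side cart for this session")
    return sum((CATALOGUE[sku] * qty for sku, qty in cart.items()), Decimal(0))

if __name__ == "__main__":
    tampered = {"sku": "SKU-100", "qty": "1", "price": "0.01"}
    print("trusting the hidden field:", vulnerable_total(tampered))  # 0.01
    add_to_cart("sess-1", tampered)  # the posted price is never looked at
    print("server-side pricing:", hardened_total("sess-1"))  # 49.99
```

Whether the tampered field arrives by GET or POST makes no difference to either handler; what defeats the attack is that the hardened version never reads a price from the client at all.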

<!-- *** BEGIN author bio *** -->
<P>
<!-- *** BEGIN bio *** -->
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
<em>
John is a scientist and programmer who has been using Linux since 1998, when a
deranged - and somewhat frightening - colleague insisted that there was A
Better Way. John is a supporter of free software, and has written several
applications to support his research, and scratch itches, in PHP and Python.
On several memorable occasions, he wrote PHP programs that called Python
programs, parsed the output streams, and presented the results. He promises
not to do that anymore.

<P> John is currently using Mandrake 9.1 on his desktop machine, but is going
to switch to Gentoo and prove his manliness any day now.

<P> John will be happy to tell you about his research in animal breeding and
quantitative genetics just as soon as he can find a scrap of paper. You see,
this next bit is rather technical...
</em>
<br CLEAR="all">
<!-- *** END bio *** -->
<!-- *** END author bio *** -->

|
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright © 2003, John B Cole.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 91 of <i>Linux Gazette</i>, June 2003
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>

|
<!--startcut ==========================================================-->
</BODY></HTML>
<!--endcut ============================================================-->