Thursday, July 12, 2007

Web Hacker Boot Camp Book Review


Copy of my book review on Amazon.com for Web Hacker Boot Camp

Web Hacker Boot Camp by Gerald Quakenbush

Web Hacker Boot Camp can serve as a very good introduction to the world of web application testing and SQL injection. The book is technically accurate but not up to date with the “latest” tactics and techniques. It more than adequately covers the basics that someone new to the field would need to get started.

You get a short introduction to networking (not that useful); a very good introduction to how the web works, specifically HTTP, cookies, user authentication methods, and state management (useful); an assessment methodology (nothing new); and a large chunk of content on using Paros proxy, which was useful, though I would have preferred to see him using a proxy that can do more, like WebScarab, but Paros gets the job done. You get a block on setting up your lab environment, but by far the most redeeming part of the book is getting the masterbugs application to practice on. While not a true real-life web application, it affords you the opportunity to play with Paros and practice some simple SQL injection (Ch 6), simple session hijacking (Ch 7), parameter tampering (Ch 8), Cross-Site Scripting (Ch 9), and OS Command Injection (Ch 10). The book wraps up with Cryptography 101 (somewhat useful) and mitigation strategies (not that useful).

What I liked best about the book was the masterbugs sample application that runs on Windows 2000 with MS SQL Server. The setup instructions were accurate, and the environment only took a few minutes to set up. The labs worked as described in the book, which is refreshing. The masterbugs application can also be used to play with some of the other open source web application testing tools like Nikto and sqlninja.

What I didn’t like about the book was that I thought it was light on content for the price (236 pages, numbered to 218, for approximately 40 dollars), and I think more time could have been spent on SQL injection (more background, different types, and methods).

Would I recommend the book? Like I said, the sample application is worth the price, but how much you get out of it really depends on the skill level of the purchaser. If you have read and understand a lot of the SQL Injection papers out there and you’re comfortable with SQL Injection sample sites like http://www.mightyseek.com/web-application-security/hands-on-series-sql-injection, you may be able to pass, but I found it a useful addition to my security library.

Useful Links:
http://www.webappsec.org/projects/threat/classes/sql_injection.shtml (the references section on that page has lots of useful links)
Foundstone “HackMe” series: http://www.foundstone.com/us/resources-free-tools.asp
WebMaven’s Buggy Bank: http://www.mavensecurity.com/webmaven
Webgoat: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

CG
