WebApp Sec mailing list archives

Re: looking for advanced web hacking course


From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Fri, 14 Nov 2003 07:54:34 -0600

On Thu, Nov 13, 2003 at 11:41:23PM +0100, A.D.Douma wrote:
[snip]
Web Hacking - attacks and defense
http://www.amazon.com/exec/obidos/tg/detail/-/0201761769/102-2511901-6200112?v=glance

I found this book to be pretty bad, actually.  It has some good
reference materials, but it is full of unnecessary stuff like:

  "In the grab bag of countless hacking techniques, Web hacking
  is by far the most elegant (if we dare use such praise).  The
  simplicity and elegance of using a commone browser to mount
  the most devastating attacks is pure brilliance, and they are
  events to behold."  (p. 132)

Or, in a section about a hypothetical multiplatform worm entitled
"Case Study," we hear the story of David, a guy who is a security
administrator for "more than 100,000 computer systems at his
online brokerage firm," as he reads the newspaper, and then visits
cert.org:

  "The worm was stealth because it encrypted its traffic
  through SSL, effectively hiding itself from the so-called
  security devices on the network (intrusion detection systems).
  Employing standard SSL encryption in use on many commercial
  Web servers, the worm snaked its way onto Microsoft IIS and
  Apache Web servers, overwhelming their resources and effectively
  shutting down critical infrastructure.
  With the worm gaining momentum, and knocking out critical
  systems and infrastructure around the workd, David thought,
  the cyber-world as we know is history." (p. 385)

I have reproduced capitalization, spelling, missing words, etc. 
faithfully.  The book really could have used some judicious editing.

It's not easy to write good books, and I certainly can't claim to
have done anything better.  Aside from the useful appendices, 
though, I'd really not recommend this book.

Books on how to write secure web apps would also be useful for developers.

Here are two that have been useful to me:

Michael Howard & David LeBlanc. WRITING SECURE CODE, Redmond:
  Microsoft Press, 2002.  (0-7356-1588-8)
John Viega & Gary McGraw. BUILDING SECURE SOFTWARE, Boston:
  Addison-Wesley, 2002. (0-201-72152-X)

Incidentally, I found these to be more informative than the "web
hacking" books I read: they gave me better insight into the kinds
of errors that have been most prevalent in web development, and
they didn't spend time on details of web server security or 
other non-application matters.

--Foofus.
