WebApp Sec mailing list archives
Re: looking for advanced web hacking course
From: "Mr. Rufus Faloofus" <foofus () foofus net>
Date: Fri, 14 Nov 2003 07:54:34 -0600
On Thu, Nov 13, 2003 at 11:41:23PM +0100, A.D.Douma wrote:
[snip]
> Web Hacking - attacks and defense
> http://www.amazon.com/exec/obidos/tg/detail/-/0201761769/102-2511901-6200112?v=glance

I found this book to be pretty bad, actually. It has some good reference materials, but it is full of unnecessary stuff like:

"In the grab bag of countless hacking techniques, Web hacking is by far the most elegant (if we dare use such praise). The simplicity and elegance of using a commone browser to mount the most devastating attacks is pure brilliance, and they are events to behold." (p. 132)

Or, in a section about a hypothetical multiplatform worm entitled "Case Study," we hear the story of David, a guy who is a security administrator for "more than 100,000 computer systems at his online brokerage firm," as he reads the newspaper, and then visits cert.org:

"The worm was stealth because it encrypted its traffic through SSL, effectively hiding itself from the so-called security devices on the network (intrusion detection systems). Employing standard SSL encryption in use on many commercial Web servers, the worm snaked its way onto Microsoft IIS and Apache Web servers, overwhelming their resources and effectively shutting down critical infrastructure. With the worm gaining momentum, and knocking out critical systems and infrastructure around the workd, David thought, the cyber-world as we know is history." (p. 385)

I have reproduced capitalization, spelling, missing words, etc. faithfully. The book really could have used some judicious editing. It's not easy to write good books, and I certainly can't claim to have done anything better. Aside from the useful appendices, though, I'd really not recommend this book.

> Books on how to write secure web apps would also be useful for developers.

Here are two that have been useful to me:

Michael Howard & David LeBlanc. WRITING SECURE CODE, Redmond: Microsoft Press, 2002. (0-7356-1588-8)

John Viega & Gary McGraw. BUILDING SECURE SOFTWARE, Boston: Addison-Wesley, 2002. (0-201-72152-X)

Incidentally, I found these to be more informative than the "web hacking" books I read: they gave me better insight into the kinds of errors that have been most prevalent in web development, and they didn't spend time on details of web server security or other non-application matters.

--Foofus.
Current thread:
- looking for advanced web hacking course Pheebee Buffe (Nov 11)
- Re: looking for advanced web hacking course Tim Greer (Nov 11)
- RE: looking for advanced web hacking course Glyn Geoghegan (Nov 13)
- RE: looking for advanced web hacking course Tim Greer (Nov 13)
- Re: looking for advanced web hacking course Bill Pennington (Nov 13)
- Re: looking for advanced web hacking course Tim Greer (Nov 13)
- Re: looking for advanced web hacking course The Crocodile (Nov 13)
- RE: looking for advanced web hacking course Glyn Geoghegan (Nov 13)
- Re: looking for advanced web hacking course minime (Nov 13)
- Re: looking for advanced web hacking course A.D.Douma (Nov 13)
- Re: looking for advanced web hacking course Mr. Rufus Faloofus (Nov 14)
- Re: looking for advanced web hacking course Jarmo Joensuu (Nov 14)
- Re: looking for advanced web hacking course A.D.Douma (Nov 13)
- <Possible follow-ups>
- RE: looking for advanced web hacking course latte1 (Nov 13)
- RE: looking for advanced web hacking course Cuthbert, Daniel (Nov 13)
- RE: looking for advanced web hacking course Filip Maertens (Nov 13)
- RE: looking for advanced web hacking course Zhou, Joe [CC] (Nov 13)
- RE: looking for advanced web hacking course Keifer, Trey (Nov 13)
- RE: looking for advanced web hacking course Filip Maertens (Nov 19)
- Re: looking for advanced web hacking course Tim Greer (Nov 11)