Dailydave mailing list archives

Book Review: Professional Pen Testing for Web Applications


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 20 Jul 2006 07:13:37 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Review of:
Professional Pen Testing for Web Applications
Andres Andreu
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471789666.html

First of all, let me say that I got the book for free. It just showed
up one day. And I happened to be starting a web
application assessment, so I picked it up and read it cover to cover
and then referred back to it during the assessment. Largely, people
like to think they know everything there is to know about what they do
professionally, but web app assessment is hard - it never hurts to
pick up a few tricks.

My one sentence reaction is this: The book is broad, rather than deep.
Like many technical books, it is almost reference-oriented. Having one
author is a good thing, since the book flows together rather better
than many technical books that are delivered by committee. As a
snapshot of today's tools and methodologies, it's great. As something
that will last for a half-decade, perhaps not.

With any book, there are a few small quibbles. The SSL fingerprinting
portion of the book, which I tested out, was good, but it fails to
mention that the THC tool (and other tools in the book) is already
extremely out of date. I'm also not sure the world needs a lesson in
how to use libwhisker - but it's good to see the author can write
code, and there are examples sprinkled liberally through the book of
various things, written in Perl.

Andres clearly has his stuff together when it comes to doing Web App
Assessments commercially, so it would have been nice to see a scoping
section - scoping a web app assessment is hard, and I felt this would
have been valuable. OWASP numbers get a lot of shoutouts, but some of
the more modern attacks could have used a real workover. Response
splitting, for example, could have gone much more into depth. I think
most people just use it as a bullet, rather than exploiting it, but
it's more interesting than the few paragraphs it got in the book.
(Look for the response splitting module in next month's CANVAS! :>)

Essentially, the book needed a bit more Chris Eng. But it was still
a good book.

- -dave



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEv2VhB8JNm+PA+iURAuG9AJ9+LzhfANQX+GVN4F3pWDQBf8lxZgCg4HSO
z+oQuxxFrM9tMeokQpCGrCw=
=jfN/
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave