Dailydave mailing list archives
Book Review: Professional Pen Testing for Web Applications
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 20 Jul 2006 07:13:37 -0400
Review of: Professional Pen Testing for Web Applications
Andres Andreu
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0471789666.html

First of all, let me say that I got the book for free. It just showed up one day. And I happened to be starting a web application assessment, so I picked it up and read it cover to cover and then referred back to it during the assessment. Largely, people like to think they know everything there is to know about what they do professionally, but web app assessment is hard - it never hurts to pick up a few tricks.

My one-sentence reaction is this: The book is broad, rather than deep. Like many technical books, it is almost reference-oriented. Having one author is a good thing, since the book flows together rather better than many technical books that are delivered by committee. As a snapshot of today's tools and methodologies, it's great. As something that will last for a half-decade, perhaps not.

With any book, there are a few small quibbles. The SSL fingerprinting portion of the book, which I tested out, was good, but they fail to mention that the THC tool (and other tools in the book) are already extremely out of date. I'm also not sure the world needs a lesson in how to use libwhisker - but it's good to see the author can write code, and there are examples sprinkled liberally through the book of various things, written in Perl.

Andres clearly has his stuff together when it comes to doing web app assessments commercially, so it would have been nice to see a scoping section - scoping a web app assessment is hard, and I felt this would have been valuable. OWASP numbers get a lot of shoutouts, but some of the more modern attacks could have used a real workover. Response splitting, for example, could have gone much more into depth. I think most people just use it as a bullet, rather than exploiting it, but it's more interesting than the few paragraphs it got in the book. (Look for the response splitting module in next month's CANVAS! :>)

Essentially, the book needed a bit more Chris Eng. But it was still a good book.

-dave