The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli was released by Syngress Publishing in July of 2013. Dr. Pauli's resume includes several academic journal articles, but this appears to be his first published book. Do not let that dissuade you. As you might expect, this first work shows the enthusiasm of an eager first-time author with an obvious passion for the subject matter. Dr. Pauli gives a nod to other works on web application penetration testing and offers gracious thanks to his influences in the security community.
In the introduction, Dr. Pauli is quick to explain the niche that his contribution fills within the available body of knowledge. He states that the intent of the book is to provide the fundamentals of web hacking for people who have no previous exposure to it, and that it can serve as an introduction that prepares readers to consume the more thorough and advanced books on the subject. Keep reading to see whether he succeeded.
First Thoughts on The Basics of Web Hacking
From explaining some of the basics of HTTP to introducing the targets of attack (servers, applications, and people), the author begins gently and moves into more detail as the chapters progress. A good breadth of subject matter is covered: how web application penetration testing fits alongside other kinds of penetration testing, such as network penetration testing; an overview of penetration testing methodologies and frameworks; basic lab environments that readers can use to practice their skills; highlights of some of the more popular web attack tools; and references for further reading and for social and professional interaction.
While the introduction does not say so, it is fair to assume that some prior knowledge of information security will help readers understand the topics covered by this book. For example, some terminology is introduced early on that may confuse readers who are unfamiliar with security. Terms like exploit, vulnerability, encoding, sessions, and Cross-Site Scripting enter the text without sufficient preamble for the truly uninitiated. Many of these topics are covered in more depth as the book progresses, but the absolute novice should be prepared to research some terminology independently, or to have some grasp of security concepts before digging in.
In the early chapters, more advanced readers might occasionally be annoyed at the casual handling of some subjects, the initial impression being that the author lacks an understanding of the material. A closer examination supports a different reading: Dr. Pauli is not writing a comprehensive manual for all things related to web applications, but a high-level introduction. It becomes clear that these oversights are mostly intentional omissions, designed to break the content into consumable portions for newcomers who have not yet explored the technical matter to the depth required to benefit from more advanced texts. In this context, the information is more than adequate. For example, the roles of firewalls, ports, and web application controls are mentioned but only lightly explored. More advanced penetration testing would demand a more thorough understanding of these topics.
There are a few technical areas worth disputing, such as how web crawlers work; the role of robots.txt (contrary to what the book suggests, it is not required, and it is purely advisory: compliant crawlers honor it, anything else ignores it, and it publicly lists the very paths an owner would rather not draw attention to); and the recommendation to use Netcraft to research websites (a tactic that is fine for Internet-facing sites, but not very helpful for internal websites, which Netcraft does not see). These inconsistencies are few and far between, though, and the surrounding material is good enough to warrant looking past them. There are also a few places where hypotheticals suggested in the book might get an uninformed reader in trouble. Chapter two suggests that running nmap against the loopback address isn't as accurate as running a scan from your coworker's machine or your home machine. Scanning from another machine, against a target you may not own, may or may not be legal or otherwise permitted, depending on the context. Outside of the blanket statement at the beginning of the book, there is no further admonition.
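To make the robots.txt point concrete, here is an added example (not code from the book or from this review) that reads a constructed robots.txt from the tester's side. It pulls out every Disallow path as a reconnaissance hint, and then uses Python's own urllib.robotparser to show what a compliant crawler would do with a given path. The robots.txt content, the user agents, and the paths are all made up for the example; nothing in it touches the network.

```python
"""Added example: robots.txt is advisory, and it is also a recon source.

This is not code from the book or the review. The robots.txt content below
is constructed for the example; no network access is needed.
"""
from typing import List
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt, of the kind a site might publish.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /cgi-bin/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every Disallow path in the file, in order, without duplicates.

    A tester reads these as hints: the site owner asked crawlers to skip
    them, which is often exactly where the interesting content lives.
    """
    seen: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in seen:
            seen.append(value)
    return seen


def crawler_would_fetch(robots_txt: str, user_agent: str, path: str) -> bool:
    """What a *compliant* crawler does with the path.

    Nothing here is enforced by the server: a non-compliant client, or a
    person with a browser, fetches the URL regardless of the answer.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, path)


if __name__ == "__main__":
    print("Paths the owner asked crawlers to skip:",
          disallowed_paths(SAMPLE_ROBOTS_TXT))
    for ua, path in [("*", "/admin/"), ("Googlebot", "/staging/"),
                     ("*", "/staging/")]:
        verdict = crawler_would_fetch(SAMPLE_ROBOTS_TXT, ua, path)
        print(f"{ua:>10} can_fetch {path}: {verdict}")
```

The two functions make the distinction explicit: the first treats the file as a list of places to look, the second as a set of rules that only a well-behaved client applies to itself. Putting a sensitive path in robots.txt does nothing to protect it; access control has to happen on the server.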
Some parts of the book may confuse the novice. For example, the author recommends a testing environment in which the attack platform and the attack target coexist within a single virtual machine. This is great for simplicity, but it may hamper understanding of some of the concepts. When the source and the target of an attack are the same host, it can be harder to visualize the full picture or to carry out certain attack scenarios. A more complex environment (multiple bridged virtual machines) is mentioned in the book, but it is not explored thoroughly enough for a novice to set up, which may frustrate some readers.
Additionally, structural problems with the book itself cause a little consternation. Readers will need to pay attention during the examples rather than typing the text blindly into a command prompt, because some of the examples contain typos. The layout presents similar challenges. For example, there are screenshots of Nessus in the Nikto section of the book. In the print edition these fall on facing pages, so the mix-up is obvious; in the ebook it is very confusing. This is hardly a game changer, but it is worth noting. A few diagrams are not entirely clear; some of the Cross-Site Scripting diagrams, for instance, lack corresponding text. It was also a surprise to find the table of contents after the introduction, which made it difficult to reference other parts of the book while reading. Novices and readers of the ebook edition may be thrown by these layout choices.
As nitpicky as these observations might be, let's get back to the original intent of the book as an introductory volume. With this in mind, it is a good starting point for someone who has little or no exposure to web attacks. Anyone who wants a gentle introduction with a low bar to entry, one that bridges the gap between his or her current knowledge and more advanced texts, will likely find this book useful. And, as the author rightly states in his intent, anyone wishing to become an actual penetration tester should supplement his or her knowledge of vulnerability scanners, networking, and web application frameworks, because this book does not provide all of the fundamentals necessary to be fully successful.
The Basics of Web Hacking: Tools and Techniques to Attack the Web is a good introduction, but it is not an out-of-the-box, fully featured launchpad for penetration testers. The explanations and the order in which topics are introduced are reasonably clear and straightforward. The author does not belabor the reader with funny anecdotes or clever pictures to clarify complex topics, but he covers just enough for a reader who has been introduced to the basics of web technologies to engage in a discussion about web security. Then he wisely leaves the rest of the journey up to you. Is a 30,000-foot view of the topic enough, or does it instill a desire to learn more? In true hacker style, Dr. Pauli successfully creates the spark and, depending on the reader's chosen path, gives a gentle nudge on where to continue on their own.
What are your thoughts? Please be sure to share your experiences with this title or web app security in the forum thread for this review in the EH-Net Community Forums.
Heather Pilkington has almost fifteen years of experience in Information Security, including Incident Response, Change Management, and Vulnerability Management. Certified both as an OSCP and as a CISSP, she has also previously held GCIH and GSEC certifications. Outside her primary professional work, Heather acts as the BeEF project blogmistress and operates as a freelance technical editor.
Tags: book review, webapp