Thursday, September 2, 2010
Wednesday Book Review: Web Security Testing Cookbook
Well, OK, actually, this is a Thursday Book Review. Yep, I'm late. Life intervened this week and I needed a little more time to complete this one.
Over the years, I used to joke about the fact that O'Reilly's books tended to fall into three types: the deep reference books, the "hurry up and get through Chapter 3 so you can be productive" books, and the elusive third category, the "see how some stuff is done so you can learn to roll your own" books. Web Security Testing Cookbook, written by Paco Hope and Ben Walther, by its very name falls into the third category; truthfully, these are the O'Reilly books I most appreciate (I went back in my archives, and found it amazing that other than Beautiful Testing, this is the first O'Reilly colophon book I've reviewed, which is shameful considering how many of their books I've owned).
One of the comments that used to be repeated by me and my co-workers over the years, and a strong plus in my opinion, was that the reason to get an O'Reilly book was that if you read up to chapter three, you would know enough to be conversant and effective with the tool, application, OS, language, etc. being covered. In fact, it was rare that I ever read an O'Reilly colophon book cover to cover (it did, however, lend itself to the exasperating habit of making me an "advanced beginner" in many more subjects than I could have been much better versed in, but the titles were definitely geared towards getting you in quick and getting on with things). The books that broke this trend were the Power Tools books, the Beautiful books (see Beautiful Testing for example) and their "Cookbook" series. The benefit of the Cookbook format is that each section has specific actions and specific items you can look at and consider for your use (and to use the cooking metaphor, many of us want to have an example recipe of Pad Thai to make ourselves rather than read about how amazing Pad Thai is or how to best enjoy Pad Thai).
Web security is an interesting area, and one that is traditionally examined at the end of the testing cycle. Not every test will be relevant to every tester, but there's something that will interest someone. The book starts out with an explanation of the web-based model and the various ways that web servers and clients can interact (from simple sites with a few scripts up to massive B2B sites managing huge business workflows). It then follows on with a series of free security testing tools. The biggest challenge with open source and free test tools is that the documentation is often sparse or non-existent (think about buying bulk spices; would you know how to use them in their current state?). Web Security Testing Cookbook lets the user get into the section that interests them, shows a tool that will help perform the task they are looking to accomplish, and puts in place a sample script or application that will lead the user to consider other avenues and other scripts to create. The great thing about this book is that it is focused and it is brief (it comes in at 320 pages). Each "Recipe" is structured in a similar manner: first a problem is stated, then a solution is presented, and a discussion follows the solution, so each recipe can be weighed and considered as to its usefulness. Each section begins with relatively simple projects and builds to bigger and more challenging scenarios.
Here's a breakdown of the chapters and topics:
Chapter 1: Introduction
This chapter introduces the user to the idea of performing web tests specific to security, and provides a rundown on the layers that are present in web technology and how the various components within a web server and a web client actually work together. Most of all, this chapter explains that this book is a "HOW" book, and
Chapter 2: Installing Some Free Tools
This chapter covers installing a number of tools, ranging from Firefox and Firefox plug-ins like Firebug, to Perl and Perl packages, to Cygwin (Unix/Linux functionality for Windows), plus a number of other tools that will help with specific testing options.
Chapter 3: Basic Observation
Chapter 4: Web-Oriented Data Encoding
This section shows the user how to examine various data encoding schemes such as Base64, Base36, URL encoding, etc., not so much as a reference, but to get the user familiar with each format and able to recognize it on sight. The point is also plainly made that encoding is NOT the same thing as encryption; these encoded fields can be converted back to plain text with a minimum of effort.
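To make the chapter's point concrete, here is a small recogniser, added for this review and not code from the book, that takes a value of the kind found in a cookie or hidden form field, works out which of the encodings named above it plausibly is, and decodes it; the sample values are constructed, and the scheme names and function names are my own.

```python
import base64
import binascii
import re
from urllib.parse import unquote
# Heuristic recognisers for the encodings the chapter covers; each returns the
# decoded text or None. Short values can fit several schemes, so decode to confirm.
def _printable(raw):
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def try_url(value):
    """URL (percent) encoding: %XX escapes, with '+' standing in for a space."""
    if "%" not in value:
        return None
    decoded = unquote(value.replace("+", " "))
    return decoded if decoded != value else None

def try_base64(value):
    """Standard Base64: A-Za-z0-9+/ with '=' padding, length a multiple of 4."""
    if len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        return _printable(base64.b64decode(value, validate=True))
    except binascii.Error:
        return None

def try_hex(value):
    """Hex: an even-length run of 0-9a-f, two characters per byte."""
    if len(value) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return _printable(bytes.fromhex(value))

def try_base36(value):
    """Base36 (0-9a-z): how some apps shorten integers such as record ids."""
    if not re.fullmatch(r"[0-9a-z]+", value):
        return None
    return str(int(value, 36))
SCHEMES = (("url", try_url), ("base64", try_base64), ("hex", try_hex), ("base36", try_base36))
def decode_candidates(value):
    """Return every (scheme, decoded_text) pair that plausibly fits the value."""
    return [(name, out) for name, fn in SCHEMES if (out := fn(value)) is not None]

# Constructed sample values of the kind seen in cookies and hidden form fields.
if __name__ == "__main__":
    for v in ("dXNlcj1hbGljZTtyb2xlPWFkbWlu", "user%3Dalice%3Brole%3Dadmin", "39u"):
        print(v, "->", decode_candidates(v))
```

Note that a plain hex string also satisfies the Base36 pattern, so the function deliberately reports every match rather than picking one; that a decoded value reads as "user=alice;role=admin" is the whole lesson that an encoded field protects nothing.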
Chapter 5: Tampering with Input
The best way to see how a web page or application responds to malicious input is, well, to send it malicious input. This chapter discusses methods and ways to do exactly that. It shows ways to muck around with forms, files, GET and POST requests, cookie values, and other data that is directed to the server (including uploading sample virus files).
Chapter 6: Automated Bulk Scanning
This section deals with tools to map, or "spider", your web application by following and recording every link and every input on each page. In addition to spidering, the section covers mirroring and scanning sites.
Chapter 7: Automating Specific Tasks with cURL
cURL is a command line tool that allows testers to automate specific tasks. This section goes through a number of methods to fetch pages, follow redirects, look for cross-site scripting and impersonate a particular web browser, and then gets into more sophisticated options such as manipulating cookies or creating multi-stage tests.
Chapter 8: Automating with LibWWWPerl
Perl has long been a mainstay in web programming; most of the CGI scripts from the past two decades were (or are) written in Perl, and many enhancements exist that allow for relatively easy scripting of web transactions. Perl's LWP library gives the user the ability to perform various security tests. Examples range from basic fetching of pages, simulating form input, sending malicious cookie values, uploading malicious file contents and viruses, to editing a page directly through a script.
Chapter 9: Seeking Design Flaws
There is a difference between a bug and a design flaw. Bugs are generally localized issues in code that was otherwise intended, and can often be fixed fairly easily. Design flaws are situations where a user can take advantage of a system, or use a system in ways the designer or developer never intended or hadn't even considered. The recipes in this section help the user identify various situations such as bypassing pages that are supposed to restrict the user's access (or not), examining password recovery features, manipulating lookup information to find other people's details in a database, and running repeated attacks (Denial of Service, etc.).
Chapter 10: Attacking AJAX
AJAX is one of the cornerstones of the interactive Web 2.0 model, where instead of the user explicitly calling for changes, the application can make them by itself at timed intervals or in small localized areas based on user input. Note: this book doesn't get into the details of AJAX specifically, but it does show how to use a number of tools, such as Firebug, to view the actual requests, interpret and modify requests, intercept and modify server responses, and inject various data types to change and modify AJAX transactions.
Chapter 11: Manipulating Sessions
This chapter shows the user how to find session identifiers in cookies and requests, how to parse and understand authorization headers, and change session details to evade restrictions, gain privileges and impersonate other users.
Chapter 12: Multifaceted Tests
The last chapter assumes that the user has read through and tried the various attacks and recipes in the previous chapters. If each previous section was seen as cooking an appetizer or an entrée (hey, it's a "cookbook", so forgive the oft-repeated analogy), then Chapter 12 is the equivalent of preparing Thanksgiving Dinner (or any other big festival or celebration, for those not from the U.S.A.). The purpose of this chapter is to tie many of the previous examples together into longer and more detailed attack strategies.
This is not a book you read cover to cover. It's a book you sample, and as time and opportunity provide, you try out various recipes, add a little or take away a little here and there, until you have something you can add to your repertoire; then you move on to another one, and another, until you have an arsenal of good tools and the ability to blend them together as needed. Some time will be needed to get used to some of the methods, and some time will need to be invested in using the tools demonstrated. The more attention and time paid to these tools, the sooner you can move from being a web security "cook" and join the ranks of the web security "chefs". Unfortunately, no one can write a "chef's" book, but I'll dare say this particular cookbook will get you a goodly distance towards that goal.
Col-o-phon, n., a publisher's or printer's distinctive emblem, used as an identifying device on its books and other works. When I say a "colophon" book, I'm referring to the distinctive O'Reilly design that has a wood block print of an animal on the cover, which has been a stylistic element of O'Reilly books since their inception. In my day to day work, I rarely refer to an O'Reilly title by its name, but by its animal, such as "Hey, can I borrow the Turtle book (Korn Shell)?" or "Who has the Chimpanzee book (Exploring Expect)?" or "Hey, where's my Llama book (Programming Perl)?" The funny thing is, most of us (meaning me and my co-workers) who regularly read O'Reilly titles know exactly which book we are referring to just by saying the animal on the cover. That's some pretty awesome iconography, if nothing else. For those wondering what you would say for this one, my guess is you'll be asking "Hey, who has the Nutcracker book?!", since the Nutcracker is the bird on the cover.