I’m not much for writing reviews of books that I read, but I wanted to heap some praise on this excellent book. As a DoD auditor, more and more, especially in enterprise systems, we are running into applications; specifically web applications. While auditing web servers, database servers, and operating systems is pretty generic (usually,) auditing the enterprise web applications is anything but. To that end, I’ve picked up some books on (pen)testing web applications with the goal of sharpening my skills and better being able to answers the technical checks from the Application Security and Development checklist.
The Web Security Testing Cookbook by Paco Hope and Ben Walther is an excellent book for helping to be a better web application tester. I should point out that the book is not aimed at pen-testers by any stretch; it is clearly aimed at in-house application testers. But, that does not mean that the tools and concepts provided do not translate well to the auditor/pen-tester field. In fact, it is with the eye of an auditor that I believe I was able to glean bits of information that I found useful that may not necessarily apply to an in-house application tester.
Like other books in the O’Reilly cookbook series, the book contains recipes to solving various problems. Typically, within each chapter are a collection of like-recipes that have a problem, a solution, and a discussion. Many tools are discussed (most of which are free or open source.) And, many solutions are given to the various topics of testing.
Here is what I liked:
Chapter Two was awesome for me; a listing of the various tools that are used in the book. Some of these tools I’ve heard of and used, some were new. This was important to me because many times I am limited to “certified” tools for the networks we are auditing. For example, most sites allow us to use Retina, but not Nessus. On the application side, we are typically allowed to use HP’s WebInspect. The tools listed in chapter two allow me to take a more “manual” approach to testing the application. Specifically, I liked Firebug, EditCookies and TamperData, WebScarab, and ViewState Decoder. One note, while testing Edit Cookies, I was not able to get it to work with FireFox 4, at the time of this writing.
The chapter on Basic Observation gave me a new appreciation for hidden fields and what you can do with them.
I do not have much experience with web encoding, so chapter four got me up to speed on the topic. A recipe dealt with OWASP’s CAL9000, however another good encoder I have used is the one linked to by the Ethical Hacker: http://yehg.org/encoding/.
Chapter 5, Tampering With Data, was one of my favorite chapters. Many recipes were discussed, using the tools to show different ways to tamper with the data being sent to the application. My favorite recipe in the book came from this chapter and discussed uploading of files with malicious files names; a concept I never gave much thought in the past.
Chapter 6 discussed the automation of some of the rudimentary tasks. Some of the great tools discussed included wget, nikto, WSFuzzer, along with native *nix tools.
Chapter 7 dealt with cURL, a tool I’ve never used before but will probably add to the toolbox. The first sentence in the chapter sums it up perfectly: “cURL is a command-line URL tool that is ideal for automating simple web testing tasks.” Many recipes were presented that gave examples of using cURL to accomplish common tasks.
Uploading viruses to an application (via EICAR), in chapter 8, was a that never dawned on me. And, included with the concept is a snippet of Perl code that will do the trick. Yet another great feature of the book is the inclusion of much Perl code to make the scripting of many of the recipes possible.
Chapter 11, on manipulating sessions, was enjoyable because I liked the presentation of the various tools to attack sessions and session state. There are checks in the Application Development checklist that are specific to session state, so it was good to expand on my arsenal of tools to check sessions.
Probably the best feature of the book was that it gave me many "A-Ha" moments that will greatly expand my knowledge of auditing applications. If you are in a position of having to audit web applications you will benefit from reading the recipes presented and using the tools described.