Professional Pen Testing for Web Applications

For the last 9 years I had been working daily in security tasks, (no managerial position!) in multiple tasks IDS, Firewalls, Switches, and had been exposed with multiple flavors of security products. From Open Source to Windows. Working with the products! In our arena we need security books references that will help us improve our analytical skills, and let us know what is out there. The field is very dynamic and nobody holds the torch of "guru" in this arena (Even thou many claim it!). Very very few books excel in quality of delivery, and comprehension. And understand our day to day security jobs. This book is one of the few books I recomend for your average security guy, that needs help to understand what is behind the scene in the web network traffic. Go ahead and buy this book. Its worth it.

Awesome book on Pen Testing!! I believe this is right up there with Richard Bejtlich's books. Great examples and very 3D. I highly recommend this book to ANY hands on security folks out there at all levels of skill.

Recipient found the read interesting and thought the purchase was worth the cost. Has kept the book for reference. recommend

I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA.Before proceeding I should note I used to work with the two ex-Foundstone authors of HE:WA2E, although I haven't been afraid in the past to review books honestly.First, I must say PPTFWA was published in the right series. The motto "Programmer to Programmer," and the term "Professional" in the title, clearly apply to this book. Author Andres Andreu takes his work very seriously, sometimes at the expense of the non-programming network security crowd. You will feel welcome if you are a programmer/security person, but maybe not if you work with "edge devices" like firewalls, IDS, and so on. Given this stance, I found it ironic that PPTFWA's advice (on p 220) for dealing with such impediments is "[m]ake sure your client disables these." Despite the author's focus on application security, he still notes (on p 425) "edge-level protective steps are interesting because they can provide the same level of protection to multiple Web applications simultaneously... [t]his is important because many times you will be faced with a Web application that needs remediation, but the stakeholders will not allow anyone to touch it at the core." Exactly!PPTFWA's strengths lie in the depth it covers certain subjects. For example, its discussions of Web Services are very strong, easily better than HE:WA2E. PPTFWA introduces a wider variety of tools than HE:WA2E, many of which were totally new to me. Even tools without a strict security use (e.g., Twill) are shown to have powerful assessment features. (I liked the hints on p0f in Ch 3, and I use p0f with Sguil.) I like the examples of real cross-site scripting attacks in Ch 4 and the case studies in several parts of the book.PPTFWA deserves credit for two other features. First, the book covers report writing, especially identification and removal of false positives. This is critical yet not often mentioned elsewhere. Second, the book links to a VMware image built by the author containing vulnerable Web app software. This is exceptional and much appreciated.I couldn't give PPTFWA five stars for two reasons. First, I didn't think the book was as well-organized as HE:WA2E. One of the other reviews mentions this fact. Signs of weak structure include repeating or rephrasing material, or wondering why a chapter is placed (e.g., Ch 5?).Second, I found conceptional problems with PPTFWA that are unfortunately not limited to this book; i.e, they often appear in Web app security community discussions. On p 5 the author writes "truly thorough defensive postures can always beat out the offense in these scenarios because there will just be an easier target elsewhere." I disagree, especially when targeted attacks or insiders are at work. Speaking of insiders, on p 11 we read that FBI and CSI reports say "a majority of attacks [come] from inside." This isn't true either, and hasn't been for many years (if it were ever true at all).I found the author's use of the terms threat and vulnerability to be all over the map. For example, p 191 says "Threats that are identified as unresolved become vulnerabilities. Vulnerability is also present when a threat exists and the steps to mediate it have not been implemented." This is just wrong; vulnerabilities exist despite the presence or absence of threats. Risk exists when a vulnerability is present, a threat has the capabilities and intentions to exploit it, and an asset has value. Furthermore, much of the "threat" talk in PPTFWA is built on the flawed characterizations of mostly attacks and vulnerabilities found in WASC and OWASP documents. It would have been great for PPTFWA to build on these technically exceptional but terminologically challenged guides by wrapping them with a sound risk, threat, vulnerability, asset, and attack framework.Aside from these issues (which bother me but can be ignored in favor of technical material) I really liked PPTFWA. I think the book is an example of the sort of higher-end book we should expect to see from good security authors in the future. There is much more to digital security than Web applications, although you might not feel that way when reading PPTFWA. Nevertheless, I consider PPTFWA a must-read after HE:WA2E.

Taking a top-level view on the subject on pen testing web applications this book is a success. It does not focus on hack techniques only and certainly does not use case studies to just show off. The author provides an excellent balance of in-depth technical hacking information with the way the results from such activity get applied to the business of pen testing. Many other books simply show techniques or cover a case study and then move on, the author of this book, Andres Andreu, covers how to handle the results of such needle in the haystack work in order to make strides towards web presence protection. He is clearly not trying to generate more script kiddies but provide professionals the power to understand their security position in respect to web applications and take measures to protect themselves through this heightened awareness.One of the strong points the author makes is certainly well taken in that the typical security professional is not knowledgeable enough to properly protect the web applications of today, they are generally network specialists. Based on this notion the book predominately attacks the issue from a programmatic stance aiming at filling the gaps where security is important. But he provides enough foundation and basics that if you carefully read you should not be at a loss when using this book. Also provided are enough data to build an effective personal lab and practice most of the areas covered throughout the book. This book really should be on every desk or shelf of security professionals that deal with web applications.The book has a general pragmatic overtone and the author is obviously focused on real world work and results, keeping theory to a minimum. There are 11 chapters which are loosely associated to what is seemingly the evolution of a pen-testing project that the author sometimes refers to as a journey. Then there are 4 Appendices covering some interesting areas.Chapter 1 at first glance seems like the typical nonsense where we find out how vulnerable we all are and how messed up the industry is. And while there is some of that there is also a very strong distinct message about what makes an effective web application pen tester and if you read the material carefully the author is being very motivational and even covering psychological aspects of this type of work. I enjoyed reading about the mindset one has to get into in order to do this type of white hat work effectively. It gave me a new perspective on what I, as a network security professional, deal with daily. There were also some nice touches of doing this not just as an employee but also as a professional. This lean towards consultants is important because the rules are always different when a consultant comes in to do this type of work as an outsider.Chapter 2 is titled "Some Basics" quite appropriately because only some basics are covered. There is so much more that can be covered in this area even though to be fair the book would then be twice its current size. In any event it is either a love hate type chapter, for example if you have experience with technologies like SOAP then you will not care much for it and will move on. On the other hand if you have gaps in your knowledge that are covered in this chapter you will find it quite beneficial. This seems like a technical chapter targeting non-web-programmers. Security and network engineers stand to learn a lot in this chapter. It covers many different areas like SSL certificates and CSR's all the way to SOAP and WSDL. Along the way many important areas are covered such as standard web languages, web state, data encryption, data encoding, and XML. At first this material in this chapter seems all over the place and I had to come back to it various times. But after the material sank in I realized the method behind the author's seemingly chaotic approach to the material. Love it or hate it there is great material in this chapter.Chapter 3 is your standard surveillance material with a clear lean towards application specific material as opposed to network level. Some network level material is presented even though these areas are covered much better in other books. The author doesn't seem to be trying to cover this in classic from, he just wants what he needs from the network so as to better attack the application. There are some hidden gems in this chapter that will be eye opening in the sense that some pre-packaged programs for this work will inevitably fall short. Manual analysis of gathered data becomes clear as an important step. One interesting step presented is to gather any and all publicly available information and use it all together to form the basis of some eventual attack.Chapter 4 seems totally out of place at first and it annoyed me. After the technical material from chapter 3 I wanted to attack something. And this chapter seems to back track into some theoretical best practices nonsense. But there are many hidden technical tidbits in this chapter and so it requires some careful reading. I like the way the author linked the OWASP Top 10 and the WASC categories, this was unique in its approach and I haven't seen that done anywhere else. This chapter will set the general basis for organizing your work into attack areas and has many areas of non-obvious technical information. I would have liked seeing more in the area of threat modeling even though I know many real world practitioners don't practice this. The author exposes the practice in summarized form and clearly states the some clients in the real world don't care about this. But the material is presented in such a way that it can help you discipline yourself into some structured process. After all, an interesting and valuable chapter.Chapter 5 nose-dives into attacking web servers with a focus on IIS and Apache. Some old and some new exploits are covered. But the key part of the chapter is the area where the types of attacks are covered since this applies to just about any web server. The programmatic approach is blatant here in that most exploits are backed up with code that can execute the attack covered. This is very useful even though you have to be somewhat proficient in Perl for instance to make some of the examples work. I enjoyed this chapter a lot and even wrote some scripts based on the information from this chapter. I now regularly test new web servers with this knowledge before they go live.Chapter 6 is really the hands on apex of the technical aspects the book brings to light. In respect to standard web applications this chapter is huge and effectively covers many aspects ranging from proxy servers as pen testing tools to custom scripts to injection attacks to brute force attacks. Along the way the author covers related areas like effective dictionary generation for brute forcing. He even covers L33T Speak because it is out there. Chapter 6 starts out with a lightweight checklist that is intended to be a foundation and cannot be anything more. This could have been developed further. After this the chapter covers manual and automated testing.The manual testing section focuses on Webscarab, Perl/LibWhisker, Authentication attacks (with ObiWan, Brutus, Crowbar THC-hydra, & Lcrack), Buffer overflow's, and client side attacks such as XSS, RSS, cookies based. This section ends with a small but clear example from what the author claims is a "real-world example". Based on the level of detail presented I believe this indeed accurate.After all the manual work is covered Mr. Andreu dives into the world of automated tools in the form of Open Source and he even exposes some commercial tools that are supposed to be good, even though he certainly leaves that up to the reader. From the Open Source category Paros proxy, Spike proxy, Nikto, E-or, Wikto, ntoinsight, and finally Nessus are covered. Different levels of depth are gone into based on the tool but they are nevertheless effectively presented to us readers. I have used some of them successfully after first being exposed to them from reading this chapter.Chapter 7 took me from where the previous chapter left off into the dark world of known exploits. It is as if the researchers mentioned in this chapter performed the chapter 6 learning's somewhere and documented their findings into information that can be used by anyone. This chapter is structured similar to Chapter 6 in that it starts out with some examples based on manual work; hence the flow from the previous chapter is nice. Lotus Domino and IIS are attacked in the first 2 manual examples and there is a sense of real world here because in the real world black and white are rare. The author takes us through the entire process of these examples from some of his projects and then shows how sometimes the exposure is acceptable risk as opposed to saying something abrupt like "and so I hacked this successfully". These examples do a great job of putting together many of the teachings presented throughout the book up to this point. They are all tied in effectively and the deep complexity of this work starts to take shape this chapter.From here there is a shift into automated testing using Metasploit. The tool is presented effectively but the example I felt lacked a lot. Maybe this is because the 2 earlier examples were much juicier but I was left in a somewhat anti-climactic state.To finish off the chapter the author exposes you to some public sources of valuable data as well as providing you a powerful warning about self-protection and exposing 2 commercial players in the known vulnerability market. The public sources is a nice touch because the information is presented in terms of staying on top of an ever rapidly changing arena like the web based one. The warning is powerful and backed up with a concrete example which I looked up and was astonished to see. I guess this entire dark world of hacking is really multi-edged after all.Chapter 8 moves horizontally (from a technical perspective) into the elusive world of web services. Many areas of XML and SOAP attacks are covered in the first part of the chapter. This seems to be a strong area of focus for the author and my own research is in line based on remote functionality representing the future of the web. This chapter covers many different tools and if you didn't pay attention to the XML data from the Basics chapter you would do yourself justice to go back and review it. Many aspects of web service attacks are covered.Open Source tools are a big focus of chapter 8 with some commercial counterparts presented at the end of the chapter. The Open tools covered are wsPawn, WSDigger, WSMap, wsChess, Webscarab, and WSFuzzer. Again there is a differentiation between the manual and automated that makes for a continuous flow from previous chapters. Aside from the tools the real value in this chapter is the in-depth coverage of potential XML and SOAP flaws. But if you are not familiar with this data form you will quickly feel out of place in this chapter so be aware of this before you start reading.Chapter 9 leaves the deep and dark technical world of hacking to actually do something with the resulting data from your entire pen testing activities. The chapter has an exceptionally powerful message in that false positives plague most automated tools and processes and so the pen tester must be diligent in terms of validating results. The author, in terms of documenting and presenting this data, makes numerous tips and suggestions. This entire notion leans towards consultants but is valuable information to anyone interested in this. I guess we have to consider ourselves outsiders and consultants when pen testing our own work or at least that is a subtle message I pick up from Mr. Andreu's writing in chapter 9.One especially effective touch considering the IT world of today is the way he links findings generated throughout the book to compliance processes like Sarbanes Oxley and HIPAA. A small section of what is probably a larger example is presented linking pen testing data with some software from The Compliancy Group. This is the type of integrated data flow that is necessary today and this section could be turned into its own book.Chapter 10 revolves around the final steps and it subtly is based on the notion that successful results have been acquired in pen testing. It presents numerous options and areas of focus for remediating the findings from a pen test. There is a powerful message in that traditional network security fails for web applications but the situation is not hopeless. What the author calls "Edge level protection" seems to represent the future of security for web applications and is an excellent final note for this book which paints a general dim picture of the state of security with web applications. Some best practices, which really are meant to put the reader on the research path, close out the chapter in strong form. This chapter initially left me feeling dissatisfied until I stepped back and realized that any genre pursued in terms of remediation (for example ASP remediation) actually requires volumes of information in their own right. Considering the scope of such an area the chapter is effective in terms of planting the seeds towards an effective protection strategy.Chapter 11 is all about fun, it shows you how to build your own open source based lab so that you can safely attack your own environments. Again this chapter is meant to plant seeds and you can build off this information for your own learning.Appendix A provides basic SQL knowledge. For a security professional looking to do hands on SQL Injection this is a good set of basics albeit very basic. If you haven't touched SQL yet this is a good place to start and without this knowledge your creativity when injecting data may be short sighted.Appendix B was one of my favorite parts of the book because it shed some basic light to LDAP that is traditionally held in quasi-mystery. If you learn what the author is showing you it starts to take shape as a sister technology to what SQL is to databases. This is effective knowledge especially considering the expansion of LDAP based technologies like Active Directory.Appendix C lost me totally. These seem to be advanced technologies to query XML data in some manner. The author clearly states that this knowledge is necessary to carry out attacks against XML and SOAP but I admit I need some serious practice in this area so I wont write about it anymore.Appendix D provides us readers with an attack dictionary. It seems to be a compilation of some sort and reading through it reveals very interesting and dangerous data. It is broken up into sections based on the type of attack so the learning aspects are clear and in the very beginning Mr. Andreu clearly states this data would be used through fuzzing tools. I don't know how these guys come up with some of this stuff but I am glad to see it here before someone sneaks into my shop with this ...Overall this book deserves high ratings with the warning that it is deeply technical. Security teams in the field will get great benefit from this no nonsense approach book. The author clearly has mastery and in depth knowledge of web application security and web applications beyond your simple web sites. It is some of this mastery that is supposed to come across to us, the rest is up to us the readers.

First things first, this book is not intended for newbies... That being said, this is by far the most comprehensive guide to application security that exists today. No other books out there can give you the depth and practical security knowledge that is presented here.Anyone that is serious about application security will find this book to be a great tool to augment their existing skillset...Anyone who thinks that they know security because they run traditional network firewalls and/or IDS/IPS systems will find this book eye opening!!!

A must buy