Book Review: "The Web Application Hacker's Handbook, Second Edition"



This book is fantastic, and since the first edition was the first security book I ever read, I just had to pick this version up and give it a proper review. Aptly nicknamed The Web App Hacker's Bible, for both its mass and its authority, I often use this book as reference material for looking up subjects and hints. Not only does this book cover the deep and complex field of web app pentesting, but the 2nd edition comes back in full force with new technologies and troubleshooting tips. This book focuses on practically exploiting web applications, first explaining the theory behind the technologies, then showing real-world exploits with industry tools, which makes it the perfect reference material for when you get stuck in a pentest. The main tool used in the book, Burp Suite, was written by the author of the book and is kept up to date, more so than this text. The following is a highlight of some of my favorite changes between the first and second editions, as well as some of my favorite chapters in general. At the end, I include all links to the web resources, as well as the new online web pentesting labs (which unfortunately cost money). Throughout the new edition, "Try It" blocks link to the online pentest labs, allowing readers to quickly practice new techniques as they learn them. Both the book, and thus the review, are intended for web developers or penetration testers looking to practically exploit web vulnerabilities.

A great place to start the review is Chapter 3, which has been heavily expanded to include many more modern web technologies. This chapter includes overviews and hacking tips for technologies such as TCP, HTTP, REST, cookies, HTTPS, proxies, Java, ASP.NET, PHP, Ruby on Rails, SQL, XML, SOAP services, HTML, CSS, JavaScript, VBScript, DOM, Ajax, JSON, Same-Origin Policy, HTML5, various encoding schemes, and serialization frameworks. This is a solid overview of web technology and a bare minimum for any web penetration tester, so that they are less likely to be surprised by a technology on the job. It's always good to go in with a background understanding of the strengths and weaknesses of a specific technology before researching vulnerabilities, let alone auditing it.

Chapter 5 has also been expanded, practically delving into hacking these modern web technologies within the Burp intercepting proxy suite. The information here can help you leverage client-side code to abuse server functions, such as reusing JavaScript-driven requests, decompiling browser extensions to access local variables, or in general interpreting and tampering with serialized data transmissions. This chapter can be a great time saver for any aspiring web hacker, as these are troubleshooting lessons I've learned the hard way many times, through encountering web applications using Flash or Java applets. This foreknowledge can really help any web pentester, as we are always encountering new situations and must be ready to untangle and debug any application stack.

Chapter 9 has been refocused to give SQL injection more bandwidth, as well as a larger section on using automated tools in your SQL testing. This is a very deep review of SQL injection, with extensive parts on database fingerprinting, UNION SQL injection, injection into numeric fields, bypassing filters, second-order SQL injection, and blind SQL injection (inference attacks). This chapter also dives into using automated tools such as sqlmap along with Burp requests, to chain data from one tool to the next. My favorite part of the 2nd edition is a section at the end on injecting into nontraditional data stores, covering NoSQL, MongoDB, XPath, and LDAP injection.

Chapter 10 has been split off to cover injecting into other back-end services, such as processes handled by the operating system, interpreted languages, or data passed to other protocols. This chapter covers OS command injection extensively, as well as injection into various interpreted languages, such as Perl, PHP, and XML-based SOAP services. It even gets into injecting into email headers and the SMTP protocol. This is a great chapter to open one's eyes to the various types of injection beyond SQL that exist in computing.

Like the SQL injection material, Chapter 12 has been split into two chapters; this time Chapter 12 focuses exclusively on Cross-Site Scripting. XSS is now covered in depth, with new testing techniques for reflected, stored, and DOM-based Cross-Site Scripting. The payload section is also heavy, discussing virtual defacement, inducing user actions, injecting "trojaned functionality", and even escalating the attack by attacking other sites and internal scanning. The practical tips for these exploits are great, targeting specific data types with lots of "Try It" examples. The filter evasion section also contains lots of good tips for your XSS attacks. Chapter 12 also includes all kinds of attacks against non-standard fields, such as in cookies, in the Referer header, hidden in file uploads, via Ajax, or through other protocols, such as web mail. This chapter also has an extensive section on blocking these attacks and remediating these vulnerabilities, which could prove very useful to developers.

Chapter 13 now covers other unique user-land attacks, including XSRF, UI redress attacks, and frame jacking, just to name a few. These attack vectors now get the respect they deserve, and this chapter truly highlights the specific importance of mitigating these exploits. This chapter dives deep into OSRF, XSRF, and UI redress, where an attacker is trying to induce user-level actions by manipulating the browser. This chapter also revisits the Same-Origin Policy with browser-extended languages, opening a whole new can of worms with languages such as Silverlight, Flash, and Java. This is a fantastic chapter on common vulnerabilities that are not so commonly found or exploited, and it will make any penetration tester noticeably better, simply due to the increased number of vulnerabilities they can report.

Other chapters, such as 14, provide tons of practical experience using and automating Burp and some of its special features. This helps drastically with testing and automating against technologies such as anti-CSRF tokens.

Chapter 20 dives into a web penetration tester's toolkit and practically walks through using the toolkit in a real web application penetration test. This is arguably one of my favorite chapters, as it details all of the tools a web pentester should have on hand, including browsers, proxies, spiders, fuzzers, scanners, repeaters, entropy analyzers, and many more. It even details and suggests specific tools, including their strong points and pitfalls. Obviously, this is not an all-inclusive list, but it does include many tools that I use regularly, and if you're looking to get into penetration testing, you should be familiar with these tools or some equivalent alternative.

Chapter 21, my favorite and our final chapter, is an amazing checklist to use when going through a web app penetration test, to make sure you have left no stone unturned. Following this itemized list is a surefire start to finding vulnerabilities and a great baseline. It is processes and routines such as Chapter 21 that make security testing a science and not an art, which is also why this book is so crucial among security books.

Finally, the companion website for this book at http://mdsec.net/wahh contains source code, a list of commonly used security tools, answers to the questions in the book, the amazing web app pentest checklist, and a link to buy the book. Also, don't forget to check out the labs, or you can always practice on free resources! Ultimately, I give the book 9 / 10 stars, as I held the original as one of the best technical information security books, and the updated second edition did not disappoint either.
Regardless, you should pick up the book if this review intrigued you!