web application security lab

Book review: Professional Pen Testing for Web Applications

I don’t generally do book reviews (maybe I’ll start if I have to do this much traveling in the future - since it will give me lots of time to read). In this case, the book was really on topic, if a tad out of date. Andres Andreu wrote a book in the 2005-2006 timeframe called “Professional Pen Testing for Web Applications” (I think he could have sold another 10k copies if he had spelled out “Penetration” instead of “Pen” but that’s neither here nor there). The book is actually a really good and quick read as there are lots of pictures and examples to drive the text along.

Normally I find it tedious to get through penetration testing style books, because the authors generally only talk about one or two tools (generally nmap and insert one or two other tools here) and stick with them for the entire book. Andres does a really nice job of talking about dozens of different tools and how they are useful from a web application security perspective. One section that I found a tad cheesy though was the ethics of what you can and can’t do during an audit. I don’t know why, but I’ve always found that stuff to be obvious. For instance, while it does say extortion is not okay (I hope that’s also obvious to everyone reading this), it fails to mention bribery, rubber hose cryptanalysis, intimidation, kidnapping, murder, or a host of other things that actually do work and that three letter agencies worldwide have employed. So don’t go looking at that chart as saying “Andres didn’t say I couldn’t.” The chart made me and id laugh. If anyone wants to sign up for that kind of audit, just let us know. We’ve got the blowtorch and the pliers standing by. The ethics section of the book was short, and it got better quickly thereafter.

Anyway, sure, some parts of the book are out of date, as you’d expect with a book written 1-2 years ago, but a lot of the book is timeless. The general tactics put in place, how the different threat modeling works, and how you document what you find is all good information. I’ve had my own way of doing things for years, but it’s always nice to hear someone else’s perspective. The best part of the book for me, was that since it was slightly out of date, I got to hear a lot more about technologies we tend to forget about since they aren’t used that much any longer. There weren’t many blogs detailing this stuff back then to read, so this is a bit of a blast from the past. Granted, he doesn’t talk at all about a lot of the more modern stuff since it didn’t exist yet, but I found it a really interesting refresher course in the way things used to be, and the way we should probably continue to think about legacy systems.

The cons are that he hardly discusses manual assessment using things like telnet at all, focusing more on the existing tools; at least half a chapter, when you add it all up, is spent on buffer overflows without going into enough detail to actually show a working example in the wild; he talks quite a bit about SSL security (which really isn’t much of a problem most of the time); and it makes a big leap that you already know how to develop programs, run programs and have access to *Nix environments. That’s true in my case, and on the cover it even says “Programmer to Programmer.” Still, it’s definitely not meant for a beginner with only access to Windows and no idea what Cygwin is. Overall, it was probably a four out of five star type book when it came out, but because it’s a little out of date it’s probably more like three stars now. Still, it makes a nice addition to the bookshelf, and it got my brain thinking.

9 Responses to “Book review: Professional Pen Testing for Web Applications”

  1. Daniel Says:

    One thing I always look for in books like these is how the author approached methodical testing.

    It’s a known fact that a good methodology when testing web applications helps more than a haphazard method, but it’s often forgotten about when people write books.

    Was it included?

  2. Sid Says:

    /me goes to loft to get book
    Really, that’s where I keep it. Not because it’s worthless, but because until I go back to university I can only fit X amount of books in my room without it getting too messy, and this didn’t make my short list.
    Daniel:
    In the introductory chapter there are a few subsections which cover “The Goal”, “Methodology” and “Rolling documentation”. These three combine to take up about 5/3 of a page. They cover the named topics from a very high level and don’t go into any details (what you’d expect for the amount of space they are given).
    Later on in the book there is a chapter titled Documentation and Presentation. As you would expect of a chapter with that name, it covers how to write your final report in a nice, coherent, no-blubber way that the company who hired you finds useful. It doesn’t explicitly state anything about methodical testing, but if you read and digest the whole book before you do any pen testing you’ll have an innate feeling for how to produce the report, and so you’ll know to be methodical.
    I don’t know what you’re looking for in terms of methodology; if it’s something like going through an example audit telling the reader how to document and what to note about an event, then this isn’t the book for you, nor does it claim to be. Personally I feel that it covers the topic adequately, but perhaps it should have a few references to other books or articles which go into this topic in more depth.

  3. Technocrat Says:

    Good point about the lack of information on the manual testing front. While I haven’t read this exact book, the manual testing stuff is normally hidden, few and far between, in a huge parade of tools. Tools are important, but they are just that... tools.

    DJ Shadow once said that digging won’t make a bad DJ good... but it will make a good DJ better. I directly translate this to the use of tools in the pen-test market.

    While tools are very helpful for both beginners and experts, they do not replace the need for experimentation and good ol’ fashioned parameter manipulation with a proxy.

    A good pen-tester needs to fully understand the tools they use. What are the limitations of Nmap or Nessus? Over and over again, I see people ID a service just because Nmap said it was “blank”.

    Manual verification with tools like telnet and others is just as important, if not more so, than any shiny toolkit. Manual verification requires a tester to understand the tool used and the target... it requires deeper understanding... and that isn’t something you can buy with a PO.

  4. Bob Says:

    You mention the use of telnet for manual assessments. What kind of assessing is telnet convenient for, besides for checking which OPTIONS are available?

  5. Alf Says:

    “rubber hose cryptanalysis”… hehehee :)

  6. ntp Says:

    surprised you didn’t compare it to ‘hacking exposed web applications, 2nd edition’. or ‘xss attacks’!

    those three are the must-haves. the others are only so-so (how to break web software, hacking web services, the art of software security testing, developer’s guide to web application security). here’s an ok starting list:
    apache security, covert java, exploiting software, fuzzing brute force vulnerability discovery, google hacking, hunting security bugs, network security tools, preventing web attacks with apache, secure programming with static analysis, security metrics, shellcoder’s handbook, silence on the wire, software security building security in, the art of software security assessment, the security development lifecycle, threat modeling, and wi-foo. i suggest you wait for the new editions of wi-foo and shellcoder’s handbook, and there are a few more syngress press titles coming out soon that are probably worth a look (open-source fuzzing, pci compliance, etc).

  7. RSnake Says:

    Hahah, no, I wasn’t out to compare and contrast. It was just a nice quick read and I wanted to share. As I read more I may or may not post about them. Most books aren’t worth the time to talk about though.

  8. nEUrOO Says:

    I have had this book for a couple of months now, and I have to say that I like it, but it’s not because of the technical part.
    This book is, for me, kind of a repository of techniques that a pen-tester can use with tools. And that is really a “professional” pen-tester for me.

  9. RSnake Says:

    @bob - sorry, I missed your question. I use telnet allllll the time. It allows me to quickly identify what’s going on on the server with more than just OPTIONS, but rather to enumerate manually through what it is and isn’t allowing. Telnet removes a lot of the garbage that you get using tools, and allows you to better mess with certain things that normally are unavailable to you, like the verbs, the HTTP version, removing those things, etc... That’s actually how I found an information disclosure issue in mod_security a few years back.
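Bob’s question and RSnake’s answer above describe probing a web server by hand over telnet. As an added example (my own code, not the author’s, the commenters’ or the book’s), the Python below does the same thing with a raw socket against a constructed local target: it sends exactly the request bytes you would type into telnet, with whatever verb, HTTP version or missing Host header you choose, and then compares the methods the server advertises in its Allow header with the ones it actually answers. The `_ProbeTarget` class, its `ExampleHTTPd/0.1` banner and the loopback port are all constructed for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class _ProbeTarget(BaseHTTPRequestHandler):
    """Constructed stand-in for the server under test; any HTTP/1.x server would do."""
    server_version = "ExampleHTTPd/0.1"  # constructed banner, not a real product

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "5")
        self.end_headers()
        self.wfile.write(b"hello")

    def do_OPTIONS(self):
        self.send_response(204)
        self.send_header("Allow", "GET, OPTIONS")  # what the server *says* it accepts
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_target():
    """Run the constructed target on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), _ProbeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def raw_request(host, port, method, path="/", version="1.1", headers=None):
    """Send exactly the bytes a tester would type into telnet and return (status, headers).
    Nothing is added or normalised: an odd verb, an old HTTP version or a missing Host
    header reaches the server as-is, which is the point of doing it by hand."""
    lines = [f"{method} {path} HTTP/{version}"]
    lines += [f"{k}: {v}" for k, v in (headers or {}).items()]
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        data = b""
        while b"\r\n\r\n" not in data and (chunk := s.recv(4096)):  # read to end of headers
            data += chunk
    status_line, *hdr_lines = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in hdr_lines)}
    return int(status_line.split()[1]), hdrs

def enumerate_verbs(host, port, verbs=("GET", "OPTIONS", "TRACE", "PUT", "DELETE", "FOO")):
    """Compare what OPTIONS advertises (Allow) with what the server really accepts;
    a verb answered 2xx but missing from Allow is a misconfiguration worth reporting."""
    _, opt = raw_request(host, port, "OPTIONS", headers={"Host": host})
    advertised = {v.strip().upper() for v in opt.get("allow", "").split(",") if v.strip()}
    accepted = {verb: raw_request(host, port, verb, headers={"Host": host})[0] for verb in verbs}
    return advertised, accepted
```

Against the constructed target, GET and OPTIONS answer 200 and 204 while the unsupported verbs come back 501; on a real server the interesting result is any verb that is accepted without being advertised, or a different answer for HTTP/1.0 versus 1.1.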