{"id":571,"date":"2013-11-23T12:31:37","date_gmt":"2013-11-23T20:31:37","guid":{"rendered":"https:\/\/formidableengineeringconsultants.com\/?p=571"},"modified":"2014-10-10T11:42:25","modified_gmt":"2014-10-10T19:42:25","slug":"log-rolling-in-our-time-part-1","status":"publish","type":"post","link":"https:\/\/formidableengineeringconsultants.com\/?p=571","title":{"rendered":"Log Rolling in Our Times (Part 1)"},"content":{"rendered":"<p><a href=\"http:\/\/www.dpbolvw.net\/click-7670298-11260198?url=http%3A%2F%2Fshop.oreilly.com%2Fproduct%2F9780124166004.do%3Fcmp%3Daf-na-books-videos-product_cj_9780124166592_%2525zp&amp;cjsku=9780124166004\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-643 size-medium\" src=\"https:\/\/formidableengineeringconsultants.com\/wp-content\/uploads\/2013\/11\/basics-244x300.jpg\" alt=\"basics\" width=\"244\" height=\"300\" srcset=\"https:\/\/formidableengineeringconsultants.com\/wp-content\/uploads\/2013\/11\/basics-244x300.jpg 244w, https:\/\/formidableengineeringconsultants.com\/wp-content\/uploads\/2013\/11\/basics.jpg 500w\" sizes=\"auto, (max-width: 244px) 100vw, 244px\" \/><\/a>I admit it. I got a free eBook.\u00a0 I signed up with <a href=\"http:\/\/www.oreilly.com\/\">O&#8217;Reilly Media<\/a> as a reviewer. The terms and conditions of this position were that when I get an\u00a0 eBook, \u00a0I agree to write a review of it.\u00a0 Doesn&#8217;t matter if the review is good or bad (so I guess, technically, this is NOT log rolling).\u00a0 I just need to write a review.\u00a0 And if I post the review, I get to choose another eBook to review.\u00a0 And so on. So, here it is. \u00a0The first in what will likely be an irregular series. 
My review.<\/p>\n<p>The book under review is <a href=\"http:\/\/www.dpbolvw.net\/click-7670298-11260198?url=http%3A%2F%2Fshop.oreilly.com%2Fproduct%2F9780124166004.do%3Fcmp%3Daf-na-books-videos-product_cj_9780124166592_%2525zp&amp;cjsku=9780124166004\" target=\"_blank\">&#8220;The Basics of Web Hacking&#8221; subtitled &#8220;Tools and Techniques to Attack the Web&#8221; by Josh Pauli<\/a>. The book was published in June 2013, so it is fairly recent. Alas, recent in calendar time is actually not quite that recent in Internet time &#8211; but more on this later.<\/p>\n<p>First, a quick overview. The book provides a survey of hacking tools of the sort that might be used for either the good of mankind (to test and detect security issues in a website and application installation) or for the destruction of man and the furtherance of evil (to identify and exploit security issues in a website and application installation). The book includes a several-page disclaimer advising against the latter behavior, suggesting that the eventual outcomes of such a path may not be pleasant. I would say that the disclaimer section is written thoughtfully, with the expectation that readers would take its warnings seriously.<\/p>\n<p>For the purposes of practice, the book introduces the <a rel=\"nofollow\" href=\"http:\/\/www.dvwa.co.uk\/\" target=\"_blank\">Damn Vulnerable Web Application<\/a> (DVWA). This poorly-designed-on-purpose web application allows you to use available tools and techniques to see exactly how vulnerabilities are detected and exploits deployed. While the book describes utilizing an earlier version of the application, figuring out how to install and use the newer version that is now available is a helpful and none-too-difficult experience as well.<\/p>\n<p>Using DVWA as a test bed, the book walks you through jargon, then techniques, then practical exercises in the world of hacking. 
It covers scanning, exploitation, vulnerability assessment and attacks suited to each vulnerability, including a decent overview of the vast array of available tools to facilitate these actions. The number of widely available, very well built applications with easy-to-use interfaces is overwhelming and quite frankly quite scary. Additionally, a plethora of web sites provide a repository of information regarding web sites already known to be vulnerable and how they are vulnerable (in many cases these sites remain vulnerable despite the fact that they have been notified).<\/p>\n<p>The book covers usage of applications such as <a href=\"http:\/\/portswigger.net\/burp\/\" target=\"_blank\">Burp Suite<\/a>, <a href=\"http:\/\/www.metasploit.com\/\" target=\"_blank\">Metasploit<\/a>, <a href=\"http:\/\/nmap.org\/\" target=\"_blank\">nmap<\/a>, <a href=\"http:\/\/www.tenable.com\/products\/nessus\" target=\"_blank\">nessus<\/a>, <a href=\"http:\/\/www.cirt.net\/nikto2\" target=\"_blank\">nikto<\/a> and <a href=\"https:\/\/www.trustedsec.com\/downloads\/social-engineer-toolkit\/\" target=\"_blank\">The Social Engineer Toolkit<\/a>. Of course, you could simply download these applications and try them out, but the book marches through a variety of useful hands-on experiments that exhibit typical real-life usage scenarios. The book also describes how the various applications can be used in combination with each other, which can make investigation and exploitation easier.<\/p>\n<p>In the final chapter, the book describes design methods and application development rules that can either correct or minimize most vulnerabilities, as well as providing a relatively complete list of &#8220;for further study&#8221; items that includes books, groups, conferences and web sites.<\/p>\n<p>All in all, this book provides a valuable primer and introduction to detecting and correcting vulnerabilities in web applications. 
\u00a0Since the book is not that old, changes to applications are slight enough that figuring out what the changes are and how to do what the book is describing is a great learning experience rather than simply an exercise in frustration.\u00a0These slight detours\u00a0actually serve to increase your understanding of the application.<\/p>\n<p>I say 4.5 stars out of 5 (docked a star because these subject areas tend to get out-of-date too quickly but if you read it NOW you are set to grow with the field)<\/p>\n<p>See you at <a rel=\"nofollow\" href=\"http:\/\/www.defcon.org\/\" target=\"_blank\">DEFCON!<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[87,31,47,48,56,15,51,17],"tags":[46,55,6,38,58,57,89,36,53,22],"class_list":["post-571","post","type-post","status-publish","format-standard","hentry","category-book-reviews","category-consulting","category-data","category-databases","category-security","category-software","category-software-tips-tricks","category-web-x1-0","tag-ideas","tag-linux","tag-new","tag-revolutionary","tag-risk","tag-security-2","tag-software","tag-usability","tag-windows","tag-world-wide-web"]}