Friday, 15 November 2013

Hacking Web Apps

Title: Hacking Web Apps
Author: Mike Shema
Publisher: Syngress

Hacking Web Apps Book Cover

Got a website? Maybe it's just displaying a few static pages, maybe it's running a pretty fancy web app. You're proud of what you've made, it looks nice and it's bulletproof, right? Wrong.
In Hacking Web Apps, Mike Shema shows how security on your average site is an illusion. In reading this book I was frankly amazed at how many ways there are to attack a site. Some of them you will know: denial of service and cross-site scripting attacks all make the news. Lurking in the background, though, are the other attacks, the ones that don't make the headlines but are every bit as real a threat as anything reported in the media.

Indeed, some of the very things that are supposed to make data, and the web in general, more secure, such as cryptography, can be an entry point for would-be attackers if implemented poorly. Client-side validation, implementation errors in cryptography and insufficient randomness can all be exploited to allow an attacker access to otherwise protected information. Add to this other points of failure or access, such as the browser and the OS, and techniques such as clickjacking, and you might wonder if the web should just be shut down and we should all go back to using real banks and writing letters and so forth.

Not to worry, for help is at hand. The author provides countermeasures for the various attacks and points of failure listed in the book. For the most part they're pretty easy to follow and to implement. If you have a website, or are building one, I highly recommend reading this book if you've got anything to lose. And even if you don't have anything to lose, and just don't want the hassle of fixing your site after some kid breaks in and puts some garbage up on your home page, read it and follow the instructions.

Rating
An excellent read: the author describes each potential issue or attack, then proceeds to dissect how it works, following up with preventative measures to stop the attack from happening (again). If you work with website design, read it. If you don't, ensure that your designer has read it! A hearty 5/5 for this particular book; it's clearly written, with links to a lot of tools and resources.