[Dailydave] WebHacking and lcamtuf

Dave Aitel dave at immunityinc.com
Mon Jan 2 12:08:20 EST 2012

So this is my review of lcamtuf's book, which is this: It's the best
book out there on web security right now, and if we had more time, we'd
buy one for every student at the INFILTRATE WebHacking class.

The book is less an attempt to "teach" web security than the result of
lcamtuf's extremely deep and systematic review of the basement of web
technology. I think only lcamtuf could have written it, since it not
only goes over the technology, but the historical reasons for various
technological choices that have been made. Likewise, it's extremely up
to date. It's not a long book, and it's somewhat approachable even for
someone with no experience in web security, so there are gaps, but the
book itself is less about covering all possible attacks and more about
covering the underlying structure of the web that makes these attacks
possible. This is what you can see every couple months when lcamtuf
comes out with various demos for ways to circumvent security that can't
readily be patched or prevented. Lcamtuf's conclusion alone is worth the
price of the book.

My only issue (and it's a small one) with the book is that it is written
very much from a defensive "security engineer's" position. Come back to
the dark side lcamtuf!

In the INFILTRATE WebHacking class (coming up in 7 days!!!) the team
designed the class entirely around the model of a wargame. Sometimes
it's the little things that make all the difference - getting your CSRF
attack to work across browsers, for example (no, this is not as easy as
it sounds!). Likewise there's a number of hours devoted to exploiting
SQL Injection as you would have to in the wild. SQLi is one of those
things where people write off the exploitation part a lot if it doesn't
immediately work with their automated tool, since it involves thinky
thinky. But much like Unethical Hacking makes people learn buffer
overflows, WebHacking forces people to be able to really exploit things
by hand.

Deep down what you want from all these class is to transfer that
instinct for GETTING IN to the students. It's just a small taste to try
to develop the call of the wild. If at the end of Unethical Hacking or
WebHacking, the students don't go home tempted to hack their ex
girlfriends, then we judge ourselves a failure. Of course, in the Master
Class we _should_ be teaching restraint. Oddly a lot of the best hackers
I know are ex-addicts. I think there is a similar psychology at work.
But restraint is even harder to teach.

INFILTRATE 2012 January 12th-13th in Miami - the world's best offensive information security conference.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <http://lists.immunityinc.com/pipermail/dailydave/attachments/20120102/1951b82d/attachment.sig>

More information about the Dailydave mailing list