It is always nice when I get a chance to sit down and read a book I bought over a year ago. Finally! I’ve been enjoying the book, and what I’ve enjoyed so far is the evolutionary process between attacks and web servers.
For example, Microsoft IIS was exploitable with long URLs. Microsoft fixes that, but attackers learn that they can just keep running the attacks anyway, and eventually the server dies when it runs out of disk space from logging all those long URLs. Microsoft fixes that by reducing the length of the information stored in the logs. Attackers still continue to use long URLs, because their complete attempts won’t be logged. You’ll know someone tried something with IIS, but you won’t know exactly what. It is an interesting technology arms race.
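The defender's side of that arms race is worth making concrete: once the server caps how much of each URL it logs, the log can no longer tell you what the full request was, but it can still tell you that long-URL requests are arriving, from whom, and how fast the log file is growing. The script below is an added example written for this post, not code from the book or from IIS. It parses a few constructed W3C-style log lines, flags entries whose logged URL has hit an assumed cap (so the full attempt is probably missing), and counts long-URL requests and log bytes per client so a flood that could exhaust the disk stands out. The field layout, the cap value, the flood threshold and the sample lines are all assumptions for illustration.

```python
# Added example (not from the original post or from IIS itself): a defender-side
# check over constructed IIS-style W3C log lines.  It reports entries whose logged
# URL reached the configured cap (the full request is likely truncated and not
# recoverable from the log) and per-client counts of long-URL requests and log
# bytes, so a log-filling flood is visible even when the payloads are not.
# All thresholds and sample data below are assumptions for illustration.
from collections import Counter

LOGGED_URI_CAP = 64   # assumed: max characters of cs-uri-stem the server writes to the log
LONG_URI_FLOOD = 3    # assumed: long-URL requests from one client before we call it a flood

# What the server would keep of an oversized request after truncating at the cap.
_TRUNCATED_STEM = ("/scripts/" + "A" * 200)[:LOGGED_URI_CAP]

# Constructed sample log in W3C extended format (these are made-up entries).
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-05-01 10:00:01 10.0.0.5 GET /index.htm 200",
    f"2003-05-01 10:00:02 10.0.0.9 GET {_TRUNCATED_STEM} 414",
    f"2003-05-01 10:00:03 10.0.0.9 GET {_TRUNCATED_STEM} 414",
    f"2003-05-01 10:00:04 10.0.0.9 GET {_TRUNCATED_STEM} 414",
    "2003-05-01 10:00:05 10.0.0.5 GET /about.htm 200",
])


def parse_w3c(text):
    """Yield one dict per log entry, using the '#Fields:' directive for the column names.

    Malformed lines (wrong field count) are skipped rather than raising, because a
    log under attack is exactly where odd lines show up.
    """
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue
        entry = dict(zip(fields, parts))
        entry["_raw"] = raw
        yield entry


def analyse(text, uri_cap=LOGGED_URI_CAP, flood=LONG_URI_FLOOD):
    """Return truncated-URL entries, clients flooding long URLs, and log bytes per client."""
    possibly_truncated = []
    long_by_client = Counter()
    log_bytes = Counter()
    for entry in parse_w3c(text):
        client = entry["c-ip"]
        log_bytes[client] += len(entry["_raw"]) + 1  # +1 for the newline on disk
        if len(entry["cs-uri-stem"]) >= uri_cap:
            # At the cap we cannot tell how long the real URL was: record that fact.
            possibly_truncated.append((entry["date"], entry["time"], client))
            long_by_client[client] += 1
    flooders = {ip: n for ip, n in long_by_client.items() if n >= flood}
    return {
        "possibly_truncated": possibly_truncated,
        "flooders": flooders,
        "log_bytes": log_bytes,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for date, time, ip in report["possibly_truncated"]:
        print(f"{date} {time} {ip}: URL reached log cap, full request not recoverable")
    for ip, n in report["flooders"].items():
        print(f"{ip}: {n} long-URL requests, {report['log_bytes'][ip]} log bytes")
```

Run it as a script and the three capped entries from 10.0.0.9 are listed, with that client reported as a flooder; the byte counter is the number to watch against free disk space, since the original failure mode was the log volume filling up rather than the requests themselves doing anything.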
The other thing that I’ve enjoyed so far about the book is the real stories about how systems have been audited, and how the auditors find silly security flaws in the system. Example: being able to view, edit, or become other accounts in the web application.
WebScarab is quite a useful tool to see what is going on between the web browser and the server. And the ability to save all of the complete conversations within a browsing session is fantastic. It is certainly going to be useful when I have to interface with websites that insist on using JavaScript for authentication and browsing.