Hack Proofing Your Web Applications

I'm working on a presentation on Web Application Security, and I
picked up this text as a reference. What a mistake! The text is
vague, poorly formatted and rife with errors.

Just one example:
p. 131 shows a sample CGI script for submitting comments to
FreeBSD.org. First of all, the screenshot references a page that
doesn't exist, tarnishing FreeBSD for no good reason. Secondly, the
Perl CGI script doesn't set PATH, doesn't use taint, and doesn't check
exit values. Third, the form uses a hidden field for the submit
address -- making it a juicy spam tool since the user could simply
replace "mcross@freebsd.org" with any address she chooses. And I
could go on and on with just that one script.

Other
gripes:
p. 465, "SSL makes the man-in-the-middle attack fail".
Wrong. ...

How about this: The authors refer to Perl as the
"Practical Extraction and Reporting Language." (p. 151, p. 223) Are
they trying to impress newbies?

SSL & PKI: only 20 pages of 565
are devoted to SSL & PKI, and those are mostly screen shots of Windows
MMC.

I'm not picking nits here, just citing examples that
particularly irk me while flipping through it. The author seems to
have little to say about Securing Web Applications, so he rambles on
with useless background and repeats himself often. This might be
useful had it been edited down to 100 pages.

I recommend Garfinkel
and Spafford's 'Web Security, Privacy & Commerce,' however Forristal
does minimally discuss ASP, which Garfinkel and Spafford neglect.
Also, Forristal has some interesting ideas for code review.

...

Other Reviews

• Fragmented and a bit self-important, but still useful
• Hack Proofing Your Web Applications
• Another surprisingly good security book from Syngress