insanesecurity » Books

Browser Security Handbook

dblackshell — Wed, 24 Jun 2009 17:02:07 +0000

Recently after moving the blog to this self-hosted platform I decided to cleanup a bit my feed reader… you know, add some, delete some. And while searching for blogs to subscribe to I came across Michal Zalewski’s website searching for a feed. Unfortunately didn’t find a feed, but did find his newest project…

The Browser Security Handbook is a free online book covering information related to web browsers like: IE6, IE7, FF2, FF3, Opera, Chrome, Safari and Android. The book covers material from url schemas, http protocol, DOM, up to same-origin policy.

Being a comprehensive document about browsers it’s a book that I would recommend security testers, as well to website developers. I wouldn’t be amazed if it where a reference lecture upon browsers in the years to follow.

If you are here you might as well check other published material from Michal Zalewski: “I don’t think I really love you” (first Zalewski material I ever read), Absence of fd-based unlink(), “Delivering signals for Fun and Profit”, Rise of the Robots, Juggling with packets, IP Fragmentation and “Strike that out, SAM”.

The Hacker’s Underground Handbook – Review

dblackshell — Wed, 24 Jun 2009 16:59:41 +0000

A couple of days ago David (The Great) Melnichuk released The Hacker’s Underground Handbook, (e)book that comes as an aid for all those that are starting just now in this domain.

Why this and not any other intro/tutorial found on the web, you may ask. Although the internet is the biggest resource, finding useful information (in this domain) may prove quite hard, especialy if you aren’t ‘initiated’ yet in hacking. (no there’s no initiation ritual) And if you don’t know exactly what you are looking for you may come across: boring, idiotic (this is just a joke, by the way) and outdated material.

The Hacker’s Underground Handbook will guide you through password hacking, windows hacking, malware, phising, web hacking, network hacking and Linux (intro, installation, etc). All this material fully packed with images, thus being a top step-by-step guide, on the course of which you cannot fail.

A great starting book which will guide you in the right direction, helping you understand the basic concepts of computer security and matters that you should take in consideration.

OWASP Code Review Guide

dblackshell — Wed, 24 Jun 2009 16:25:00 +0000

Code review is probably the single-most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. (Introduction)

The first section (Methodology) walks you through the: introduction to code review, preparation for code review, security code review in software development life cycle (waterfall and agile), security code review coverage, application threat modeling and code review metrics. From this first section I’ve found very interesting the “application threat modeling” page, because I never did know how to classify (evaluate) the risk of a vulnerability and it really made me understand a lot about it.

The next section of the guide is about crawling code, what to look for in JAVA/ASP/JavaSript.

I’ll skip the rest (I’ll let you discover it) and only mention the “example by technical control”, section which I would recommend to any web developer (regardless of language) because It points out every aspect for the following technical controls: authentication, authorization, session management, input/data validation, error handling, secure deployment, cryptographic controls.

That being said, you can read the guide on-line at owasp.org, or download the pdf version from lulu.com.