Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!


{book review} Web Application Obfuscation

Web Application Obfuscation: ‘-/WAFs..Evasion..Filters//alert(/Obfuscation/)-’

by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay

In penetration testing there’s nothing worse than knowing there’s a vulnerability there for the taking, only to be blocked by a filter (WAF, server-side, IDS/IPS... take your pick!). That’s when obfuscation comes into play…

Web Application Obfuscation takes a look at common Web infrastructure and security controls from an attacker’s perspective, allowing the reader to understand the shortcomings of their security systems.

A noble cause indeed, and one that I think the authors have achieved, at least in part. Why do I say in part? Well, if I had to give one reason to explain that statement it would be that it’s not an easy read. Now don’t misunderstand me, the book is well written, concise, and well presented. All the information is there for the taking. With the concise nature of the topic and its excellent coverage, I sometimes found it hard to follow the thought processes behind things. Sometimes understanding came straight off, and other times it took a few re-reads of a section and a bit of tinkering to really get the facts straight in my head. With that said, with a topic as broad and complex as this, I’d be surprised to find a book out there that explains the information any better… and in case you want to look, good luck… I doubt you’ll find anything more than a few specialist articles on the topics this book covers. This book takes an already highly specialised area of IT (Information Security), takes it down past the more specialised Penetration Tester level into a unique area of highly focused individuals who call themselves Web Application Security Specialists… (yes, I’m aware that’s dangerously close to ASS, but I couldn’t think of a better way to describe this –> See ASS Cert for more information).

Contents in brief

Chapter 1: Introduction
Chapter 2: HTML
Chapter 3: JavaScript and VBScript
Chapter 4: Nonalphanumeric JavaScript
Chapter 5: CSS 
Chapter 6: PHP
Chapter 7: SQL
Chapter 8: Web Application Firewalls and Client-side Filters
Chapter 9: Mitigating Bypasses and Attacks
Chapter 10: Future Developments

This book isn’t something you’ll be reading cover to cover anytime quickly… I like to sit down in the garden and crank my way through a book, but I never really got anywhere using that strategy with this title. There are so many occasions where the use of a computer is advised to follow some of the context of things. Plus, to get the most out of this book, I feel that it’s better to dip in and out as needed. Specific examples are complex enough that without a refresher, things don’t stick that well. At least, at my age they don’t. Still, if you’re new to Web Application testing and want to drink from the fire-hose of what’s possible in obfuscation, I couldn’t think of a better place to get it.

One thing I found myself missing in the book was more focus on how developers can deal with these issues. As a tester I came out the other end wondering if developers ever stood a chance. I can only think what a developer would feel after dipping into this book. Hopelessness piled on uselessness, with a spoonful of not a chance! Chapter 9, which covers mitigations, tries to give some useful examples, but at a mere 18 pages, even the authors seem to be a little depressed about their chances.

I’m certainly not short of examples of great information, but in particular the sections on JavaScript and PHP struck home with me as well worth the purchase price. Just the eye-opening section on non-alphanumeric JavaScript makes you want to cry (for joy, and for many other reasons). Digging through the details for that little tidbit of information that gets you past the filters isn’t easy, and a good basic understanding is needed to get the most out of this book.

When all is said and done, if you’re into Web App testing, this is a great book to have on your bookshelf… If you’re not, as a tester, trying these tactics to get past filters, then you’re doing both yourself and your customers a real disservice. How can you say an application is secure if you’re not trying the same tactics that the bad guys are using day in and day out? Be warned though, it’s not really a weekend read. Too much detail, but we like that, don’t we 😉

Readability: 6

Information: 9

Overall Score: 8/10

Links: