Gray Hat C#

Author: Brandon Perry
Publisher: No Starch Press
Pages: 304
ISBN: 978-1593277598
Print: 1593277598
Kindle: B074LSP4H5
Audience: Developers interested in security
Rating: 5
Reviewer: Kay Ewbank


How can you find the security weaknesses in programming projects? This book takes you through a wide range of techniques and tools and shows how to automate their use.

The author of this book is Brandon Perry, well known for his book 'Wicked Cool Shell Scripts', and this book has the same balance of enthusiasm and knowledge. In most chapters, Perry shows how to use a particular type of attack on a site, user or machine, then shows how you can identify exactly where the weaknesses are, so you can defend against that attack type.

The book opens with a crash course in C# that illustrates most elements of the language, including advanced features such as anonymous methods and P/Invoke. If you know another programming language, this should be enough to let you use the rest of the book without problems. 

Having introduced the language, Perry moves straight on to the heart of the book with a chapter on fuzzing and exploiting XSS and SQL injection, showing how to write HTTP request fuzzers that look for XSS and SQL injection in a number of data types by using the HTTP library to communicate with web servers. The idea, as with other chapters, is that you can use the fuzzers to test sites that you're working on or have responsibility for, and see whether there are any obvious security holes. 

Chapter three is dedicated to fuzzing SOAP endpoints. Perry builds on the fuzzers of the previous chapter to create a fuzzer that retrieves and parses a SOAP WSDL to identify any SQL injections.

Perry then moves away from attacks based on HTTP to look at how payloads work and how you can test against them. As with other chapters, the explanation starts with how to create simple payloads over TCP and UDP, before moving on to see how to generate code in Metasploit to create cross-platform payloads.

Having shown you how to write software to expose exploits, the next few chapters look at how you can automate a variety of security scanners, starting with a chapter on automating Nessus to watch and report on scans of CIDR ranges. A chapter on automating Nexpose comes next, particularly useful as there's a free version of Nexpose. The third chapter in this set looks at automating OpenVAS, an open source scanner.

The next chapter of the book looks at using Cuckoo Sandbox, an open source sandbox that lets you run samples of malware in virtual machines so you can see what they do without risking your real machines. Cuckoo Sandbox has a REST API, and Perry shows how to use it via C# libraries.

A chapter on automating sqlmap is next, looking at how to use it to find and then verify HTTP parameters that are vulnerable to SQL injection, and how that can be used with the SOAP fuzzer developed earlier to automatically verify potential places for SQL injection attacks. 

ClamAV is the subject of the next chapter. This is an open source antivirus system that isn't written in a .NET language, and the chapter shows how you can still work with its core libraries, and how these techniques can be more widely applied.

While Metasploit was introduced in an earlier chapter, the next chapter is a more detailed look at how to automate it to report on shelled hosts. This is followed by a chapter showing how to automate Arachni, a black-box web application scanner.

The final two chapters look at decompiling and reversing managed assemblies, and how to read offline registry hives.
 
Overall, I found this book very readable, and the explanations of what the code does are excellent. If you're trying to test projects to see where the vulnerabilities lie so you can close down the holes, this is a highly recommended title.
 

Last Updated ( Tuesday, 06 March 2018 )
 
 

   
Copyright © 2018 i-programmer.info. All Rights Reserved.