Gray Hat C#

Author: Brandon Perry
Publisher: No Starch Press
Pages: 304
ISBN: 978-1593277598
Print: 1593277598
Kindle: B074LSP4H5
Audience: Developers interested in security
Rating: 5
Reviewer: Kay Ewbank

 

How can you find the security weaknesses in programming projects? This book takes you through a wide range of techniques and tools and shows how to automate their use.

The author of this book is Brandon Perry, well known for his book 'Wicked Cool Shell Scripts', and this book has the same balance of enthusiasm and knowledge. In most chapters, Perry shows how to use a particular type of attack on a site, user or machine, then shows how you can identify exactly where the weaknesses are, so you can defend against that attack type.

The book opens with a crash course in C# that illustrates most elements of the language, including advanced features such as anonymous methods and P/Invoke. If you know another programming language, this should be enough to let you use the rest of the book without problems. 

Having introduced the language, Perry moves straight on to the heart of the book with a chapter on fuzzing and exploiting XSS and SQL injection, showing how to write HTTP request fuzzers that look for XSS and SQL injection in a number of data types by using the HTTP library to communicate with web servers. The idea, as with other chapters, is that you can use the fuzzers to test sites that you're working on or have responsibility for, and see whether there are any obvious security holes. 

Chapter three is dedicated to fuzzing SOAP endpoints. Perry builds on the fuzzers of the previous chapter to create a fuzzer that retrieves and parses a SOAP WSDL to identify any SQL injections.

Perry then moves away from attacks based on HTTP to look at how payloads work and how you can test against them. As with other chapters, the explanation starts with how to create simple payloads over TCP and UDP, before moving on to see how to generate code in Metasploit to create cross-platform payloads.

 

 

Having shown you how to write software to expose exploits, the next few chapters look at how you can automate a variety of security scanners, starting with a chapter on automating Nessus to watch and report on scans of CIDR ranges. A chapter on automating Nexpose comes next, particularly useful as there's a free version of Nexpose. The third chapter in this set looks at automating OpenVAS, an open source scanner.

The next chapter of the book looks at using Cuckoo Sandbox, an open source sandbox that lets you run samples of malware in virtual machines so you can see what they do without risking your real machines. Cuckoo Sandbox has a REST API that Perry shows how to use via C# libraries.

A chapter on automating sqlmap is next, looking at how to use it to find and then verify HTTP parameters that are vulnerable to SQL injection, and how that can be used with the SOAP fuzzer developed earlier to automatically verify potential places for SQL injection attacks. 

ClamAV is the subject of the next chapter. This is an open source antivirus system that isn't written in a .NET language, and the chapter shows how you can still work with its core libraries, and how these techniques can be more widely applied.

While using Metasploit was introduced in an earlier chapter, the next chapter is a more detailed look at how to automate it to report on shelled hosts.  This is followed by a chapter showing how to automate Arachni, a black-box web application scanner. 

The final two chapters look at decompiling and reversing managed assemblies, and how to read offline registry hives.
 
Overall, I found this book very readable, and the explanations of what the code does are excellent. If you're trying to test projects to see where the vulnerabilities lie so you can close down the holes, this is a highly recommended title.
 


Last Updated ( Tuesday, 06 March 2018 )