Will Sargent reviewed Web Application Obfuscation by Mario Heiderich
Review of 'Web Application Obfuscation' on 'Storygraph'
3 stars
This isn't a bad book, but it's somewhat out of date, and suffers from the same problem that a number of security books have -- they go to great lengths to talk about attack, and very little time talking about effective defenses.
The usual suspects show up here: HTML, JavaScript (and VBScript!), CSS, PHP, SQL Injection, Web Application Firewalls and the client-side filters, and finally, a single chapter on Mitigation.
The mitigation chapter is great: it takes a serious and thoughtful look at what can be done to realistically limit possibly invalid input, and concludes that it's Hard. I wish that they had structured the entire book around defensive programming and gone more into safer markup languages like Markdown, but it's enough for three stars.
However, I wouldn't recommend this book to a programmer. It's a good eye-opener for people writing JavaScript and HTML who have never seen attacks, but I think if you were at all concerned about attacks, you wouldn't be using PHP or opening yourself to SQL injection attacks by handwriting your SQL in the first place.