Book Review: Hacking Web Services

I recently heard Adam Vincent from Layer 7 Technologies speak at the NoVa OWASP chapter. He had a lot of good things to say on hacking web services. In particular, he mentioned a book by that title: Hacking Web Services. I’ve pretty much finished the book, and I’d rate it 2 out of 5 stars. The only thing stopping it from being a 1-star book is the fact that it fills a niche in a small market. Read on for the full review”

Pros

On the good side, the author (Shreeraj Shah) does a good job of establishing the foundations. He covers all the concepts, the alphabet soup (SOAP, WSDL,UDDI, etc.. There’s plenty of real, live XML in the text. Although it sometimes feels like fluff, most of the time I find it helpful. Since I’m pretty unfamiliar with this subject, it was handy to have some of the examples written out. I have to perform software assessments for a living, and sometimes I run across web services. I’m better armed for those services having read this book.

Cons

There’s a lot to be said that is negative about this book.

  • It’s very “hack” focused. Duh, that’s the title of the book. But at the same time, I don’t find it that useful to have yet another book that shows you how to break an application. What about fixing them? He has some suggestions there. I’ll get to that.
  • Everything is Microsoft and .NET focused. He makes mention of J2EE-based web services, and Perl and Python based scripts, but no significant part of the book is built on those things. If you’re totally Windows-centric, this book will be fine. If you’re on another platform, it’s up to you to adapt what you learn here.
  • He has a suite of tools that look to be really useful for monkeying around with web services. They’re written in .NET, but unfortunately, they’re closed-source. Even though lots of .NET apps run on MacOS and Linux under Mono and other emulations, he hasn’t released his tools that way. One tool is released in a “Linux” binary that runs under mono. What about the rest of us?
  • The text is poorly typeset. This isn’t a nit picking criticism. When you’re displaying lots of XML or .NET code, indentation is important. Some specifics:
    • Most of the XML is indented well when it shows up in the text, but if it has to wrap from one line to the next, the indentation is usually poor. The second line might begin right at the left margin.
    • The .NET code is almost always not indented at all. That is, everything is lined up on the left margin. That makes reading example code harder than necessary.
    • Some line breaks are just handled badly. In the chapter where he introduces HTTP headers, one of his example HTTP headers is too long to fit on a line, so it wraps to the next line. This, of course, is not what it really would look like.
  • He gets definitions and word usage wrong in a few places. For example, his definition of a web service is really awkward and needlessly complex. He calls hashing a value with SHA1 “encryption” in at least one place.
  • There’s a lot of motherhood-and-apple-pie security in here. It’s the same old tired advice like “developers need to code securely” (whatever that means) and “go build a threat model.” These are not new ideas, they’re not specific to web services, and they’re a waste of paper in this book. It’s not this book’s job to teach those things, so just don’t bother mentioning them in an impotent way.
  • His example code for using WSEsecurity (p.277, Chapter 11) is vulnerable to SQL injection, a hack he has been demonstrating over and over and over. This just goes to show how (a) it’s not easy to get it right, and (b) when authors focus on demonstrating one piece of functionality, they can overlook another. It’s just especially unfortunate in this book, since he’s theoretically telling you how to be more secure. Woe to the developer who simply copies and pastes this code and doesn’t realize the SQL injection error lurking in it.
  • Finally, there are lots of little places where it’s clear that the editors were asleep at the wheel. The author has written at least one other book, but his English is awkward sometimes. The good news is that, when trying to write this review, I actually had a tough time finding an example. I know I have read a few, but they don’t jump out at me.

So, the final analysis is: I like it as a starting point, but I found myself mentally noting a lot of flaws as I went. Since I’m not a Windows user, I also found it a lot less relevant than I had hoped. Web services are not .NET or Windows specific, but this book really is.