How to Break Web Software: Functional and Security Testing of Web Applications and Web Services [Kindle Edition]

Mike Andrews (Author), James A. Whittaker (Author)

Editorial Reviews

Product Description

"The techniques in this book are not an option for testers—they are mandatory and these are the guys to tell you how to apply them!"
—HarryRobinson, Google.

 

Rigorously test and improve the security of all your Web software!

 

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

 

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

 

·   Client vulnerabilities, including attacks on client-side validation

·   State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

·   Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

·   Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

·   Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

·   Cryptography, privacy, and attacks on Web services

 

Your Web software is mission-critical—it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software—systematically.

From the Back Cover

"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
–HarryRobinson, Google.

 

Rigorously test and improve the security of all your Web software!

 

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

 

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

 

·   Client vulnerabilities, including attacks on client-side validation

·   State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

·   Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

·   Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

·   Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

·   Cryptography, privacy, and attacks on Web services

 

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

 

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

See all Editorial Reviews

Product Details

• Format: Kindle Edition
• File Size: 5596 KB
• Publisher: Addison-Wesley Professional; 1 edition (February 2, 2006)
• Sold by: Amazon Digital Services
• Language: English
• ASIN: B0028MBKCA
• Text-to-Speech: Enabled
• Average Customer Review: 4.4 out of 5 stars  See all reviews (15 customer reviews)
• Amazon Best Sellers Rank: #120,045 Paid in Kindle Store (See Top 100 Paid in Kindle Store)
  • #70 in Books > Computers & Technology > Programming > Software Design, Testing & Engineering > Testing

More About the Author

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

Most Helpful Customer Reviews

13 of 13 people found the following review helpful:

5.0 out of 5 stars Very informative. If you develop web software it's a must-read, August 3, 2006

By 

Jim Anderton (Portland, OR USA) - See all my reviews
(REAL NAME)   

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I've always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.

The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn't really considered before. I won't list them here because someone would undoubtedly say, "I can't believe he didn't know about that one!" The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.

Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn't know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.

This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do. :-)

11 of 11 people found the following review helpful:

4.0 out of 5 stars One of the best on the topic!, April 27, 2006

By 

Charles Hornat - www.infosecwriters.com (NY, USA) - See all my reviews

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

This is a hard topic to find good reading. Most books are usually targeted towards operating systems or malware specifically. However, from the first page, I knew this was something worthwhile. A key part to this book being so good is the format Mike and James use to present each topic thus providing something for attackers and security folks. It also could provide pen testers and auditors some good ammo to use as well.

The layout of the chapters starts with gathering information on targets. Then takes a step towards client side attacks, server side attacks, Language based attacks, Authentication, Privacy, and Web Services. They even throw in a chapter outlining the last 50 years or so of web software defects. Surprisingly, or not so surprisingly, we have not always learned from our mistakes.

The best part of the book however, is not the topic as much as it is the layout they use to demonstrate every vulnerability. They start with a topic, Buffer Overflows as an example. The authors describe what it is in a few paragraphs, then discuss when to apply this type of attack, then proceed in How to conduct this attack, and end with How to protect oneself from this attack. Each section is no more than a few paragraphs, ensuring that you do not loose focus on what's being discussed.

The authors also do a great job discussing the tools that one can use to test or perform each attack. Tools such as Nikto, Wikto, Paros and SSL Digger are discussed. When additional information is needed, they provide screenshots and output for one to learn from.

This book is a must for anyone in the role of Web Security, Auditing, or pen testing.

Pros

Good Tools, Excellent format, Easy to read

Cons

Perhaps more references for more information since the authors do not go into great detail; Advanced web security people may find it a bit elementary

13 of 15 people found the following review helpful:

5.0 out of 5 stars Technique after technique that really works, May 19, 2006

By 

Stephen Northcutt (Kauai, HI USA) - See all my reviews
(REAL NAME)   

Amazon Verified Purchase

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

You can't really read a book like this. You read a few pages and prop the book up with a cookbook holder and start typing in the examples. There were a couple I could not duplicate, but almost everything worked as the authors said it would. Great book, or maybe it would be better to say, great tool!

The fun starts with chapter 2 and these folks do not spend a lot of time on reconnaisance. They know how to break web software and we start on that by chapter 3. I was a little sad in chapter 5, they did not really do SQL injection justice, but then they hit it again with stored procedures in chapter 7.

If there is a weakness to the book it might be chapter 9 and 10, the ending, but I still found both chapters informative.

Every large organization I know is building web applications and most of them are doing it badly. If you are a coder, a webmaster, or a manager of any of the above, buy a copy of this book for everyone on your team. I am going to do the same for my team right now.