Start reading Web Security Testing Cookbook on the free Kindle Reading App or on your Kindle in under a minute. Don't have a Kindle? Get your Kindle here.

Deliver to your Kindle or other device

Enter a promotion code
or gift card

Try it free

Sample the beginning of this book for free

Deliver to your Kindle or other device

Sorry, this item is not available in
Image not available for
Image not available

To view this video download Flash Player


Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast [Kindle Edition]

Paco Hope , Ben Walther
4.3 out of 5 stars  See all reviews (11 customer reviews)

Digital List Price: $31.99 What's this?
Print List Price: $39.99
Kindle Price: $17.27
You Save: $22.72 (57%)

Free Kindle Reading App Anybody can read Kindle books—even without a Kindle device—with the FREE Kindle app for smartphones, tablets and computers.

To get the free app, enter your email address or mobile phone number.


Amazon Price New from Used from
Kindle Edition $17.27  
Paperback $27.50  
Shop the new
New! Introducing the, a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Book Description

Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite.

Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:

  • Obtain, install, and configure useful-and free-security testing tools
  • Understand how your application communicates with users, so you can better simulate attacks in your tests
  • Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
  • Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.

Editorial Reviews

Book Description

Systematic Techniques to Find Problems Fast

About the Author

Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.

Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.

Product Details

  • File Size: 2742 KB
  • Print Length: 314 pages
  • Simultaneous Device Usage: Unlimited
  • Publisher: O'Reilly Media; 1 edition (October 13, 2008)
  • Sold by: Amazon Digital Services, Inc.
  • Language: English
  • ASIN: B0026OR3FI
  • Text-to-Speech: Enabled
  • X-Ray:
  • Lending: Not Enabled
  • Amazon Best Sellers Rank: #608,367 Paid in Kindle Store (See Top 100 Paid in Kindle Store)
  •  Would you like to give feedback on images?.

Customer Reviews

Most Helpful Customer Reviews
20 of 20 people found the following review helpful
5.0 out of 5 stars Very useful for web application developers November 14, 2008
This book is about how web applications are tested with an emphasis on security. This book is aimed at web applications developers and testers, not security specialists. Developers who are responsible for writing unit tests for their components will appreciate the way that these tools can be focused on an individual page, feature, or form. Quality assurance professionals who must test whole web applications will be especially interested in the automation and development of test cases that can easily become parts of regression suites. The recipes in this book mainly use free tools, making them easy to try out and hopefully adopt.

The unfortunate problem with free tools in so many cases is lack documentation. This book fills that gap by showing you how to make good use of tools that you might have heard of that don't have good documentation on their application. Another barrier to effectively testing web applications with free tools is a general lack of knowledge about how the tools can be put together to perform good security tests. It's one thing to know that TamperData lets you bypass client-side checks. It's another thing to develop a good cross-site scripting test using TamperData. This book takes you beyond making good web application tests and helps you produce good security test cases.

The book divides material into three sections. The first section covers setting up tools and some of the basics concepts used to develop tests. The second section is about the different methods of bypassing client-side input validation via SQL injection, cross-site scripting, and manipulating hidden form fields. The third section is about the session, locating session identifiers, determining their predictability, and how to manipulate them.
Read more ›
Comment | 
Was this review helpful to you?
7 of 7 people found the following review helpful
5.0 out of 5 stars Excellent book for Web developers writing unit tests October 24, 2009
I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for developers, those books are more or less aimed at assessment professionals. WSTC, on the other hand, is directed squarely at Web developers. In fact, WSTC is specifically written for those who incorporate unit testing into their software development lifecycle. I believe anyone developing Web applications would benefit from reading WSTC.

I am not a Web developer, but I really enjoyed reading WSTC. The book is not very long compared to TWAHH and WSTC, but it is very clear and well-written. The test or "recipe" format is easy to read quickly, and it makes for disciplined writing on the part of the authors. I really liked the use of all open tools, in contrast with Hacking Exposed: Web 2.0 (HEW2), a competing book. WSTC is well-organized, building on previous material in a coherent manner suitable for those with less experience in unit testing for Web apps.

I'd like to give special praise to chapter 4, Web-Oriented Data Encoding. As a Network Security Monitoring practitioner, I often encounter Web traffic encoded using the very methods described in chapter 4. This section helped me understand what I see, so I recommend it to those who aren't Web developers but who do need to understand Web traffic on the wire. I felt the same way about chapter 7, which explains the intricacies of using cURL.

I have no complaints regarding WSTC. I think it defines a powerful methodology for approaching Web security, and other authors might want to consider emulating its approach. Great work!
Comment | 
Was this review helpful to you?
6 of 6 people found the following review helpful
5.0 out of 5 stars Truly Usefull book January 3, 2010
Format:Paperback|Verified Purchase
This is one of those few books on my bookshelf that I find myself returning to time and time again. My copy is marked, annotated, labeled, etc. so on and so forth. It is indispensable if you work in the industry and IMHO outshines the much larger tome "The Web Application Hackers Handbook". Of particular importance to Web Engineers is also Appendix E found in the book "Sockets, Shellcode, Porting & Coding".

Thanks again Paco, excellent book. Please let us know of the second edition as I will definitely pre-order without a doubt.
Comment | 
Was this review helpful to you?
4 of 4 people found the following review helpful
3.0 out of 5 stars not bad, but overrated September 23, 2011
Format:Paperback|Verified Purchase
I bought this book on the strength of other reviews, and I'm a bit disappointed. It's useful, but not worthy of 5 stars.

The book is structured like the other "Cookbook" titles from O'Reilly. Each chapter has a series of "recipes" that describe a problem, present a solution, and have some discussion about the issue. It's unclear exactly who the target audience is.

Some of the recipes are very basic -- this is good if you've got very little experience working with tools like curl or wget, but not worth much if you've seen these and know how to read the man pages for these tools to find the flag you're looking for. Recipes like these lead me to believe that the audience for the book includes people who are very new to web technologies.

Other recipes are meaty enough -- there are several recipes that have page-long perl or bash scripts to automate (for example) the hunt for XSS vulnerabilities.

But then again, I can't see how a rookie web tester can possibly get through the book without a lot of head scratching. While vulnerabilities like cross-site scripting (XSS) and SQL injection are mentioned frequently, they are never defined, and their mechanism of operation is never clearly laid out. This leads me to believe that the target audience is people with at least an intermediate-level understanding of what these attacks mean, how they are performed, and what happens behind the scenes.

I was disappointed to see a couple of serious errors after only browsing through the recipes for an hour or so. For example, on page 90 the authors state that on Unix/Linux systems, filenames can contain slashes. This is incorrect: slashes are the only non-NUL character *not* allowed in a Linux filename.
Read more ›
Was this review helpful to you?
Most Recent Customer Reviews
5.0 out of 5 stars Security is mine
Very good and impressive as I have this book, my own application and e-commerce of my own enterprise is successful.
Published 17 months ago by Costa
4.0 out of 5 stars good book but not for software developers
The title of the book should be 'Lockpicking for dummies'. This book is not dedicated to software developers. The writer stuck in the middle of simplicity and complexity. Read more
Published on August 28, 2012 by David S. James
4.0 out of 5 stars Ask Felgall - Book Review
This book has one very clear and practical focus - how to test web applications. It maintains that focus throughout the book giving practical information at every step along the... Read more
Published on December 12, 2011 by Stephen Chapman
1.0 out of 5 stars Old Book Sold As New
My copy of this book has every page turns yellowish or brownish like an old or used book. This is the first time that this happens to me. Read more
Published on August 1, 2011 by Henry Chin
5.0 out of 5 stars Unbelievably Usefull Book
With web security being the most important test you can perform for web applications, the Web Security Testing Cookbook shows how to check for the most common web security issues... Read more
Published on June 14, 2011 by Chris Foran
5.0 out of 5 stars Good Deal
The book was as advertised and its delivery was also on time. You can't beat that.
Published on February 21, 2009 by Olutoyin D. Oladipo
5.0 out of 5 stars A guide packed with scripts and insights
The WEB SECURITY TESTING COOKBOOK is a winning set of recipe tests to be performed on web applications to assure security standards are met, and cover the basics from observing... Read more
Published on January 16, 2009 by Midwest Book Review
Search Customer Reviews
Search these reviews only

More About the Authors

Discover books, learn about writers, read author blogs, and more.

What Other Items Do Customers Buy After Viewing This Item?


There are no discussions about this product yet.
Be the first to discuss this product with the community.
Start a new discussion
First post:
Prompts for sign-in

Look for Similar Items by Category