Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (Paperback)

by Paco Hope (Author), Ben Walther (Author)
Key Phrases: manipulating sessions, edit request, lockout functionality, Automating Specific Tasks, Discussion There, Internet Explorer (more...)

Editorial Reviews

Product Description
Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite. Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you: Obtain, install, and configure useful-and free-security testing tools Understand how your application communicates with users, so you can better simulate attacks in your tests Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.

About the Author
Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.

Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.

Product Details

• Paperback: 312 pages
• Publisher: O'Reilly Media, Inc.; 1 edition (October 28, 2008)
• Language: English
• ISBN-10: 0596514832
• ISBN-13: 978-0596514839
• Product Dimensions: 9.1 x 7 x 0.8 inches
• Shipping Weight: 14.9 ounces (View shipping rates and policies)
• Average Customer Review: 5.0 out of 5 stars See all reviews (3 customer reviews)
• Amazon.com Sales Rank: #167,818 in Books (See Bestsellers in Books)

  Popular in these categories: (What's this?)

  #33 in	Books > Computers & Internet > Microsoft > Web Browsers
  #46 in	Books > Computers & Internet > Home Computing > Internet > Web Browsers

Customer Reviews

Most Helpful Customer Reviews

9 of 9 people found the following review helpful:

5.0 out of 5 stars Very useful for web application developers, November 14, 2008

By	calvinnme "Texan refugee" (Fredericksburg, Va) - See all my reviews (TOP 10 REVIEWER)

This book is about how web applications are tested with an emphasis on security. This book is aimed at web applications developers and testers, not security specialists. Developers who are responsible for writing unit tests for their components will appreciate the way that these tools can be focused on an individual page, feature, or form. Quality assurance professionals who must test whole web applications will be especially interested in the automation and development of test cases that can easily become parts of regression suites. The recipes in this book mainly use free tools, making them easy to try out and hopefully adopt.

The unfortunate problem with free tools in so many cases is lack documentation. This book fills that gap by showing you how to make good use of tools that you might have heard of that don't have good documentation on their application. Another barrier to effectively testing web applications with free tools is a general lack of knowledge about how the tools can be put together to perform good security tests. It's one thing to know that TamperData lets you bypass client-side checks. It's another thing to develop a good cross-site scripting test using TamperData. This book takes you beyond making good web application tests and helps you produce good security test cases.

The book divides material into three sections. The first section covers setting up tools and some of the basics concepts used to develop tests. The second section is about the different methods of bypassing client-side input validation via SQL injection, cross-site scripting, and manipulating hidden form fields. The third section is about the session, locating session identifiers, determining their predictability, and how to manipulate them. Each major section begins with relatively simple tasks and gradually builds to more complex tasks. Thus the first recipes are simple exercises that show what happens behind the scenes in web applications. The final recipes put many building blocks together into complex tasks that can form the basis of major web application security tests. The following is a listing and synopsis of each chapter:

Chapter 1, A little terminology and some important testing concepts that are referred to throughout the book.

Chapter 2, Installing Some Free Tools, includes an entire toolbox of free tools you can make use of. Information on each tool includes some basic instructions on where to find it, install it, and get it running.

Chapter 3, Basic Observation, teaches you the basics of observing your web application and testing the functionality of the system.

Chapter 4, Web-Oriented Data Encoding, shows how to encode and decode data in the various ways that web applications use it. In addition to encoding and decoding, you need to be able to eyeball encoded data and have some idea how it has been encoded.

Chapter 5, Tampering with Input, discusses the most important basic technique: malicious input. Discusses how you get it into your application and how you look at what's happening in the browser and what it's sending to the web application.

Chapter 6, Automated Bulk Scanning, shows you how to spider your application to find input points and pages, as well as ways to conduct batch tests on some specialized applications.

Chapter 7, Automating Specific Tasks with Curl, shows you a very good tool for building automated tests: Curl. First a a few simple ways of submitting batches of tests are examined. Complexity gradually builds to more difficult tasks such as retaining state when you log in and manipulating cookies, and culminates in the task of logging in on eBay.

Chapter 8, Automating with LibPerl, is focused on Perl and its LWP library. This chapter contains a set of specific techniques that you can use with Perl and the LWP library to perform security tests. These include uploading viruses to your application, using very long filenames, and parsing the responses from your application. It ends with a script that can edit a Wikipedia page.

Chapter 9, Seeking Design Flaws, discusses the unintentional interactions in your web application and how you can reveal them with good security tests. The recipes in this chapter focus on ways you can enable tests with testing programs. Topics includes predictable identifiers, weak randomness, and repeatable transactions.

Chapter 10, Attacking AJAX, shows you a lot of the top web attacks and how you can execute them building on earlier techniques discussed in the book. This book doesn't have much on AJAX itself, so you may need an additional text on the subject.

Chapter 11, Manipulating Sessions, discusses how to get behind the scenes of AJAX and test it both manually and automatically. The recipes intercept client-side requests to test server-side logic and vice versa, testing the client-side code by manipulating the server's responses.

Chapter 12, Multifaceted Tests, the final chapter, focuses on sessions, session management, and how security tests can attack it. It gives you several recipes that show you how to find, analyze, and ultimately test the strength of session management.

1 of 6 people found the following review helpful:

5.0 out of 5 stars A guide packed with scripts and insights, January 16, 2009

By	Midwest Book Review (Oregon, WI USA) - See all my reviews

The WEB SECURITY TESTING COOKBOOK is a winning set of recipe tests to be performed on web applications to assure security standards are met, and cover the basics from observing messages between clients and servers to building original tests pinpointed at Ajax functions. Learn how to obtain, install and use free security testing tools and how to choose from many different methods in a guide packed with scripts and insights.

Diane C. Donovan
California Bookwatch

1 of 8 people found the following review helpful:

5.0 out of 5 stars Good Deal, February 21, 2009

By	Olutoyin D. Oladipo "Omolisabi" (Aurora, Colorado USA) - See all my reviews (REAL NAME)

The book was as advertised and its delivery was also on time. You can't beat that.