How to Break Web Software and over 670,000 other books are available for Amazon Kindle � Amazon�s new wireless reading device. Learn more

Quantity:

Express Checkout with PayPhrase

What's this? | Create PayPhrase

More Buying Choices

52 used & new from $18.36

Have one to sell? Sell yours here

Get a $4.00 Amazon.com Gift Card

Share your own customer images

Search inside this book

Start reading How to Break Web Software on your Kindle in under a minute.

Don�t have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD [Paperback]

Mike Andrews (Author), James A. Whittaker (Author)

4.4 out of 5 stars See all reviews (12 customer reviews)

List Price:	$49.99
Price:	$31.49 & this item ships for FREE with Super Saver Shipping. Details
You Save:	$18.50 (37%)
	o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o

In Stock.
Ships from and sold by Amazon.com. Gift-wrap available.

Want it delivered Wednesday, September 8? Choose One-Day Shipping at checkout. Details

29 new from $19.99 23 used from $18.36

Formats	Amazon Price		New from	Used from
Kindle Edition Kindle Edition $17.59 Available for download now. Publisher: Addison-Wesley Professional Published: February 2, 2006	$17.59		--	--
Paperback Paperback $31.49 In Stock. Publisher: Addison-Wesley Professional Published: February 12, 2006	$31.49		$19.99	$18.36

Frequently Bought Together

Customers Who Bought This Item Also Bought

How to Break Software: A Practical Guide to Testing W/CD

by James A. Whittaker

3.9 out of 5 stars (20) $27.84

Testing Applications on the Web: Test Planning for Mobile and Internet-Based Systems, Second Edition

by Hung Q. Nguyen

4.7 out of 5 stars (6) $29.70

How to Break Software Security

by James A. Whittaker

4.0 out of 5 stars (7) $36.19

Exploratory Software Testing: Tips, Tricks, Tours, and Techniques to Guide Test Design

by James A. Whittaker

4.0 out of 5 stars (4) $31.19

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

by Dafydd Stuttard

4.9 out of 5 stars (16) $31.50

› Explore similar items

Editorial Reviews

Product Description

Since its early days as an information exchange tool limited to academe, researchers, and the military, the web has grown into a commerce engine that is now omnipresent in all facets of our lifes. More websites are created daily and more applications are developed to allow users to learn, research, and purchase online. As a result, web development is often rushed, which increases the risk of attacks from hackers. Furthermore, the need for secure applications has to be balanced with the need for usability, performance, and reliability. In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent and prepare for such attacks. They point out that methodical testing must include identifying threats and attack vectors to establish and then implement the appropriate testing techniques, manual or automated.

From the Back Cover

"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
–HarryRobinson, Google.

Rigorously test and improve the security of all your Web software!

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

· Client vulnerabilities, including attacks on client-side validation

· State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

· Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

· Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

· Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

· Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

See all Editorial Reviews

Product Details

Paperback: 240 pages
Publisher: Addison-Wesley Professional (February 12, 2006)
Language: English
ISBN-10: 0321369440
ISBN-13: 978-0321369444
Product Dimensions: 9 x 6.9 x 0.7 inches
Shipping Weight: 1.1 pounds (View shipping rates and policies)

Average Customer Review: 4.4 out of 5 stars See all reviews (12 customer reviews)

Amazon Bestsellers Rank: #96,087 in Books (See Top 100 in Books)

#41 in	Books > Computers & Internet > Certification Central > Security+
#50 in	Books > Computers & Internet > Security & Encryption > Encryption
#22 in	Books > Computers & Internet > Programming > Software Design, Testing & Engineering > Testing

Would you like to update product info or give feedback on images?

More About the Author

Discover books, learn about writers, read author blogs, and more.

› Visit Amazon's Mike Andrews Page

Inside This Book (learn more)

What Do Customers Ultimately Buy After Viewing This Item?

	74% buy the item featured on this page: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD by Mike Andrews Paperback 4.4 out of 5 stars (12) $31.49
	8% buy How to Break Software: A Practical Guide to Testing W/CD by James A. Whittaker Paperback 3.9 out of 5 stars (20) $27.84
	7% buy Testing Applications on the Web: Test Planning for Mobile and Internet-Based Systems, Second Edition by Hung Q. Nguyen Paperback 4.7 out of 5 stars (6) $29.70
	6% buy Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast by Paco Hope Paperback 5.0 out of 5 stars (5) $26.39

› Explore similar items

Tags Customers Associate with This Product

(What's this?)

Click on a tag to find related items, discussions, and people.

security testing(2)

internet(1)

network security(1)

software(1)

webtesting(1)

Agree with these tags?

Customer Reviews

12 Reviews

5 star:		(8)
4 star:		(2)
3 star:		(1)
2 star:		(1)
1 star:		(0)

Average Customer Review

4.4 out of 5 stars (12 customer reviews)

Share your thoughts with other customers:

Create your own review

Most Helpful Customer Reviews

10 of 10 people found the following review helpful:

5.0 out of 5 stars Very informative. If you develop web software it's a must-read, August 3, 2006

By	Jim Anderton (Portland, OR USA) - See all my reviews (REAL NAME)

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I've always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.

The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn't really considered before. I won't list them here because someone would undoubtedly say, "I can't believe he didn't know about that one!" The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.

Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn't know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.

This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do. :-)

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment

8 of 8 people found the following review helpful:

4.0 out of 5 stars One of the best on the topic!, April 27, 2006

By	Charles Hornat - www.infosecwriters.com (NY, USA) - See all my reviews

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

This is a hard topic to find good reading. Most books are usually targeted towards operating systems or malware specifically. However, from the first page, I knew this was something worthwhile. A key part to this book being so good is the format Mike and James use to present each topic thus providing something for attackers and security folks. It also could provide pen testers and auditors some good ammo to use as well.

The layout of the chapters starts with gathering information on targets. Then takes a step towards client side attacks, server side attacks, Language based attacks, Authentication, Privacy, and Web Services. They even throw in a chapter outlining the last 50 years or so of web software defects. Surprisingly, or not so surprisingly, we have not always learned from our mistakes.

The best part of the book however, is not the topic as much as it is the layout they use to demonstrate every vulnerability. They start with a topic, Buffer Overflows as an example. The authors describe what it is in a few paragraphs, then discuss when to apply this type of attack, then proceed in How to conduct this attack, and end with How to protect oneself from this attack. Each section is no more than a few paragraphs, ensuring that you do not loose focus on what's being discussed.

The authors also do a great job discussing the tools that one can use to test or perform each attack. Tools such as Nikto, Wikto, Paros and SSL Digger are discussed. When additional information is needed, they provide screenshots and output for one to learn from.

This book is a must for anyone in the role of Web Security, Auditing, or pen testing.

Pros
Good Tools, Excellent format, Easy to read

Cons
Perhaps more references for more information since the authors do not go into great detail; Advanced web security people may find it a bit elementary

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment

13 of 16 people found the following review helpful:

2.0 out of 5 stars Short on content with too much padding, May 17, 2007

By	Groovymarlin - See all my reviews

This review is from: How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD (Paperback)

I was disappointed in this book. The actual content was pretty thin, and not very well written. Chapter 1 is a complete waste of time, and actually spends pages explaining what client/server means, what the Web is, and other things that are patently obvious to the supposed audience for this material. I found myself turning to the front to see if this book was written in 1997! You then get nine fairly short chapters with instructions on how to hack a website, more or less; followed by 50 pages of useless padding in the appendices including: an unrelated article co-authored by Whittaker for the IEEE, a detailed list of all the bugs present in their "sample application," and then descriptions of their recommended tools, all of which can easily be found on the Web without paying $22 for this book.

As another reviewer mentioned, there are many typos and other problems like incorrect illustrations, making the reader wonder if Addison-Wesley even employs a copy editor. Furthermore, I felt this book was inaccurately named and described. It's really more about rudimentary hacking and protecting your web application against hackers than web quality or web testing. A beginning web developer might do well to read this as a primer on how to create sites and applications with basic security, but as an experienced tester it was of limited use to me.

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment (1)

Share your thoughts with other customers: Create your own review

› See all 12 customer reviews...

Most Recent Customer Reviews

5.0 out of 5 stars How to break web software
Very nice book, He covers topics that i never even thought of. Highly recommended

Published 21 months ago by Giftcard

5.0 out of 5 stars Great advice for software developers
If your company has a web site, there are many people waiting to attack it and break into it.

In How to Break Web Software: Functional and Security Testing of Web... Read more

Published on June 29, 2007 by Ben Rothke

5.0 out of 5 stars Wow!
I've been programming for over 10 years and thought that I had encountered it all. Uh ya, I was wrong. Read more

Published on April 12, 2007 by Daniel S. Boucher

5.0 out of 5 stars Fast international delivery
It was a good experience to purchase from Amazon and getting them delivered in India at my door-step. Order reached me ontime and is in good condition. Read more

Published on March 15, 2007 by S. Sharma

5.0 out of 5 stars Technique after technique that really works
You can't really read a book like this. You read a few pages and prop the book up with a cookbook holder and start typing in the examples. Read more

Published on May 19, 2006 by Stephen Northcutt

3.0 out of 5 stars Needs a good proofreader
This book is full of useful information couched in terms that even less technical
people could understand. However, it suffers from a barrage of typos. Read more

Published on May 11, 2006 by Mr. Richard A. Hagen

5.0 out of 5 stars A rich and well-focussed yet accessible introduction to a wide-ranging subject
This is a focussed book with a single aim; to help you find and correct common vulnerabilities in web-based applications and website software. Read more

Published on April 11, 2006 by Christos Partsenidis

4.0 out of 5 stars excellent overview of web attack vectors
Andrews and Whittaker describe to the Web programmer how your server side code can be vulnerable to attack across the Web. Read more

Published on March 17, 2006 by W Boudville

5.0 out of 5 stars Great professional "job insurance"...
If you write external-facing web apps, just accept the fact that someone will try to hack them. The best you can do is to be aware of the different ways that web apps can be... Read more

Published on March 3, 2006 by Thomas Duff

› See all 12 customer reviews...

.jsOffDisplayBlock { display: block; } .jsOffDisplayInline { display: inline; } .jsOffVisibility { visibility: visible; } .jsOnDisplayBlock { display: none; } .jsOnDisplayNoneBlock { display: block; } .jsOnDisplayNoneInline { display: inline; } .jsOnDisplayInline { display: none; } .jsOnVisibility { visibility: hidden; } .jqOnDisplayBlock { display: none; } .jqOnDisplayInline { display: none; } .jqOnVisibility { visibility: hidden; } .jqOnDisplayNoneBlock { display: block; } .jqOnDisplayNoneInline { display: inline; }

Customer Discussions

This product's forum

Discussion	Replies	Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight

Start a new discussion

Topic:

First post:

Receive e-mail when new posts are made

Prompts for sign-in

Guidelines

Active discussions in related forums

Discussion	Replies	Latest Post
textbook buyback Scam	4	22 minutes ago
textbook buyback is it safe to buy books from amazon?	211	2 hours ago
textbook buyback no refund for returned book	1	17 hours ago
textbook buyback Is it OK if your name is written inside the cover?	40	21 hours ago
software Choosing the right Security Software. Help?	25	2 days ago
software Good backup program (that actually works as it should)?	0	3 days ago
internet really great website	0	7 days ago