- Paperback: 314 pages
- Publisher: O'Reilly Media; 1 edition (October 27, 2008)
- Language: English
- ISBN-10: 0596514832
- ISBN-13: 978-0596514839
- Product Dimensions: 7 x 0.9 x 9.2 inches
- Shipping Weight: 1.2 pounds (View shipping rates and policies)
- Average Customer Review: 12 customer reviews
- Amazon Best Sellers Rank: #1,368,964 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
"Neverworld Wake" by Marisha Pessl
Read the absorbing new psychological suspense thriller from acclaimed New York Times bestselling author Marisha Pessl. Pre-order today
Frequently bought together
What other items do customers buy after viewing this item?
Systematic Techniques to Find Problems Fast
About the Author
Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.
Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.
Top customer reviews
There was a problem filtering reviews right now. Please try again later.
The book is structured like the other "Cookbook" titles from O'Reilly. Each chapter has a series of "recipes" that describe a problem, present a solution, and have some discussion about the issue. It's unclear exactly who the target audience is.
Some of the recipes are very basic -- this is good if you've got very little experience working with tools like curl or wget, but not worth much if you've seen these and know how to read the man pages for these tools to find the flag you're looking for. Recipes like these lead me to believe that the audience for the book includes people who are very new to web technologies.
Other recipes are meaty enough -- there are several recipes that have page-long perl or bash scripts to automate (for example) the hunt for XSS vulnerabilities.
But then again, I can't see how a rookie web tester can possibly get through the book without a lot of head scratching. While vulnerabilities like cross-site scripting (XSS) and SQL injection are mentioned frequently, they are never defined, and their mechanism of operation is never clearly laid out. This leads me to believe that the target audience is people with at least an intermediate-level understanding of what these attacks mean, how they are performed, and what happens behind the scenes.
I was disappointed to see a couple of serious errors after only browsing through the recipes for an hour or so. For example, on page 90 the authors state that on Unix/Linux systems, filenames can contain slashes. This is incorrect: slashes are the only non-NUL character *not* allowed in a Linux filename. Verifying this fact only takes about two minutes of web searching.
Some recipes, like "5.8 Uploading Files with Malicious Names" are too shallow. They mention XSS and SQL injection, which are a concern. But they don't discuss directory traversal or code injection in any depth. There's a bear trap icon with a brief sidebar to hint at other possible problems, but this topic could have had another three or four recipes dedicated to it.
Some topics, like SQL Injection, are not sufficiently discussed. SQL injection, while an important web application security topic, is not covered directly by any particular recipe. It is mentioned in passing in a handful of other recipes, but it does not get the attention it deserves.
This *could* be a great book if they figured out the target audience a little better, got rid of the fluff recipes, got rid of some of the gratuitous (and useless) screen shots, and expanded the depth of coverage of some key topics. But it's not all bad -- it's relatively well structured, and I did learn a few new things. At $40 list price I'd pass, at the 40% or so discount on Amazon it's not a bad resource.
If you want to buy a better version of this book, see How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD. It's written with a similar formula, but is much better executed. (That text explains SQL injection in detail as well as how to perform SQL injection attacks, for example.)
Thanks again Paco, excellent book. Please let us know of the second edition as I will definitely pre-order without a doubt.
As for the book, you can easily recycle first 30% of book.
First chapter is dedicated for those who like 'show off' by using professional terms in conversations instead of doing their job (e.g. if one wants to impress his/her boss with his/her theoretical knowledge).
Second chapter contain just couple of useful words (yes, words not a paragraph): two names of hacker tools you may use for diagnostics purposes the rest will be repeated in 3rd chapter and in the rest of the book.
Third chapter explains each firefox addon separately. What was the reason of separating it, if you will learn that in next chapters on practical examples? :)
Fourth chapter will explain the basics, how to encode URL, what is base64 or hidden field. The one, who decided to become a tester, should have basic knowledge of software development, otherwise it is better to buy program and do automatic tests. I think you will be interested only by the part, which gives some idea about WebScarab tool, which will be used later.
As a conclusion: the book is good for beginner hackers.