- Print Length: 240 pages
- Publisher: Addison-Wesley Professional; 1 edition (February 2, 2006)
- Publication Date: February 2, 2006
- Language: English
- ASIN: B0028MBKCA
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services 1st Edition, Kindle Edition
Excerpt. © Reprinted by permission. All rights reserved.
Numerous times we've been asked when the next book in the How to Break... series will come out and what it's going to be about. The overwhelming request from our readers has been on the subject of Web applications. It seems many testers find they are working in this area and are facing the prospect of testing applications that employ the specialized protocols and languages that exist on the World Wide Web.
Although many of the tests from How to Break Software (Addison-Wesley, 2002) and How to Break Software Security (Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit as its predecessors, with a decided slant toward security issues in Web applications.
Before we go into what this book is all about, first let us tell you what it isn't all about. We are not trying to rewrite the Hacking Exposed books. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web application. Our focus is about how to test Web applications for common failures that can lead to such exploitation.
How to Break Web Software is a book written for software developers, testers, managers, and quality assurance professionals to help put the hackers out of business.
This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of their adversary in order to counter them. But, this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out.
This book isn't about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this and each Web development platform has its own unique challenges that must be considered, which books like Innocent Code do so well. How to Break Web Software, however, does contain a lot of information about how not to architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming.
What this book is about is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authorization checks, as well as problems inherited from certain configurations, languages, and architectures, all in a simple format that will show where to look for the problem, how to test for the problem, and advice on methods of mitigation. How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test Web-based applications for common problems.
Happy Web testing!
Mike Andrews, Orange County, California
James A. Whittaker, Melbourne, Florida
From the Inside Flap
"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
Rigorously test and improve the security of all your Web software!
It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.
In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes
· Client vulnerabilities, including attacks on client-side validation
· State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking
· Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal
· Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks
· Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting
· Cryptography, privacy, and attacks on Web services
Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.
Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.
The fun starts with chapter 2 and these folks do not spend a lot of time on reconnaissance. They know how to break web software and we start on that by chapter 3. I was a little sad in chapter 5, they did not really do SQL injection justice, but then they hit it again with stored procedures in chapter 7.
If there is a weakness to the book it might be chapters 9 and 10, the ending, but I still found both chapters informative.
Every large organization I know is building web applications and most of them are doing it badly. If you are a coder, a webmaster, or a manager of any of the above, buy a copy of this book for everyone on your team. I am going to do the same for my team right now.
I am interested in the subject and glancing through things, it looks like this is exactly what I need for my work.
Above all, this is a book to be used. The authors take a practical approach to each area of consideration, and the chapters are well structured to make it easy for you to get right to work.
For each area they provide an informative overview followed by discussion of the vulnerabilities including numerous code snippets, examples and screen shots. Though rich in detail the writing style keeps you engaged and the sensible structure (when to apply the attack, how to perform it and how to protect against it) makes it easy to grasp the key points.
There is no bias towards either Windows or Unix products on either the client or the server, and you won't need to be a scripting expert to put the authors' ideas into practice.
Chapter 1 explains the difference between web-based and traditional client-server systems and why a different approach is needed when testing. Subsequent chapters cover the vulnerabilities:
Gathering Information on the Target
Bypassing Client-Side Validation
Including Hidden Fields, Cookie poisoning and Session Hijacking
Including Cross-Site Scripting, SQL Injection and Directory Traversal
Including Buffer Overflows
Including Stored Procedures, SQL Injection, Server Fingerprinting and Denial of Service
Including Weak Cryptography and Cross-Site Tracing
Including Caching, Cookies, Web Bugs, ActiveX Controls and Browser Help Objects
Including WSDL and XML attacks
The book comes with an excellent companion CD containing a number of testing tools and a flawed website on which you can use the techniques you have learned to cement your knowledge. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.
All in all, a rich and well-focussed yet accessible introduction to a wide-ranging subject. If the security of web-based applications is your area, make room for this on your bookshelf.
From the limited amount of the book I have looked at I've noticed the odd sentence which seems to me to be imperfectly crafted and the odd typo which would require a human reader to pick up. I recall "polices" instead of "policies".
My main negative impression so far just relates to the combination of the design of the book, possibly the limitations of screen capture software, and the limitations of black and white printing at the resolution used.
I think it's fair to criticise at least one design choice. There are a small number of text boxes with backgrounds which make the text hard to read (e.g. on p7, pp39-40, pp50-51 ...). The background was totally within the control of the designer and would have been better left as plain white, instead of stippled grey-shaded.
There are examples of screen dumps in the book which are hard or impossible to read (e.g. on p24, p126 ...) but I can accept that the screens of some applications or websites may be hard, or impossible, to capture and print legibly in a book printed in black and white with this page size, and also accept that being able to read the screen dumps is probably unnecessary to understand the surrounding text.
I don't want to give the impression that the book is overloaded with screen dumps compared with text. It is not and I think the balance is about right. I give credit to the printers for at least rendering white text on black screens quite legibly, although a magnifying glass helps.
I trust the book's many positive reviews and trust that the textual content will be helpful to me.