How to Break Web Software: Functional and Security Testing of Web Applications and Web Services


Authors: Mike Andrews, James A. Whittaker

ISBN-10: 0321369440

ISBN-13: 9780321369444

Category: Security - Computer Networks

"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!" – Harry Robinson, Google.

Rigorously test and improve the security of all your Web software! It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find.

Coverage includes:
· Client vulnerabilities, including attacks on client-side validation
· State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking
· Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal
· Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks
· Server attacks: SQL injection with stored procedures, command injection, and server fingerprinting
· Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

Numerous times we've been asked when the next book in the How to Break... series will come out and what it's going to be about. The overwhelming request from our readers has been on the subject of Web applications. It seems many testers find they are working in this area and are facing the prospect of testing applications that employ the specialized protocols and languages that exist on the World Wide Web.

Although many of the tests from How to Break Software (Addison-Wesley, 2002) and How to Break Software Security (Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit as its predecessors, with a decided slant toward security issues in Web applications.

Before we go into what this book is all about, first let us tell you what it isn't all about. We are not trying to rewrite the Hacking Exposed books. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web application. Our focus is on how to test Web applications for common failures that can lead to such exploitation.

How to Break Web Software is a book written for software developers, testers, managers, and quality assurance professionals to help put the hackers out of business.

This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of one's adversary in order to counter them. But this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out.

This book isn't about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this, and each Web development platform has its own unique challenges that must be considered, which books like Innocent Code do so well. How to Break Web Software, however, does contain a lot of information about how not to architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming.

What this book is about is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authorization checks, as well as problems inherited from certain configurations/languages/architectures—all in a simple format that will show where to look for the problem, how to test for the problem, and advice on methods of mitigation. How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test Web-based applications for common problems.

Happy Web testing!

Mike Andrews, Orange County, California
James A. Whittaker, Melbourne, Florida

© Copyright Pearson Education. All rights reserved.

Table of contents:

Ch. 1: The Web is different (p. 1)
Ch. 2: Gathering information on the target (p. 11)
Ch. 3: Attacking the client (p. 29)
Ch. 4: State-based attacks (p. 41)
Ch. 5: Attacking user-supplied input data (p. 65)
Ch. 6: Language-based attacks (p. 85)
Ch. 7: Attacking the server (p. 99)
Ch. 8: Authentication (p. 115)
Ch. 9: Privacy (p. 135)
Ch. 10: Web services (p. 149)
App. A: Fifty years of software: key principles for quality (p. 159)
App. B: Flowershop bugs (p. 171)
App. C: Tools (p. 179)

From Barnes & Noble: The Barnes & Noble Review

Putting software on the Web is like leaving a baby in a shark tank. Before you expose your mission-critical Web application to the piranhas, you’d better systematically test its security. Now, thankfully, there’s help.

Readers who swore by How to Break Software and How to Break Software Security begged the authors to take on web software next. They’ve done so -- superbly. From buffer overflows to fake encryption, you’ll learn where to look, how to test, and above all, how to mitigate the problems you find.

Such as: Malicious user-supplied input. Client attacks against input controls and validation. Server attacks, such as SQL injection with stored procedures. State-based attacks, from poisoned cookies to hijacked sessions. Even web services attacks targeting flaws in WSDL and XPATH.

Do you really want to go live without running these tests? We didn’t think so.

Bill Camarda, from the March 2006 Read Only