How to Break Web Software: Functional and Security Testing of Web Applications and Web Services

By:

Mike Andrews and James Whittaker

Published:

2006

Pages:

240

Book Description

Rigorously test and improve the security of all your Web software!

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you're vulnerable, you'd better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You'll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

Client vulnerabilities, including attacks on client-side validation
State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking
Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal
Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks
Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting
Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical–it can't be compromised. Whether you're a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

Member Reviews:

Review By: Sid Snook
07/09/2010

This third book in the "How to Break Software" series continues the pragmatic theme of experience-based testing partitioned into bug categories. Each bug category is then described with easily understandable detail, and specific attacks are described for each category. The “Brain on . . . eyes open . . . test!” philosophy of “How to Break Software” and "How to Break Software Security" is carried on in this book within a similar experiential framework structure of attacks.

The basic premise of the book is that “The Web is different. Understanding its background and subtleties will help you become more effective” (and a better Web tester). A basic Web application’s “fault model” is assumed to have three main components:

A server that hosts the Web application
A client that is provided Web pages
A connecting network between the server and the client

Various aspects of these categories of bugs are then presented in a very organized, consistent, and logical method. In fact, one of the best aspects of this book is its logically consistent format. The twenty-four included, specific attacks are partitioned into the following categories: Gathering Information on the Target, Attacking the Client, State-Based Attacks, Attacking User-Supplied Input Data, Language-Based Attacks, Attacking the Server, and Authentication. Each chapter then proceeds to describe in detail each bug category and several specific attacks, as well as applicable tools and examples of when to apply the attack, how to conduct the attack, and how to protect against the attack. Chapters nine and ten depart from the format of the previous chapters to deal specifically with the topics of privacy and Web services.

The CD provided with this book contains automated tools that are useful in understanding the book’s examples and applying the methods described therein. Also included is a bug-laden Web site application useful in re-enforcing the knowledge and examples presented.

This is not a book to be read from cover to cover. To get the maximum understanding of the material, the reader needs to load the provided tools and step through the examples. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.

As I read through the chapters and took the time to understand some of the examples, I began to feel a growing confidence that I might be able to improve my testing abilities in the exceedingly complex and rapidly changing world of Web applications. An essential aspect of this book’s utility and high quality is the presentation. I felt like I was being armed with the knowledge to attempt to cause bugs, look for bugs, and test for the presence of bugs. I also felt that I was given some insight into preventative/corrective suggestions I might be able to give to developers when I find a particular category of bug in their Web applications. And the probability is now higher that I will find a few bugs I might not have found before reading this book.

Upcoming Events

Sep 22	STARWEST Software Testing Conference in Anaheim & Online
Oct 13	Agile + DevOps USA The Conference for Agile and DevOps Professionals
Apr 27	STAREAST Software Testing Conference in Orlando & Online

Recommended Web Seminars

Sep 12	Maximizing Test Coverage at Every Stage of Your CI/CD Pipeline with Visual AI
On Demand	Building Confidence in Your Automation
On Demand	Leveraging Open Source Tools for DevSecOps
On Demand	Five Reasons Why Agile Isn't Working
On Demand	Building a Stellar Team

See All

Featured Resources

Introduction to Containers eGuide | TechWell

Scrum Master Essentials eGuide | TechWell

Test Automation eGuide | TechWell

Internet of Things eGuide | TechWell

Implementing Agile eGuide | TechWell

Visit Our Other Communities

Where configuration management and development professionals go for answers on SCM, ALM, change management, DevOps, tools and more.

The home for software testing and QA professionals—practical advice on test automation, test management, test techniques, and more.