Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite. Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you: Obtain, install, and configure useful-and free-security testing tools Understand how your application communicates with users, so you can better simulate attacks in your tests Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests
Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.
Review By: Gena O'Flaherty 12/07/2009Have you ever worked with someone called the "go-to" person who had the type of knowledge that only comes from years of experience? Usually, this person is always willing to teach you the little nuances about a tool or technology. This book is like having that person at your fingertips. The book is a goldmine of information on how to test for a variety of security threats as well as simple and brief summaries on tools and technologies. As I was reading, I found myself putting sticky tabs on pages so I could quickly reference them in the future. The authors filled the book with so many real life problems and how-to's that I had to stop using the sticky tabs because I would have put them on nearly every page!
The material is presented in an organized and straightforward manner. Each example test is broken up into three parts: the problem the test addresses, how to test the problem and what tool(s) to use, and a discussion that provides more general details on the test.
The depth and range of the tests are considerable for such a small book, assuming the tester has some level of testing experience and computer savvy. Through the book, the authors help testers prepare and install different tools. The authors' instruction on installation and use of an intelligent array of testing tools is presented with the right amount of technical acumen. Each tool description explains what the tool is best capable of doing.
Where more information would be helpful to understand a tool or concept, the authors provide external references that provide such information. It was interesting to learn that all industry-standard virus scanners use the same harmless test file during their testing and that this file is available to the tester for downloading.
I particularly like how many different tools are discussed and used in the recipes, many of which I learned about from reading this book. While setup of these tools can take some time to complete, it is well worth the effort when used in conjunction with the test recipes in this book.