|
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD | 
 enlarge | Authors: Mike Andrews, James A. Whittaker
Publisher: Addison-Wesley Professional
Category: Book
List Price: $34.99
Buy New: $20.53
You Save: $14.46 (41%)
New (35) Used (16) from $19.50
Rating:  11 reviews
Sales Rank: 41448
Media: Paperback
Pages: 240
Number Of Items: 1
Shipping Weight (lbs): 1.1
Dimensions (in): 9 x 6.9 x 0.7
ISBN: 0321369440
Dewey Decimal Number: 005.14
EAN: 9780321369444
Publication Date: February 12, 2006
Availability: Usually ships in 1-2 business days
Shipping: International shipping available
Condition: Absolutely Brand New & In Stock. 100% 30-Day Money Back. Direct from our warehouse. Ships by USPS. 1+ million customers served-In business since 1986. Happy Customers is Our #1 Goal. Toll Free Support
| |
| Similar Items:
|
| Customer Reviews: Read 6 more reviews...
 Technique after technique that really works May 20, 2006
Stephen Northcutt (Kauai, HI USA)
24 out of 26 found this review helpful
You can't really read a book like this. You read a few pages and prop the book up with a cookbook holder and start typing in the examples. There were a couple I could not duplicate, but almost everything worked as the authors said it would. Great book, or maybe it would be better to say, great tool!
The fun starts with chapter 2 and these folks do not spend a lot of time on reconnaisance. They know how to break web software and we start on that by chapter 3. I was a little sad in chapter 5, they did not really do SQL injection justice, but then they hit it again with stored procedures in chapter 7.
If there is a weakness to the book it might be chapter 9 and 10, the ending, but I still found both chapters informative.
Every large organization I know is building web applications and most of them are doing it badly. If you are a coder, a webmaster, or a manager of any of the above, buy a copy of this book for everyone on your team. I am going to do the same for my team right now.
Great professional "job insurance"... March 4, 2006
Thomas Duff (Portland, OR United States)
5 out of 11 found this review helpful
If you write external-facing web apps, just accept the fact that someone will try to hack them. The best you can do is to be aware of the different ways that web apps can be broken, and then use those techniques in your testing. Better you find them first before "they" do. I got a review copy of How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. Excellent book...
Contents: The Web Is Different; Gathering Information on the Web; Attacking the Client; State-Based Attacks; Attacking User-Supplied Input Data; Language-Based Attacks; Attacking the Server; Authentication; Privacy; Web Services; Fifty Years of Software: Key Principles for Quality; Flowershop Bugs; Tools; Index
Along with the general information on how web-based applications differ from client-based apps, the authors cover 24 specific attacks with detailed examples on how they work. For instance, I was aware of SQL Injection attacks, but they show an example in there that is a twist I hadn't seen before and that is downright scary. My guess is that there's a lot of data at risk by companies who don't have a clue. There's a CD in the back of the book that contains a number of the tools they use to do their vulnerability testing, and that's almost worth the price of the book alone. For instance, there's Brutus... a brute-force authentication tool. I had also never heard of HTTPrint, which is a tool that targets a server and uses a number of tests to "fingerprint" it and determine the operating system and other items of interest. If you're serious about testing your web applications and securing them against unintended use, then it's best you have these software gems at your disposal. You know the other side already does. Once you understand how your applications can be manipulated, you can become a much better developer by building in security at a foundational layer. For instance, don't trust your JavaScript client side editing routines to validate your data. That input can be changed and sent back to the server. Instead, have input validation both at the client *and* at the server to make sure no data manipulation or validation bypasses were used. Simple stuff like that can save you a ton of headaches and grief down the road.
With the cost of privacy lapses running into the millions for companies who fail in that area, you can't afford *not* to take the time to learn how to write and test secure applications. This may well be the best $35 you ever spent on your professional development. Consider it "job insurance" to avoid having to look for another job because your application ended up as a case study in some IT magazine...
Great advice for software developers June 29, 2007
Ben Rothke (USA)
15 out of 16 found this review helpful
If your company has a web site, there are many people waiting to attack it and break into it.
In How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, authors Mike Andrews and James Whittaker detail the myriad Web software exploits that attackers will attempt to carry out. The tools and techniques that can be used to fight against them are also detailed.
The book also includes a companion CD that contains all of the source code referenced in the book in addition to a number of testing tools. The authors include software code from an insecure Web site, which helps the reader get a real-world feel for the topics involved.
The authors conclude with a look at the last 50 years of software defects, showing that developers are not learning from the mistakes.
The authors are of the opinion that software quality is no better today than it was decades ago. And in some cases, it is worse.
The book helps drive home the importance of having developers think about writing secure code and testing it for flaws. It is a recommended read for IT professionals.
A rich and well-focussed yet accessible introduction to a wide-ranging subject April 12, 2006
Christos Partsenidis (Thessaloniki, Greece - www.Firewall.cx)
4 out of 7 found this review helpful
This is a focussed book with a single aim; to help you find and correct common vulnerabilities in web-based applications and website software.
Above all, this is a book to be used. The authors take a practical approach to each area of consideration, and the chapters are well structured to make it easy for you to get right to work.
For each area they provide an informative overview followed by discussion of the vulnerabilities including numerous code snippets, examples and screen shots. Though rich in detail the writing style keeps you engaged and the sensible structure (when to apply the attack, how to perform it and how to protect against it) makes it easy to grasp the key points.
There is no bias towards either Windows or Unix products on either the client or the server, and you won't need to be a scripting expert to put the authors' ideas into practice.
Chapter 1 explains the difference between web-based and traditional client-server systems and why a different approach is needed when testing. Subsequent chapters cover the vulnerabilities:
Gathering Information on the Target
Bypassing Client-Side Validation
State-Based Attacks
Including Hidden Fields, Cookie poisoning and Session Hijacking
Data Attacks
Including Cross-Site Scripting, SQL Injection and Directory Traversal
Language-Based Attacks
Including Buffer Overflows
Server Attacks
Including Stored Procedures, SQL Injection, Server Fingerprinting and Denial of Service
Authentication
Including Weak Cryptography and Cross-Site Tracing
Privacy
Including Caching, Cookies, Web Bugs, ActiveX Controls and Browser Help Objects
Web Services
Including WSDL and XML attacks
The book comes with an excellent companion CD containing a number of testing tools and a flawed website on which you can use the techniques you have learned to cement your knowledge. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.
All in all, a rich and well-focussed yet accessible introduction to a wide-ranging subject. If the security of web-based applications is your area, make room for this on your bookshelf.
Wow! April 13, 2007
Daniel S. Boucher (Portland, ME)
1 out of 3 found this review helpful
I've been programming for over 10 years and thought that I had encountered it all. Uh ya, I was wrong. I'm amazed that a person can work with something for so long and yet still miss simple things like URL jumping. This is a great 32,000 foot view of web security (not a how to hack book) and covers what you should know if you are a web developer. Even if you alredy "know it all" this is a great read and excellent reference for creating check lists on projects and threats they may be succeptable to.
|
|
|
| |
