How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
Rigorously test and improve the security of all your Web software!
It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you're vulnerable, you'd better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.
In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You'll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes
- Client vulnerabilities, including attacks on client-side validation
- State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking
- Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal
- Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks
- Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting
- Cryptography, privacy, and attacks on Web services
Your Web software is mission-critical: it can't be compromised. Whether you're a developer, tester, QA specialist, or IT manager, this book will help you protect that software, systematically.
Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.
Review By: Sid Snook
07/09/2010
This third book in the "How to Break Software" series continues the pragmatic theme of experience-based testing partitioned into bug categories. Each bug category is then described with easily understandable detail, and specific attacks are described for each category. The “Brain on . . . eyes open . . . test!” philosophy of “How to Break Software” and "How to Break Software Security" is carried on in this book within a similar experiential framework structure of attacks.
The basic premise of the book is that “The Web is different. Understanding its background and subtleties will help you become more effective” (and a better Web tester). A basic Web application’s “fault model” is assumed to have three main components:
- A server that hosts the Web application
- A client that is provided Web pages
- A connecting network between the server and the client
Various aspects of these categories of bugs are then presented in a very organized, consistent, and logical method. In fact, one of the best aspects of this book is its logically consistent format. The twenty-four specific attacks included are partitioned into the following categories: Gathering Information on the Target, Attacking the Client, State-Based Attacks, Attacking User-Supplied Input Data, Language-Based Attacks, Attacking the Server, and Authentication. Each chapter then proceeds to describe in detail each bug category and several specific attacks, as well as applicable tools and examples of when to apply the attack, how to conduct the attack, and how to protect against the attack. Chapters nine and ten depart from the format of the previous chapters to deal specifically with the topics of privacy and Web services.
The CD provided with this book contains automated tools that are useful in understanding the book’s examples and applying the methods described therein. Also included is a bug-laden Web site application useful in reinforcing the knowledge and examples presented.
This is not a book to be read from cover to cover. To get the maximum understanding of the material, the reader needs to load the provided tools and step through the examples. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.
As I read through the chapters and took the time to understand some of the examples, I began to feel a growing confidence that I might be able to improve my testing abilities in the exceedingly complex and rapidly changing world of Web applications. An essential aspect of this book’s utility and high quality is the presentation. I felt like I was being armed with the knowledge to attempt to cause bugs, look for bugs, and test for the presence of bugs. I also felt that I was given some insight into preventative/corrective suggestions I might be able to give to developers when I find a particular category of bug in their Web applications. And the probability is now higher that I will find a few bugs I might not have found before reading this book.