BN.com Gift Guide

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services

Other Format (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $9.38
Usually ships in 1-2 business days
(Save 82%)
Other sellers (Other Format)
  • All (18) from $9.38   
  • New (11) from $30.12   
  • Used (7) from $9.38   

Overview

"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
–HarryRobinson, Google.

Rigorously test and improve the security of all your Web software!

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

· Client vulnerabilities, including attacks on client-side validation

· State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

· Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

· Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

· Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

· Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

Read More Show Less

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Putting software on the Web is like leaving a baby in a shark tank. Before you expose your mission-critical Web application to the piranhas, you’d better systematically test its security. Now, thankfully, there’s help.

Readers who swore by How to Break Software and How to Break Software Security begged the authors to take on web software next. They’ve done so -- superbly. From buffer overflows to fake encryption, you’ll learn where to look, how to test, and above all, how to mitigate the problems you find.

Such as: Malicious user-supplied input. Client attacks against input controls and validation. Server attacks, such as SQL injection with stored procedures. State-based attacks, from poisoned cookies to hijacked sessions. Even web services attacks targeting flaws in WSDL and XPATH.

Do you really want to go live without running these tests? We didn’t think so. Bill Camarda, from the March 2006 Read Only

Read More Show Less

Product Details

  • ISBN-13: 9780321369444
  • Publisher: Addison-Wesley
  • Publication date: 2/10/2006
  • Pages: 240
  • Sales rank: 879,334
  • Product dimensions: 6.90 (w) x 9.00 (h) x 0.70 (d)

Meet the Author

Mike Andrews is a senior consultant at Foundstone who specializes in software security and leads the Web application security assessments and Ultimate Web Hacking classes. He brings with him a wealth of commercial and educational experience from both sides of the Atlantic and is a widely published author and speaker. Before joining Foundstone, Mike was a freelance consultant and developer of Web-based information systems, working with clients such as The Economist, the London transport authority, and various United Kingdom universities. In 2002, after being an instructor and researcher for a number of years, Mike joined the Florida Institute of Technology as an assistant professor, where he was responsible for research projects and independent security reviews for the Office of Naval Research, Air Force Research Labs, and Microsoft Corporation. Mike holds a Ph.D. in computer science from the University of Kent at Canterbury in the United Kingdom, where his focus was on debugging tools and programmer psychology.

James A. Whittaker is a professor of computer science at the Florida Institute of Technology (Florida Tech) and is founder of Security Innovation. In 1992, he earned his Ph.D. in computer science from the University of Tennessee. His research interests are software testing, software security, software vulnerability testing, and anticyber warfare technology. James is the author of How to Break Software (Addison-Wesley, 2002) and coauthor (with Hugh Thompson) of How to Break Software Security (Addison-Wesley, 2003), and over fifty peer-reviewed papers on software development and computer security. He holds patents on various inventions in software testing and defensive security applications and has attracted millions in funding, sponsorship, and license agreements while a professor at Florida Tech. He has also served as a testing and security consultant for Microsoft, IBM, Rational, and many other United States companies.

In 2001, James was appointed to Microsoft’s Trustworthy Computing Academic Advisory Board and was named a “Top Scholar” by the editors of the Journal of Systems and Software, based on his research publications in software engineering. His research team at Florida Tech is known for its testing technologies and tools, which include the highly acclaimed runtime fault injection tool Holodeck. His research group is also well known for their development of exploits against software security, including cracking encryption, passwords and infiltrating protected networks via novel attacks against software defenses.

Read More Show Less

Read an Excerpt

Numerous times we've been asked when the next book in the How to Break... series will come out and what it's going to be about. The overwhelming request from our readers has been on the subject of Web applications. It seems many testers find they are working in this area and are facing the prospect of testing applications that employ applications' specialized protocols and languages that exist on the World Wide Web.

Although many of the tests from How to Break Software (Addison-Wesley, 2002) and How to Break Software Security (Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit of its predecessors with a decided slant toward security issues in Web applications.

Before we go into what this book is all about, first let us tell you what it isn't all about. We are not trying to rewrite the Hacking Exposed books. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web application. Our focus is about how to test Web applications for common failures that can lead to such exploitation.

How to Break Web Software is a book written for software developers, testers, managers, and quality assurance professionals to help put the hackers out of business.

This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of their adversary in order to counter them. But, this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out.

This book isn't about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this and each Web development platform has its own unique challenges that must be considered, which books like Innocent Code do so well. How to Break Web Software, however, does contain a lot of information about how not to architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming.

What this book is about is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authorization checks, as well as problems inherited from certain configurations/languages/architectures—all in a simple format that will show where to look for the problem, how to test for the problem, and advice on methods of mitigation. How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test web-based applications for common problems.

Happy Web testing!

Mike Andrews, Orange County, California

James A. Whittaker, Melbourne, Florida

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Table of Contents

Preface vii

Acknowledgments ix

About the Authors xi

Chapter 1: The Web Is Different 1

Chapter 2: Gathering Information on the Target 11

Chapter 3: Attacking the Client 29

Chapter 4: State-Based Attacks 41

Chapter 5: Attacking User-Supplied Input Data 65

Chapter 6: Language-Based Attacks 85

Chapter 7: Attacking the Server 99

Chapter 8: Authentication 115

Chapter 9: Privacy 135

Chapter 10: Web Services 149

Appendix A: Fifty Years of Software: Key Principles for Quality 159

Appendix B: Flowershop Bugs 171

Appendix C: Tools 179

Index 207

Read More Show Less

Preface

Numerous times we've been asked when the next book in the How to Break... series will come out and what it's going to be about. The overwhelming request from our readers has been on the subject of Web applications. It seems many testers find they are working in this area and are facing the prospect of testing applications that employ applications' specialized protocols and languages that exist on the World Wide Web.

Although many of the tests from How to Break Software (Addison-Wesley, 2002) and How to Break Software Security (Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit of its predecessors with a decided slant toward security issues in Web applications.

Before we go into what this book is all about, first let us tell you what it isn't all about. We are not trying to rewrite the Hacking Exposed books. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web application. Our focus is about how to test Web applications for common failures that can lead to such exploitation.

How to Break Web Software is a book written for software developers, testers, managers, and quality assurance professionals to help put the hackers out of business.

This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of their adversary in order to counter them. But, this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out.

This book isn't about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this and each Web development platform has its own unique challenges that must be considered, which books like Innocent Code do so well. How to Break Web Software, however, does contain a lot of information about how not to architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming.

What this book is about is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authorization checks, as well as problems inherited from certain configurations/languages/architectures—all in a simple format that will show where to look for the problem, how to test for the problem, and advice on methods of mitigation. How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test web-based applications for common problems.

Happy Web testing!

Mike Andrews, Orange County, California

James A. Whittaker, Melbourne, Florida

© Copyright Pearson Education. All rights reserved.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing all of 3 Customer Reviews
  • Anonymous

    Posted March 17, 2006

    excellent overview of web attack vectors

    Andrews and Whittaker describe to the Web programmer how your server side code can be vulnerable to attack across the Web. Web software has a server side and a client [or browser] side. These days, the browser code can be more than just passive HTML. It might have scripts, written in various scripting languages, typically JavaScript. The most common problem is that a cracker can get full access to your browser code. So while you might embed various tests on user input, or pass various parameters in the URL or forms, these can be read and usually altered. From which flows such attacks as buffer overflow, SQL injection and cross site scripting [XSS]. All of which means that the real tests must be done on your server, even if this means replicating tests already done in your browser code. The merit of this book is in how it provides a good level of introductory detail across the various attack vectors. While the topics discussed by the book can often be described in more detail elsewhere, if you need the extra information. For example, on buffer overflows, see 'Buffer Overflow Attacks' by Foster et al. While for defending against SQL injection, there is 'Guarding Your Website Against SQL Injection' by Breidenbach. Or, on the subject of using a Web server, Apache is the most common choice. Thus you can confer with 'Preventing Web Attacks with Apache' by Barnett, which just came out a few weeks ago. The latter book is a good complement to this one. The only quibble I have with 'How to Break Web Software' is in one sentence - 'Phishing is a scam that only diligence and the law will wipe out'. It says that no technical solution is possible. I disagree. I am the co-inventor of several antiphishing US Patent Pending methods, that will publish soon at uspto.gov. We believe these to be seminal, and furnish such a technical solution. We actually like this book and its quote, given that it was published in February 2006, and our first Provisionals were filed in September and October 2004. The text is one of several that reflects the state of the art after our submissions, and before they were publicly disclosed.

    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted October 24, 2008

    No text was provided for this review.

  • Anonymous

    Posted April 28, 2010

    No text was provided for this review.

Sort by: Showing all of 3 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)