The Barnes & Noble Review
Putting software on the Web is like leaving a baby in a shark tank. Before you expose your mission-critical Web application to the piranhas, you’d better systematically test its security. Now, thankfully, there’s help.
Readers who swore by How to Break Software and How to Break Software Security begged the authors to take on web software next. They’ve done so -- superbly. From buffer overflows to fake encryption, you’ll learn where to look, how to test, and above all, how to mitigate the problems you find.
Such as: Malicious user-supplied input. Client attacks against input controls and validation. Server attacks, such as SQL injection with stored procedures. State-based attacks, from poisoned cookies to hijacked sessions. Even web services attacks targeting flaws in WSDL and XPATH.
Do you really want to go live without running these tests? We didn’t think so. Bill Camarda, from the March 2006 Read Only
Read an Excerpt
Numerous times we've been asked when the next book in the How to Break... series will come out and what it's going to be about. The overwhelming request from our readers has been on the subject of Web applications. It seems many testers find they are working in this area and are facing the prospect of testing applications that employ the specialized protocols and languages that exist on the World Wide Web.
Although many of the tests from How to Break Software (Addison-Wesley, 2002) and How to Break Software Security (Addison-Wesley, 2003) are relevant in this environment, applications hosted on the Internet do suffer from some unique problems. This book tackles those problems in the same spirit as its predecessors, with a decided slant toward security issues in Web applications.
Before we go into what this book is all about, first let us tell you what it isn't all about. We are not trying to rewrite the Hacking Exposed books. Although there is an overlap of subject matter with the hacking literature, our intention is not to show how to exploit a Web server or Web application. Our focus is on how to test Web applications for common failures that can lead to such exploitation.
How to Break Web Software is a book written for software developers, testers, managers, and quality assurance professionals to help put the hackers out of business.
This focus necessarily means knowledge of hacker techniques is included in this book. After all, one needs to understand the techniques of their adversary in order to counter them. But, this book is about testing, not about exploitation. Our focus is to guide testers toward areas of the application that are prone to problems and methods of rooting them out.
This book isn't about creating a correct Web application architecture, nor is it about coding Web applications. There are other published opinions on this, and each Web development platform has its own unique challenges that must be considered, which books like Innocent Code cover so well. How to Break Web Software, however, does contain a lot of information about how not to architect and code a Web application. Thus, Web developers would be wise to consider it as part of their reference library on secure Web programming.
What this book is about is pointing the tester toward specific attacks to try on their application to test its defenses. We will be looking at classic examples of malicious input, ways of bypassing validation and authorization checks, as well as problems inherited from certain configurations/languages/architectures, all in a simple format that will show where to look for the problem, how to test for the problem, and advice on methods of mitigation. How to Break Web Software is intended as a one-stop shop for people to dip into to get information (and inspiration) to test Web-based applications for common problems.
Happy Web testing!
Mike Andrews, Orange County, California
James A. Whittaker, Melbourne, Florida
© Copyright Pearson Education. All rights reserved.