Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

( 3 )


Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite....

See more details below
BN.com price
(Save 23%)$39.99 List Price

Pick Up In Store

Reserve and pick up in 60 minutes at your local store

Other sellers (Paperback)
  • All (20) from $5.25   
  • New (8) from $17.00   
  • Used (12) from $5.25   
Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
BN.com price
(Save 43%)$31.99 List Price


Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite.

Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:

  • Obtain, install, and configure useful-and free-security testing tools
  • Understand how your application communicates with users, so you can better simulate attacks in your tests
  • Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
  • Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.

Read More Show Less

Product Details

  • ISBN-13: 9780596514839
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 10/24/2008
  • Edition number: 1
  • Pages: 314
  • Sales rank: 1,496,541
  • Product dimensions: 6.90 (w) x 9.10 (h) x 0.90 (d)

Meet the Author

Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.

Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.

Read More Show Less

Table of Contents

Who This Book Is For;
Leveraging Free Tools;
About the Cover;
Conventions Used in This Book;
Using Code Examples;
Safari® Books Online;
Comments and Questions;
Chapter 1: Introduction;
1.1 What Is Security Testing?;
1.2 What Are Web Applications?;
1.3 Web Application Fundamentals;
1.4 Web App Security Testing;
1.5 It’s About the How;
Chapter 2: Installing Some Free Tools;
2.1 Installing Firefox;
2.2 Installing Firefox Extensions;
2.3 Installing Firebug;
2.4 Installing OWASP’s WebScarab;
2.5 Installing Perl and Packages on Windows;
2.6 Installing Perl and Using CPAN on Linux, Unix, or OS X;
2.7 Installing CAL9000;
2.8 Installing the ViewState Decoder;
2.9 Installing cURL;
2.10 Installing Pornzilla;
2.11 Installing Cygwin;
2.12 Installing Nikto 2;
2.13 Installing Burp Suite;
2.14 Installing Apache HTTP Server;
Chapter 3: Basic Observation;
3.1 Viewing a Page’s HTML Source;
3.2 Viewing the Source, Advanced;
3.3 Observing Live Request Headers with Firebug;
3.4 Observing Live Post Data with WebScarab;
3.5 Seeing Hidden Form Fields;
3.6 Observing Live Response Headers with TamperData;
3.7 Highlighting JavaScript and Comments;
3.8 Detecting JavaScript Events;
3.9 Modifying Specific Element Attributes;
3.10 Track Element Attributes Dynamically;
3.11 Conclusion;
Chapter 4: Web-Oriented Data Encoding;
4.1 Recognizing Binary Data Representations;
4.2 Working with Base 64;
4.3 Converting Base-36 Numbers in a Web Page;
4.4 Working with Base 36 in Perl;
4.5 Working with URL-Encoded Data;
4.6 Working with HTML Entity Data;
4.7 Calculating Hashes;
4.8 Recognizing Time Formats;
4.9 Encoding Time Values Programmatically;
4.10 Decoding ASP.NET’s ViewState;
4.11 Decoding Multiple Encodings;
Chapter 5: Tampering with Input;
5.1 Intercepting and Modifying POST Requests;
5.2 Bypassing Input Limits;
5.3 Tampering with the URL;
5.4 Automating URL Tampering;
5.5 Testing URL-Length Handling;
5.6 Editing Cookies;
5.7 Falsifying Browser Header Information;
5.8 Uploading Files with Malicious Names;
5.9 Uploading Large Files;
5.10 Uploading Malicious XML Entity Files;
5.11 Uploading Malicious XML Structure;
5.12 Uploading Malicious ZIP Files;
5.13 Uploading Sample Virus Files;
5.14 Bypassing User-Interface Restrictions;
Chapter 6: Automated Bulk Scanning;
6.1 Spidering a Website with WebScarab;
6.2 Turning Spider Results into an Inventory;
6.3 Reducing the URLs to Test;
6.4 Using a Spreadsheet to Pare Down the List;
6.5 Mirroring a Website with LWP;
6.6 Mirroring a Website with wget;
6.7 Mirroring a Specific Inventory with wget;
6.8 Scanning a Website with Nikto;
6.9 Interpretting Nikto’s Results;
6.10 Scan an HTTPS Site with Nikto;
6.11 Using Nikto with Authentication;
6.12 Start Nikto at a Specific Starting Point;
6.13 Using a Specific Session Cookie with Nikto;
6.14 Testing Web Services with WSFuzzer;
6.15 Interpreting WSFuzzer’s Results;
Chapter 7: Automating Specific Tasks with cURL;
7.1 Fetching a Page with cURL;
7.2 Fetching Many Variations on a URL;
7.3 Following Redirects Automatically;
7.4 Checking for Cross-Site Scripting with cURL;
7.5 Checking for Directory Traversal with cURL;
7.6 Impersonating a Specific Kind of Web Browser or Device;
7.7 Interactively Impersonating Another Device;
7.8 Imitating a Search Engine with cURL;
7.9 Faking Workflow by Forging Referer Headers;
7.10 Fetching Only the HTTP Headers;
7.11 POSTing with cURL;
7.12 Maintaining Session State;
7.13 Manipulating Cookies;
7.14 Uploading a File with cURL;
7.15 Building a Multistage Test Case;
7.16 Conclusion;
Chapter 8: Automating with LibWWWPerl;
8.1 Writing a Basic Perl Script to Fetch a Page;
8.2 Programmatically Changing Parameters;
8.3 Simulating Form Input with POST;
8.4 Capturing and Storing Cookies;
8.5 Checking Session Expiration;
8.6 Testing Session Fixation;
8.7 Sending Malicious Cookie Values;
8.8 Uploading Malicious File Contents;
8.9 Uploading Files with Malicious Names;
8.10 Uploading Viruses to Applications;
8.11 Parsing for a Received Value with Perl;
8.12 Editing a Page Programmatically;
8.13 Using Threading for Performance;
Chapter 9: Seeking Design Flaws;
9.1 Bypassing Required Navigation;
9.2 Attempting Privileged Operations;
9.3 Abusing Password Recovery;
9.4 Abusing Predictable Identifiers;
9.5 Predicting Credentials;
9.6 Finding Random Numbers in Your Application;
9.7 Testing Random Numbers;
9.8 Abusing Repeatability;
9.9 Abusing High-Load Actions;
9.10 Abusing Restrictive Functionality;
9.11 Abusing Race Conditions;
Chapter 10: Attacking AJAX;
10.1 Observing Live AJAX Requests;
10.2 Identifying JavaScript in Applications;
10.3 Tracing AJAX Activity Back to Its Source;
10.4 Intercepting and Modifying AJAX Requests;
10.5 Intercepting and Modifying Server Responses;
10.6 Subverting AJAX with Injected Data;
10.7 Subverting AJAX with Injected XML;
10.8 Subverting AJAX with Injected JSON;
10.9 Disrupting Client State;
10.10 Checking for Cross-Domain Access;
10.11 Reading Private Data via JSON Hijacking;
Chapter 11: Manipulating Sessions;
11.1 Finding Session Identifiers in Cookies;
11.2 Finding Session Identifiers in Requests;
11.3 Finding Authorization Headers;
11.4 Analyzing Session ID Expiration;
11.5 Analyzing Session Identifiers with Burp;
11.6 Analyzing Session Randomness with WebScarab;
11.7 Changing Sessions to Evade Restrictions;
11.8 Impersonating Another User;
11.9 Fixing Sessions;
11.10 Testing for Cross-Site Request Forgery;
Chapter 12: Multifaceted Tests;
12.1 Stealing Cookies Using XSS;
12.2 Creating Overlays Using XSS;
12.3 Making HTTP Requests Using XSS;
12.4 Attempting DOM-Based XSS Interactively;
12.5 Bypassing Field Length Restrictions (XSS);
12.6 Attempting Cross-Site Tracing Interactively;
12.7 Modifying Host Headers;
12.8 Brute-Force Guessing Usernames and Passwords;
12.9 Attempting PHP Include File Injection Interactively;
12.10 Creating Decompression Bombs;
12.11 Attempting Command Injection Interactively;
12.12 Attempting Command Injection Systematically;
12.13 Attempting XPath Injection Interactively;
12.14 Attempting Server-Side Includes (SSI) Injection Interactively;
12.15 Attempting Server-Side Includes (SSI) Injection Systematically;
12.16 Attempting LDAP Injection Interactively;
12.17 Attempting Log Injection Interactively;

Read More Show Less

Customer Reviews

Average Rating 4.5
( 3 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing all of 3 Customer Reviews
  • Anonymous

    Posted January 25, 2015



    Was this review helpful? Yes  No   Report this review
  • Anonymous

    Posted January 9, 2015

    1st alive thing in grave

    My fish Charles died a few days ago. He means a lot to me because I have had him for 4 years. He is a male Chinese Fighter Fish. *starts to cri* "Good bye little one" PetLover#101

    Was this review helpful? Yes  No   Report this review
  • Posted September 29, 2011

    more from this reviewer

    good introductio

    it is a good introduction to the way to test security in your web, or to learn how to protect your system.

    0 out of 1 people found this review helpful.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing all of 3 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)