"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
–HarryRobinson, Google.

Rigorously test and improve the security of all your Web software!

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

·   Client vulnerabilities, including attacks on client-side validation

·   State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

·   Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

·   Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

·   Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

·   Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating:  Based on 12 Ratings

Short on content with too much padding - 2007-05-17
Reviewer Rating:
I was disappointed in this book. The actual content was pretty thin, and not very well written. Chapter 1 is a complete waste of time, and actually spends pages explaining what client/server means, what the Web is, and other things that are patently obvious to the supposed audience for this material. I found myself turning to the front to see if this book was written in 1997! You then get nine fairly short chapters with instructions on how to hack a website, more or less; followed by 50 pages of useless padding in the appendices including: an unrelated article co-authored by Whittaker for the IEEE, a detailed list of all the bugs present in their "sample application," and then descriptions of their recommended tools, all of which can easily be found on the Web without paying $22 for this book.

As another reviewer mentioned, there are many typos and other problems like incorrect illustrations, making the reader wonder if Addison-Wesley even employs a copy editor. Furthermore, I felt this book was inaccurately named and described. It's really more about rudimentary hacking and protecting your web application against hackers than web quality or web testing. A beginning web developer might do well to read this as a primer on how to create sites and applications with basic security, but as an experienced tester it was of limited use to me.

Wow! - 2007-04-13
Reviewer Rating:
I've been programming for over 10 years and thought that I had encountered it all. Uh ya, I was wrong. I'm amazed that a person can work with something for so long and yet still miss simple things like URL jumping. This is a great 32,000 foot view of web security (not a how to hack book) and covers what you should know if you are a web developer. Even if you alredy "know it all" this is a great read and excellent reference for creating check lists on projects and threats they may be succeptable to.

Great advice for software developers - 2007-06-29
Reviewer Rating:
If your company has a web site, there are many people waiting to attack it and break into it.

In How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, authors Mike Andrews and James Whittaker detail the myriad Web software exploits that attackers will attempt to carry out. The tools and techniques that can be used to fight against them are also detailed.

The book also includes a companion CD that contains all of the source code referenced in the book in addition to a number of testing tools. The authors include software code from an insecure Web site, which helps the reader get a real-world feel for the topics involved.

The authors conclude with a look at the last 50 years of software defects, showing that developers are not learning from the mistakes.

The authors are of the opinion that software quality is no better today than it was decades ago. And in some cases, it is worse.

The book helps drive home the importance of having developers think about writing secure code and testing it for flaws. It is a recommended read for IT professionals.

How to break web software - 2008-12-07
Reviewer Rating:
Very nice book, He covers topics that i never even thought of. Highly recommended

Fast international delivery - 2007-03-15
Reviewer Rating:
It was a good experience to purchase from Amazon and getting them delivered in India at my door-step. Order reached me ontime and is in good condition.

Thanks,
Samta

Browse Similar Topics

Top Level Categories:
Internet/Online
Software Engineering

Sub-Categories:
Internet/Online > Security
Software Engineering > Security and Cryptography