Authors: Paco Hope, Ben Walther
Pages: 312
Publisher: O'Reilly
ISBN: 0596514832


Introduction
Buying furniture on eBay, selling childhood ZX Spectrum cassette tapes, doing online banking: every service we use is powered by a web application that has to be robust. With all that interaction with users, there are a number of ways these apps can go wrong. "Web Security Testing Cookbook" is one of the latest books to help developers spark some ideas on breaking, and therefore fixing, their web applications.
About the authors
Paco Hope is a Technical Manager at Cigital and co-author of Mastering FreeBSD and OpenBSD Security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.
Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Mr. Walther has a B.S. in Information Science from Cornell University.
Inside the book
The book runs to just over 250 pages and contains around 150 recipes focusing on various aspects of web application hacking. Almost right after the introduction, you will understand the scope of practical information you will get out of this book. If you are not a pro in web application security assessment, most of the freeware tools the authors discuss early on will change the way you test your software. Out of all the tools mentioned, you may be amazed by how powerful Mozilla Firefox and its plugins are for doing all the grunt work.
Before an amusing chapter on different ways of tampering with various input mechanisms, the authors provide an easy-to-follow tutorial on the data encodings commonly used by web applications. They show readers how to identify which encoding is in use, and how to apply that knowledge when assessing applications.
cURL is a popular command-line tool for transferring data with URL syntax. The software is free and runs on a wide variety of operating systems, which makes it a perfect tool for the diverse duties of a security-aware developer. Here you will learn how to make cURL perform cross-site scripting and directory traversal checks, manipulate cookies, impersonate other web clients, and more. The next chapter has a similar structure, but the focus is on Perl. As you probably already know, Perl is very handy for any kind of "communication" with web interfaces, and there are 13 Perl-specific recipes to enjoy.
The book ends with a couple of chapters on attacking AJAX, manipulating sessions, and putting your newly acquired knowledge to use in building more advanced web application testing methods.
Final thoughts
With the ongoing evolution of the World Wide Web, the importance of having stable and secure web applications is at an all-time high. Aimed at web developers and software testers, this cookbook provides a wealth of ideas for mangling web applications, the hands-on way.