How to Break Web Software and over 2 million other books are available for Amazon Kindle . Learn more


or
Sign in to turn on 1-Click ordering.
Trade in Yours
For a 5.00 Gift Card
Trade in
More Buying Choices
Have one to sell? Sell yours here
Sorry, this item is not available in
Image not available for
Colour:
Image not available

 
Start reading How to Break Web Software on your Kindle in under a minute.

Don't have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services [Paperback]

Mike Andrews , James A. Whittaker
4.5 out of 5 stars  See all reviews (4 customer reviews)
Price: 34.99 & FREE Delivery in the UK. Details
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o
Only 5 left in stock (more on the way).
Dispatched from and sold by Amazon. Gift-wrap available.
Want it Wednesday, 23 April? Choose Express delivery at checkout. Details

Formats

Amazon Price New from Used from
Kindle Edition 14.87  
Paperback 34.99  
Trade In this Item for up to 5.00
Trade in How to Break Web Software: Functional and Security Testing of Web Applications and Web Services for an Amazon.co.uk gift card of up to 5.00, which you can then spend on millions of items across the site. Trade-in values may vary (terms apply). Learn more

Book Description

2 Feb 2006 0321369440 978-0321369444 1
Since its early days as an information exchange tool limited to academe, researchers, and the military, the web has grown into a commerce engine that is now omnipresent in all facets of our lifes. More websites are created daily and more applications are developed to allow users to learn, research, and purchase online. As a result, web development is often rushed, which increases the risk of attacks from hackers. Furthermore, the need for secure applications has to be balanced with the need for usability, performance, and reliability. In this book, Whittaker and Andrews demonstrate how rigorous web testing can help prevent and prepare for such attacks. They point out that methodical testing must include identifying threats and attack vectors to establish and then implement the appropriate testing techniques, manual or automated.

Frequently Bought Together

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services + How Google Tests Software + Agile Testing: A Practical Guide for Testers and Agile Teams (Addison-Wesley Signature)
Price For All Three: 91.98

Buy the selected items together


Product details

  • Paperback: 240 pages
  • Publisher: Addison Wesley; 1 edition (2 Feb 2006)
  • Language: English
  • ISBN-10: 0321369440
  • ISBN-13: 978-0321369444
  • Product Dimensions: 23.8 x 17.4 x 1.6 cm
  • Average Customer Review: 4.5 out of 5 stars  See all reviews (4 customer reviews)
  • Amazon Bestsellers Rank: 408,559 in Books (See Top 100 in Books)
  • See Complete Table of Contents

More About the Author

Discover books, learn about writers, and more.

Product Description

From the Back Cover

"The techniques in this book are not an option for testers–they are mandatory and these are the guys to tell you how to apply them!"
–HarryRobinson, Google.

 

Rigorously test and improve the security of all your Web software!

 

It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software.

 

In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes

 

·   Client vulnerabilities, including attacks on client-side validation

·   State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

·   Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

·   Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

·   Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

·   Cryptography, privacy, and attacks on Web services

 

Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

 

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

About the Author

Mike Andrews is a senior consultant at Foundstone who specializes in software security and leads the Web application security assessments and Ultimate Web Hacking classes. He brings with him a wealth of commercial and educational experience from both sides of the Atlantic and is a widely published author and speaker. Before joining Foundstone, Mike was a freelance consultant and developer of Web-based information systems, working with clients such as The Economist, the London transport authority, and various United Kingdom universities. In 2002, after being an instructor and researcher for a number of years, Mike joined the Florida Institute of Technology as an assistant professor, where he was responsible for research projects and independent security reviews for the Office of Naval Research, Air Force Research Labs, and Microsoft Corporation. Mike holds a Ph.D. in computer science from the University of Kent at Canterbury in the United Kingdom, where his focus was on debugging tools and programmer psychology.

 

James A. Whittaker is a professor of computer science at the Florida Institute of Technology (Florida Tech) and is founder of Security Innovation. In 1992, he earned his Ph.D. in computer science from the University of Tennessee. His research interests are software testing, software security, software vulnerability testing, and anticyber warfare technology. James is the author of How to Break Software (Addison-Wesley, 2002) and coauthor (with Hugh Thompson) of How to Break Software Security (Addison-Wesley, 2003), and over fifty peer-reviewed papers on software development and computer security. He holds patents on various inventions in software testing and defensive security applications and has attracted millions in funding, sponsorship, and license agreements while a professor at Florida Tech. He has also served as a testing and security consultant for Microsoft, IBM, Rational, and many other United States companies.

 

In 2001, James was appointed to Microsoft’s Trustworthy Computing Academic Advisory Board and was named a “Top Scholar” by the editors of the Journal of Systems and Software, based on his research publications in software engineering. His research team at Florida Tech is known for its testing technologies and tools, which include the highly acclaimed runtime fault injection tool Holodeck. His research group is also well known for their development of exploits against software security, including cracking encryption, passwords and infiltrating protected networks via novel attacks against software defenses.

 


Inside This Book (Learn More)
Browse Sample Pages
Front Cover | Copyright | Table of Contents | Excerpt | Index | Back Cover
Search inside this book:


Customer Reviews

3 star
0
2 star
0
1 star
0
4.5 out of 5 stars
4.5 out of 5 stars
Most Helpful Customer Reviews
4 of 4 people found the following review helpful
5.0 out of 5 stars Buy it 11 Jan 2007
Format:Paperback
If you want to get to grips with this subject this book is a great little read. You can either just plough through it, as it is an easy read, or go and look at all the links and tools he is referencing to get extra detail and clarity. If you don't have any other books on this subject, get this first.

No, I don't know the author.
Comment | 
Was this review helpful to you?
3 of 3 people found the following review helpful
4.0 out of 5 stars client side only 23 Feb 2009
Format:Paperback
If you're looking for a comprehensive guide to web testing - this is not it as it only deals with client side testing. However, it still is a good read, with valuable insight and guidance ... and at this price, I would recommend it a definate buy!
Comment | 
Was this review helpful to you?
Format:Paperback|Verified Purchase
I'm not going to argue with other reviewers as to the quality of the content. I haven't yet read enough to judge for myself but am hopeful that it will be useful to me. There are many more reviews of this book on amazon.com than on amazon.co.uk and they are generally positive. I was initially puzzled thinking, maybe, a review had been pulled which pointed out a wrong attribution of the invention of Gopher but now realise that this review is on amazon.com.

From the limited amount of the book I have looked at I've noticed the odd sentence which seems to me to be imperfectly crafted and the odd typo which would require a human reader to pick up. I recall "polices" instead of "policies".

My main negative impression so far just relates to the combination of the design of the book, possibly the limitations of screen capture software, and the limitations of black and white printing at the resolution used.

I think it's fair to criticise at least one design choice. There are a small number of text boxes with backgrounds which make the text hard to read (e.g. on p7, pp39-40, pp50-51 ...). The background was totally within the control of the designer and would have been better left as plain white, instead of stippled grey-shaded.

There are examples of screen dumps in the book which are hard or impossible to read (e.g on p24, p126 ...) but I can accept that the screens of some applications or websites may be hard, or impossible, to capture and print legibly in a book printed in black and white with this page size and also accept that being able to read the screen dumps is probably unnecessary to understand the surrounding text.

I don't want to give the impression that the book is overloaded with screen dumps compared with text.
Read more ›
Comment | 
Was this review helpful to you?
5 of 7 people found the following review helpful
By D. Ward
Format:Paperback
In keeping with the brevity of this excellent book, I'll keep this short. This book is readable, educational and covers the majority of tests that are required on web applications today. The tools included on the CD are also first rate, with good commentary on how to use them in the book, giving further reading where required.
Comment | 
Was this review helpful to you?
Most Helpful Customer Reviews on Amazon.com (beta)
Amazon.com: 4.3 out of 5 stars  17 reviews
11 of 11 people found the following review helpful
4.0 out of 5 stars One of the best on the topic! 28 April 2006
By Charles Hornat - www.infosecwriters.com - Published on Amazon.com
Format:Paperback
This is a hard topic to find good reading. Most books are usually targeted towards operating systems or malware specifically. However, from the first page, I knew this was something worthwhile. A key part to this book being so good is the format Mike and James use to present each topic thus providing something for attackers and security folks. It also could provide pen testers and auditors some good ammo to use as well.

The layout of the chapters starts with gathering information on targets. Then takes a step towards client side attacks, server side attacks, Language based attacks, Authentication, Privacy, and Web Services. They even throw in a chapter outlining the last 50 years or so of web software defects. Surprisingly, or not so surprisingly, we have not always learned from our mistakes.

The best part of the book however, is not the topic as much as it is the layout they use to demonstrate every vulnerability. They start with a topic, Buffer Overflows as an example. The authors describe what it is in a few paragraphs, then discuss when to apply this type of attack, then proceed in How to conduct this attack, and end with How to protect oneself from this attack. Each section is no more than a few paragraphs, ensuring that you do not loose focus on what's being discussed.

The authors also do a great job discussing the tools that one can use to test or perform each attack. Tools such as Nikto, Wikto, Paros and SSL Digger are discussed. When additional information is needed, they provide screenshots and output for one to learn from.

This book is a must for anyone in the role of Web Security, Auditing, or pen testing.

Pros

Good Tools, Excellent format, Easy to read

Cons

Perhaps more references for more information since the authors do not go into great detail; Advanced web security people may find it a bit elementary
14 of 15 people found the following review helpful
5.0 out of 5 stars Very informative. If you develop web software it's a must-read 4 Aug 2006
By Jim Anderton - Published on Amazon.com
Format:Paperback
I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I've always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.

The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn't really considered before. I won't list them here because someone would undoubtedly say, "I can't believe he didn't know about that one!" The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.

Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn't know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.

This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do. :-)
19 of 24 people found the following review helpful
2.0 out of 5 stars Short on content with too much padding 17 May 2007
By Groovymarlin - Published on Amazon.com
Format:Paperback
I was disappointed in this book. The actual content was pretty thin, and not very well written. Chapter 1 is a complete waste of time, and actually spends pages explaining what client/server means, what the Web is, and other things that are patently obvious to the supposed audience for this material. I found myself turning to the front to see if this book was written in 1997! You then get nine fairly short chapters with instructions on how to hack a website, more or less; followed by 50 pages of useless padding in the appendices including: an unrelated article co-authored by Whittaker for the IEEE, a detailed list of all the bugs present in their "sample application," and then descriptions of their recommended tools, all of which can easily be found on the Web without paying $22 for this book.

As another reviewer mentioned, there are many typos and other problems like incorrect illustrations, making the reader wonder if Addison-Wesley even employs a copy editor. Furthermore, I felt this book was inaccurately named and described. It's really more about rudimentary hacking and protecting your web application against hackers than web quality or web testing. A beginning web developer might do well to read this as a primer on how to create sites and applications with basic security, but as an experienced tester it was of limited use to me.
5 of 5 people found the following review helpful
5.0 out of 5 stars A rich and well-focussed yet accessible introduction to a wide-ranging subject 12 April 2006
By Christos Partsenidis - Published on Amazon.com
Format:Paperback
This is a focussed book with a single aim; to help you find and correct common vulnerabilities in web-based applications and website software.

Above all, this is a book to be used. The authors take a practical approach to each area of consideration, and the chapters are well structured to make it easy for you to get right to work.

For each area they provide an informative overview followed by discussion of the vulnerabilities including numerous code snippets, examples and screen shots. Though rich in detail the writing style keeps you engaged and the sensible structure (when to apply the attack, how to perform it and how to protect against it) makes it easy to grasp the key points.

There is no bias towards either Windows or Unix products on either the client or the server, and you won't need to be a scripting expert to put the authors' ideas into practice.

Chapter 1 explains the difference between web-based and traditional client-server systems and why a different approach is needed when testing. Subsequent chapters cover the vulnerabilities:

Gathering Information on the Target

Bypassing Client-Side Validation

State-Based Attacks

Including Hidden Fields, Cookie poisoning and Session Hijacking

Data Attacks

Including Cross-Site Scripting, SQL Injection and Directory Traversal

Language-Based Attacks

Including Buffer Overflows

Server Attacks

Including Stored Procedures, SQL Injection, Server Fingerprinting and Denial of Service

Authentication

Including Weak Cryptography and Cross-Site Tracing

Privacy

Including Caching, Cookies, Web Bugs, ActiveX Controls and Browser Help Objects

Web Services

Including WSDL and XML attacks

The book comes with an excellent companion CD containing a number of testing tools and a flawed website on which you can use the techniques you have learned to cement your knowledge. Both the tools and the vulnerabilities in the sample site are fully documented in two useful appendices.

All in all, a rich and well-focussed yet accessible introduction to a wide-ranging subject. If the security of web-based applications is your area, make room for this on your bookshelf.
10 of 12 people found the following review helpful
5.0 out of 5 stars Technique after technique that really works 20 May 2006
By Stephen Northcutt - Published on Amazon.com
Format:Paperback|Verified Purchase
You can't really read a book like this. You read a few pages and prop the book up with a cookbook holder and start typing in the examples. There were a couple I could not duplicate, but almost everything worked as the authors said it would. Great book, or maybe it would be better to say, great tool!

The fun starts with chapter 2 and these folks do not spend a lot of time on reconnaisance. They know how to break web software and we start on that by chapter 3. I was a little sad in chapter 5, they did not really do SQL injection justice, but then they hit it again with stored procedures in chapter 7.

If there is a weakness to the book it might be chapter 9 and 10, the ending, but I still found both chapters informative.

Every large organization I know is building web applications and most of them are doing it badly. If you are a coder, a webmaster, or a manager of any of the above, buy a copy of this book for everyone on your team. I am going to do the same for my team right now.
Were these reviews helpful?   Let us know
Search Customer Reviews
Only search this product's reviews
ARRAY(0xb51e2f60)

Customer Discussions

This product's forum
Discussion Replies Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight
Start a new discussion
Topic:
First post:
Prompts for sign-in
 

Search Customer Discussions
Search all Amazon discussions
   


Look for similar items by category


Feedback