Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "How to Break Web Software", Mike Andrews/James A. Whittaker

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKHTBWSW.RVW 20060520 How to Break Web Software , Mike Andrews/James A. Whittaker, 2006, 0-321-36944-0, U$34.99/C$46.99 %A Mike Andrews
    Message 1 of 1 , Jun 26, 2006
      BKHTBWSW.RVW 20060520

      "How to Break Web Software", Mike Andrews/James A. Whittaker, 2006,
      0-321-36944-0, U$34.99/C$46.99
      %A Mike Andrews Mike.Andrews@...
      %A James A. Whittaker jw@...
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2006
      %G 0-321-36944-0
      %I Addison-Wesley Publishing Co.
      %O U$34.99/C$46.99 416-447-5101 800-822-6339 bkexpress@...
      %O http://www.amazon.com/exec/obidos/ASIN/0321369440/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0321369440/robsladesin03-20
      %O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
      %P 219 p. + CD-ROM
      %T "How to Break Web Software"

      The preface stresses that this book is neither about how to attack a
      Web site, nor how to develop one, but, rather, how to test.

      Chapter one points out that the Web is a different environment, in
      terms of software security, because we have desktop machines, not
      centrally administered, talking to everyone (with much of the traffic
      being commercial in nature). The authors even point out that issues
      of error-handling, performance, and ease-of-use all contribute to
      increased levels of vulnerability. Various attacks designed to obtain
      information about Web applications, structure, and functions are
      described in chapter two. For client-side scripting, chapter three
      notes, any validation done on the client should be untrusted and re-
      validated on the host, since it may be altered on the client, or data
      manually entered as if it came from the client. Chapter four explains
      the danger of using client-side data (cookies or code) for state
      information. Chapter five examines user supplied data, and delves
      into cross-site scripting (XSS, the explanation of which is not well
      done), SQL (Standard Query Language) injection, and directory
      traversal. Language-based attacks, in chapter six, involve buffer
      overflows (which are not explained terribly well), canonicalization
      (HTML and Unicode encoding and parsing), and null string attacks. The
      server, with utilities and the underlying operating system, can be
      reached via stored procedures (excessive functionality), fingerprinted
      for other attempts, or subject to denial of service (in limited ways)
      as chapter seven notes. "Authentication," in chapter eight, is really
      more about encryption: the various false forms (encryption via
      obscurity?), brute force attacks against verification systems, and
      forcing a system to use weak encryption. Privacy, and related Web
      technologies (of which cookies are only one), is reviewed in chapter
      nine. Chapter ten looks at Web services, and the vulnerabilities
      associated with some of these systems.

      The CD-ROM included with the book contains a number of interesting and
      useful tools for trying out the various attacks and tests mentioned in
      the text.

      This book is a valuable addition to the software security literature.
      The attacks listed in the work are known, but often by name only.
      This text collects and explains a wide variety of Web application
      attacks and weaknesses, providing developers with a better
      understanding of how their programs may be assailed. Some of the
      items mentioned are defined or explained weakly, but these are usually
      items that do have good coverage in other security works.

      copyright Robert M. Slade, 2006 BKHTBWSW.RVW 20060520

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Start every day off with a smile and get it over with. - W.C. Fields
      Dictionary Information Security www.syngress.com/catalog/?pid=4150
    Your message has been successfully submitted and would be delivered to recipients shortly.