
REVIEW: "Web Security Testing Cookbook", Paco Hope/Ben Walther

  • Rob, grandpa of Ryan, Trevor, Devon & Han
    Message 1 of 1, Jun 1, 2009
      BKWBSTCB.RVW 20090123

      "Web Security Testing Cookbook", Paco Hope/Ben Walther, 2009,
      978-0-596-51483-9, U$39.99/C$39.99
      %A Paco Hope
      %A Ben Walther root@... http://blog.benwalther.net
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2009
      %G 978-0-596-51483-9 0-596-51483-2
      %I O'Reilly & Associates, Inc.
      %O U$39.99/C$39.99 800-998-9938 707-829-0515 nuts@...
      %O http://www.amazon.com/exec/obidos/ASIN/0596514832/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0596514832/robsladesin03-20
      %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 285 p.
      %T "Web Security Testing Cookbook"

      The preface states that the book is about how to test Web
      applications, particularly with regard to security, and is intended
      for developers rather than security professionals.

      Chapter one, however, provides more of an introduction, starting with
      the statement that security testing involves "hostile and malicious"
      input. This limits the scope of the work considerably, but it does
      explain questionable assertions, such as that SSL (Secure Sockets
      Layer) and cryptography haven't much impact on testing. The material
      is restricted to deliberate attacks, and doesn't deal with issues of
      error, noise, performance, or availability. While there is some
      discussion of choice of inputs, I doubt that the advice would uncover
      issues such as the "1000th login" vulnerability that was seen many
      years ago in Novell Netware, and more recently in SSH (Secure Shell).

      Chapter two lists Web utility software related to, or providing
      information for, testing, but is confined to URLs (Uniform Resource
      Locator addresses) and circumscribed descriptions. Limited examples
      of using those applications for viewing transactions are given in
      chapter three. Data encoding, covered in chapter four, starts out
      well with good explanations, but then devolves into another tools
      list. Chapter five looks at various ways to manipulate input. Some
      examples of using a few utilities for bulk downloading, scanning, and
      input fuzzing are mentioned in chapter six.

      The cURL scripting tool is discussed in chapter seven, along with its
      various functions. Similarly, LibWWWPerl is dealt with in chapter

      Chapter nine notes some simple design flaws. A number of the previous
      tools are used to examine AJAX (Asynchronous JavaScript and XML)
      applications, in chapter ten. Chapter eleven repeats earlier content
      in regard to session manipulation. A variety of attacks are described
      in chapter twelve.

      This is not a cookbook for Web security testing, but a very basic
      introduction to some tools and concepts related to testing Web
      applications for vulnerability to common attacks.

      copyright Robert M. Slade, 2009 BKWBSTCB.RVW 20090123

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Unix for stability.
      Macintosh for productivity.
      Windows for Solitaire.
      http://blog.isc2.org/isc2_blog/slade/index.html http://twitter.com/rslade