"Web Security Testing Cookbook", Paco Hope/Ben Walther, 2009,
%A Paco Hope
%A Ben Walther root@... http://blog.benwalther.net
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%G 978-0-596-51483-9 0-596-51483-2
%I O'Reilly & Associates, Inc.
%O U$39.99/C$39.99 800-998-9938 707-829-0515 nuts@...
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 285 p.
%T "Web Security Testing Cookbook"
The preface states that the book is about how to test Web
applications, particularly with regard to security, and is intended
for developers rather than security professionals.
Chapter one, however, provides more of an introduction, starting with
the statement that security testing involves "hostile and malicious"
input. This limits the scope of the work considerably, but it does
explain questionable assertions, such as that SSL (Secure Sockets
Layer) and cryptography hasn't much impact on testing. The material
is restricted to deliberate attacks, and doesn't deal with issues of
error, noise, performance, or availability. While there is some
discussion of choice of inputs, I doubt that the advice would uncover
issues such as the "1000th login" vulnerability that was seen many
years ago in Novell Netware, and more recently in SSH (Secure Shell).
Chapter two lists Web utility software related to, or providing
information for, testing, but is confined to URLs (Uniform Resource
Locator addresses) and circumscribed descriptions. Limited examples
of using those applications for viewing transactions is given in
chapter three. Data encoding, covered in chapter four, starts out
well with good explanations, but then devolves into another tools
list. Chapter five looks at various ways to manipulate input. Some
examples of using a few utilities for bulk downloading, scanning, and
input fuzzing are mentioned in chapter six.
The cURL scripting tool is discussed in chapter seven, along with its
various functions. Similarly, LibWWWPerl is dealt with in chapter
Chapter nine notes some simple design flaws. A number of the previous
applications, in chapter ten. Chapter eleven repeats earlier content
in regard to session manipulation. A variety of attacks are described
in chapter twelve.
This is not a cookbook for Web security testing, but a very basic
introduction to some tools and concepts related to testing Web
applications for vulnerability to common attacks.
copyright Robert M. Slade, 2009 BKWBSTCB.RVW 20090123
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Unix for stability.
Macintosh for productivity.
Windows for Solitaire.