Among the tests you perform on web applications, security testing
is perhaps the most important, yet it's often the most
neglected. The recipes in the Web Security Testing Cookbook
demonstrate how developers and testers can check for the most
common web security issues, while conducting unit tests, regression
tests, or exploratory tests. Unlike ad hoc security assessments,
these recipes are repeatable, concise, and systematic-perfect for
integrating into your regular test suite.
Recipes cover the basics from observing messages between clients
and servers to multi-phase tests that script the login and
execution of web application features. By the end of the book,
you'll be able to build tests pinpointed at Ajax functions, as
well as large multi-step tests for the usual suspects: cross-site
scripting and injection attacks. This book helps you:
- Obtain, install, and configure useful-and free-security testing
- Understand how your application communicates with users, so you
can better simulate attacks in your tests
- Choose from many different methods that simulate common attacks
such as SQL injection, cross-site scripting, and manipulating
hidden form fields
- Make your tests repeatable by using the scripts and examples in
the recipes as starting points for automated testsDon't live in
dread of the midnight phone call telling you that your site has
been hacked. With Web Security Testing Cookbook and the free tools
used in the book's examples, you can incorporate security
coverage into your test suite, and sleep in peace.
Millions of dollars are spent every year developing, testing,
defending, and fixing web applications -- and, ultimately, web
developers are blamed when something goes wrong. Web Security
Testing Cookbook gives developers an inexpensive way to include
testing as part of the development cycle. You'll find scores of
recipes for testing web applications, from relatively simple
solutions to complex ones that combine several solutions.
This practical book focuses on how to test web applications -- not
what web security consists of or why developers should test. And,
rather than IT security, the recipes address application software
exclusively -- source code, business logic -- written, operated,
and now tested by you. Each recipe in the book states the problem
to be solved, the tools and techniques required, technical details
involved, and examples.
Web Security Testing Cookbook also leverages free tools, and not
only because they save you considerable expense. In security,
perhaps more than in any other specialized discipline, the best
tools tend to be free. The book offers recipes in four different
sections to help you: Learn basics concepts to develop tests, and
obtain and set up the tools you'll use Automate tools and
scripts to test a web application in a systematic way Learn methods
to bypass client side input validation for various purposes, such
as SQL injection, cross-site scripting, and manipulating hidden
form fields Focus on the session by finding identifiers, analyzing
how predictable they are, and manipulating them with tools.
By following the recipes in this book, you can be reasonably sure
that your application is not going to be one of the thousands that
hackers compromise every day. They don't take the place of real
penetration testing, but they will make sure your application is
not a disaster waiting to happen.
Take the time to include security testing in the development cycle.
Web Security Testing Cookbook will save you weeks of headaches and
tons of money down the road. Who knows? This book might even save
Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.