UKUUG home


(the UK's Unix & Open Systems User Group)






Book Discounts

Other Discounts

Mailing lists






Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

Paco Hope and Ben Walther
Published by O'Reilly Media
ISBN: 978-0-596-51483-9
312 pages
£ 30.99
Published: 28th October 2008
reviewed by Raza Rizvi
   in the March 2009 issue (pdf), (html)

'Systematic Techniques to Find Problems Fast' they say right up top on the front cover. Indeed easily a good third of this book shows you how to automate a variety of attacks on your web site using testing tools. But this isn't a book about hacking for hackers, it is written for the programmers who are developing web services, to open their eyes to the sort of testing they should be including as part of their code release routines.

It isn't an advert for a multi-thousand dollar testing toolkit but a sensible description of a kitbag of public domain utilities that can be stitched together to form a credible arsenal of weapons exploiting the common mistakes, misunderstandings and oversights to which web code is susceptible in the 'release it now' deployment lifecycles a commercial environment has.

An elegantly simple description of the security testing and web applications in chapter 1 starts the book. The authors make it clear that although this is a 'cookbook', it focuses on the essence of how one performs security tests rather than providing the absolute minutiae of process — a focus on the menu rather than the ingredients if you like. The tools to be used are introduced in turn on chapter 2, following the convention used in the majority of the book of Problem, Solution, and Discussion.

The readership is educated how to understand the flow of information from the web server to the web browser — not just the source code that makes up the web page but also the information that is used by the browser to interpret the HTML or Javascript. Following on into chapter 4 with a description of the encoding of data, the authors take time to visually point out common misconceptions and provide snippets of information that might otherwise be overlooked — for example that a replay attack might allow someone to subvert account security without knowing the actual password if they use a provided hash of the password.

With the 'basic' background adequately covered, the second part of the book, from chapters 5 through to chapter 8, gets down to manual tweaking of the input one can provide to a website — from URL and XML manipulation to cookie modifications. It could take you a good week (of 'oohs and aahs') to apply all the techniques described but it is time well spent so that one understands the kind of things one can do before you unleash some automation. This is covered from chapter 6 onwards and is obviously far more productive for anything other than the very smallest site. The approaches explained allow you to focus testing in individual parts of the web site and its applications using the tools from chapter 2, including the fiendishly useful cURL as an alternative to PERL.

Now we have both an understanding of the interaction of the browser and web server, and the means to automate the testing, we are ready for the final part of the book which leads off with another set of data input attacks (like using URLs out of the intended sequence or subverting password recovery procedures). The examples are all highly interesting reading in their own right and quite rightly put the fear of code abuse into your head. Pity then the AJAX programmer for the examples to this stage have largely used traditional HTML but AJAX (which sits atop Javascript) means local data manipulation in the client-side code has to be considered. The book rounds off by considering attacks that use more than one of the methods described in the book to ensure that data or information is undermined (e.g. guessing usernames and passwords or using Cross Site Scripting).

I expected the book to have a final chapter to preach to me about the need for security, but then I remembered that in chapter 1 I was told that this was a book of 'how to do things' rather than a 'why you need security'. By the end, frankly, it was clear why I needed this book, and I was duly grateful.

Back to reviews list

Tel: 01763 273 475
Fax: 01763 273 255
Web: Webmaster
Queries: Ask Here
Join UKUUG Today!

UKUUG Secretariat
More information

Page last modified 02 Mar 2009
Copyright © 1995-2011 UKUUG Ltd.