UnixReview.com
July 2006
Book Review: How to Break Web Software
Reviewed by Kristy Westphal
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
By Mike Andrews and James A. Whittaker
Addison Wesley, 2006
ISBN 0-321-36944-0
240 pages
How to Break Web Software shows you how to do exactly that. It is, in a word, awesome! It is chock full of attacks for which all Web sites should be tested. Each attack description includes a detailed explanation, when to use it, and how to protect your site from the attack. The book is an easy read, clear and complete in its explanations. Accompanying the book is a CD full of the tools that are referenced throughout the book, including the "hacme" bank application from Foundstone to practice on. Your biggest dilemma when reading this book will be deciding who else should read it — your developers? Your QA team? Your security team? The answer is probably all of the above.
The majority of the book dedicates a chapter to each major type of attack. It starts with a chapter on a practical and comprehensive method for information gathering and then moves through chapters explaining everything from client-based and state-based attacks to attacks on the server and on authentication. I like the fact that one of the first chapters is the information-gathering chapter, because it shows just how difficult this part of a Web site audit can be.