Buying Options
Web Security Testing Cookbook
Print $39.99
Add to Cart
Print+Ebook $43.99
Add to Cart
Ebook $31.99
(Mobi, PDF, ePub)
Add to Cart
Safari Books Online
Add to Cart
What is this?
Print £30.99
Add to Cart
What is this?

Web Security Testing Cookbook

Systematic Techniques to Find Problems Fast

By
Paco Hope, Ben Walther
Publisher:
O'Reilly Media
Released:
October 2008
Pages:
320
Press Release
Description
Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite.
Full Description
Table of Contents

  1. Chapter 1 Introduction

    1. What Is Security Testing?

    2. What Are Web Applications?

    3. Web Application Fundamentals

    4. Web App Security Testing

    5. It’s About the How

  2. Chapter 2 Installing Some Free Tools

    1. Installing Firefox

    2. Installing Firefox Extensions

    3. Installing Firebug

    4. Installing OWASP’s WebScarab

    5. Installing Perl and Packages on Windows

    6. Installing Perl and Using CPAN on Linux, Unix, or OS X

    7. Installing CAL9000

    8. Installing the ViewState Decoder

    9. Installing cURL

    10. Installing Pornzilla

    11. Installing Cygwin

    12. Installing Nikto 2

    13. Installing Burp Suite

    14. Installing Apache HTTP Server

  3. Chapter 3 Basic Observation

    1. Viewing a Page’s HTML Source

    2. Viewing the Source, Advanced

    3. Observing Live Request Headers with Firebug

    4. Observing Live Post Data with WebScarab

    5. Seeing Hidden Form Fields

    6. Observing Live Response Headers with TamperData

    7. Highlighting JavaScript and Comments

    8. Detecting JavaScript Events

    9. Modifying Specific Element Attributes

    10. Track Element Attributes Dynamically

    11. Conclusion

  4. Chapter 4 Web-Oriented Data Encoding

    1. Recognizing Binary Data Representations

    2. Working with Base 64

    3. Converting Base-36 Numbers in a Web Page

    4. Working with Base 36 in Perl

    5. Working with URL-Encoded Data

    6. Working with HTML Entity Data

    7. Calculating Hashes

    8. Recognizing Time Formats

    9. Encoding Time Values Programmatically

    10. Decoding ASP.NET’s ViewState

    11. Decoding Multiple Encodings

  5. Chapter 5 Tampering with Input

    1. Intercepting and Modifying POST Requests

    2. Bypassing Input Limits

    3. Tampering with the URL

    4. Automating URL Tampering

    5. Testing URL-Length Handling

    6. Editing Cookies

    7. Falsifying Browser Header Information

    8. Uploading Files with Malicious Names

    9. Uploading Large Files

    10. Uploading Malicious XML Entity Files

    11. Uploading Malicious XML Structure

    12. Uploading Malicious ZIP Files

    13. Uploading Sample Virus Files

    14. Bypassing User-Interface Restrictions

  6. Chapter 6 Automated Bulk Scanning

    1. Spidering a Website with WebScarab

    2. Turning Spider Results into an Inventory

    3. Reducing the URLs to Test

    4. Using a Spreadsheet to Pare Down the List

    5. Mirroring a Website with LWP

    6. Mirroring a Website with wget

    7. Mirroring a Specific Inventory with wget

    8. Scanning a Website with Nikto

    9. Interpretting Nikto’s Results

    10. Scan an HTTPS Site with Nikto

    11. Using Nikto with Authentication

    12. Start Nikto at a Specific Starting Point

    13. Using a Specific Session Cookie with Nikto

    14. Testing Web Services with WSFuzzer

    15. Interpreting WSFuzzer’s Results

  7. Chapter 7 Automating Specific Tasks with cURL

    1. Fetching a Page with cURL

    2. Fetching Many Variations on a URL

    3. Following Redirects Automatically

    4. Checking for Cross-Site Scripting with cURL

    5. Checking for Directory Traversal with cURL

    6. Impersonating a Specific Kind of Web Browser or Device

    7. Interactively Impersonating Another Device

    8. Imitating a Search Engine with cURL

    9. Faking Workflow by Forging Referer Headers

    10. Fetching Only the HTTP Headers

    11. POSTing with cURL

    12. Maintaining Session State

    13. Manipulating Cookies

    14. Uploading a File with cURL

    15. Building a Multistage Test Case

    16. Conclusion

  8. Chapter 8 Automating with LibWWWPerl

    1. Writing a Basic Perl Script to Fetch a Page

    2. Programmatically Changing Parameters

    3. Simulating Form Input with POST

    4. Capturing and Storing Cookies

    5. Checking Session Expiration

    6. Testing Session Fixation

    7. Sending Malicious Cookie Values

    8. Uploading Malicious File Contents

    9. Uploading Files with Malicious Names

    10. Uploading Viruses to Applications

    11. Parsing for a Received Value with Perl

    12. Editing a Page Programmatically

    13. Using Threading for Performance

  9. Chapter 9 Seeking Design Flaws

    1. Bypassing Required Navigation

    2. Attempting Privileged Operations

    3. Abusing Password Recovery

    4. Abusing Predictable Identifiers

    5. Predicting Credentials

    6. Finding Random Numbers in Your Application

    7. Testing Random Numbers

    8. Abusing Repeatability

    9. Abusing High-Load Actions

    10. Abusing Restrictive Functionality

    11. Abusing Race Conditions

  10. Chapter 10 Attacking AJAX

    1. Observing Live AJAX Requests

    2. Identifying JavaScript in Applications

    3. Tracing AJAX Activity Back to Its Source

    4. Intercepting and Modifying AJAX Requests

    5. Intercepting and Modifying Server Responses

    6. Subverting AJAX with Injected Data

    7. Subverting AJAX with Injected XML

    8. Subverting AJAX with Injected JSON

    9. Disrupting Client State

    10. Checking for Cross-Domain Access

    11. Reading Private Data via JSON Hijacking

  11. Chapter 11 Manipulating Sessions

    1. Finding Session Identifiers in Cookies

    2. Finding Session Identifiers in Requests

    3. Finding Authorization Headers

    4. Analyzing Session ID Expiration

    5. Analyzing Session Identifiers with Burp

    6. Analyzing Session Randomness with WebScarab

    7. Changing Sessions to Evade Restrictions

    8. Impersonating Another User

    9. Fixing Sessions

    10. Testing for Cross-Site Request Forgery

  12. Chapter 12 Multifaceted Tests

    1. Stealing Cookies Using XSS

    2. Creating Overlays Using XSS

    3. Making HTTP Requests Using XSS

    4. Attempting DOM-Based XSS Interactively

    5. Bypassing Field Length Restrictions (XSS)

    6. Attempting Cross-Site Tracing Interactively

    7. Modifying Host Headers

    8. Brute-Force Guessing Usernames and Passwords

    9. Attempting PHP Include File Injection Interactively

    10. Creating Decompression Bombs

    11. Attempting Command Injection Interactively

    12. Attempting Command Injection Systematically

    13. Attempting XPath Injection Interactively

    14. Attempting Server-Side Includes (SSI) Injection Interactively

    15. Attempting Server-Side Includes (SSI) Injection Systematically

    16. Attempting LDAP Injection Interactively

    17. Attempting Log Injection Interactively

  1. Colophon

View Full Table of Contents
Product Details
Title:
Web Security Testing Cookbook
By:
Paco Hope, Ben Walther
Publisher:
O'Reilly Media
Formats:
  • Print
  • Ebook
  • Safari Books Online
Print Release:
October 2008
Ebook Release:
October 2008
Pages:
320
Print ISBN:
978-0-596-51483-9
| ISBN 10:
0-596-51483-2
Ebook ISBN:
978-0-596-15588-9
| ISBN 10:
0-596-15588-3
Customer Reviews
About the Authors

  1. Paco Hope

    Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.

    View Paco Hope's full profile page.

  2. Ben Walther

    Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests - and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.

    View Ben Walther's full profile page.

  • Book cover of Web Security Testing Cookbook
Got a Question?
icons
Favicon Service and support by Satisfaction