REVIEW: "Web Security Testing Cookbook", Paco Hope/Ben Walther

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jun 1, 2009.

  BKWBSTCB.RVW 20090123

    "Web Security Testing Cookbook", Paco Hope/Ben Walther, 2009,
    978-0-596-51483-9, U$39.99/C$39.99
    %A Paco Hope
    %A Ben Walther http://blog.benwalther.net
    %C 103 Morris Street, Suite A, Sebastopol, CA 95472
    %D 2009
    %G 978-0-596-51483-9 0-596-51483-2
    %I O'Reilly & Associates, Inc.
    %O U$39.99/C$39.99 800-998-9938 707-829-0515
    %O http://www.amazon.com/exec/obidos/ASIN/0596514832/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/0596514832/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/0596514832/robsladesin03-20
    %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
    %P 285 p.
    %T "Web Security Testing Cookbook"

    The preface states that the book is about how to test Web
    applications, particularly with regard to security, and is intended
    for developers rather than security professionals.

    Chapter one, however, provides more of an introduction, starting with
    the statement that security testing involves "hostile and malicious"
    input. This limits the scope of the work considerably, but it does
    explain questionable assertions, such as that SSL (Secure Sockets
    Layer) and cryptography haven't much impact on testing. The material
    is restricted to deliberate attacks, and doesn't deal with issues of
    error, noise, performance, or availability. While there is some
    discussion of choice of inputs, I doubt that the advice would uncover
    issues such as the "1000th login" vulnerability that was seen many
    years ago in Novell Netware, and more recently in SSH (Secure Shell).

    Chapter two lists Web utility software related to, or providing
    information for, testing, but is confined to URLs (Uniform Resource
    Locator addresses) and circumscribed descriptions. Limited examples
    of using those applications for viewing transactions are given in
    chapter three. Data encoding, covered in chapter four, starts out
    well with good explanations, but then devolves into another tools
    list. Chapter five looks at various ways to manipulate input. Some
    examples of using a few utilities for bulk downloading, scanning, and
    input fuzzing are mentioned in chapter six.

    The cURL scripting tool is discussed in chapter seven, along with its
    various functions. Similarly, LibWWWPerl is dealt with in chapter
    eight.

    Chapter nine notes some simple design flaws. A number of the previous
    tools are used to examine AJAX (Asynchronous JavaScript and XML)
    applications in chapter ten. Chapter eleven repeats earlier content
    in regard to session manipulation. A variety of attacks are described
    in chapter twelve.

    This is not a cookbook for Web security testing, but a very basic
    introduction to some tools and concepts related to testing Web
    applications for vulnerability to common attacks.

    copyright Robert M. Slade, 2009 BKWBSTCB.RVW 20090123

    --
    ======================

    "Dictionary of Information Security," Syngress 1597491152
    http://blogs.securiteam.com/index.php/archives/author/p1/
    http://blog.isc2.org/isc2_blog/slade/index.html
    http://twitter.com/rslade
    ============= for back issues:
    [Base URL] site http://victoria.tc.ca/techrev/
    CISSP refs: [Base URL]mnbksccd.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    or
