summersale2015 Hier klicken Jetzt Mitglied werden studentsignup Cloud Drive Photos WHDsFly Learn More blogger UrlaubundReise Fire HD 6 Shop Kindle Sparpaket SummerSale
In weniger als einer Minute können Sie mit dem Lesen von Web Security Testing Cookbook auf Ihrem Kindle beginnen. Sie haben noch keinen Kindle? Hier kaufen oder mit einer unserer kostenlosen Kindle Lese-Apps sofort zu lesen anfangen.

An Ihren Kindle oder ein anderes Gerät senden


Kostenlos testen

Jetzt kostenlos reinlesen

An Ihren Kindle oder ein anderes Gerät senden

Der Artikel ist in folgender Variante leider nicht verfügbar
Keine Abbildung vorhanden für
Keine Abbildung vorhanden

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast [Kindle Edition]

Paco Hope , Ben Walther

Kindle-Preis: EUR 21,24 Inkl. MwSt. und kostenloser drahtloser Lieferung über Amazon Whispernet

Kostenlose Kindle-Leseanwendung Jeder kann Kindle Bücher lesen  selbst ohne ein Kindle-Gerät  mit der KOSTENFREIEN Kindle App für Smartphones, Tablets und Computer.

Geben Sie Ihre E-Mail-Adresse oder Mobiltelefonnummer ein, um die kostenfreie App zu beziehen.

Weitere Ausgaben

Amazon-Preis Neu ab Gebraucht ab
Kindle Edition EUR 21,24  
Taschenbuch EUR 38,35  

Kunden, die diesen Artikel gekauft haben, kauften auch

Seite von Zum Anfang
Diese Einkaufsfunktion wird weiterhin Artikel laden. Um aus diesem Karussell zu navigieren, benutzen Sie bitte Ihre Überschrift-Tastenkombination, um zur nächsten oder vorherigen Überschrift zu navigieren.



Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite.

Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:

  • Obtain, install, and configure useful-and free-security testing tools
  • Understand how your application communicates with users, so you can better simulate attacks in your tests
  • Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
  • Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests

Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.


"Web Security Testing Cookbook" gives developers and testers the tools they need to make security testing a regular part of their development lifecycle. You'll find recipes related to manual, exploratory testing as well as recipes for automated security testing that you can make part of your regression cycle. The recipes cover the basics like observing messages between clients and servers, to multi-phase tests that script the login and execution of web application features. This book provides developers the techniques they need to consider security in their unit tests. Testers will find a wealth of techniques for building web security test cases and executing them. "Web Security Testing Cookbook" also leverages free tools, and not only because they save you considerable expense. In security, perhaps more than in any other specialized discipline, the best tools tend to be free.The book offers recipes in four different sections to help you: learn basics concepts to develop tests, and obtain and set up the tools you'll use; automate tools and scripts to test a web application in a systematic way; also learn methods to bypass client side input validation for various purposes, such as SQL injection, cross-site scripting, and manipulating hidden form fields; and, focus on the session by finding identifiers, analyzing how predictable they are, and manipulating them with tools.

This practical book focuses on how to test web applications - not what web security consists of or why developers should test. Leverage the recipes to add significant security coverage to your testing without adding significant time and cost to your effort.


  • Format: Kindle Edition
  • Dateigröße: 2742 KB
  • Seitenzahl der Print-Ausgabe: 314 Seiten
  • Gleichzeitige Verwendung von Geräten: Keine Einschränkung
  • Verlag: O'Reilly Media; Auflage: 1 (14. Oktober 2008)
  • Verkauf durch: Amazon Media EU S.à r.l.
  • Sprache: Englisch
  • ASIN: B0026OR3FI
  • Text-to-Speech (Vorlesemodus): Aktiviert
  • X-Ray:
  • Word Wise: Nicht aktiviert
  • Erweiterte Schriftfunktion: Nicht aktiviert
  • Amazon Bestseller-Rang: #463.113 Bezahlt in Kindle-Shop (Siehe Top 100 Bezahlt in Kindle-Shop)

  •  Ist der Verkauf dieses Produkts für Sie nicht akzeptabel?

Mehr über die Autoren

Entdecken Sie Bücher, lesen Sie über Autoren und mehr


Es gibt noch keine Kundenrezensionen auf
5 Sterne
4 Sterne
3 Sterne
2 Sterne
1 Sterne
Die hilfreichsten Kundenrezensionen auf (beta) 4.3 von 5 Sternen  11 Rezensionen
20 von 20 Kunden fanden die folgende Rezension hilfreich
5.0 von 5 Sternen Very useful for web application developers 14. November 2008
Von calvinnme - Veröffentlicht auf
This book is about how web applications are tested with an emphasis on security. This book is aimed at web applications developers and testers, not security specialists. Developers who are responsible for writing unit tests for their components will appreciate the way that these tools can be focused on an individual page, feature, or form. Quality assurance professionals who must test whole web applications will be especially interested in the automation and development of test cases that can easily become parts of regression suites. The recipes in this book mainly use free tools, making them easy to try out and hopefully adopt.

The unfortunate problem with free tools in so many cases is lack documentation. This book fills that gap by showing you how to make good use of tools that you might have heard of that don't have good documentation on their application. Another barrier to effectively testing web applications with free tools is a general lack of knowledge about how the tools can be put together to perform good security tests. It's one thing to know that TamperData lets you bypass client-side checks. It's another thing to develop a good cross-site scripting test using TamperData. This book takes you beyond making good web application tests and helps you produce good security test cases.

The book divides material into three sections. The first section covers setting up tools and some of the basics concepts used to develop tests. The second section is about the different methods of bypassing client-side input validation via SQL injection, cross-site scripting, and manipulating hidden form fields. The third section is about the session, locating session identifiers, determining their predictability, and how to manipulate them. Each major section begins with relatively simple tasks and gradually builds to more complex tasks. Thus the first recipes are simple exercises that show what happens behind the scenes in web applications. The final recipes put many building blocks together into complex tasks that can form the basis of major web application security tests. The following is a listing and synopsis of each chapter:

Chapter 1, A little terminology and some important testing concepts that are referred to throughout the book.

Chapter 2, Installing Some Free Tools, includes an entire toolbox of free tools you can make use of. Information on each tool includes some basic instructions on where to find it, install it, and get it running.

Chapter 3, Basic Observation, teaches you the basics of observing your web application and testing the functionality of the system.

Chapter 4, Web-Oriented Data Encoding, shows how to encode and decode data in the various ways that web applications use it. In addition to encoding and decoding, you need to be able to eyeball encoded data and have some idea how it has been encoded.

Chapter 5, Tampering with Input, discusses the most important basic technique: malicious input. Discusses how you get it into your application and how you look at what's happening in the browser and what it's sending to the web application.

Chapter 6, Automated Bulk Scanning, shows you how to spider your application to find input points and pages, as well as ways to conduct batch tests on some specialized applications.

Chapter 7, Automating Specific Tasks with Curl, shows you a very good tool for building automated tests: Curl. First a a few simple ways of submitting batches of tests are examined. Complexity gradually builds to more difficult tasks such as retaining state when you log in and manipulating cookies, and culminates in the task of logging in on eBay.

Chapter 8, Automating with LibPerl, is focused on Perl and its LWP library. This chapter contains a set of specific techniques that you can use with Perl and the LWP library to perform security tests. These include uploading viruses to your application, using very long filenames, and parsing the responses from your application. It ends with a script that can edit a Wikipedia page.

Chapter 9, Seeking Design Flaws, discusses the unintentional interactions in your web application and how you can reveal them with good security tests. The recipes in this chapter focus on ways you can enable tests with testing programs. Topics includes predictable identifiers, weak randomness, and repeatable transactions.

Chapter 10, Attacking AJAX, shows you a lot of the top web attacks and how you can execute them building on earlier techniques discussed in the book. This book doesn't have much on AJAX itself, so you may need an additional text on the subject.

Chapter 11, Manipulating Sessions, discusses how to get behind the scenes of AJAX and test it both manually and automatically. The recipes intercept client-side requests to test server-side logic and vice versa, testing the client-side code by manipulating the server's responses.

Chapter 12, Multifaceted Tests, the final chapter, focuses on sessions, session management, and how security tests can attack it. It gives you several recipes that show you how to find, analyze, and ultimately test the strength of session management.
8 von 8 Kunden fanden die folgende Rezension hilfreich
5.0 von 5 Sternen Excellent book for Web developers writing unit tests 25. Oktober 2009
Von Richard Bejtlich - Veröffentlicht auf
I just wrote five star reviews of The Web Application Hacker's Handbook (TWAHH) and SQL Injection Attacks and Defense (SIAAD). Is there really a need for another Web security book like Web Security Testing Cookbook (WSTC)? The answer is an emphatic yes. While TWAHH and SIAAD include offensive and defensive material helpful for developers, those books are more or less aimed at assessment professionals. WSTC, on the other hand, is directed squarely at Web developers. In fact, WSTC is specifically written for those who incorporate unit testing into their software development lifecycle. I believe anyone developing Web applications would benefit from reading WSTC.

I am not a Web developer, but I really enjoyed reading WSTC. The book is not very long compared to TWAHH and WSTC, but it is very clear and well-written. The test or "recipe" format is easy to read quickly, and it makes for disciplined writing on the part of the authors. I really liked the use of all open tools, in contrast with Hacking Exposed: Web 2.0 (HEW2), a competing book. WSTC is well-organized, building on previous material in a coherent manner suitable for those with less experience in unit testing for Web apps.

I'd like to give special praise to chapter 4, Web-Oriented Data Encoding. As a Network Security Monitoring practitioner, I often encounter Web traffic encoded using the very methods described in chapter 4. This section helped me understand what I see, so I recommend it to those who aren't Web developers but who do need to understand Web traffic on the wire. I felt the same way about chapter 7, which explains the intricacies of using cURL.

I have no complaints regarding WSTC. I think it defines a powerful methodology for approaching Web security, and other authors might want to consider emulating its approach. Great work!
6 von 6 Kunden fanden die folgende Rezension hilfreich
5.0 von 5 Sternen Truly Usefull book 3. Januar 2010
Von Ron Gonzalez - Veröffentlicht auf
Format:Taschenbuch|Verifizierter Kauf
This is one of those few books on my bookshelf that I find myself returning to time and time again. My copy is marked, annotated, labeled, etc. so on and so forth. It is indispensable if you work in the industry and IMHO outshines the much larger tome "The Web Application Hackers Handbook". Of particular importance to Web Engineers is also Appendix E found in the book "Sockets, Shellcode, Porting & Coding".

Thanks again Paco, excellent book. Please let us know of the second edition as I will definitely pre-order without a doubt.
4 von 4 Kunden fanden die folgende Rezension hilfreich
3.0 von 5 Sternen not bad, but overrated 23. September 2011
Von B. St Pierre - Veröffentlicht auf
Format:Taschenbuch|Verifizierter Kauf
I bought this book on the strength of other reviews, and I'm a bit disappointed. It's useful, but not worthy of 5 stars.

The book is structured like the other "Cookbook" titles from O'Reilly. Each chapter has a series of "recipes" that describe a problem, present a solution, and have some discussion about the issue. It's unclear exactly who the target audience is.

Some of the recipes are very basic -- this is good if you've got very little experience working with tools like curl or wget, but not worth much if you've seen these and know how to read the man pages for these tools to find the flag you're looking for. Recipes like these lead me to believe that the audience for the book includes people who are very new to web technologies.

Other recipes are meaty enough -- there are several recipes that have page-long perl or bash scripts to automate (for example) the hunt for XSS vulnerabilities.

But then again, I can't see how a rookie web tester can possibly get through the book without a lot of head scratching. While vulnerabilities like cross-site scripting (XSS) and SQL injection are mentioned frequently, they are never defined, and their mechanism of operation is never clearly laid out. This leads me to believe that the target audience is people with at least an intermediate-level understanding of what these attacks mean, how they are performed, and what happens behind the scenes.

I was disappointed to see a couple of serious errors after only browsing through the recipes for an hour or so. For example, on page 90 the authors state that on Unix/Linux systems, filenames can contain slashes. This is incorrect: slashes are the only non-NUL character *not* allowed in a Linux filename. Verifying this fact only takes about two minutes of web searching.

Throughout the entire book, the authors conflate the "HTML source" with the "source code" of the web application. This is unnecessarily confusing. The "source code" would be the PHP, python, javascript, etc that the client and server sides of the application are coded in. The "HTML source" is simply the HTML that is displayed on particular pages. Examining the HTML source is useful for many things, as they show in various recipes. Examining the "source code" would be an even more productive means of finding flaws in the application, if this is available to you as a tester. (None of the recipes discuss examining the source code, beyond the idea that comments from the source code that leak into the HTML source may give useful hints about internal behavior of the application.)

Some recipes, like "5.8 Uploading Files with Malicious Names" are too shallow. They mention XSS and SQL injection, which are a concern. But they don't discuss directory traversal or code injection in any depth. There's a bear trap icon with a brief sidebar to hint at other possible problems, but this topic could have had another three or four recipes dedicated to it.

Some topics, like SQL Injection, are not sufficiently discussed. SQL injection, while an important web application security topic, is not covered directly by any particular recipe. It is mentioned in passing in a handful of other recipes, but it does not get the attention it deserves.

This *could* be a great book if they figured out the target audience a little better, got rid of the fluff recipes, got rid of some of the gratuitous (and useless) screen shots, and expanded the depth of coverage of some key topics. But it's not all bad -- it's relatively well structured, and I did learn a few new things. At $40 list price I'd pass, at the 40% or so discount on Amazon it's not a bad resource.

If you want to buy a better version of this book, see How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD. It's written with a similar formula, but is much better executed. (That text explains SQL injection in detail as well as how to perform SQL injection attacks, for example.)
1 von 1 Kunden fanden die folgende Rezension hilfreich
5.0 von 5 Sternen Unbelievably Usefull Book 14. Juni 2011
Von Chris Foran - Veröffentlicht auf
With web security being the most important test you can perform for web applications, the Web Security Testing Cookbook shows how to check for the most common web security issues as well as different types of testing such as unit, regression, and exploratory.

I read this book for my Software Testing & Quality Assurance class and it was very informative. Throughout the course it helped me to solve hacking threats against web applications and prepared me for real world experiences. This is a must-have for anyone interested in web security!
Waren diese Rezensionen hilfreich?   Wir wollen von Ihnen hören.

Kunden diskutieren

Das Forum zu diesem Produkt
Diskussion Antworten Jüngster Beitrag
Noch keine Diskussionen

Fragen stellen, Meinungen austauschen, Einblicke gewinnen
Neue Diskussion starten
Erster Beitrag:
Eingabe des Log-ins

Kundendiskussionen durchsuchen
Alle Amazon-Diskussionen durchsuchen

Ähnliche Artikel finden