BKWBSTCB.RVW 20090123 "Web Security Testing Cookbook", Paco Hope/Ben Walther, 2009, 978-0-596-51483-9, U$39.99/C$39.99 %A Paco Hope %A Ben Walther root@benwalther.net http://blog.benwalther.net %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2009 %G 978-0-596-51483-9 0-596-51483-2 %I O'Reilly & Associates, Inc. %O U$39.99/C$39.99 800-998-9938 707-829-0515 nuts@ora.com %O http://www.amazon.com/exec/obidos/ASIN/0596514832/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596514832/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596514832/robsladesin03-20 %O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation) %P 285 p. %T "Web Security Testing Cookbook" The preface states that the book is about how to test Web applications, particularly with regard to security, and is intended for developers rather than security professionals. Chapter one, however, provides more of an introduction, starting with the statement that security testing involves "hostile and malicious" input. This limits the scope of the work considerably, but it does explain questionable assertions, such as that SSL (Secure Sockets Layer) and cryptography hasn't much impact on testing. The material is restricted to deliberate attacks, and doesn't deal with issues of error, noise, performance, or availability. While there is some discussion of choice of inputs, I doubt that the advice would uncover issues such as the "1000th login" vulnerability that was seen many years ago in Novell Netware, and more recently in SSH (Secure Shell). Chapter two lists Web utility software related to, or providing information for, testing, but is confined to URLs (Uniform Resource Locator addresses) and circumscribed descriptions. Limited examples of using those applications for viewing transactions is given in chapter three. Data encoding, covered in chapter four, starts out well with good explanations, but then devolves into another tools list. Chapter five looks at various ways to manipulate input. Some examples of using a few utilities for bulk downloading, scanning, and input fuzzing are mentioned in chapter six. The cURL scripting tool is discussed in chapter seven, along with its various functions. Similarly, LibWWWPerl is dealt with in chapter eight. Chapter nine notes some simple design flaws. A number of the previous tools are used to examine AJAX (Asynchronous JavaScript and XML) applications, in chapter ten. Chapter eleven repeats earlier content in regard to session manipulation. A variety of attacks are described in chapter twelve. This is not a cookbook for Web security testing, but a very basic introduction to some tools and concepts related to testing Web applications for vulnerability to common attacks. copyright Robert M. Slade, 2009 BKWBSTCB.RVW 20090123