Review: How To Break Web Software
Source: Eric Lubow - Posted by Eric Lubow

Vitals:

Audience: Although this book may be geared more towards the developer, it is really a book for everyone. As I mentioned before, security is everyone's responsibility. The ideas, concepts, and procedures outlined in this book are things that even the average user should be able to pick up on, and then alert the webmaster to, in order to prevent potential disaster. It is necessary to keep in mind that this book, although seemingly full of information on how to attack web sites and bring down servers, is for informational and educational purposes. It is there to inform developers of common programming and design mistakes. It is also there to ensure that ordinary users with no malicious intent can spot problems in design and nip them in the bud before they become catastrophic.

Summary: The book begins by showing the reader, very basically and in no uncertain terms, the basic concepts that are going to be outlined throughout the book. The first idea is to get everyone on the same page about client-server relationships and general information about the world wide web. One of the most important aspects of an attack is knowing your victim. The first informational chapter in this book discusses gathering information on a potential target. Just as with all the chapters that follow, this one begins with the obvious information and progresses into the more obscure, less thought about topics. Once the information has been gathered, whether via source code, URLs, or any other method that potentially puts information out in the open, the attacks can begin. There are many ways in which these attacks can happen. The authors begin by discussing attacks on user (client) input and how that input needs to be validated or sanitized. They then move on to state-based attacks, either through CGI parameters or hidden fields within forms. These ideas are also extended to cookie poisoning, URL jumping, and session hijacking (which can also include man-in-the-middle attacks). Without all of this information being consistently checked and verified, it is possible for those with malicious intent to inject information into a session. Another set of attacks covered are language attacks. These can also occur as a result of poor or entirely absent input validation. These languages include CSS, XSS (Cross Site Scripting, for any number of languages), C, C++, and SQL, to name just a few. It should be noted that attacks via SQL involve attacking the server and require a little knowledge about databases, queries, and the way that databases function. Next, the authors discuss authentication and cryptography. They make it a point to prove to the reader that not just any cryptography will do and that only proven, tried-and-true methods are acceptable for public use. The book then goes on to discuss privacy issues. It covers identifying information such as referrer logs, agent logs, web bugs, clipboard access (via JavaScript), and cached pages. It finishes by discussing various types of web services (including XML, SOAP, WSDL, and UDDI) and the inherent problems that can surround the use of each one of them. The set of tools outlined at the end of the book to help in bug testing web software is an excellent compilation.

Opinion: Software testing and implementation theories have been around for a long time. There have also been numerous writings, journals, and theories published on how things should and shouldn't be done. Mike Andrews and James Whittaker do an excellent job of outlining the potential shortcomings of web programming. This is an excellent jumping-off point for anyone starting out on the security side of web design. To me, the most enjoyable part of the book is where the authors discuss the "Key Principals for Quality" over the fifty years of software design. I think they should have put that as part of the introduction to outline their point of view on testing as a necessary part of the design phase (which should be a more widely shared viewpoint). Other than that, I believe that this is an excellent all-around reference and should be read by those involved in all aspects of the world wide web.

Reviewed by: Eric Lubow