Home > Software Quality Tips > Application Security Book Excerpts > How to Break Web Software: Functional and Security Testing of Web Applications and Web Services -- Chapter 4: State-Based Attacks
Software Quality Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

APPLICATION SECURITY BOOK EXCERPTS

How to Break Web Software: Functional and Security Testing of Web Applications and Web Services -- Chapter 4: State-Based Attacks


Mike Andrews and James A. Whittaker
02.02.2006
Rating: -5.00- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



How to Break Web Software: Functional and Security Testing of Web Applications and Web Services
By Andrews, Mike/ Whittaker, James A.
Published by AWP
Series: None
ISBN: 0321369440; Published: 2/10/2006; Copyright 2006; Pages: 240; Edition: 1

Click here for more information or to buy the book

As a registered member of SearchSoftwareQuality.com, you're entitled to a complimentary copy of Chapter 4 of How to Break Web Software: Functional and Security Testing of Web Applications and Web Services written by Mike Andrews and James A. Whittaker and published by Addison Wesley Professional.

"State-Based Attacks" describes attacks that could affect your Web application and helps you determine if your Web application handles state information properly.


Book description:

 In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You'll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding.

The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes the following:

  • Client vulnerabilities, including attacks on client-side validation

  • State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking

  • Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal

  • Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks

  • Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting

  • Cryptography, privacy, and attacks on Web services

Your Web software is mission-critical -- it can't be compromised. Whether you're a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Companion CD contains full source code for one testing tool you can modify and extend, free Web security testing tools, and complete code from a flawed Web site designed to give you hands-on practice in identifying security holes.

>> Read Chapter 4: State-Based Attacks now.

>> Buy the book

Rate this Tip
To rate tips, you must be a member of SearchSoftwareQuality.com.
Register now to start rating these tips. Log in if you are already a member.




Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Application Security Book Excerpts
Software Security Engineering: A Guide for Project Managers -- Chapter 3, Requirements Engineering for Secure Software
InfoSecurity 2008 Threat Analysis, Chapter 4: XSS Theory
Google Hacking for Penetration Testers, Volume 2: Chapter 6, Locating Exploits and Finding Targets
Ajax Security -- Chapter 6, Transparency in Ajax Applications
Fuzzing: Brute Force Vulnerability Discovery -- Chapter 12, Fuzzing Frameworks
Cross Site Scripting Attacks: XSS Exploits and Defense -- Chapter 5, Advanced XSS Attack Vectors
Static Analysis as Part of the Code Review Process -- Chapter 3, Secure Programming with Static Analysis
Security Metrics: Replacing Fear, Uncertainty, and Doubt -- Chapter 3, Application Security Metrics
Forms Authentication -- Chapter 5, Professional ASP.NET 2.0 Security, Membership, and Role Management
Securing JavaServer Faces Applications -- Chapter 15, JavaServer Faces: The Complete Reference

Hiring, mentoring and training for software projects
Application security careers have bright future
Trust on a global scale
Project managers cannot rely on generalizations
Readers speak out about U.S. IT labor shortage
Is there really an IT labor shortage in the U.S.?
How to deal with a difficult team member
The six hats of project management
Project management tools and strategies: Team building and managing basics
Time for colleges, managers to focus on software testing
What kind of person makes a good automated tester?

Threat modeling
Web application security and the PCI DSS
The essentials of Web application threat modeling
How to implement security in Java EE and Java ME
Application security shouldn't involve duct tape, Band-Aids or bubble gum
Stop SQL injection attacks on applications
How to counter XSS attacks
Breaking the same origin barrier of JavaScript
Protection against "zero-minute" exploits
Denial of service and Ajax
CSRF attack vector with Ajax serialization

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
Project Management Professional (PMP)  (SearchSoftwareQuality.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts