REVIEW: "Web Security Testing Cookbook", Paco Hope/Ben Walther

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

BKWBSTCB.RVW   20090123

"Web Security Testing Cookbook", Paco Hope/Ben Walther, 2009,
978-0-596-51483-9, U$39.99/C$39.99
%A   Paco Hope
%A   Ben Walther
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2009
%G   978-0-596-51483-9 0-596-51483-2
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$39.99 800-998-9938 707-829-0515
%O  ( product link shortened)
  ( product link shortened)
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   285 p.
%T   "Web Security Testing Cookbook"

The preface states that the book is about how to test Web
applications, particularly with regard to security, and is intended
for developers rather than security professionals.

Chapter one, however, provides more of an introduction, starting with
the statement that security testing involves "hostile and malicious"
input.  This limits the scope of the work considerably, but it does
explain questionable assertions, such as that SSL (Secure Sockets
Layer) and cryptography hasn't much impact on testing.  The material
is restricted to deliberate attacks, and doesn't deal with issues of
error, noise, performance, or availability.  While there is some
discussion of choice of inputs, I doubt that the advice would uncover
issues such as the "1000th login" vulnerability that was seen many
years ago in Novell Netware, and more recently in SSH (Secure Shell).

Chapter two lists Web utility software related to, or providing
information for, testing, but is confined to URLs (Uniform Resource
Locator addresses) and circumscribed descriptions.  Limited examples
of using those applications for viewing transactions is given in
chapter three.  Data encoding, covered in chapter four, starts out
well with good explanations, but then devolves into another tools
list.  Chapter five looks at various ways to manipulate input.  Some
examples of using a few utilities for bulk downloading, scanning, and
input fuzzing are mentioned in chapter six.

The cURL scripting tool is discussed in chapter seven, along with its
various functions.  Similarly, LibWWWPerl is dealt with in chapter

Chapter nine notes some simple design flaws.  A number of the previous
tools are used to examine AJAX (Asynchronous JavaScript and XML)
applications, in chapter ten.  Chapter eleven repeats earlier content
in regard to session manipulation.  A variety of attacks are described
in chapter twelve.

This is not a cookbook for Web security testing, but a very basic
introduction to some tools and concepts related to testing Web
applications for vulnerability to common attacks.

copyright Robert M. Slade, 2009    BKWBSTCB.RVW   20090123

"Dictionary of Information Security," Syngress               1597491152 /
============= for back issues:
[Base URL] site /
CISSP refs:     [Base URL]mnbksccd.htm
Book reviews:   [Base URL]mnbk.htm
Review mailing list: send mail to

Site Timeline