Wednesday, May 26, 2010

Wednesday Book Review: How to Break Web Software

Through the years, I have come across a number of books that I have used and valued. These may be new books, or they may be older ones. Each Wednesday, I will review a book that I personally feel would be worthwhile to testers.


Whittaker’s Attacks have become a common phrase in testing parlance. Many testers know about them and many testers use them. I reviewed the first How to Break book a couple of weeks ago. How to Break Web Software, written by Mike Andrews and James Whittaker, is book number 3 (for full disclosure, I do not own nor have I yet read book #2, How to Break Software Security, but it’s on my list of books to read and soon :) ).

Web development is a different beast as compared to typical software development. Coding a web site and deploying it is much faster than the similar effort to create a Windows application that does many of the same things. Because of this, web development happens at a much more rapid pace. However, by its very nature, a web application is online all the time, which makes it a very tempting target for hackers and those who mean to harm and exploit the system. How can you find out what your server’s response is to various attacks? That’s right, perform them yourself!

How to Break Web Software is structured much in the same vein as the first “How to Break Software” book. It presents an interesting area under the guise of “planning an attack”, and it gives the reader a chance to become familiar with the necessary attack style, and tools where relevant. So what are the specific attacks? Here they are, in order:

Attack 1: Panning for Gold (open up the web page source code listing and scan the page. What you find may often astound you)
Attack 2: Guessing Files and Directories
Attack 3: Holes Left by other People: Vulnerabilities in Sample Applications
Attack 4: Bypass Restriction on Input Choices
Attack 5: Bypass Client Side Validation
Attack 6: Look for Hidden Fields
Attack 7: Look for CGI Parameters in the URL
Attack 8: Create Cookie Poisoning
Attack 9: Perform URL Jumping During Transactions
Attack 10: Perform Session Hijacking
Attack 11: Access Cross Site Scripting (XSS)
Attack 12: Enter SQL Injection
Attack 13: Perform Directory Traversal
Attack 14: Create Buffer Overflows
Attack 15: Use Character Canonicalization to Get Around The System
Attack 16: Create NULL-String Attacks
Attack 17: Inject Stored Procedures
Attack 18: Inject Commands
Attack 19: Fingerprint the Server
Attack 20: Perform Denial of Service Attacks
Attack 21: Break Less than Adequate, Roll-Your-Own Cryptography Schemes
Attack 22: Break Authentication
Attack 23: Perform Cross-Site Tracing
Attack 24: Break the SSL Cipher

The book also comes with a CD and various tools that allow the user to install and experiment with the attacks (if the book calls for a particular attack, the tool is included on the CD). There’s also a bit of additional material towards the back of the book that seems to be repetitive and not entirely relevant to the book. The techniques themselves provide a level of interest and will have the reader curious to see what the next potential exploit will be.

Bottom Line:

For those who are starting out in web testing and would like to have an effective arsenal of tests to perform, How to Break Web Software will certainly fill that role, and provide a bevy of tools to assist in the process. More experienced testers may find some nuggets of wisdom in here as well, though I think the greater value is towards novice testers starting out with understanding web environments and web testing.
