Tuesday, May 31, 2011

Review: How to Break Web Software by Andrews and Whittaker

I haven't had to travel much over the last couple of weeks, which has been good for me in that I get to work on my reading list a bit.  I picked up "How to Break Web Software" for a trip a little while ago, and never got to the book.  Not having to travel coupled with the long weekend gave me some time to read and digest this book.  Here are a couple of things that I really liked about this book:

  • I really liked the table of regular expressions that is included in chapter 2.  To me, this is great because after I have retrieved source code, I can script out exactly what I'm looking for, especially hidden fields.
  • I liked the fact that the CD contained some older software that is not easily found on the web.  While the functionality of some of these tools is rolled up into newer software, there are times that I want to perform just what these tools do, and nothing more.  HttpPrint is highly useful to me as there are plenty of times I get on site and the client either doesn't know what they have, or doesn't want me to know all that they have.  SSLDigger is great for letting the client know how strong their SSL is.
  • The book includes its own vulnerable web application where you can practice some of these attacks.
  • I liked the chapter on Web Services.  More and more, I'm running into web services, and while some of the more advanced tools cover the services, it is good to have a primer on the various technologies involved.
Overall, I enjoyed the book.  In my estimation, the material is basic, and gives a great jumping-off point for someone getting into testing/breaking web applications.  With the tools, a reader can dive into the material, practice, and really start to get a foundation for breaking web applications.
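As an added illustration of the "script out what I'm looking for" idea from the regex table in chapter 2 (example code written for this post, not taken from the book or its CD; the patterns and the sample page are my own), here is a small Python pass over retrieved HTML that pulls out hidden fields, HTML comments and form targets so you can review what a page is carrying:

```python
import re

# Constructed sample page (not from the book), used as offline input.
SAMPLE_HTML = """
<html><body>
<!-- TODO: remove debug flag before release -->
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="19.99">
  <input name="session" type="hidden" value="abc123">
  <input type="text" name="qty" value="1">
  <INPUT TYPE="HIDDEN" NAME="debug" VALUE="0">
</form>
</body></html>
"""

# Small pattern table; these are my own patterns, not the book's table.
PATTERNS = {
    "hidden_input": re.compile(r"<input\b[^>]*\btype\s*=\s*[\"']?hidden[\"']?[^>]*>", re.I),
    "html_comment": re.compile(r"<!--(.*?)-->", re.S),
    "form_action": re.compile(r"<form\b[^>]*\baction\s*=\s*[\"']([^\"']+)[\"']", re.I),
}
# Pulls name/value pairs out of one tag, whatever the attribute order or case.
ATTR = re.compile(r"\b(name|value)\s*=\s*[\"']?([^\"'\s>]*)[\"']?", re.I)


def hidden_fields(html):
    """Return [(name, value)] for every hidden <input> in the page."""
    out = []
    for tag in PATTERNS["hidden_input"].findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        out.append((attrs.get("name", ""), attrs.get("value", "")))
    return out


def audit(html):
    """Summarise what a reviewer of the page should look at: hidden state,
    leftover comments, and where each form posts to."""
    return {
        "hidden": hidden_fields(html),
        "comments": [c.strip() for c in PATTERNS["html_comment"].findall(html)],
        "actions": PATTERNS["form_action"].findall(html),
    }


if __name__ == "__main__":
    for key, items in audit(SAMPLE_HTML).items():
        print(key, items)
```

A price or session token surfacing in the "hidden" list is exactly the kind of client-side state that should be kept server-side or integrity-checked on submission.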
