Among the tests you perform on web applications, security testing is perhaps the most important, yet it's often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic, which makes them well suited for integrating into your regular test suite.
Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you'll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you:
Obtain, install, and configure useful (and free) security testing tools
Understand how your application communicates with users, so you can better simulate attacks in your tests
Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields
Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated tests
Don't live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book's examples, you can incorporate security coverage into your test suite, and sleep in peace.
Chapter 1 Introduction
What Is Security Testing?
What Are Web Applications?
Web Application Fundamentals
Web App Security Testing
It’s About the How
Chapter 2 Installing Some Free Tools
Installing Firefox
Installing Firefox Extensions
Installing Firebug
Installing OWASP’s WebScarab
Installing Perl and Packages on Windows
Installing Perl and Using CPAN on Linux, Unix, or OS X
Installing CAL9000
Installing the ViewState Decoder
Installing cURL
Installing Pornzilla
Installing Cygwin
Installing Nikto 2
Installing Burp Suite
Installing Apache HTTP Server
Chapter 3 Basic Observation
Viewing a Page’s HTML Source
Viewing the Source, Advanced
Observing Live Request Headers with Firebug
Observing Live Post Data with WebScarab
Seeing Hidden Form Fields
Observing Live Response Headers with TamperData
Highlighting JavaScript and Comments
Detecting JavaScript Events
Modifying Specific Element Attributes
Track Element Attributes Dynamically
Conclusion
Chapter 4 Web-Oriented Data Encoding
Recognizing Binary Data Representations
Working with Base 64
Converting Base-36 Numbers in a Web Page
Working with Base 36 in Perl
Working with URL-Encoded Data
Working with HTML Entity Data
Calculating Hashes
Recognizing Time Formats
Encoding Time Values Programmatically
Decoding ASP.NET’s ViewState
Decoding Multiple Encodings
Chapter 5 Tampering with Input
Intercepting and Modifying POST Requests
Bypassing Input Limits
Tampering with the URL
Automating URL Tampering
Testing URL-Length Handling
Editing Cookies
Falsifying Browser Header Information
Uploading Files with Malicious Names
Uploading Large Files
Uploading Malicious XML Entity Files
Uploading Malicious XML Structure
Uploading Malicious ZIP Files
Uploading Sample Virus Files
Bypassing User-Interface Restrictions
Chapter 6 Automated Bulk Scanning
Spidering a Website with WebScarab
Turning Spider Results into an Inventory
Reducing the URLs to Test
Using a Spreadsheet to Pare Down the List
Mirroring a Website with LWP
Mirroring a Website with wget
Mirroring a Specific Inventory with wget
Scanning a Website with Nikto
Interpreting Nikto’s Results
Scan an HTTPS Site with Nikto
Using Nikto with Authentication
Start Nikto at a Specific Starting Point
Using a Specific Session Cookie with Nikto
Testing Web Services with WSFuzzer
Interpreting WSFuzzer’s Results
Chapter 7 Automating Specific Tasks with cURL
Fetching a Page with cURL
Fetching Many Variations on a URL
Following Redirects Automatically
Checking for Cross-Site Scripting with cURL
Checking for Directory Traversal with cURL
Impersonating a Specific Kind of Web Browser or Device
Interactively Impersonating Another Device
Imitating a Search Engine with cURL
Faking Workflow by Forging Referer Headers
Fetching Only the HTTP Headers
POSTing with cURL
Maintaining Session State
Manipulating Cookies
Uploading a File with cURL
Building a Multistage Test Case
Conclusion
Chapter 8 Automating with LibWWWPerl
Writing a Basic Perl Script to Fetch a Page
Programmatically Changing Parameters
Simulating Form Input with POST
Capturing and Storing Cookies
Checking Session Expiration
Testing Session Fixation
Sending Malicious Cookie Values
Uploading Malicious File Contents
Uploading Files with Malicious Names
Uploading Viruses to Applications
Parsing for a Received Value with Perl
Editing a Page Programmatically
Using Threading for Performance
Chapter 9 Seeking Design Flaws
Bypassing Required Navigation
Attempting Privileged Operations
Abusing Password Recovery
Abusing Predictable Identifiers
Predicting Credentials
Finding Random Numbers in Your Application
Testing Random Numbers
Abusing Repeatability
Abusing High-Load Actions
Abusing Restrictive Functionality
Abusing Race Conditions
Chapter 10 Attacking AJAX
Observing Live AJAX Requests
Identifying JavaScript in Applications
Tracing AJAX Activity Back to Its Source
Intercepting and Modifying AJAX Requests
Intercepting and Modifying Server Responses
Subverting AJAX with Injected Data
Subverting AJAX with Injected XML
Subverting AJAX with Injected JSON
Disrupting Client State
Checking for Cross-Domain Access
Reading Private Data via JSON Hijacking
Chapter 11 Manipulating Sessions
Finding Session Identifiers in Cookies
Finding Session Identifiers in Requests
Finding Authorization Headers
Analyzing Session ID Expiration
Analyzing Session Identifiers with Burp
Analyzing Session Randomness with WebScarab
Changing Sessions to Evade Restrictions
Impersonating Another User
Fixing Sessions
Testing for Cross-Site Request Forgery
Chapter 12 Multifaceted Tests
Stealing Cookies Using XSS
Creating Overlays Using XSS
Making HTTP Requests Using XSS
Attempting DOM-Based XSS Interactively
Bypassing Field Length Restrictions (XSS)
Attempting Cross-Site Tracing Interactively
Modifying Host Headers
Brute-Force Guessing Usernames and Passwords
Attempting PHP Include File Injection Interactively
Creating Decompression Bombs
Attempting Command Injection Interactively
Attempting Command Injection Systematically
Attempting XPath Injection Interactively
Attempting Server-Side Includes (SSI) Injection Interactively
Attempting Server-Side Includes (SSI) Injection Systematically
Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O'Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security requirements, web application security, and embedded system security. At Cigital, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communications industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.
Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests, and so he understands the need for simple recipes in the hectic QA world. Yet he has also given talks on web application testing tools to members of the Open Web Application Security Project (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.
Comments about O'Reilly Media Web Security Testing Cookbook:
As to practical, real-world web testing, this is the best so far.
This book is one of the first I have seen that combines three aspects of web testing to make it practical for real-world use.
1) Comprehensiveness
The book covers several types of web testing that hit all the high points.
Tools to use
Initial page analysis (source, input fields, etc.)
Encodings
Modification of input
Automated scanning and pen testing
AJAX
Sessions
2) Repeatable
The methods used are repeatable. A pen tester can utilize the steps and the order to build up a practical testing methodology that can be used on many different web applications.
3) Automatable
The authors have many scripts included in the text that testers can use immediately to help automate the testing. The scripts are written in Perl and other common scripting languages that are all free of charge. The scripts all appear to be relatively easy to modify to suit various needs.
The material is presented in an easy-to-read format. The authors keep it simple and to the point. That being said, they do assume the reader knows basic concepts of how web applications and browsers work, but non-techies should have no trouble following the examples.
That being said, the book is relatively short (~250+ pages). The material is covered well without wasting pages on filler, yet it still highlights the key areas of web apps that need to be checked.