If your company has a web site, there are many people waiting to attack it and break into it.

In How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, authors Mike Andrews and James Whittaker detail the myriad Web software exploits that attackers will attempt to carry out. The tools and techniques that can be used to fight against them are also detailed.

The book also includes a companion CD that contains all of the source code referenced in the book in addition to a number of testing tools. The authors include software code from an insecure Web site, which helps the reader get a real-world feel for the topics involved.

The authors conclude with a look at the last 50 years of software defects, showing that developers are not learning from the mistakes.

The authors are of the opinion that software quality is no better today than it was decades ago. And in some cases, it is worse.

The book helps drive home the importance of having developers think about writing secure code and testing it for flaws. It is a recommended read for IT professionals.

I was disappointed in this book. The actual content was pretty thin, and not very well written. Chapter 1 is a complete waste of time, and actually spends pages explaining what client/server means, what the Web is, and other things that are patently obvious to the supposed audience for this material. I found myself turning to the front to see if this book was written in 1997! You then get nine fairly short chapters with instructions on how to hack a website, more or less; followed by 50 pages of useless padding in the appendices including: an unrelated article co-authored by Whittaker for the IEEE, a detailed list of all the bugs present in their "sample application," and then descriptions of their recommended tools, all of which can easily be found on the Web without paying $22 for this book.

As another reviewer mentioned, there are many typos and other problems like incorrect illustrations, making the reader wonder if Addison-Wesley even employs a copy editor. Furthermore, I felt this book was inaccurately named and described. It's really more about rudimentary hacking and protecting your web application against hackers than web quality or web testing. A beginning web developer might do well to read this as a primer on how to create sites and applications with basic security, but as an experienced tester it was of limited use to me.

I've been programming for over 10 years and thought that I had encountered it all. Uh ya, I was wrong. I'm amazed that a person can work with something for so long and yet still miss simple things like URL jumping. This is a great 32,000 foot view of web security (not a how to hack book) and covers what you should know if you are a web developer. Even if you alredy "know it all" this is a great read and excellent reference for creating check lists on projects and threats they may be succeptable to.

It was a good experience to purchase from Amazon and getting them delivered in India at my door-step. Order reached me ontime and is in good condition.

Thanks,
Samta

I recently finished reading How to Break Web Software: Functional and Security Testing of Web Applications and Web Services by Mike Andrews and James A. Whittaker. I, like many of you, develop web software for a living. I've always taken security seriously and occasionally sneered when I ran across examples of common mistakes. Having said that, this book was an eye opener for me.

The book covers common exploits such as bypassing input validation, SQL injection, and denial of service. There were also several types of attacks I hadn't really considered before. I won't list them here because someone would undoubtedly say, "I can't believe he didn't know about that one!" The authors cover 24 different types of attacks in all. The book also includes coverage of web privacy issues and security related to web services.

Finally, as icing on the cake, a CD is included that contains many tools that will find permanent spots in your arsenal. There are tools to do things like scan web servers for common exploits, mirror sites for local analysis, and check SSL cipher strengths. My favorites are the local proxies that will allow you to view and modify posts as they travel from the client and the server. I always knew I could do this, but didn't know how easy it is. The CD also contains the source code of an example site that includes many flaws for you to practice.

This book is written for software professionals to help them put the hackers out of business. So, it necessarily includes hacker techniques. If you develop or test web software, you should read this book before the hackers do. :-)