How to Break Web Software: Functional and Security Testing of Web Applications and Web Services. Book & CD

by Mike Andrews, James Whittaker

Rigorously test and improve the security of all your Web software! It’s as certain as death and taxes: hackers will mercilessly attack your Web sites, applications, and services. If you’re vulnerable, you’d better discover these attacks yourself, before the black hats do. Now, there’s a definitive, hands-on guide to security-testing any Web-based software: How to Break Web Software. In this book, two renowned experts address every category of Web software exploit: attacks on clients, servers, state, user inputs, and more. You’ll master powerful attack tools and techniques as you uncover dozens of crucial, widely exploited flaws in Web architecture and coding. The authors reveal where to look for potential threats and attack vectors, how to rigorously test for each of them, and how to mitigate the problems you find. Coverage includes · Client vulnerabilities, including attacks on client-side validation · State-based attacks: hidden fields, CGI parameters, cookie poisoning, URL jumping, and session hijacking · Attacks on user-supplied inputs: cross-site scripting, SQL injection, and directory traversal · Language- and technology-based attacks: buffer overflows, canonicalization, and NULL string attacks · Server attacks: SQL Injection with stored procedures, command injection, and server fingerprinting · Cryptography, privacy, and attacks on Web services Your Web software is mission-critical–it can’t be compromised. Whether you’re a developer, tester, QA specialist, or IT manager, this book will help you protect that software–systematically.

Genres: Computer Science, Programming, Web, Software, Nonfiction, Technical, Technology

240 pages, Paperback

First published February 2, 2006

Reviews

[Targe Movis · Rating 5 out of 5]

Functional testing is an area that I've been deeply involved in throughout my software development journey. As many of you would agree, it's a vital part of ensuring that our applications perform as they are intended to, checking each functionality against specified requirements.

Having done this hands-on, I can testify that it involves detailed, painstaking work. However, the payoff when you catch a potential problem early, before it gets to the users, is definitely worth it.

What's changed the game for me in recent years is automation. Functional test automation can accelerate the process while reducing the risk of human error. It can be a bit daunting to implement, but that's where considering 'test automation as a service' comes in handy.

In this context, I recently discovered Scimus's services (https://thescimus.com/automation-qa-t...), and their approach seems quite comprehensive. They offer a variety of QA testing services, including functional testing and test automation, which seems promising.

What are your experiences with functional testing? How has automation changed your testing processes? Looking forward to your insights!

[Scott Pearson · Rating 4 out of 5]

This almost 20-year-old book describes the then-most common weaknesses of Internet software. Although some of the referenced technologies are outdated, a majority of the principles are still relevant in 2025. SQL injection, cross-site scripting, and the need to sanitize input parameters remain hot issues in web security for developers. Other items bring eye rolls to developers who have been around the bush – Internet Explorer, to name one.

Although this book isn’t going to suddenly hop up the sales charts, it provides a nice set of history to someone who wants to better understand the history of the field. I certainly would have benefitted from reading it when it came out in 2006, but even now, after I’ve spent most of my career developing for the Internet, this book shows me where we’ve been – and perhaps, a bit of where we might go together.

[Ethan Harvey · Rating 3 out of 5]

As others have pointed out this book is dated but provides a good introduction to some of the common security issues prevalent in the software industry particularly with web applications. Still a good read in 2025 for anyone wanting to brush up their knowledge.

[John de Wit-Zondag · Rating 4 out of 5]

Very informative but a bit old.

[Sarah · Rating 3 out of 5]

A little dated but still useful

[Daniel Schulte · Rating 4 out of 5]

Overall a really great book on testing web software. It is simple enough that I was able to learn a lot from it (I have barely done any web programming), but thorough enough that I understand cross-site-scripting (XSS) better than I did from my college security course. I would recommend this book to developers and testers alike.

[Ben Klaasen · Rating 4 out of 5]

An excellent, practical introduction into the elements of security testing on Web applications. Introduces SQL Injection, cross-site scripting (xss) and recommends tools and techniques to turn you into a junior security analyst.

[Debra · Rating 5 out of 5]

This book comes with a cd that has some testing tools which are very hard to find these days. Highly recommended.

[Kevin Connery · Rating 4 out of 5]

Good, but nothing outstanding

[Eric Gragsone · Rating 3 out of 5]

Good overview for people new to web application security.