Impressions of “How to Break Web Software” by Mike Andrews and James A. Whittaker

Everyday testing for me involves Web Software; to be precise, I mainly test a Web Service. At work we have a company bookshelf, and it was no surprise to encounter “How to Break Web Software: Functional and Security Testing of Web Applications and Web Services” by Mike Andrews and James A. Whittaker there. As it was the only testing-related book on the shelf at that point, I decided to read it.

This book was written in 2006, so you can imagine that a lot has changed since! Web Software is bigger than ever. Even a regular website may use multiple web services. I did smirk at some of the terms, like Web Bugs (I had never heard this term before; in my environment it would always be called a tracker or a tracking pixel). Also, to be honest, some of the tools or examples, including IE6, made me cringe a little and felt a bit outdated, but…

“How to Break Web Software” gives a very good foundation for Security Testing Web Software. I haven’t had much experience with Security Testing, except for one of the days in the 30 Days of Testing, where I got to play around with Gruyere.

SQL injection, cross-site scripting, session hijacking and cookie poisoning (web cookies, not the ones you brought to work for your colleagues as advised in “Explore It”) are just a few of the attacks in this book. The attacks have a very clear structure: when to apply each one, how to conduct it and how to protect against it.
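To show what that three-part structure looks like for the first attack on the list, here is an added example (my own, not code from the book): a login query built by string concatenation next to the parameterised version, both run against a constructed in-memory SQLite table. The table, the user names and the payload are made up for the demo.

```python
import sqlite3

# Constructed sample database (not from the book): two users, plaintext passwords
# only to keep the demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    # "When to apply it": any place user input is pasted into the SQL text.
    # Attacker-controlled characters become part of the statement itself.
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, name, password):
    # "How to protect from it": parameterised query. The driver sends the
    # values separately from the statement, so quotes in the input stay data.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

def demo():
    conn = make_db()
    # "How to conduct it": a password that closes the quote and adds an
    # always-true condition. AND binds tighter than OR, so the vulnerable
    # WHERE clause becomes (name='alice' AND password='') OR '1'='1'.
    payload = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "alice", payload),  # every user
        "safe": login_safe(conn, "alice", payload),              # no match
        "safe_valid": login_safe(conn, "alice", "s3cret"),       # real login
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it prints every user name for the vulnerable function and an empty list for the parameterised one with the same payload, which is exactly the before-and-after a tester wants to see when reporting the finding.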

Not only does the book describe attacks clearly, but it also explains the way Web Software works and introduces its terms and technologies. I realized that the last chapter, called Web Services, would have been a gold mine for me from the first day I started working here. It describes technologies I have to work with daily.

“How to Break Web Software” gave me a better understanding of Web Software and even of how to be safer on the Web by applying some tips mentioned in the book. The attack descriptions were a great way to learn about testing techniques I had heard about before, but the best way to learn them is to apply them practically.