Preface
Web applications are everywhere and in every industry. From retail to banking to human resources to gambling,
everything is on the Web. Everything from trivial personal blogs to mission-critical financial applications is built on
some kind of web application now. If we are going to successfully move applications to the Web and build new ones on
the Web, we must be able to test those applications effectively. Gone are the days when functional testing was
sufficient, however. Today, web applications face an omnipresent and ever-growing security threat from hackers,
insiders, criminals, and others.
This book is about how we test web applications, especially with an eye toward security. We are developers, testers,
architects, quality managers, and consultants who need to test web software. Regardless of what quality or
development methodology we follow, the addition of security to our test agenda requires a new way of approaching
testing. We also need specialized tools that facilitate security testing. Throughout the recipes in this book, we'll be
leveraging the homogeneous nature of web applications. Wherever we can, we will take advantage of things that we
know are uniformly true, or frequently true, about web applications. This commonality makes the recipes in this book
versatile and likely to work for you. Moreover, it means that you will develop versatile testing tools that are likely
capable of testing more than just one application.
P2.1. Who This Book Is For
This book is targeted at mainstream developers and testers, not security specialists. Anyone involved in the
development of web applications should find something of value in this book. Developers who are responsible for
writing unit tests for their components will appreciate the way that these tools can be precisely focused on a single
page, feature, or form. QA engineers who must test whole web applications will be especially interested in the
automation and development of test cases that can easily become parts of regression suites. The recipes in this book
predominantly leverage free tools, making them easy to adopt without submitting a purchase requisition or investing a
significant amount of money along with your effort.
The tools we have selected for this book and the tasks we have selected as our recipes are platform agnostic. This
means two very important things: they will run on your desktop computer no matter what that computer runs
(Windows, MacOS, Linux, etc.), and they will also work with your web application no matter what technology your
application is built with. They apply equally well to ASP, PHP, CGI, Java, and any other web technology. In some
cases, we will call out tasks that are specific to an environment, but generally that is a bonus, not the focus of a
recipe. Thus, the audience for this book can be any developer or tester on any web platform. You do not need special
tools (except the free ones we discuss in this book) or special circumstances to take advantage of these techniques.
P2.2. Leveraging Free Tools
There are many free testing tools that can be used to help a developer or a tester test the fundamental functions of
their application for security. Not only are these tools free, but they tend to be highly customizable and very flexible.
In security, perhaps more than in any other specialized discipline within QA, the best tools tend to be free. Even in the
network security field, where commercial tools now are mature and powerful, it was a long time before commercial
tools competed with readily available, free tools. Even now, no network assessor does his job strictly with commercial
tools. The free ones still serve niche roles really well.
In so many cases, however, free tools lack documentation. That's one of the gaps that this book fills: showing you
how to make good use of tools that you might have heard of that don't have good documentation on the how and why
of using them. We think mainstream developers and testers are missing out on the promise of free and readily
available tools because they do not know how to use them.
Another barrier to effectively testing web applications with free tools is a general lack of knowledge around how the
tools can be put together to perform good security tests. It's one thing to know that TamperData lets you bypass
client-side checks. It's another thing to develop a good cross-site scripting test using TamperData. We want to get you
beyond making good web application tests and into making good security test cases and getting reliable results from
those tests.
Finally, since many development and QA organizations do not have large tool and training budgets, the emphasis on
free tools means that you can try these recipes out without having to get a demo license for an expensive tool.