Any good books on web penetration testing?
October 18, 2009 8:28 AM
I'm a web developer and consultant, and I often deal with web application security. Everything I know about penetration testing I've learned in a pretty ad hoc manner, and I think it's time to give myself a bit of a more formal background.
I'm familiar enough with the concepts (SQL injection, XSS, CSRF, etc.); I even teach classes on those subjects. I've got decent knowledge of crypto and digital security in general. I also have a few tools I sorta know how to use (Burp Suite being the main one). But I don't really have any good grasp on the "right" way to actually conduct a formal web penetration test -- I usually just flail around for a while trying different things until I "feel" satisfied. Doesn't really make for a very scientific process, I know.
So: any suggestions for books (or any other sort of learning material) on web penetration testing? I'd prefer something more on the advanced side of the spectrum; I'd rather be overwhelmed than bored.
Yeah, seconding OWASP. You might take a run through their WebGoat project as well.
posted by jquinby at 9:21 AM on October 18, 2009
Been working on my CEH cert for the last couple of months. Here are a few good resources. If you want to learn the hands-on stuff, I highly recommend you get familiar with Backtrack. Most of the folks I know use this. Also, this is a decent framework for how to conduct your assessment. Also, the CVE is a good reference for vulnerabilities.
posted by white_devil at 10:26 PM on October 18, 2009
posted by reptile at 8:46 AM on October 18, 2009
This thread is closed to new comments.