Any good books on web penetration testing?
October 18, 2009 8:28 AM   Subscribe

Any good books on web penetration testing?

I'm a web developer and consultant, and I often deal with web application security. Everything I know about penetration testing I've learned in a pretty ad hoc manner, and I think it's time to give myself a bit of a more formal background.

I'm familier enough with the concepts (SQL injection, XSS, CSRF, etc.); I even teach classes on those subjects. I've got decent knowledge crypto and digital security in general. I also have a few tools I sorta know how to use (Burp Suite being the main one). But I don't really have any good grasp on the "right" way to actually conduct a formal web penetration test -- I usually just flail around for a while trying different things until I "feel" satisfied. Doesn't really make for a very scientific process, I know.

So: any suggestions for books (or any other sort of learning material) on web penetration testing? I'd prefer something more on the advanced side of the spectrum; I'd rather be overwhelmed than bored.
posted by jacobian to Computers & Internet (3 answers total) 5 users marked this as a favorite
Best answer: The OWASP testing guide is a good set of industry standards.
posted by reptile at 8:46 AM on October 18, 2009

Yeah, seconding OWASP. You might take a run through their WebGoat project as well.
posted by jquinby at 9:21 AM on October 18, 2009

Been working on my CEH cert for the last couple of months. Here's a few good resources. If you want to learn the hands on stuff I highly recommend your get familiar with Backtrack. Most of the folks I know use this. Also this is a decent framework for how to conduct your assessment. Also the CVE is a good reference for vulnerabilities.
posted by white_devil at 10:26 PM on October 18, 2009

« Older Apparently you CAN level up beyond the PhD bonus...   |   Is Johnson & Wales worth it? Newer »
This thread is closed to new comments.