If you develop web applications, you can survive even without studying the HTTP protocol; after all, high-level platforms like ASP.Net and J2EE hide the lower-level details of the protocol from the developer. A knowledge of the underlying protocol is essential, however, if you want to test the security of your application. Paradoxically, Chris Shiflett’s “HTTP Developer’s Handbook” is an excellent place for security testers to learn the innards of the HTTP protocol.
A few weeks ago, we wrote in Palisade Blog about how we faced a shortage of good training material on HTTP for security testers. That’s when we were tipped off about Shiflett’s book, and we loved it.
Shiflett takes us on a tour of the HTTP protocol, explaining how the various headers and directives work together to maintain state, improve performance and provide security. A section on session management analyzes the various options available to maintain state — essential reading if you intend to dissect the state maintenance strategy of applications. The chapter on security looks beneath the hood of Basic and Digest authentication and shows the weaknesses in Basic authentication. There is also a chapter on other attacks on web applications, though the coverage is quite basic.
Where the book really sparkles is in the section on Improving Performance. Few books have looked at the HTTP protocol’s underlying mechanisms for controlling caching as closely as this one does. In lucid prose, Shiflett presents the various caching directives and their exact meaning. Experience shows us that many web applications manage caching directives insecurely. This is the book developers and testers need to read to understand caching and eliminate those security holes.
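To make the point about insecurely managed caching directives concrete, here is an added example (our own, not code from the book or from Palisade) that audits the caching headers of a response carrying sensitive content, such as an account page, and defines the header set such a response should carry instead. The weak and secure header values are constructed for illustration; the checks follow the directive meanings from RFC 7234 (no-store, public, max-age, s-maxage, Expires).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control header into {directive: argument}; argument is "" if absent."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def expires_in_future(value: str) -> bool:
    """True if an Expires header parses to a future date. Unparseable values
    (e.g. "0") count as already expired, which is how caches must treat them."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > datetime.now(timezone.utc)


def audit_sensitive_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that must never be cached.
    An empty list means the caching directives are acceptable."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []
    if "no-store" not in cc:
        findings.append("missing no-store: browser and proxy caches may persist the response")
    if "public" in cc:
        findings.append("public: shared caches may serve this response to other users")
    for directive in ("max-age", "s-maxage"):
        if directive in cc and cc[directive] != "0":
            findings.append(f"{directive}={cc[directive]}: response is marked fresh for reuse")
    if "expires" in h and expires_in_future(h["expires"]):
        findings.append("Expires in the future: HTTP/1.0 caches will reuse the response")
    return findings


# Header set for sensitive responses: no-store is the directive that matters;
# Pragma and Expires cover legacy HTTP/1.0 caches that ignore Cache-Control.
SECURE_HEADERS = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}

# Constructed example of a weak header set, of the kind often seen on account pages.
WEAK_HEADERS = {
    "Cache-Control": "public, max-age=3600",
    "Expires": "Thu, 01 Jan 2099 00:00:00 GMT",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("secure", SECURE_HEADERS)):
        print(label, audit_sensitive_response(hdrs) or ["ok"])
```

Run the script as-is to see the weak set produce four findings and the secure set none; in practice you would feed it the headers captured from your own application's responses to pages that display personal or authenticated data.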