

This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications. The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results. The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hacking tools.
| Best Sellers Rank | #755,276 in Books; #321 in Computer Hacking; #380 in Privacy & Online Safety; #928 in Internet & Telecommunications |
| Customer Reviews | 4.5 out of 5 stars (62 reviews) |
B**M
An excellent thorough resource for web application security
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input validation, access control, session management, and authentication vulnerabilities using real-world examples and diagrams. There is an in-depth 100-page chapter on injecting code (e.g. SQL, OS, script, etc. injection) and a 95-page chapter on attacking other users (e.g. XSS, request forgery, etc. attacks). There is information about bypassing common sanitization techniques in cases where user input is sanitized. The book also covers how to write your own scripts to automate complex attacks. At the end of each section are the steps necessary to defend your application against the attacks that were described, with an emphasis on "defense-in-depth": an approach where one tries to prevent the compromise of the whole application even if one component of it is already compromised. This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and SQL injection. The authors are both professional penetration testers, which gives them credibility on the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite. I would recommend this book to anyone that has a basic knowledge of how the Web works (HTTP, JavaScript, cookies, HTML, and the basics of a programming language like PHP or Java), although you could learn these technologies as you are reading the book, which would take some more time.
N**K
One of the best out there
I bought this book over a year ago and never got around to reviewing it. I am really disappointed by the quality of many of the security books I have read since then, so feel compelled to go back and review this to give the authors the credit they deserve. There seems to be a flourishing industry in rushing out woeful security books that make lofty claims and are little more than brief summaries of "what" tools are with absolutely no "how", "why" or any signs of original thinking. Looking at the perfect 5 scores that many of these offenders receive, I am highly suspicious that authors/publishers are gaming the system and getting their mates to pile on positive reviews. (You will need to take the 5 I award this book with a large grain of salt and do your own research to form your own opinion). Anyway, enough ranting about the state of the industry and on to this book. I have a large bookshelf of security books - many in pristine condition. This one is well worn and dog-eared as it gets a lot of use. It works equally well read from cover to cover and as a future reference. Read in sequence, it is logical and introduces concepts in layers that build understanding on various topics. The chapter breakdown is also very well thought through - attacking client-side controls, authentication schemes, session management, code injection etc. As a reference, it provides thorough coverage describing how a class of exploit works, ways of exploiting it and ways of defending it. The coverage on XSS is the best I have seen in any one reference (you can certainly find all of the info on the net, but this book will save you a lot of time). I just noticed that there is a v2 of this book. Assuming it is the same quality as the original, I would recommend that as this is now a little dated. That said, I see many of the flaws covered in this book are still highly relevant today, but the tools have moved on a bit since then. If however you bought v1, you would not be disappointed.
T**M
Perfect for auditors, less useful for developers
I was hoping that this book would give me a clear conception of how to secure a new web application against potential attackers. It did, up to a point. Unfortunately, the book spends most of its time on the flaws in yesterday's technologies (e.g. older versions of ASP) that I would never touch for a new app. Still, if you're developing a web application, this book is worth at least skimming through. And if you're in charge of patching up a legacy system, this should be your bible. [Update: Since I wrote this review, a second edition of this book has been released. I have yet to read it, but my guess is that the new edition is more relevant to non-legacy app developers.]
W**E
Must reading if you write web pages
Skip this review and avoid this book if you use site-building kits like WordPress, or if you don't care about your site getting hacked. Get the book if you are not keen on vulnerable cookie-cutter code and hacker-prone pages. The "take-away" from this book is that a site author has to take a system-wide look at the site, particularly if there is an interaction between the visitor and the server. This book takes the position that anyone who uses server-side includes (SSI) or client-side scripts like JavaScript must be aware of the mechanisms by which the browser and server interact. The book looks at the spectrum of tools available to inspect, analyze and even alter the data flowing between the visitor's browser and the site's server. It doesn't take long to realize that if someone has the tools and wants to spend the time, practically any transaction between a browser and server is vulnerable. OK, if you've read this far you already appreciate the value of defensive programming to make software maintainable. What this book gives you is solid examples of what you have to look out for. There are the obvious blunders like stashing key variables in cookies where the hacker can diddle them. But there are subtleties like how an SSI error message can guide a hacker script to discover an ID or password. This is a "must read" book for someone who has a command of HTML, JavaScript, and one of the server-side scripting languages like Perl, PHP, or ASP. The book forced me to even more critically rethink my programming habits.
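The "key variables stashed in cookies" blunder the review above mentions is one of the client-side-trust flaws the book's early chapters cover. The following is an added illustration, not code from the book or from the reviewer: a toy request handler that reads the user's role straight from a `role` cookie, beside a hardened version that only honours a role value the server itself minted with an HMAC. The cookie parser, the `SERVER_KEY` name and the sample `Cookie:` header strings are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side secret for this example. In a real deployment it comes
# from a secret store or environment, never from a source file.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie(header: str) -> dict:
    """Minimal parser for a Cookie: header of the form 'a=1; b=2'."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_admin_vulnerable(cookie_header: str) -> bool:
    """The blunder: the role is taken from a client-controlled cookie.

    Anyone who edits their browser's cookie jar (or replays the request
    through an intercepting proxy) can set role=admin and be believed.
    """
    return parse_cookie(cookie_header).get("role") == "admin"


def make_signed_role(role: str) -> str:
    """Server-side: mint a cookie value as '<role>.<hex HMAC-SHA256 tag>'."""
    tag = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def verify_signed_role(value: str) -> Optional[str]:
    """Return the role only if its tag verifies under SERVER_KEY, else None.

    A constant-time comparison avoids leaking how many tag bytes matched.
    """
    role, sep, tag = value.rpartition(".")
    if not sep or not role:
        return None
    expected = hmac.new(SERVER_KEY, role.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return role


def is_admin_hardened(cookie_header: str) -> bool:
    """Hardened check: a tampered or self-minted role cookie is rejected."""
    value = parse_cookie(cookie_header).get("role", "")
    return verify_signed_role(value) == "admin"


if __name__ == "__main__":
    # Constructed sample headers: an attacker simply writes role=admin.
    forged = "session=abc123; role=admin"
    print("vulnerable handler accepts forged cookie:", is_admin_vulnerable(forged))
    print("hardened handler accepts forged cookie:", is_admin_hardened(forged))
    # Only a value the server minted passes the hardened check.
    genuine = "session=abc123; role=" + make_signed_role("admin")
    print("hardened handler accepts genuine cookie:", is_admin_hardened(genuine))
```

The signed cookie is the smallest change that makes tampering detectable, but it still carries authorisation state in the client and can be replayed until the key rotates. The stronger design, and the one the book's session-management chapter argues for, is to keep nothing but an opaque session identifier in the cookie and look the role up server-side on every request.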
E**N
Good book
This was my first web application security book. I've been reading online blogs and websites about web security for a while, and I've been waiting for this book to come out because of the lack of web security books on the market. I am impressed with this book. It covers just about everything and shows the reader how hackers exploit web applications in a multitude of ways. This will definitely help me secure my own websites, and I'm already practicing a lot of what I've learned in this book for security at my company. I actually was able to log into my job's intranet website as administrator using some of the techniques I learned from this book. Then I went to my boss and showed him how, and then showed how we can prevent it. Long story short, they were impressed.
A**R
Good for Web Applications
Like the intro says if you are looking for information on Networks or Computer Protection / Intrusion Prevention, it is best to go elsewhere.
K**N
The Web Application Hacker's Handbook....
Arrived quickly and in good condition. It is a used library book but is in fine condition. Slightly outdated, but parts are very useful in my basic studies and help me, hopefully, in strengthening my home network security. At the least it is good for learning more about network and TCP/IP Internet stuff. Interesting to find out what people know and do. Some of this information is probably illegal in some places, so use it for knowledge about what these kinds of people know and can do to hack into your networks. Strengthening your websites would most likely be the biggest benefit from reading this book. It's so technical that I may never finish it.
W**L
Very good intro and reference
I have to admit that I did not finish reading the entire book, but so far it's been a good read. The writing style isn't dry and the authors don't just "throw" the knowledge at you. They are quite descriptive and provide a great intro to WebApp vulnerabilities. I highly encourage that anyone who purchases this book make sure they also look into the OWASP site and get WebGoat or another vulnerable web app in order to get some hands-on experience while reading this book.
M**I
Bible of the Field
Nice book, although very theoretical. The practical exercises are relatively unguided and can therefore be difficult; moreover, they rely on the use of Burp Suite rather than other tools. The free version of Burp, however, is limited in functionality.
R**S
A must have book for web app security testers
I don't think there is another book that comes close to the Web Application Hacker's Handbook at the moment. This book is well thought out and is both great to read from front to back on your first time through and then to use as a reference book later on. I have heard it referred to as the manual for Burp Suite Pro, but as Burp Suite Pro should be in every web pen tester's toolkit I don't think that is a bad thing. It does cover other tools too, but the most important part is that it helps you understand what goes wrong with web apps and how to discover and exploit their flaws; this is much more important for web application security testing than knowing how to click 'go' on an automated scanner. I am looking forward to receiving the second edition and trying out the labs. It is not often in day-to-day pentesting that you get to practice all the techniques discussed in the book, so the labs are a welcome addition.
F**T
A Must Have
Dafydd Stuttard is none other than the author of Burp Suite, the essential tool for auditing websites. In this book Dafydd lists, in a very accessible way, a very large number of points to check during a web audit. I learned a lot, notably about session management, which I did not know was so complex. No need to buy other books that only scratch the surface; this book is the most complete there is on the subject. Note that there is a second edition of this book...
S**O
Probably the best book for webapp pentesting
I think it doesn't have a very good chapter about SQLi (teaching sqlmap, for example), but it covers almost everything you will need to test on a web app. It's somewhat focused on Burp Suite, a piece of software made (I believe) by the authors of the book. But that shouldn't be a problem, because it's the software you are probably going to use, as it is the least expensive and most stable software of its kind.
O**O
A hefty book to devour
A very good book that sums up well all the risks of web applications, especially in terms of security. Chapter after chapter, the authors present the concepts, simple examples, applications of those examples and recommendations. Although you need a good background to tackle this book, the chapters are independent, so it is possible to focus on only certain parts. The book ends with a "process description", a methodology for finding flaws in an application. It also recommends a few interesting tools. On the other hand, the tests announced on the back cover (hacking challenge) were not available at my last attempts. Overall a very good purchase.