The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
B**M
An excellent thorough resource for web application security
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input validation, access control, session management, and authentication vulnerabilities using real-world examples and diagrams. There is an in-depth 100-page chapter on injecting code (e.g. SQL, OS, script injection) and a 95-page chapter on attacking other users (e.g. XSS, request forgery attacks). There is information about bypassing common sanitization techniques in cases where user input is sanitized. The book also covers how to write your own scripts to automate complex attacks. At the end of each section are the steps necessary to defend your application against the attacks that were described, with an emphasis on "defense-in-depth": an approach where one tries to prevent the compromise of the whole application even if one component of it is already compromised. This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and SQL injection. The authors are both professional penetration testers, which gives them credibility over the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite. I would recommend this book to anyone that has a basic knowledge of how the Web works (HTTP, JavaScript, cookies, HTML, and the basics of a programming language like PHP or Java), although you could learn these technologies as you are reading the book, which would take some more time.
N**K
One of the best out there
I bought this book over a year ago and never got around to reviewing it. I am really disappointed by the quality of many of the security books I have read since then, so I feel compelled to go back and review this to give the authors the credit they deserve. There seems to be a flourishing industry in rushing out woeful security books that make lofty claims and are little more than brief summaries of "what" tools are, with absolutely no "how", "why" or any signs of original thinking. Looking at the perfect 5 scores that many of these offenders receive, I am highly suspicious that authors/publishers are gaming the system and getting their mates to pile on positive reviews. (You will need to take the 5 I award this book with a large grain of salt and do your own research to form your own opinion.) Anyway, enough ranting about the state of the industry and on to this book. I have a large bookshelf of security books, many in pristine condition. This one is well worn and dog-eared as it gets a lot of use. It works equally well read from cover to cover and as a future reference. Read in sequence, it is logical and introduces concepts in layers that build understanding on various topics. The chapter breakdown is also very well thought through: attacking client-side controls, authentication schemes, session management, code injection etc. As a reference, it provides thorough coverage describing how a class of exploit works, ways of exploiting it and ways of defending it. The coverage on XSS is the best I have seen in any one reference (you can certainly find all of the info on the net, but this book will save you a lot of time). I just noticed that there is a v2 of this book. Assuming it is the same quality as the original, I would recommend that, as this is now a little dated. That said, I see many of the flaws covered in this book are still highly relevant today, but the tools have moved on a bit since then. If however you bought v1, you would not be disappointed.
T**M
Perfect for auditors, less useful for developers
I was hoping that this book would give me a clear conception of how to secure a new web application against potential attackers. It did, up to a point. Unfortunately, the book spends most of its time with the flaws in yesterday's technologies (e.g. older versions of ASP) that I would never touch for a new app. Still, if you're developing a web application, this book is worth at least skimming through. And if you're in charge of patching up a legacy system, this should be your bible. [Update: Since I wrote this review, a second edition of this book has been released. I have yet to read it, but my guess is that the new edition is more relevant to non-legacy app developers.]
W**E
Must reading if you write web pages
Skip this review and avoid this book if you use site building kits like WordPress, or if you don't care about your site getting hacked. Get the book if you are not keen on vulnerable cookie-cutter code and hacker-prone pages. The "take away" from this book is that a site author has to take a system-wide look at the site, particularly if there is an interaction between the visitor and the server. This book takes the position that anyone who uses server side includes (SSI) or client side scripts like JavaScript must be aware of the mechanisms by which the browser and server interact. The book looks at the spectrum of tools available to inspect, analyze and even alter the data flowing between the visitor's browser and the site's server. It doesn't take long to realize that if someone has the tools and wants to spend the time, practically any transaction between a browser and server is vulnerable. OK, if you've read this far you already appreciate the value of defensive programming to make software maintainable. What this book gives you is solid examples of what you have to look out for. There are the obvious blunders like stashing key variables in cookies where the hacker can diddle them. But there are subtleties like how an SSI error message can guide a hacker script to discover an ID or password. This is a "must read" book for someone who has a command of HTML, JavaScript, and one of the server side scripting languages like Perl, PHP, or ASP. The book forced me to even more critically rethink my programming habits.
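The "key variables in cookies" blunder that the review above mentions, shown as an added example alongside one common fix. This code is not from the book or from the reviewer; the cookie names (`role`, `session`), the function names and the `SECRET_KEY` value are assumptions made for illustration. The vulnerable handler believes whatever `role` the browser sends; the hardened handler only trusts a payload that carries a valid HMAC over it, so a client that edits the payload (or just sets `role=admin`) is rejected. Storing only an opaque session ID in the cookie and keeping the role server-side is the stronger design; signing is shown here because it is the minimal change to the cookie-stored-state pattern.

```python
"""Cookie tampering: trusting a client-supplied role vs. verifying an HMAC-signed cookie."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed server-side secret for this example; a real deployment loads a random
# key from a secret store and never hard-codes it.
SECRET_KEY = b"example-only-replace-with-random-32-bytes"


def parse_cookie_header(header: str) -> dict:
    """Minimal Cookie-header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


# --- Vulnerable pattern: authorization state lives in a plain cookie the client controls.
def is_admin_vulnerable(cookie_header: str) -> bool:
    """Anyone who sends 'role=admin' is an admin."""
    return parse_cookie_header(cookie_header).get("role") == "admin"


# --- Hardened pattern: the server signs the payload and refuses anything it did not sign.
def sign_cookie(payload: dict) -> str:
    """Serialize payload as base64url JSON and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(value: str) -> Optional[dict]:
    """Return the payload if the tag verifies, else None (malformed, tampered, or forged)."""
    try:
        body, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    padded = body + "=" * (-len(body) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, json.JSONDecodeError):
        return None


def is_admin_hardened(cookie_header: str) -> bool:
    """Only a validly signed session payload with role == 'admin' is an admin."""
    session = verify_cookie(parse_cookie_header(cookie_header).get("session", ""))
    return bool(session) and session.get("role") == "admin"


if __name__ == "__main__":
    # Constructed requests: an attacker simply sets the cookie to 'role=admin'.
    print("vulnerable:", is_admin_vulnerable("theme=dark; role=admin"))   # True
    print("hardened:  ", is_admin_hardened("theme=dark; role=admin"))     # False
    # A legitimately issued admin cookie still works.
    print("signed:    ", is_admin_hardened("session=" + sign_cookie({"user": "root", "role": "admin"})))
```

The signed form still has two caveats worth keeping in mind: the payload is only authenticated, not encrypted, so anything in it is readable by the client, and an old-but-valid cookie remains valid until it expires or the key is rotated, so include an expiry field or keep revocable state on the server.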