The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

This book offers tons of techniques and strategies for attacking and defending web applications. The beginning chapters discuss the major components of websites and their vulnerabilites.The middle of the book gets much more specific showing "Hack Steps" for different components like the client side, sessions, databases, and authentication.Sections about custom code development show how you can develop your own solution to probe a web app. There were code examples in different languages such as JavaScript, C++, Java, and ASP.NET. The authors highlight many kinds of tools you can use to learn more about a website, including a product they developed themselves called Burp Suite.For readers interested in the testing the techniques there is a website offered by the book but it costs $7 an hour to play around on the site. This fee is for keeping the website running apparently, but I thought it would make more sense to have a monthly fee. I did not subscribe to this site myself though because I was more interested in getting a broad overview of website security.The book is showing its 2011 publication date in some places. For example, IE and Firefox are said to be the dominant browsers while Chrome is a minor player. Additionally, Flash and Silverlight are spoken of as being components of many websites. One issue was I was not really sure where techniques might be outdated and others are still relevant.I would definitely be interested in a 3rd edition for this book. The authors presented a solid foundation for learning about website security.

There's a running joke we have on our assessment team about the Web Application Hackers Handbook. Every time we see a new technology, or have to deal with a one-off situation, we start doing research online only to find it was already referenced in WAHH somewhere. We've all read this book several times too, it's like Dafydd and Marcus sneak into our houses at night and add content...Joking aside though, there is no other reference for web hacking as thorough or complete as WAHH.With WAHH2 the authors added a significant amount content and rehashed existing chapters that were already deeply technical. The bonus in WAHH2 is its associated labs. Dafydd and Marcus have been giving a live WAHH training for years and have now moved the stellar CTF like challenges to the cloud. You can buy credits ($7 for 1hr) and move right along as you read the book (MDSec.net). When I say the labs are stellar, I mean it. The labs come almost straight from the class and start trivial and then get crazy. The injection labs were by far my favorite, housing 30-40 different injection types/variants each between XSS/SQLi. The CTF in the class (which i'll mention again is where the MDSec.com labs are based from) gets ridiculous toward the end. Even seasoned web testers fall around questions 14-16. But i digress...WAHH2 is now the defacto buy for any pentest/QA/Audit team. Its usage will surpass any other book on your bookshelf if you are doing practical testing.5 stars, i'd give it 10 if I could.

Reading this book up to around page 600 made me seriously question how anyone could give it less than 5 stars. The amount of knowledge it gave me for a mere $25 is absolutely astounding. I was eagerly waiting to finish it so I could come review it.Then I finished it, and I understood some of the criticisms. It starts to feel like it's repeating itself after a while, and the product placement for Burp start to become a bit more annoying.Still, the rest of the book is chock full of great, detailed information. If you're like me and had a basic understanding of how SQL injection worked, but wanted to get a deeper look, this book is perfect. If you chopped off the last 200 pages you would have a book that was STILL worth well over $25. It's hard for me to give it less than 5 stars when my major complaint is that it gives too much information.Bottom line: if you're a beginner or intermediate to web application security and you're wondering whether you should buy this, just do it. You won't be disappointed.

I can't even tell you how many times I find myself referencing this book. Despite what some have suggested you don't need to have Burp Suite or do any labs. It's so full of insightful knowledge that it can replace a whole reference library all by itself. It doesn't just show you "how-tos" but helps you THINK differently - better - methodical. One little example is how the authors present the idea of overcoming filtering deployed by a WAF or web server. "<script>" might get filtered but what would happen if you passed "<scr<script>ipt>"? Now run with it and get creative! Can't thank the authors enough for their contribution. This is right up there with Homer's Odyssey, Shakespeare's Romeo and Juliet and quite frankly, The Bible. Ok, maybe that's pushing it but you get the idea.

Don't let the age of this book fool you. While its not exactly a new book, the foundational principles of web security are in here. This book starts with the foundational principles of web technologies and then moves on to advanced attack methodologies like SQLi, XSS, CSRF and more complex business logic attacks. the book is well written, highly detailed,. and offers practical techniques. The only down side is that the links in the book no longer work.

All OK.

This book remains the authority in web application hacking. There is no other book out there to date that is as exhaustive as this book and covers absolutely everything you need to know to defend and exploit.