Pro Drupal Development, Second Edition
by John K. VanDyk
Web Security Testing Cookbook, 1st Edition
by Paco Hope; Ben Walther
Beautiful Security, 1st Edition
by Andy Oram; John Viega
Web Security, Privacy & Commerce, 2nd Edition
by Simson Garfinkel
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screenshots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.
The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.
The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.
Average Amazon.com® Rating: based on 15 ratings
Perfect for auditors, less useful for developers - 2009-03-09
I was hoping that this book would give me a clear conception of how to secure my web applications against potential attackers. It did, but only peripherally. Many of the book's pages are dedicated to hands-on examples of using tools to discover and exploit vulnerabilities. This also means that it's obsessed with the flaws in yesterday's technologies (e.g. older versions of ASP) that I would never touch for a new app.
Still, if you're developing a web application, this book is worth at least skimming through. And if you're in charge of patching up a legacy system, this should be your bible.
Serious candidate for Best Book Bejtlich Read 2009 - 2009-10-25
The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read even for those without Web development or assessment experience.
At 736 pages, TWAHH is the sort of book that one needs to read more than once in order to digest its contents. At every turn I perceived the authors to be experts and I trusted their advice. Their "Hack Steps" sections nicely summarize key points for operators. The authors integrate explanations of HTTP as a protocol into their text, without boring readers already familiar with the protocol. They also demonstrate their subject using code snippets for multiple languages and products.
While I considered almost all of the book to be equally helpful, I'd like to mention three specific chapters or sections. First, chapters 1-3 provided a great technical overview of the subject. Chapter 11, Attacking Application Logic, featured examples from the authors' consulting experience which really resonated with me. Finally, I liked the recognition of the importance of locally-written applications, called "bespoke" applications, in chapter 13.
I struggled to find much to complain about in TWAHH. My only concern appeared early in the book, when the authors talked about "all user input is untrusted." They really meant "all user input is untrustworthy," or they should have said "Web developers should consider all user input to be untrusted, but they often trust it." The difference between "untrusted" and "untrustworthy" is subtle, and I still understood the authors' point.
I strongly recommend TWAHH to anyone with a role in defending Web applications. The authors have set a very high standard with this book. Great work!
Most Important Internet Security Book Available!!! - 2009-07-02
Not for the faint of heart kiddie scriptors.
This book actually shows just how vulnerable the Web really is and that it in fact is sometimes futile to hope for real security.
With that said though it also shows you what to be on the lookout for and how to make things MORE secure than you already may be.
It's a lot to absorb for those of us who have had no formal training but it's imperative that if you are even considering a career in computer repair/security or anything to do with the IT field, you'd better have this book on hand in your library of tools.
It takes you from Web design flaws to HTML bypasses to failures in the design of Operating Systems, and that includes ALL OS's. Just because you're using a Mac, don't think that you're really any more secure than any other OS. It's a book that will take several weeks to months to get through, but you will be forever wiser for having invested the time in it.
An absolute must have!
Great reference - 2009-02-24
Great book. The beginning has some good explanation of how web apps are constructed. This section is a little tedious if you already know this material, but it is a good review nonetheless. The rest of the book is an explanation of web application exploits. I particularly like the review questions at the end of each chapter. Also, be sure to play with the tools cited in the book.
Good book - 2008-10-29
This was my first web application security book. I've been reading online blogs and websites about web security for a while, and I've been waiting for this book to come out because of the lack of web security books on the market. I am impressed with this book. It covers just about everything and shows the reader how hackers exploit web applications in a multitude of ways. This will definitely help me secure my own websites, and I'm already practicing a lot of what I've learned in this book for security at my company.
I actually was able to log into my job's intranet website as administrator using some of the techniques I learned from this book. Then I went to my boss and showed him how, and then showed how we can prevent it. Short story short, they were impressed.
Some information on this page was provided using data from Amazon.com®.