The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws Paperback – Oct 22 2007
"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you're interested in being able to audit applications for vulnerabilities."
—Robert Wesley McGrew, McGrew Security
From the Back Cover
Hack the planet
Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This innovative book shows you how they do it.
This is hands-on stuff. The authors, recognized experts in security testing, take a practical approach, showing you the detailed steps involved in finding and exploiting security flaws in web applications. You will learn to:
- Defeat an application's core defense mechanisms and gain unauthorized access, even to the most apparently secure applications
- Map attack surfaces and recognize potential entry points
- Break client-side controls implemented within HTML, Java®, ActiveX®, and Flash®
- Uncover subtle logic flaws that leave applications exposed
- Use automation to speed up your attacks, with devastating results
- Delve into source code and spot common vulnerabilities in languages like C#, Java, and PHP
Know your enemy
To defend an application, you must first know its weaknesses. If you design or maintain web applications, this book will arm you with the protective measures you need to prevent all of the attacks described. If you're a developer, it will show you exactly where and how to strengthen your defenses.
Additional resources online at www.wiley.com/go/webhacker
- Source code for scripts in this book
- Links to tools and resources
- Checklist of tasks involved in attacking applications
- Answers to the questions posed in each chapter
- A hacking challenge prepared by the authors
Top Customer Reviews
We are using it in our company as the guideline for securing an important Web application, and it has covered all the issues that the automated test tools from Rational reported.
I find the book very well written, and it explains concepts with clarity. I just could not stop reading it; it's a really interesting book!
This is especially important since the cookie path defaults to the current location without the trailing slash ([...])
I was able to reproduce this behavior on IE6, IE7, IE8, Safari 3 and even Netscape Communicator 4.79 :-)
However, with Firefox or Chrome, cookies set on path "/bank" cannot be accessed from resources located under "/banktest/".
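As an added illustration of the cookie-path point made in the review above (this code is not from the book or the reviewer), the following Python implements the RFC 6265 default-path rule (section 5.1.4) and its path-match rule next to the plain prefix match the review describes for older browsers. The URLs are constructed; only the path component is evaluated, so host, Secure and HttpOnly are out of scope.

```python
"""Cookie path scoping per RFC 6265, contrasted with naive prefix matching.

Added example, not from the book or the review. All sample URLs are constructed.
"""

from urllib.parse import urlsplit


def default_path(request_uri_path: str) -> str:
    """RFC 6265 section 5.1.4: default-path for a cookie set without a Path attribute.

    Result is the request path up to, but not including, the rightmost '/'.
    It is '/' if the path does not start with '/' or contains no other '/'.
    This is why a cookie set from /bank/login is scoped to '/bank' (no trailing slash).
    """
    if not request_uri_path.startswith("/"):
        return "/"
    idx = request_uri_path.rfind("/")
    if idx <= 0:
        return "/"
    return request_uri_path[:idx]


def rfc6265_path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match rule.

    A request-path matches a cookie-path if they are identical, or the cookie-path is a
    prefix of the request-path and either ends in '/' or the next character of the
    request-path is '/'. Hence '/banktest/...' does NOT match cookie-path '/bank'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def prefix_path_match(request_path: str, cookie_path: str) -> bool:
    """Legacy behaviour the review describes for older browsers: plain string prefix.

    Under this rule a cookie scoped to '/bank' is also sent to '/banktest/'.
    """
    return request_path.startswith(cookie_path)


def cookie_sent(set_from_url: str, request_url: str, strict: bool = True) -> bool:
    """Would a cookie set without an explicit Path from set_from_url accompany request_url?

    strict=True applies the RFC 6265 rule (modern browsers); strict=False applies the
    legacy prefix rule. Only the path component is compared (assumption of this example).
    """
    cookie_path = default_path(urlsplit(set_from_url).path)
    req_path = urlsplit(request_url).path or "/"
    matcher = rfc6265_path_match if strict else prefix_path_match
    return matcher(req_path, cookie_path)


if __name__ == "__main__":
    login = "https://example.test/bank/login"       # constructed
    sibling = "https://example.test/banktest/page"  # constructed
    for strict in (True, False):
        print("strict" if strict else "legacy", cookie_sent(login, sibling, strict))
```

The difference between the two matchers is the whole point of the review: a cookie whose default path is "/bank" leaks to "/banktest/" only under prefix matching. Setting an explicit Path with a trailing slash ("/bank/") removes the dependence on the browser's default-path computation altogether.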
Most Helpful Customer Reviews on Amazon.com (beta)
This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and SQL injections.
The authors are both professional penetration testers which gives them credibility over the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite.
I actually was able to log into my job's intranet website as administrator using some of the techniques I learned from this book. Then I went to my boss and showed him how, and then showed how we can prevent it. Short story short, they were impressed.
Still, if you're developing a web application, this book is worth at least skimming through. And if you're in charge of patching up a legacy system, this should be your bible.
[Update: Since I wrote this review, a second edition of this book has been released. I have yet to read it, but my guess is that the new edition is more relevant to non-legacy app developers.]
The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.
The next five chapters cover mapping application functionality, client-side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.
The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.
The next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe the attack methodology discussed throughout the book for exploiting each technology.
This book scores five easily based on the relevance and value of the information.