The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws Paperback – Oct 22 2007

4.7 out of 5 stars 3 customer reviews


Product Details

  • Paperback: 768 pages
  • Publisher: Wiley; 1 edition (Oct. 22 2007)
  • Language: English
  • ISBN-10: 0470170778
  • ISBN-13: 978-0470170779
  • Product Dimensions: 18.8 x 4.1 x 23.4 cm
  • Shipping Weight: 1.1 Kg

Product Description

"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you're interested in being able to audit applications for vulnerabilities."
Robert Wesley McGrew, McGrew Security

From the Back Cover

Hack the planet

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This innovative book shows you how they do it.

This is hands-on stuff. The authors, recognized experts in security testing, take a practical approach, showing you the detailed steps involved in finding and exploiting security flaws in web applications. You will learn to:

  • Defeat an application's core defense mechanisms and gain unauthorized access, even to the most apparently secure applications
  • Map attack surfaces and recognize potential entry points
  • Break client-side controls implemented within HTML, Java®, ActiveX®, and Flash®
  • Uncover subtle logic flaws that leave applications exposed
  • Use automation to speed up your attacks, with devastating results
  • Delve into source code and spot common vulnerabilities in languages like C#, Java, and PHP

Know your enemy

To defend an application, you must first know its weaknesses. If you design or maintain web applications, this book will arm you with the protective measures you need to prevent all of the attacks described. If you're a developer, it will show you exactly where and how to strengthen your defenses.

Additional resources online at

  • Source code for scripts in this book
  • Links to tools and resources
  • Checklist of tasks involved in attacking applications
  • Answers to the questions posed in each chapter
  • A hacking challenge prepared by the authors

Customer Reviews


Top Customer Reviews

Format: Paperback
Written for a hacker? Not really! The book succeeds at showing Web application vulnerabilities and how to effectively defend from the possible attacks these would allow.

We are using it in our company as the guideline for securing an important Web application, and it has covered all the issues that the automated test tools from Rational reported.

I find the book is very well written and explains concepts with clarity; I just could not stop reading it. It's a really interesting book!
Format: Paperback
This is a great resource for anyone looking for an introduction to web application security with no clue where to start. It begins with the background information you will need to work through many of the techniques that are introduced in the later chapters.
Format: Paperback
I found section 5.10.4 on page 696 most interesting.

This is especially important since the cookie path defaults to the current location without the trailing slash ([...])

I was able to reproduce this behavior on IE6, IE7, IE8, Safari 3 and even Netscape Communicator 4.79 :-)

However with Firefox or Chrome, cookies set on path "/bank" cannot be accessed from resources located under "/banktest/".
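The path-matching behaviour the review above describes, as an added example that is not part of the book or of the review: the RFC 6265 path-match rule (the one Firefox and Chrome apply) next to the plain string-prefix rule the older browsers used, which shows why a cookie scoped to "/bank" reaches "/banktest/" only under the latter, and why the Path attribute should never be relied on as a security boundary.

```python
# Added example (not from the book or the reviews): RFC 6265 cookie path
# matching versus the naive string-prefix match older browsers used.

def default_path(request_path: str) -> str:
    """Default cookie path per RFC 6265 section 5.1.4 when Set-Cookie carries no
    Path attribute: the request path up to, but not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rindex("/")]

def rfc6265_path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: the cookie path must be a prefix of the
    request path AND the match must end on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def legacy_prefix_match(cookie_path: str, request_path: str) -> bool:
    """The plain prefix rule the review reports for IE6-8 and Safari 3: any request
    path that merely starts with the cookie path receives the cookie."""
    return request_path.startswith(cookie_path)

def cookie_exposure(cookie_path: str, request_paths: list) -> dict:
    """Which of the given request paths receive the cookie under each rule."""
    return {
        "rfc6265": [p for p in request_paths if rfc6265_path_match(cookie_path, p)],
        "legacy": [p for p in request_paths if legacy_prefix_match(cookie_path, p)],
    }

if __name__ == "__main__":
    # Constructed sample: a cookie set by /bank/login without an explicit Path.
    path = default_path("/bank/login")          # -> "/bank" (no trailing slash)
    probes = ["/bank", "/bank/transfer", "/banktest/", "/other"]
    for rule, hits in cookie_exposure(path, probes).items():
        print(f"{rule:8s} cookie Path={path!r} sent to: {hits}")
```

Note that even under the RFC rule the path scope is not a security boundary, because the browser's same-origin policy does not isolate paths; the fix is to keep sensitive and untrusted content on separate origins.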

Most Helpful Customer Reviews on (beta): 4.8 out of 5 stars, 28 reviews
5.0 out of 5 stars Best text on subject Dec 4 2007
By Garot M. Conklin
Format: Paperback Verified Purchase
This is by far the best text I have ever come across on the topic of web application vulnerability exploits. Although this is a 10+ year-old topic, it is just now moving to the forefront of security professionals' minds everywhere. This book goes into extreme detail and theory on every facet of web application exploitation that I have or have not heard of in my experience. At times it was a bit beyond my understanding as I am not a professional coder, but it was still reasonably clear where the author was going. Hey, it's not his fault I am not at the same level, right? Which is why I am reading his book. If you are not familiar with the Burp suite of tools, and you should be if you are considering reading this book, the author is also the author of that application. So it is used or referenced in the book often. It is a GREAT tool set for this type of assessment. If you don't have it... get it... it is FREE and you will need something to follow along and try out the examples as they are presented, which is exactly how I recommend you read this book. There is so much presented that if you do not actually try out each scenario when it is presented in the text you will not remember it by the end of the chapter. The only thing that I would have liked to have seen was the use of a specific exploit from start to finish. If you read any of my other book reviews on similar topics, you will know that I say this in every review. No one does this. Why? I have no idea. It is painfully clear that the author can carry out these exploits, so why not show one from start to finish? From the initial thought process or feeling you get when you go to a site and just "know" something is not right. Someone needs to walk people through a real exploit, that is hopefully patched now, step by step. This is essential to the mass learning process. Not everyone can extract this information and "know-how" from all theory and vague examples. Even in this great book they missed the boat there.
I guess the problem is that it takes a great deal of time to really develop to the point of the author or any other similar professional, however security professionals need this information and know-how today, not next year, to really make an impact on this form of exploitation. Often many organizations do not have the resources or cannot justify the resources to put an expert(s) into this position, so they call upon an existing staff member to fill the role. That staff member needs to be up to speed now, immediately. This is just my opinion, but hey... what do I know right?
5.0 out of 5 stars An excellent thorough resource for web application security Jan. 20 2008
By Bruce M
Format: Paperback Verified Purchase
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input validation, access control, session management, and authentication vulnerabilities using real-world examples and diagrams. There is an in-depth 100-page chapter on injecting code (e.g. SQL, OS, script, etc. injection) and a 95-page chapter on attacking other users (e.g. XSS, request forgery, etc. attacks). There is information about bypassing common sanitization techniques in cases where user input is sanitized. The book also covers how to write your own scripts to automate complex attacks. At the end of each section are the steps necessary to defend your application against the attacks that were described, with an emphasis on "defense-in-depth": an approach where one tries to prevent the compromise of the whole application even if one component of it is already compromised.

This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and SQL injections.

The authors are both professional penetration testers which gives them credibility over the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite.

I would recommend this book to anyone that has a basic knowledge of how the Web works (http, javascript, cookies, html, and basics of a programming language like php or java) although you could learn these technologies as you are reading the book which would take some more time.
5.0 out of 5 stars Good book Oct. 29 2008
By Evan Larsen
Format: Paperback Verified Purchase
This was my first web application security book. I've been reading online blogs and websites about web security for a while, and I've been waiting for this book to come out because of the lack of web security books on the market. But I am impressed with this book. It covers just about everything and shows the reader how hackers exploit web applications in a multitude of ways. This will definitely help me secure my own websites, and I'm already practicing a lot of what I've learned in this book for security at my company.

I actually was able to log into my job's intranet website as administrator using some of the techniques I learned from this book. Then I went to my boss and showed him how, and then showed how we can prevent it. Short story short, they were impressed.
4.0 out of 5 stars Perfect for auditors, less useful for developers March 9 2009
By Trevor Burnham
Format: Paperback Verified Purchase
I was hoping that this book would give me a clear conception of how to secure a new web application against potential attackers. It did, up to a point. Unfortunately, the book spends most of its time with the flaws in yesterday's technologies (e.g. older versions of ASP) that I would never touch for a new app.

Still, if you're developing a web application, this book is worth at least skimming through. And if you're in charge of patching up a legacy system, this should be your bible.

[Update: Since I wrote this review, a second edition of this book has been released. I have yet to read it, but my guess is that the new edition is more relevant to non-legacy app developers.]
5.0 out of 5 stars Everything You Need to Know Jan. 16 2008
By Jeff Pike
Format: Paperback
This is the most important IT security title written in the past year or more. Why? Custom web applications offer more opportunities for exploitation than all of the publicized vulnerabilities you hear about combined. This book gives expert treatment to the subject. I found the writing to be very clear and concise in this 727-page volume. There is minimal fluff. While everything is clearly explained, this is not a beginner's book. The authors assume that you can read HTML, JavaScript, etc. Usually with a book like this there are a few really good chapters and some so-so chapters, but that's not the case here. Chapters 3-18 in this book rock all the way through. Another huge plus is that the tools in this book are free.

The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.

The next five chapters cover mapping application functionality, client-side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.

The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.

The next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe the attack methodology discussed throughout the book for exploiting each technology.

This book scores five easily based on the relevance and value of the information.