Hacking Exposed Web Applications, Second Edition and over one million other books are available for Amazon Kindle. Learn more

Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) 2nd Edition

5 customer reviews
ISBN-13: 978-0072262995
ISBN-10: 0072262990
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used
Condition: Used - Good
Condition: Used: Good
Comment: Some cover and page wear. Ships direct from Amazon.
Access codes and supplements are not guaranteed with used items.
19 Used from $0.77
Amazon Price New from Used from
"Please retry"
Paperback, June 5, 2006
"Please retry"
$7.10 $0.77
More Buying Choices
13 New from $7.10 19 Used from $0.77

There is a newer edition of this item:

Free Two-Day Shipping for College Students with Amazon Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

InterDesign Brand Store Awareness Rent Textbooks

Editorial Reviews

From the Back Cover

Implement bulletproof e-business security the proven Hacking Exposed way

Defend against the latest Web-based attacks by looking at your Web applications through the eyes of a malicious intruder. Fully revised and updated to cover the latest Web exploitation techniques, Hacking Exposed Web Applications, Second Edition shows you, step-by-step, how cyber-criminals target vulnerable sites, gain access, steal critical data, and execute devastating attacks. All of the cutting-edge threats and vulnerabilities are covered in full detail alongside real-world examples, case studies, and battle-tested countermeasures from the authors' experiences as gray hat security professionals.

  • Find out how hackers use infrastructure and application profiling to perform reconnaissance and enter vulnerable systems
  • Get details on exploits, evasion techniques, and countermeasures for the most popular Web platforms, including IIS, Apache, PHP, and ASP.NET
  •  Learn the strengths and weaknesses of common Web authentication mechanisms, including password-based, multifactor, and single sign-on mechanisms like Passport
  • See how to excise the heart of any Web application's access controls through advanced session analysis, hijacking, and fixation techniques
  • Find and fix input validation flaws, including cross-site scripting (XSS), SQL injection, HTTP response splitting, encoding, and special character abuse
  • Get an in-depth presentation of the newest SQL injection techniques, including blind attacks, advanced exploitation through subqueries, Oracle exploits, and improved countermeasures
  • Learn about the latest XML Web Services hacks, Web management attacks, and DDoS attacks, including click fraud
  • Tour Firefox and IE exploits, as well as the newest socially-driven client attacks like phishing and adware



About the Author

Joel Scambray, CISSP, is a Senior Director at Microsoft Corporation, where he led Microsoft's online services security efforts for three years before joining the Windows platform group to focus on security technology development. He has more than 15 years of information security experience, including senior management roles at Ernst & Young, co-founder of Foundstone, technical consultant for Fortune 500 enterprises, and co-author of the best-selling Hacking Exposed book series.

Mike Shema, is the CSO of NT Objectives and has made web application security presentations at numerous security conferences. He has conducted security reviews for a wide variety of web technologies and developed training material for application security courses. He is also a co-author of Anti-Hacker Toolkit.

Caleb Sima, is the co-founder and CTO of SPI Dynamics, a web application security products company, and has more than 12 years of security experience. His pioneering efforts and expertise in web security have helped define the direction the web application security industry has taken. Caleb is a frequent speaker and expert resource for the press on Internet attacks and has been featured in the Associated Press. He is also a contributing author to various magazines and online columns. Caleb is a member of ISSA and is one of the founding visionaries of the Application Vulnerability Description Language (AVDL) standard within OASIS, as well as a founding member of the Web Application Security Consortium (WASC).


Shop the New Digital Design Bookstore
Check out the Digital Design Bookstore, a new hub for photographers, art directors, illustrators, web developers, and other creative individuals to find highly rated and highly relevant career resources. Shop books on web development and graphic design, or check out blog posts by authors and thought-leaders in the design industry. Shop now

Product Details

  • Paperback: 520 pages
  • Publisher: McGraw-Hill Osborne Media; 2 edition (June 5, 2006)
  • Language: English
  • ISBN-10: 0072262990
  • ISBN-13: 978-0072262995
  • Product Dimensions: 7.3 x 1.1 x 9.1 inches
  • Shipping Weight: 2 pounds
  • Average Customer Review: 5.0 out of 5 stars  See all reviews (5 customer reviews)
  • Amazon Best Sellers Rank: #159,890 in Books (See Top 100 in Books)

More About the Authors

Discover books, learn about writers, read author blogs, and more.

Customer Reviews

5 star
4 star
3 star
2 star
1 star
See all 5 customer reviews
Share your thoughts with other customers

Most Helpful Customer Reviews

18 of 18 people found the following review helpful By Richard Bejtlich on October 5, 2006
Format: Paperback
I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA.

Before proceeding I should note I used to work with the two ex-Foundstone authors of HE:WA2E, although I haven't been afraid in the past to review books honestly.

I read and reviewed the first edition of HE:WA about four years ago, and I rated that book five stars. Authors like Scambray and Shema exemplify the best aspects of the HE series: explaining technology, then showing how to exploit it. Frequently the first time security people hear about new applications is when they are being attacked. By digesting books in the core HE series, readers become familiar with the latest services, their flaws, and attacks against those technologies. HE:WA2E continues this tradition.

I was pleased to see HE:WA2E is largely a thorough reworking of the first edition. (This has not always been the case with HE books, considering there are five editions.) In one case, however, this worked against the authors. Ch 8 (Attacking XML Web Services) references non-existent material in Ch 1. Ch 1 in HE:WA2E is completely different from Ch 1 in the first edition, which contains the referenced diagram. A positive aspect of the rewrite is the frequent reference to outside material, instead of repeating techniques and tools already published.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
4 of 4 people found the following review helpful By Paco Hope on March 13, 2009
Format: Paperback
This book is a few years old, but by golly you'll get plenty of use out of it. I do security assessments for a living and the fundamentals in this book are the meat and potatoes of web security testing. Every time I get a young pup security consultant to train on web security, the first book I point them to is this book (No, you _can't_ have mine... go get your own). Ok, actually I point them to my own book first. But this is definitely the SECOND book I point them to, and it was a big inspiration behind my own.

Back when I bought this book, I thought I knew enough about cross-site scripting and SQL injection. It taught me a thing or two, though. They really hit web apps from all sides and all the major attacks you need to know.


It's thorough and lasting. Until web developers finally figure out how to avoid these silly pitfalls, you'll get plenty of use out of it time and time again.


If you're a developer, don't kid yourself that this book will teach you how to avoid these common mistakes. This book is written to security assessors, testers, and auditors. Developers need more pragmatic and context-specific guidance on what to do right. Knowing that your app is chock full of SQL injection doesn't mean that you know the right way to use parameterized queries in your language and your environment to protect against them.

Now, having said that, it is eye-opening for many developers to have their fundamental assumptions destroyed by seeing a standard exploit work against their own application. Nothing brings it home like the real thing. But that doesn't mean they know how to avoid making the same mistake again, having the mistake pointed out in gory detail.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
3 of 3 people found the following review helpful By Chris Griffin on May 5, 2008
Format: Paperback
I bought this book about 4 years ago, and still find myself going back to it again and again for reference. To this day its the only technical book that I have read cover to cover. While I have not yet checked out the 2.0 book for web apps, I still feel you can't go wrong adding this book to your arsenal.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
1 of 1 people found the following review helpful By Alexander Pushkin on November 13, 2009
Format: Paperback Verified Purchase
Read this book in a week. It's a book that gives you the full image of today's web application security. Even if it's 3 years old, it still covers very actual topics and could be very helpful also as a reference.
A Must Have thing.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
2 of 7 people found the following review helpful By Emanuelly Barros on May 12, 2007
Format: Paperback
this book is quite complete, very utile to learn all about security on web applications.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Want to discover more products? Check out these pages to see more: software engineering, hacking, software development