Deliver to your Kindle or other device

Enter a promotion code
or gift card

Try it free

Sample the beginning of this book for free

Deliver to your Kindle or other device

Sorry, this item is not available in
Image not available for
Image not available

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws [Kindle Edition]

Marcus Pinto , Dafydd Stuttard
4.7 out of 5 stars  See all reviews (27 customer reviews)

Digital List Price: $50.00 What's this?
Kindle Price: $28.99
You Save: $21.01 (42%)

Free Kindle Reading App Anybody can read Kindle books—even without a Kindle device—with the FREE Kindle app for smartphones, tablets and computers.

To get the free app, enter your email address or mobile phone number.


Amazon Price New from Used from
Kindle Edition $28.99  
Paperback --  
Unknown Binding --  
Shop the new
New! Introducing the, a hub for Software Developers and Architects, Networking Administrators, TPMs, and other technology professionals to find highly-rated and highly-relevant career resources. Shop books on programming and big data, or read this week's blog posts by authors and thought-leaders in the tech industry. > Shop now

Book Description

This book is a practical guide to discovering and exploitingsecurity flaws in web applications. The authors explain eachcategory of vulnerability using real-world examples, screen shotsand code extracts. The book is extremely practical in focus, anddescribes in detail the steps involved in detecting and exploitingeach kind of security weakness found within a variety ofapplications such as online banking, e-commerce and other webapplications.

The topics covered include bypassing login mechanisms, injectingcode, exploiting logic flaws and compromising other users. Becauseevery web application is different, attacking them entails bringingto bear various general principles, techniques and experience in animaginative way. The most successful hackers go beyond this, andfind ways to automate their bespoke attacks. This handbookdescribes a proven methodology that combines the virtues of humanintelligence and computerized brute force, often with devastatingresults.

The authors are professional penetration testers who have beeninvolved in web application security for nearly a decade. They havepresented training courses at the Black Hat security conferencesthroughout the world. Under the alias "PortSwigger", Dafydddeveloped the popular Burp Suite of web application hack tools.

Editorial Reviews


"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you’re interested in being able to audit applications for vulnerabilities".
Robert Wesley McGrew, McGrew Security

From the Back Cover

Hack the planet

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This innovative book shows you how they do it.

This is hands-on stuff. The authors, recognized experts in security testing, take a practical approach, showing you the detailed steps involved in finding and exploiting security flaws in web applications. You will learn to:

  • Defeat an application's core defense mechanisms and gain unauthorized access, even to the most apparently secure applications
  • Map attack surfaces and recognize potential entry points

  • Break client-side controls implemented within HTML, Java®, ActiveX®, and Flash®

  • Uncover subtle logic flaws that leave applications exposed

  • Use automation to speed up your attacks, with devastating results

  • Delve into source code and spot common vulnerabilities in languages like C#, Java, and PHP

Know your enemy

To defend an application, you must first know its weaknesses. If you design or maintain web applications, this book will arm you with the protective measures you need to prevent all of the attacks described. If you're a developer, it will show you exactly where and how to strengthen your defenses.

Additional resources online at

  • Source code for scripts in this book
  • Links to tools and resources

  • Checklist of tasks involved in attacking applications

  • Answers to the questions posed in each chapter

  • A hacking challenge prepared by the authors

Product Details

  • File Size: 11593 KB
  • Print Length: 768 pages
  • Publisher: Wiley; 1 edition (February 18, 2010)
  • Sold by: Amazon Digital Services, Inc.
  • Language: English
  • ASIN: B000SFC7S0
  • Text-to-Speech: Enabled
  • X-Ray:
  • Word Wise: Not Enabled
  • Lending: Enabled
  • Amazon Best Sellers Rank: #578,563 Paid in Kindle Store (See Top 100 Paid in Kindle Store)
  •  Would you like to give feedback on images?

Customer Reviews

Most Helpful Customer Reviews
52 of 52 people found the following review helpful
5.0 out of 5 stars Everything You Need to Know January 16, 2008
This is the most important IT security title written in the past year or more. Why? Custom web applications offer more opportunities for exploitation than all of the publicized vulnerabilities your hear about combined. This book gives expert treatment to the subject. I found the writing to be very clear and concise in this 727 page volume. There is minimal fluff. While everything is clearly explained, this is not a beginners book. The authors assume that you can read html, JavaScript, etc... Usually with a book like this there are a few really good chapters and some so-so chapters, but that's not the case here. Chapters 3-18 in this book rock all the way through. Another huge plus is the tools in this book are free.

The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.

There next five chapters cover mapping application functionality, client side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.

The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.

The final next four chapters cover attacks against compiled applications, application architecture, web servers, and source code.
Read more ›
Comment | 
Was this review helpful to you?
31 of 33 people found the following review helpful
5.0 out of 5 stars Excellent resource for both developer and security pro November 6, 2007
First off - I will come clean and admit that this review is biased on several levels. Since the public facing web application security community is small, any published work or presentation will draw the attention of others in the field and often conversations/reviews/blog comments will ensue. Why mention this? Well, Dafydd reviewed XSS Attacks on his blog - a book I co-authored along with other much bigger players in the field. I also have a bit of admiration for Burp, a program Dafydd wrote and is highlighted in most any valuable web app book. So, to say I have no connections to the authors would be misleading - to say the least.

Now, for the book - just buy it, you won't be disappointed. As I read through the book (scanning some of the familiar parts), I was overwhelmed with the fact that a full time web application penetration tester has to known A LOT - all of which this book touches on in one way or another. I really can't think of any other book that can compete...

For those new to the field, either as security professionals or as web developers, this book will most likely leave you a bit reeling. It does a good job illustrating and demonstrating the many facets of secure web app development. For the more seasoned professional, this book will no doubt serve as a resource to refresh your memory on a trick or technique you forgot about. I know it has already served this purpose for me...

So, where do I start with a more detailed expose on the book? Personally, I would start by reading chapter 20 - A Web Application Hackers Methodology. By doing this, you will get a look into the minds of the authors who spend a significant part of their lives breaking web apps.
Read more ›
Comment | 
Was this review helpful to you?
17 of 17 people found the following review helpful
5.0 out of 5 stars Excellent for both beginners and the experienced November 14, 2007
Before you even read a word, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" should catch your interest for two reasons. The first is that, by name and cover art, it is being presented by Wiley as the web security counterpart of "The Shellcoder's Handbook", which I have already given a positive review. The second reason, which I did not realize it until the book arrived, is that one of the authors, Dafydd Stuttard, is the author of the excellent Burp Suite tools for exploring and exploiting web applications. I use the proxy features of it frequently, and I often tell people it's the only reason I install a Java VM on my laptop. I was very excited about reading a web application security by the author of such a great set of tools, and it did not let me down.

I will admit that I haven't read any other books that focus on attacking web applications, so I do not have anything to compare it to. I can say, however, that this book has very complete and thorough coverage of the topic, from mapping the application to exploitation. While a number of common attacks are covered (such as cross-site scripting and SQL injection), the real value of the book is in the way it teaches the process of finding vulnerabilities. Armed with this, you can more effectively discover problems that involve logical errors unique to the application you're looking at. The book reads very well cover-to-cover, with each chapter building up another step in a complete web application hacker's methodology that the authors have put together.

The topics covered encompass most of the vulnerabilities you'll see disclosed in applications daily on the mailing lists.
Read more ›
Was this review helpful to you?
Most Recent Customer Reviews
2.0 out of 5 stars Good for Web Applications
Like the intro says if you are looking for information on Networks or Computer Protection / Intrusion Prevention, it is best to go elsewhere.
Published 12 months ago by Aceworker
5.0 out of 5 stars Must reading if you write web pages
Skip this review and avoid this book if you use site building kits like WordPress -- or you don't care about your site getting hacked. Read more
Published 21 months ago by W. Wiencke
5.0 out of 5 stars Good book, helped for class
This was a good book. It helped me in class as I listen to all my books, This means I scan my books and turn into audio. Read more
Published on March 14, 2013 by C. Heller
4.0 out of 5 stars Detailed as hell
It's a huge book filled to the brim with examples of both exploitation and protection. I would say you definitely must learn from this book (better the new edition) if you're gonna... Read more
Published on March 8, 2013 by Mark
5.0 out of 5 stars Every web app security professional needs to read!
Excellent book! Wish I had read it before the damn interview. It covers every aspects you need to know and provides detailed description to help you understand and practice.
Published on May 3, 2012 by Samuel
5.0 out of 5 stars Very educational
It helps a lot to understand how things work in systems security.It requires of course some programming experience! Read more
Published on April 25, 2012 by Antonios
5.0 out of 5 stars One of the best out there
I bought this book over a year ago and never got around to reviewing it. I am really disappointed by the quality of many of the security books I have read since then, so feel... Read more
Published on March 22, 2012 by Nick
5.0 out of 5 stars Good book for security
This is a very good entry-level book for getting immersed in the world of web security. If you are a developer of web applications without much knowledge on how to evaluate their... Read more
Published on June 24, 2011 by Eric
5.0 out of 5 stars Very good intro and reference
I have to admit that I did not finish reading the entire book, but so far it's been a good read. The writing style isn't dry and the authors don't just "throw" the knowledge at... Read more
Published on February 4, 2011 by Will
4.0 out of 5 stars Good book, cheesed out on the challenge
Very well written book, great stuff.
Having read it I can't imagine developing a web site without having gone through this stuff.
So why four stars? Read more
Published on January 25, 2011 by D. Neckels
Search Customer Reviews
Search these reviews only

More About the Authors

Discover books, learn about writers, read author blogs, and more.

What Other Items Do Customers Buy After Viewing This Item?


There are no discussions about this product yet.
Be the first to discuss this product with the community.
Start a new discussion
First post:
Prompts for sign-in

Look for Similar Items by Category