52 of 52 people found the following review helpful
on January 16, 2008
The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.
There next five chapters cover mapping application functionality, client side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.
The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.
The final next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe attack methodology discussed throughout the book for exploiting each technology.
This book scores five easily based on the relevance and value of the information.
31 of 33 people found the following review helpful
on November 6, 2007
First off - I will come clean and admit that this review is biased on several levels. Since the public facing web application security community is small, any published work or presentation will draw the attention of others in the field and often conversations/reviews/blog comments will ensue. Why mention this? Well, Dafydd reviewed XSS Attacks on his blog - a book I co-authored along with other much bigger players in the field. I also have a bit of admiration for Burp, a program Dafydd wrote and is highlighted in most any valuable web app book. So, to say I have no connections to the authors would be misleading - to say the least.
Now, for the book - just buy it, you won't be disappointed. As I read through the book (scanning some of the familiar parts), I was overwhelmed with the fact that a full time web application penetration tester has to known A LOT - all of which this book touches on in one way or another. I really can't think of any other book that can compete...
For those new to the field, either as security professionals or as web developers, this book will most likely leave you a bit reeling. It does a good job illustrating and demonstrating the many facets of secure web app development. For the more seasoned professional, this book will no doubt serve as a resource to refresh your memory on a trick or technique you forgot about. I know it has already served this purpose for me...
So, where do I start with a more detailed expose on the book? Personally, I would start by reading chapter 20 - A Web Application Hackers Methodology. By doing this, you will get a look into the minds of the authors who spend a significant part of their lives breaking web apps. You will also gain an understanding as to why the book is laid out the way it is - simply because it is how an attack/penetration test is performed. Don't expect to understand everything in detail as this will come later. However, you should quickly get the feeling that this book is going to be an interesting read that you can quickly turn into practical coding/attack techniques.
The book is broken down in to several big parts. The first section will acclimate you to the terms, concepts, and environment that the rest of the book builds upon. This includes a brief look at each of the main sections of the server technology, how a web application functions, and an overview of the attack surface you are about to be exposed to.
The second section starts to take a look at the web application from an attacker's point of view by illustrating numerous ways that an application can be mapped for later analysis. If you are a web developer, chances are you will find that one or more of the techniques discussed will cause a bit of a concern as to how information is stored on your site - you can never assume anything on your web server is safe.
The big section of the book is where you find the fun stuff. Basically, the authors walk through the following stages of a web application attacks - authentication, session management, access control, code injection, web server bugs, logic errors, and compiled application reverse-engineering. In each section, you get a really in depth and comprehensive look at most every attack vector and technique that web application hackers (both good and bad) use to meet their goals.
One of the nice things about this book is that it is not just all theory. They include practical and pointed examples that illustrate the problem, but don't waste your time with pages and pages of source code that serve no purpose but to fill space. At 736 pages, the book doesn't need filler.
In addition to the exploit examples, the authors also provide the much needed `protection' aspect so web developers know how they can shore up their applications against the specific attacks. In my experience, knowing how to secure a web application is often harder than knowing how to break it - so seeing this in the book is a indication of the insight of the authors.
There were three sections that I paid close attention to - partly because I have a vested interest in the subject, and also because it is how I like to present concepts. The first was chapter 11, which covers Attacking Application Logic. In this chapter, the authors used a Function - Assumption - Attack process to outline the problem and how it was exploited. Since logic errors are 100% based on human error, it is very hard to categorize and illustrate without a good example. So, not only did I get to see how others failed, and how this failure resulted in an attack, but it read like a story.
The next section was chapter 12 - Attacking Other Users. This section dove into subjects like XSS, XSRF, and the like - all of which I enjoy as indicated by my work on XSS Attacks book.
And last, but not least, I really liked that the book discussed one aspect of web application security that is often overlooked - reverse-engineering of client side `thick client'. Whether this is a Flash, Java, ActiveX or C++ coded program, it is possible to reverse-engineer the client side code to inject unexpected content into a web based application. So, kudos to the authors for presenting this attack vector.
So, is there anything wrong with the book? Well, except for the fact that it could be bigger - no. This book is an excellent way to understand most every attack out there and it will be a valuable resource for any web developer/security professional. If you want more specific details on a subject, you can find that material elsewhere - Cross Site Scripting Attacks: XSS Exploits and Defense,The Database Hacker's Handbook: Defending Database Servers, and Exploiting Online Games: Cheating Massively Distributed Systems (Addison-Wesley Software Security Series) are a few examples.
Let's sum this up. The Web Application Hackers Handbook is a worth while investment, so go buy it.
17 of 17 people found the following review helpful
on November 14, 2007
Before you even read a word, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" should catch your interest for two reasons. The first is that, by name and cover art, it is being presented by Wiley as the web security counterpart of "The Shellcoder's Handbook", which I have already given a positive review. The second reason, which I did not realize it until the book arrived, is that one of the authors, Dafydd Stuttard, is the author of the excellent Burp Suite tools for exploring and exploiting web applications. I use the proxy features of it frequently, and I often tell people it's the only reason I install a Java VM on my laptop. I was very excited about reading a web application security by the author of such a great set of tools, and it did not let me down.
I will admit that I haven't read any other books that focus on attacking web applications, so I do not have anything to compare it to. I can say, however, that this book has very complete and thorough coverage of the topic, from mapping the application to exploitation. While a number of common attacks are covered (such as cross-site scripting and SQL injection), the real value of the book is in the way it teaches the process of finding vulnerabilities. Armed with this, you can more effectively discover problems that involve logical errors unique to the application you're looking at. The book reads very well cover-to-cover, with each chapter building up another step in a complete web application hacker's methodology that the authors have put together.
The topics covered encompass most of the vulnerabilities you'll see disclosed in applications daily on the mailing lists. Rather than having chapters for specific attacks, the authors gather them up into meaningful categories to present related content together. For example, SQL injection and remote-file-inclusion are rolled into a chapter titled "Injecting Code". Similarly, cross-site scripting attacks, session fixation, and request forgery are covered in "Attacking Other Users". There is introductory material in an early chapter on "Web Application Technologies", however I would recommend that anyone picking this book up be at least somewhat familiar with how web applications work, either from the viewpoint of a developer or understanding the basics of attacks. The questions at the end of each chapter are designed to test the reader's understanding of the chapter's material, and I found it helpful to at least read over them and give them some thought. Someone just getting started with web security would probably get a lot of value out of focusing on each question.
For such a large book, it is a very pleasant surprise to say that I ran across no obvious errors. The website for the book is very complete, and contains answers for all of the questions at the ends of chapters, the source code for a tool developed in one of the chapters, a list of tools described in the text, and a checklist for the methodology presented in the final chapter. If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you're interested in being able to audit applications for vulnerabilities. Even for a web application developer, however, the book has a lot of merit. It's important to understand the ways in which your application will be attacked, and mitigation strategies are presented in the book for each attack.
I enjoyed the book, found the techniques presented to be very useful, and I plan on making use of the methodology presented.
10 of 10 people found the following review helpful
on January 25, 2008
If you do any type of professional Web Application Assessments then this is your bible. I have read many books on web app assessments and perform many Web Application Assessments for many large companies and government agencies and this is an excellent resource. I use Dafydd's Burp Suite and I can not say enough about it. If you are serious about Web Application security then this is a must read. Thanks to Dafydd and Marcus for a great book.
8 of 8 people found the following review helpful
on October 24, 2009
The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. The text is very well-written, clear, and thorough. While the book is not suitable for beginners, it is accessible and easy to read for those even without Web development or assessment experience.
At 736 pages, TWAHH is the sort of book that one needs to read more than once in order to digest its contents. At every turn I perceived the authors to be experts and I trusted their advice. Their "Hack Steps" sections nicely summarize key points for operators. The authors integrate explanations of HTTP as a protocol into their text, without boring readers already familiar with the protocol. They also also demonstrate their subject using code snippets for multiple languages and products.
While I considered almost all of the book to be equally helpful, I'd like to mention three specific chapters or sections. First, chapters 1-3 provided a great technical overview of the subject. Chapter 11, Attacking Application Logic, featured examples from the authors' consulting experience which really resonated with me. Finally, I liked the recognition of the importance of locally-written applications, called "bespoke" applications, in chapter 13.
I struggled to find much to complain about in TWAHH. My only concern appeared early in the book, when the authors talked about "all user input is untrusted." They really meant "all user input is untrustworthy," or they should have said "Web developers should consider all user input to be untrusted, but they often trust it." The difference between "untrusted" and "untrustworthy" is subtle, and I still understood the authors' point.
I strongly recommend TWAHH to anyone with a role in defending Web applications. The authors have set a very high standard with this book. Great work!
6 of 6 people found the following review helpful
on January 20, 2008
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input validation, access control, session management, and authentication vulnerabilities using real-world examples and diagrams. There is an in-depth 100pg chapter on injecting code(e.g. SQL, OS, script, etc injection) and a 95pg chapter on attacking other users(e.g. XSS, request forgery, etc attacks). There is information about bypassing common sanitization techniques in cases where user input is sanitized. The book also covers how to write your own scripts to automate complex attacks. At the end of each section are the steps necessary to defend your application against the attacks that were described with an emphasis on "defense-in-depth"; an approach where one tries to prevent the compromise of the whole application even if one component of it is already compromised.
This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and sql injections.
The authors are both professional penetration testers which gives them credibility over the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite.
14 of 17 people found the following review helpful
on October 24, 2007
When I first saw the title of this book I groaned. "Not another lame hacker book. I really should write my own." Then I saw who was writing it and thought it might not be that bad. I saw the table of contents and got excited. Finally someone is writing a web application security book that covers the space in depth, at least the testing part. I immediately pre-ordered it from Amazon and my copy arrived yesterday.
The book weighs in at 727 pages so I think it is safe to say I will never read it all the way through. I cherry picked a few chapters to see if the authors "got it right".
What I love about this book is that it covers the theory and the practice equally well. No other book I have seen does that very well, they are all stuck on the practice side. Chapter 8 >Attacking Access Controls is a gold mine filled with great nuggets of information of not only how to attack access controls but great explanation of why and the steps you take to figure out what lines of attack to take.
The Hack Steps sections are nice short guides to the methodical breaking down of a vulnerability and the attack you would launch to find it. They are short and sweet, a great way to go from zero knowledge to at least some understanding of an issue.
My other favorite chapter is Chapter 12: Attacking Other Users. I don't recall seeing this topic covered in such a clear and concise way. I often see these types of laws in web applications and it is a area no web application scanner scan cover effectively.
Speaking of scanners, anyone that still thinks running a web application scanner alone solves your web application security issues needs to read Chapter 19 and the section on web application vulnerability scanners. The authors do a excellent job outlining the limitations of scanning tools. I am so excited to see someone put it down in a book so I don't have to keep explaining it, I can just tell them to RTFB (Read The F***ing Book)
I can't recommend this book enough for anyone who wants to understand what web application security is all about. You are not going to get a lot of help fixing these issues after you find them from this book. I am glad the authors did not try as that subject could easily fill 10 other books. Staying focused on the testing side makes this a must have book.
5 of 5 people found the following review helpful
on December 4, 2007
This is by far the best text I have ever come across on the topic of web application vulnerability exploits. Although this is a 10+ year old topic, it is just now moving to the forefront of security professionals minds everywhere. This book goes into extreme detail and theory on every facet of web application exploitation that I have or have not heard of in my experience. At times it was a bit beyond my understanding as I am not a professional coder but it was still reasonably clear where the author was going. Hey, it's not his fault I am not at the same level right? Which is why I am reading his book. If you are not familiar with the Burpe suite of tools, and you should be if you are considering reading this book, the author is also the author of that application. So it is used or referenced in the book often. It is a GREAT tool set for this type of assessment. If you don't have it... get it... it is FREE and you will need something to follow along and try out the examples as they are presented, which is exactly how I recommend you read this book. There is so much presented that if you do not actually try out each scenario when it is presented in the text you will not remember it by the end of the chapter. The only thing that I would have liked to have seen was the use of a specific exploit from start to finish. If you read any of my other book reviews on similar topics, you will know that I say this in every review. No one does this. Why? I have no idea. It is painfully clear that the author can carry out these exploits, why not show one from start to finish. From the initial thought process or feeling you get when you go to a site and just "know" something is not right. Someone needs to walk people through a real exploit, that is hopefully patched now, step by step. This is essential to the mass learning process. Not everyone can extract this information and "know-how" from all theory and vague examples. Even in this great book they missed the boat there. I guess the problem is that it takes a great deal of time to really develop to the point of the author or any other similar professional, however security professionals need this information and know-how today, not next year, to really make an impact on this form of exploitation. Often many organizations do not have the resources or cannot justify the resources to put an expert(s) into this position, so they call upon an existing staff member to fill the role. That staff member needs to be up to speed now, immediately. This is just my opinion, but hey... what do I know right?
5 of 5 people found the following review helpful
on November 10, 2007
This is by far the best book I've ever read on web application security. The authors do a great job of describing everything involved in analyzing the security of a web app, both from an attacker's point of view and in terms of what web developers can do to build their apps in a secure way.
The book is very well organized, and the sections about attacking other users and testing for logical security issues are important areas that not many other books cover in much detail. I especially liked the questions at the end of each chapter - they really make you think and test your understanding of the content that was covered.
I agree with the previous reviewer's comment about web application scanners being just one piece of a thorough security assessment. The chapter on web application scanners did a great job describing the strengths and weaknesses of these products and didn't include any marketing fluff.
5 of 5 people found the following review helpful
on January 25, 2011
Very well written book, great stuff.
Having read it I can't imagine developing a web site without having gone through this stuff.
So why four stars? The book advertises a 'Challenge prepared by the authors', but, on their web page there are posts dating back to 2007 about how they haven't gotten around to creating it yet.
To be fair to the great books that do provide a lab, even 4 might be steep.
A very good book but could have been a phenomenal book; without some excercises to work through it really looses a lot of its impact.