The Web Application Hacker's Handbook and over 360,000 other books are available for Amazon Kindle � Amazon�s new wireless reading device. Learn more

Quantity:

Express Checkout with PayPhrase

What's this? | Create PayPhrase

More Buying Choices

60 used & new from $23.49

Have one to sell? Sell yours here

Share with Friends

Share your own customer images

Search inside this book

Start reading The Web Application Hacker's Handbook on your Kindle in under a minute. Don�t have a Kindle? Get your Kindle here.

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Paperback)

~ (Author), (Author)
Key Phrases: attacking authentication, web application technologies, burp proxy, Attacking Other Users, Web Application Hacker's Methodology, Web Application Hacker's Toolkit (more...)

4.9 out of 5 stars See all reviews (15 customer reviews)

List Price:	$50.00
Price:	$31.50 & this item ships for FREE with Super Saver Shipping. Details
You Save:	$18.50 (37%)
	o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o

In Stock.
Ships from and sold by Amazon.com. Gift-wrap available.

43 new from $27.45 17 used from $23.49

Formats		Amazon Price	New from	Used from
Kindle Edition $25.20 Available for download now. Published October 22, 2007	Kindle Edition, October 22, 2007	$25.20	--	--
Paperback $31.50 In Stock. Published October 21, 2007	Paperback, October 21, 2007	$31.50	$27.45	$23.49

Frequently Bought Together

Price For All Three: $97.44

Show availability and shipping details

This item: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Dafydd Stuttard
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details
Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details

Customers Who Bought This Item Also Bought

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

by Paco Hope

5.0 out of 5 stars (4) $26.39

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning

by Gordon Fyodor Lyon

4.9 out of 5 stars (18) $32.97

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield

4.9 out of 5 stars (7) $31.50

The Shellcoder's Handbook: Discovering and Exploiting Security Holes

by Chris Anley

4.5 out of 5 stars (22) $31.49

Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook

by Shon Harris

5.0 out of 5 stars (2) $31.49

› Explore similar items

Editorial Reviews

Review

"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you’re interested in being able to audit applications for vulnerabilities".
—Robert Wesley McGrew, McGrew Security

Product Description

This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.

The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.

The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.

See all Editorial Reviews

Product Details

Paperback: 768 pages
Publisher: Wiley (October 22, 2007)
Language: English
ISBN-10: 0470170778
ISBN-13: 978-0470170779
Product Dimensions: 9.4 x 7.5 x 2.2 inches
Shipping Weight: 2.2 pounds (View shipping rates and policies)

Average Customer Review: 4.9 out of 5 stars See all reviews (15 customer reviews)

Amazon.com Sales Rank: #7,922 in Books (See Bestsellers in Books)

Popular in these categories: (What's this?)

#1 in	Books > Computers & Internet > Certification Central > Exams > Security+
#2 in	Books > Computers & Internet > Business & Culture > Hacking
#2 in	Books > Computers & Internet > Business & Culture > Privacy

Would you like to update product info or give feedback on images?

More About the Authors

Discover books, learn about writers, read author blogs, and more.

Marcus Pinto

Dafydd Stuttard

Inside This Book (learn more)

Key Phrases - Statistically Improbable Phrases (SIPs): (learn more)
attacking authentication, web application technologies, burp proxy, backup file, exclusion list, web application hacker, path traversal vulnerabilities, bespoke attacks, attacking web applications, intercepting proxy, password change function, path traversal vulnerability, key attack surface, repeater comms, following test strings, new session token, path traversal sequences, randomly varying question, password quality rules, core security mechanisms, integer vulnerabilities, injected query, valid session token, path traversal attacks, session fixation vulnerabilities

Key Phrases - Capitalized Phrases (CAPs): (learn more)
Attacking Other Users, Web Application Hacker's Methodology, Web Application Hacker's Toolkit, Attacking Session Management, Bypassing Client-Side Controls, Internet Explorer, Mapping the Application, Automating Bespoke Attacks, Attacking Application Logic, Attacking Application Architecture, Attacking the Web Server, Questions Answers, Core Defense Mechanisms, Press Release, Server Driver, Netgear Hub, Exploiting Path Traversal, Exploiting Information Disclosure, Attacking Compiled Applications, World Wide Web, Burp Spider, Burp Repeater, David Litchfield, Java Platform, Done Figure

What Do Customers Ultimately Buy After Viewing This Item?

	81% buy the item featured on this page: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws 4.9 out of 5 stars (15) $31.50
	10% buy Hacking: The Art of Exploitation, 2nd Edition 4.3 out of 5 stars (57) $32.97
	4% buy Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning 4.9 out of 5 stars (18) $32.97
	3% buy Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast 5.0 out of 5 stars (4) $26.39

Explore similar items

Tags Customers Associate with This Product

(What's this?)

Click on a tag to find related items, discussions, and people.

hacking(13)

security(9)

xss(6)

web application(5)

internet security(4)

web applications(4)

sql(3)

asp(2)

php(2)

sql injection(2)

bejtlich(1)

See all 27 tags...

Customer Reviews

15 Reviews

5 star:		(13)
4 star:		(2)
3 star:		(0)
2 star:		(0)
1 star:		(0)

Average Customer Review

4.9 out of 5 stars (15 customer reviews)

Share your thoughts with other customers:

Create your own review

Most Helpful Customer Reviews

31 of 31 people found the following review helpful:

5.0 out of 5 stars Everything You Need to Know, January 16, 2008

By	Jeff Pike (Mechanicsville, VA United States) - See all my reviews

This is the most important IT security title written in the past year or more. Why? Custom web applications offer more opportunities for exploitation than all of the publicized vulnerabilities your hear about combined. This book gives expert treatment to the subject. I found the writing to be very clear and concise in this 727 page volume. There is minimal fluff. While everything is clearly explained, this is not a beginners book. The authors assume that you can read html, JavaScript, etc... Usually with a book like this there are a few really good chapters and some so-so chapters, but that's not the case here. Chapters 3-18 in this book rock all the way through. Another huge plus is the tools in this book are free.

The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.

There next five chapters cover mapping application functionality, client side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.

The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.

The final next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe attack methodology discussed throughout the book for exploiting each technology.

This book scores five easily based on the relevance and value of the information.

Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)

20 of 22 people found the following review helpful:

5.0 out of 5 stars Excellent resource for both developer and security pro, November 6, 2007

By	Seth Fogie - See all my reviews

First off - I will come clean and admit that this review is biased on several levels. Since the public facing web application security community is small, any published work or presentation will draw the attention of others in the field and often conversations/reviews/blog comments will ensue. Why mention this? Well, Dafydd reviewed XSS Attacks on his blog - a book I co-authored along with other much bigger players in the field. I also have a bit of admiration for Burp, a program Dafydd wrote and is highlighted in most any valuable web app book. So, to say I have no connections to the authors would be misleading - to say the least.

Now, for the book - just buy it, you won't be disappointed. As I read through the book (scanning some of the familiar parts), I was overwhelmed with the fact that a full time web application penetration tester has to known A LOT - all of which this book touches on in one way or another. I really can't think of any other book that can compete...

For those new to the field, either as security professionals or as web developers, this book will most likely leave you a bit reeling. It does a good job illustrating and demonstrating the many facets of secure web app development. For the more seasoned professional, this book will no doubt serve as a resource to refresh your memory on a trick or technique you forgot about. I know it has already served this purpose for me...

So, where do I start with a more detailed expose on the book? Personally, I would start by reading chapter 20 - A Web Application Hackers Methodology. By doing this, you will get a look into the minds of the authors who spend a significant part of their lives breaking web apps. You will also gain an understanding as to why the book is laid out the way it is - simply because it is how an attack/penetration test is performed. Don't expect to understand everything in detail as this will come later. However, you should quickly get the feeling that this book is going to be an interesting read that you can quickly turn into practical coding/attack techniques.

The book is broken down in to several big parts. The first section will acclimate you to the terms, concepts, and environment that the rest of the book builds upon. This includes a brief look at each of the main sections of the server technology, how a web application functions, and an overview of the attack surface you are about to be exposed to.

The second section starts to take a look at the web application from an attacker's point of view by illustrating numerous ways that an application can be mapped for later analysis. If you are a web developer, chances are you will find that one or more of the techniques discussed will cause a bit of a concern as to how information is stored on your site - you can never assume anything on your web server is safe.

The big section of the book is where you find the fun stuff. Basically, the authors walk through the following stages of a web application attacks - authentication, session management, access control, code injection, web server bugs, logic errors, and compiled application reverse-engineering. In each section, you get a really in depth and comprehensive look at most every attack vector and technique that web application hackers (both good and bad) use to meet their goals.

One of the nice things about this book is that it is not just all theory. They include practical and pointed examples that illustrate the problem, but don't waste your time with pages and pages of source code that serve no purpose but to fill space. At 736 pages, the book doesn't need filler.

In addition to the exploit examples, the authors also provide the much needed `protection' aspect so web developers know how they can shore up their applications against the specific attacks. In my experience, knowing how to secure a web application is often harder than knowing how to break it - so seeing this in the book is a indication of the insight of the authors.

There were three sections that I paid close attention to - partly because I have a vested interest in the subject, and also because it is how I like to present concepts. The first was chapter 11, which covers Attacking Application Logic. In this chapter, the authors used a Function - Assumption - Attack process to outline the problem and how it was exploited. Since logic errors are 100% based on human error, it is very hard to categorize and illustrate without a good example. So, not only did I get to see how others failed, and how this failure resulted in an attack, but it read like a story.

The next section was chapter 12 - Attacking Other Users. This section dove into subjects like XSS, XSRF, and the like - all of which I enjoy as indicated by my work on XSS Attacks book.

And last, but not least, I really liked that the book discussed one aspect of web application security that is often overlooked - reverse-engineering of client side `thick client'. Whether this is a Flash, Java, ActiveX or C++ coded program, it is possible to reverse-engineer the client side code to inject unexpected content into a web based application. So, kudos to the authors for presenting this attack vector.

So, is there anything wrong with the book? Well, except for the fact that it could be bigger - no. This book is an excellent way to understand most every attack out there and it will be a valuable resource for any web developer/security professional. If you want more specific details on a subject, you can find that material elsewhere - Cross Site Scripting Attacks: XSS Exploits and Defense, The Database Hacker's Handbook: Defending Database Servers, and Exploiting Online Games: Cheating Massively Distributed Systems (Addison-Wesley Software Security Series) are a few examples.

Let's sum this up. The Web Application Hackers Handbook is a worth while investment, so go buy it.

Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)

9 of 9 people found the following review helpful:

5.0 out of 5 stars A Truely Excellent Resource for any Professional Web Hacker!, January 25, 2008

By	Kevin M. Horvath (DC area) - See all my reviews (REAL NAME)

If you do any type of professional Web Application Assessments then this is your bible. I have read many books on web app assessments and perform many Web Application Assessments for many large companies and government agencies and this is an excellent resource. I use Dafydd's Burp Suite and I can not say enough about it. If you are serious about Web Application security then this is a must read. Thanks to Dafydd and Marcus for a great book.

Kevin

Comment Comment | Permalink | Was this review helpful to you? Yes No (Report this)

Share your thoughts with other customers: Create your own review

› See all 15 customer reviews...

Most Recent Customer Reviews

5.0 out of 5 stars Serious candidate for Best Book Bejtlich Read 2009
The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. Read more

Published 15 days ago by Richard Bejtlich

5.0 out of 5 stars Most Important Internet Security Book Available!!!
Not for the faint of heart kiddie scriptors.
This book actually shows just how vulnerable the Web really is and that it in fact is sometimes futile to hope for real... Read more

Published 4 months ago by William Scarbrough

4.0 out of 5 stars Perfect for auditors, less useful for developers
I was hoping that this book would give me a clear conception of how to secure my web applications against potential attackers. It did, but only peripherally. Read more

Published 8 months ago by Trevor Burnham

4.0 out of 5 stars Great reference
Great book. The beginning has some good explanation of how web apps are constructed. This section is a little tedious if you already know this material, but it is a good review,... Read more

Published 8 months ago by M. D'Aloisio

5.0 out of 5 stars Good book
This was my first web application security book. I've been reading online blogs and web-sites about web security for a while, and I've been waiting for this book to come out... Read more

Published 12 months ago by Evan Larsen

5.0 out of 5 stars More than just words!
This is an excellent book. Many books of this nature leave you wanting. They talk in complicated jargon, excite you about learning new concepts, and then leave you hanging with no... Read more

Published 20 months ago by John A. Walley

5.0 out of 5 stars An excellent thorough resource for web application security
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input... Read more

Published 21 months ago by BruceMagnus

5.0 out of 5 stars excellent
This book is a complete guide and very easy to read. Simple said it's GOOD.

Mauri

Published 22 months ago by M. Payne

5.0 out of 5 stars Best text on subject
This is by far the best text I have ever come across on the topic of web application vulnerability exploits. Read more

Published 23 months ago by Garot M. Conklin

5.0 out of 5 stars Excellent for both beginners and the experienced
Before you even read a word, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" should catch your interest for two reasons. Read more

Published 24 months ago by R. Wesley McGrew

› See all 15 customer reviews...

.jsOffDisplayBlock { display: block; } .jsOffDisplayInline { display: inline; } .jsOffVisibility { visibility: visible; } .jsOnDisplayBlock { display: none; } .jsOnDisplayNoneBlock { display: block; } .jsOnDisplayNoneInline { display: inline; } .jsOnDisplayInline { display: none; } .jsOnVisibility { visibility: hidden; } .jqOnDisplayBlock { display: none; } .jqOnDisplayInline { display: none; } .jqOnVisibility { visibility: hidden; } .jqOnDisplayNoneBlock { display: block; } .jqOnDisplayNoneInline { display: inline; }