The Web Application Hacker's Handbook and over 670,000 other books are available for Amazon Kindle � Amazon�s new wireless reading device. Learn more

Quantity:

Express Checkout with PayPhrase

What's this? | Create PayPhrase

More Buying Choices

56 used & new from $27.71

Have one to sell? Sell yours here

Get a $15.46 Amazon.com Gift Card

Share your own customer images

Search inside this book

Start reading The Web Application Hacker's Handbook on your Kindle in under a minute.

Don�t have a Kindle? Get your Kindle here, or download a FREE Kindle Reading App.

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws [Paperback]

Dafydd Stuttard (Author), Marcus Pinto (Author)

4.9 out of 5 stars See all reviews (16 customer reviews)

List Price:	$50.00
Price:	$31.50 & this item ships for FREE with Super Saver Shipping. Details
You Save:	$18.50 (37%)
	o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o

In Stock.
Ships from and sold by Amazon.com. Gift-wrap available.

Want it delivered Friday, September 10? Choose One-Day Shipping at checkout. Details

40 new from $27.71 16 used from $27.85

Join Amazon Student and get FREE Two-Day Shipping for one year with Amazon Prime shipping benefits.

Formats	Amazon Price		New from	Used from
Kindle Edition Kindle Edition $25.20 Available for download now. Publisher: Wiley Published: October 22, 2007	$25.20		--	--
Paperback Paperback $31.50 In Stock. Publisher: Wiley Published: October 22, 2007	$31.50		$27.71	$27.85

Sell This Book Back for $15.46

Whether you buy it used on Amazon for $27.85 or somewhere else, you can sell it back to our Textbook Buyback Store at the current price of $15.46 through December 31, 2010. Restrictions Apply

Used Price$27.85
Buyback Price$15.46

Price after
Buyback$12.39

› See more product promotions

Frequently Bought Together

Price For All Three: $97.44

Show availability and shipping details

Buy the selected items together

This item: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Dafydd Stuttard Paperback$31.50
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details
Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson Paperback$32.97
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details
Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon Paperback$32.97
In Stock.
Ships from and sold by Amazon.com.
This item ships for FREE with Super Saver Shipping. Details

Customers Who Bought This Item Also Bought

Hacking: The Art of Exploitation, 2nd Edition

by Jon Erickson

4.3 out of 5 stars (65) $32.97

Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast

by Paco Hope

5.0 out of 5 stars (5) $26.39

SQL Injection Attacks and Defense

by Justin Clarke

5.0 out of 5 stars (9) $31.68

Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)

by Edward Skoudis

4.8 out of 5 stars (45) $40.94

The Database Hacker's Handbook: Defending Database Servers

by David Litchfield

4.9 out of 5 stars (7) $33.75

› Explore similar items

Editorial Reviews

Review

"If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you’re interested in being able to audit applications for vulnerabilities".
—Robert Wesley McGrew, McGrew Security

Product Description

This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.

The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.

The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.

See all Editorial Reviews

Product Details

Paperback: 768 pages
Publisher: Wiley (October 22, 2007)
Language: English
ISBN-10: 0470170778
ISBN-13: 978-0470170779
Product Dimensions: 9.2 x 7.4 x 1.6 inches
Shipping Weight: 2.4 pounds (View shipping rates and policies)

Average Customer Review: 4.9 out of 5 stars See all reviews (16 customer reviews)

Amazon Bestsellers Rank: #24,532 in Books (See Top 100 in Books)

#16 in	Books > Computers & Internet > Certification Central > Security+
#13 in	Books > Computers & Internet > Business & Culture > Privacy
#8 in	Books > Computers & Internet > Business & Culture > Hacking

Would you like to update product info or give feedback on images?

More About the Authors

Discover books, learn about writers, read author blogs, and more.

Dafydd Stuttard

Marcus Pinto

Inside This Book (learn more)

Key Phrases - Statistically Improbable Phrases (SIPs): (learn more)
attacking authentication, web application technologies, burp proxy, backup file, exclusion list, web application hacker, path traversal vulnerabilities, bespoke attacks, attacking web applications, intercepting proxy, password change function, path traversal vulnerability, key attack surface, repeater comms, following test strings, new session token, path traversal sequences, randomly varying question, password quality rules, core security mechanisms, integer vulnerabilities, injected query, valid session token, path traversal attacks, session fixation vulnerabilities

Key Phrases - Capitalized Phrases (CAPs): (learn more)
Attacking Other Users, Web Application Hacker's Methodology, Web Application Hacker's Toolkit, Attacking Session Management, Bypassing Client-Side Controls, Internet Explorer, Mapping the Application, Automating Bespoke Attacks, Attacking Application Logic, Attacking Application Architecture, Attacking the Web Server, Questions Answers, Core Defense Mechanisms, Press Release, Server Driver, Netgear Hub, Exploiting Path Traversal, Exploiting Information Disclosure, Attacking Compiled Applications, World Wide Web, Burp Spider, Burp Repeater, David Litchfield, Java Platform, Done Figure

What Do Customers Ultimately Buy After Viewing This Item?

	80% buy the item featured on this page: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws by Dafydd Stuttard Paperback 4.9 out of 5 stars (16) $31.50
	11% buy Hacking: The Art of Exploitation, 2nd Edition by Jon Erickson Paperback 4.3 out of 5 stars (65) $32.97
	3% buy Hacking: The Next Generation (Animal Guide) by Nitesh Dhanjani Paperback 4.9 out of 5 stars (9) $26.39
	3% buy Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon Fyodor Lyon Paperback 4.9 out of 5 stars (23) $32.97

› Explore similar items

Tags Customers Associate with This Product

(What's this?)

Click on a tag to find related items, discussions, and people.

hacking(17)

security(10)

xss(6)

internet security(5)

web application(5)

web applications(5)

sql(3)

asp(2)

burp suite(2)

php(2)

Agree with these tags?

See all 30 tags...

Customer Reviews

16 Reviews

5 star:		(14)
4 star:		(2)
3 star:		(0)
2 star:		(0)
1 star:		(0)

Average Customer Review

4.9 out of 5 stars (16 customer reviews)

Share your thoughts with other customers:

Create your own review

Most Helpful Customer Reviews

42 of 42 people found the following review helpful:

5.0 out of 5 stars Everything You Need to Know, January 16, 2008

By	Jeff Pike (Mechanicsville, VA United States) - See all my reviews

This review is from: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Paperback)

This is the most important IT security title written in the past year or more. Why? Custom web applications offer more opportunities for exploitation than all of the publicized vulnerabilities your hear about combined. This book gives expert treatment to the subject. I found the writing to be very clear and concise in this 727 page volume. There is minimal fluff. While everything is clearly explained, this is not a beginners book. The authors assume that you can read html, JavaScript, etc... Usually with a book like this there are a few really good chapters and some so-so chapters, but that's not the case here. Chapters 3-18 in this book rock all the way through. Another huge plus is the tools in this book are free.

The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.

There next five chapters cover mapping application functionality, client side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.

The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.

The final next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe attack methodology discussed throughout the book for exploiting each technology.

This book scores five easily based on the relevance and value of the information.

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment

15 of 15 people found the following review helpful:

5.0 out of 5 stars Excellent for both beginners and the experienced, November 14, 2007

By	R. Wesley McGrew - See all my reviews (REAL NAME)

This review is from: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Paperback)

Before you even read a word, "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" should catch your interest for two reasons. The first is that, by name and cover art, it is being presented by Wiley as the web security counterpart of "The Shellcoder's Handbook", which I have already given a positive review. The second reason, which I did not realize it until the book arrived, is that one of the authors, Dafydd Stuttard, is the author of the excellent Burp Suite tools for exploring and exploiting web applications. I use the proxy features of it frequently, and I often tell people it's the only reason I install a Java VM on my laptop. I was very excited about reading a web application security by the author of such a great set of tools, and it did not let me down.

I will admit that I haven't read any other books that focus on attacking web applications, so I do not have anything to compare it to. I can say, however, that this book has very complete and thorough coverage of the topic, from mapping the application to exploitation. While a number of common attacks are covered (such as cross-site scripting and SQL injection), the real value of the book is in the way it teaches the process of finding vulnerabilities. Armed with this, you can more effectively discover problems that involve logical errors unique to the application you're looking at. The book reads very well cover-to-cover, with each chapter building up another step in a complete web application hacker's methodology that the authors have put together.

The topics covered encompass most of the vulnerabilities you'll see disclosed in applications daily on the mailing lists. Rather than having chapters for specific attacks, the authors gather them up into meaningful categories to present related content together. For example, SQL injection and remote-file-inclusion are rolled into a chapter titled "Injecting Code". Similarly, cross-site scripting attacks, session fixation, and request forgery are covered in "Attacking Other Users". There is introductory material in an early chapter on "Web Application Technologies", however I would recommend that anyone picking this book up be at least somewhat familiar with how web applications work, either from the viewpoint of a developer or understanding the basics of attacks. The questions at the end of each chapter are designed to test the reader's understanding of the chapter's material, and I found it helpful to at least read over them and give them some thought. Someone just getting started with web security would probably get a lot of value out of focusing on each question.

For such a large book, it is a very pleasant surprise to say that I ran across no obvious errors. The website for the book is very complete, and contains answers for all of the questions at the ends of chapters, the source code for a tool developed in one of the chapters, a list of tools described in the text, and a checklist for the methodology presented in the final chapter. If you have an interest in web application security, I would highly recommend picking up a copy of this book, especially if you're interested in being able to audit applications for vulnerabilities. Even for a web application developer, however, the book has a lot of merit. It's important to understand the ways in which your application will be attacked, and mitigation strategies are presented in the book for each attack.

I enjoyed the book, found the techniques presented to be very useful, and I plan on making use of the methodology presented.

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment (1)

21 of 23 people found the following review helpful:

5.0 out of 5 stars Excellent resource for both developer and security pro, November 6, 2007

By	Seth Fogie - See all my reviews

This review is from: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Paperback)

First off - I will come clean and admit that this review is biased on several levels. Since the public facing web application security community is small, any published work or presentation will draw the attention of others in the field and often conversations/reviews/blog comments will ensue. Why mention this? Well, Dafydd reviewed XSS Attacks on his blog - a book I co-authored along with other much bigger players in the field. I also have a bit of admiration for Burp, a program Dafydd wrote and is highlighted in most any valuable web app book. So, to say I have no connections to the authors would be misleading - to say the least.

Now, for the book - just buy it, you won't be disappointed. As I read through the book (scanning some of the familiar parts), I was overwhelmed with the fact that a full time web application penetration tester has to known A LOT - all of which this book touches on in one way or another. I really can't think of any other book that can compete...

For those new to the field, either as security professionals or as web developers, this book will most likely leave you a bit reeling. It does a good job illustrating and demonstrating the many facets of secure web app development. For the more seasoned professional, this book will no doubt serve as a resource to refresh your memory on a trick or technique you forgot about. I know it has already served this purpose for me...

So, where do I start with a more detailed expose on the book? Personally, I would start by reading chapter 20 - A Web Application Hackers Methodology. By doing this, you will get a look into the minds of the authors who spend a significant part of their lives breaking web apps. You will also gain an understanding as to why the book is laid out the way it is - simply because it is how an attack/penetration test is performed. Don't expect to understand everything in detail as this will come later. However, you should quickly get the feeling that this book is going to be an interesting read that you can quickly turn into practical coding/attack techniques.

The book is broken down in to several big parts. The first section will acclimate you to the terms, concepts, and environment that the rest of the book builds upon. This includes a brief look at each of the main sections of the server technology, how a web application functions, and an overview of the attack surface you are about to be exposed to.

The second section starts to take a look at the web application from an attacker's point of view by illustrating numerous ways that an application can be mapped for later analysis. If you are a web developer, chances are you will find that one or more of the techniques discussed will cause a bit of a concern as to how information is stored on your site - you can never assume anything on your web server is safe.

The big section of the book is where you find the fun stuff. Basically, the authors walk through the following stages of a web application attacks - authentication, session management, access control, code injection, web server bugs, logic errors, and compiled application reverse-engineering. In each section, you get a really in depth and comprehensive look at most every attack vector and technique that web application hackers (both good and bad) use to meet their goals.

One of the nice things about this book is that it is not just all theory. They include practical and pointed examples that illustrate the problem, but don't waste your time with pages and pages of source code that serve no purpose but to fill space. At 736 pages, the book doesn't need filler.

In addition to the exploit examples, the authors also provide the much needed `protection' aspect so web developers know how they can shore up their applications against the specific attacks. In my experience, knowing how to secure a web application is often harder than knowing how to break it - so seeing this in the book is a indication of the insight of the authors.

There were three sections that I paid close attention to - partly because I have a vested interest in the subject, and also because it is how I like to present concepts. The first was chapter 11, which covers Attacking Application Logic. In this chapter, the authors used a Function - Assumption - Attack process to outline the problem and how it was exploited. Since logic errors are 100% based on human error, it is very hard to categorize and illustrate without a good example. So, not only did I get to see how others failed, and how this failure resulted in an attack, but it read like a story.

The next section was chapter 12 - Attacking Other Users. This section dove into subjects like XSS, XSRF, and the like - all of which I enjoy as indicated by my work on XSS Attacks book.

And last, but not least, I really liked that the book discussed one aspect of web application security that is often overlooked - reverse-engineering of client side `thick client'. Whether this is a Flash, Java, ActiveX or C++ coded program, it is possible to reverse-engineer the client side code to inject unexpected content into a web based application. So, kudos to the authors for presenting this attack vector.

So, is there anything wrong with the book? Well, except for the fact that it could be bigger - no. This book is an excellent way to understand most every attack out there and it will be a valuable resource for any web developer/security professional. If you want more specific details on a subject, you can find that material elsewhere - Cross Site Scripting Attacks: XSS Exploits and Defense, The Database Hacker's Handbook: Defending Database Servers, and Exploiting Online Games: Cheating Massively Distributed Systems (Addison-Wesley Software Security Series) are a few examples.

Let's sum this up. The Web Application Hackers Handbook is a worth while investment, so go buy it.

Help other customers find the most helpful reviews

Was this review helpful to you?

Report this | Permalink

Comment Comment

Share your thoughts with other customers: Create your own review

› See all 16 customer reviews...

Most Recent Customer Reviews

5.0 out of 5 stars An essential handbook for web hacking
In my opinion this is the essential handbook for web hacking. I've spent years doing web application pen tests and this book has always been on my desk as a valuable reference... Read more

Published 7 months ago by David

5.0 out of 5 stars Serious candidate for Best Book Bejtlich Read 2009
The Web Application Hacker's Handbook (TWAHH) is an excellent book. I read several books on Web application security recently, and this is my favorite. Read more

Published 10 months ago by Richard Bejtlich

5.0 out of 5 stars Most Important Internet Security Book Available!!!
Not for the faint of heart kiddie scriptors.
This book actually shows just how vulnerable the Web really is and that it in fact is sometimes futile to hope for real... Read more

Published 14 months ago by William Scarbrough

4.0 out of 5 stars Perfect for auditors, less useful for developers
I was hoping that this book would give me a clear conception of how to secure my web applications against potential attackers. It did, but only peripherally. Read more

Published 18 months ago by Trevor Burnham

4.0 out of 5 stars Great reference
Great book. The beginning has some good explanation of how web apps are constructed. This section is a little tedious if you already know this material, but it is a good review,... Read more

Published 18 months ago by M. D'Aloisio

5.0 out of 5 stars Good book
This was my first web application security book. I've been reading online blogs and web-sites about web security for a while, and I've been waiting for this book to come out... Read more

Published 22 months ago by Evan Larsen

5.0 out of 5 stars More than just words!
This is an excellent book. Many books of this nature leave you wanting. They talk in complicated jargon, excite you about learning new concepts, and then leave you hanging with no... Read more

Published on February 22, 2008 by John A. Walley

5.0 out of 5 stars A Truely Excellent Resource for any Professional Web Hacker!
If you do any type of professional Web Application Assessments then this is your bible. I have read many books on web app assessments and perform many Web Application Assessments... Read more

Published on January 25, 2008 by Kevin M. Horvath

5.0 out of 5 stars An excellent thorough resource for web application security
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input... Read more

Published on January 20, 2008 by BruceMagnus

5.0 out of 5 stars excellent
This book is a complete guide and very easy to read. Simple said it's GOOD.

Mauri

Published on January 13, 2008 by M. Payne

› See all 16 customer reviews...

.jsOffDisplayBlock { display: block; } .jsOffDisplayInline { display: inline; } .jsOffVisibility { visibility: visible; } .jsOnDisplayBlock { display: none; } .jsOnDisplayNoneBlock { display: block; } .jsOnDisplayNoneInline { display: inline; } .jsOnDisplayInline { display: none; } .jsOnVisibility { visibility: hidden; } .jqOnDisplayBlock { display: none; } .jqOnDisplayInline { display: none; } .jqOnVisibility { visibility: hidden; } .jqOnDisplayNoneBlock { display: block; } .jqOnDisplayNoneInline { display: inline; }

Customer Discussions

This product's forum

Discussion	Replies	Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight

Start a new discussion

Topic:

First post:

Receive e-mail when new posts are made

Prompts for sign-in

Guidelines

Active discussions in related forums

Discussion	Replies	Latest Post
textbook buyback trade in = scam	30	4 hours ago
textbook buyback Is it OK if I used it to nudge several people towards Death Valley with it?	1297	5 hours ago
textbook I just received a "very good" textbook without its disc - what are your thoughts?	84	8 hours ago
textbook buyback is it safe to buy books from amazon?	218	19 hours ago
textbook Have copy of Captain Hook to sell.....by gw	30	1 day ago
textbook buyback Scam	7	1 day ago
textbook buyback no refund for returned book	1	3 days ago