The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
By: Dafydd Stuttard, Marcus Pinto
Publisher: Wiley
Average Rating: 5.00 out of 5.00 stars
Binding: Paperback
Label: Wiley
Number of Items: 1
Number of Pages: 768
Publication Date: October 22, 2007

List Price: $50.00
Used Price: $25.03
3rd Party New: $26.40
Amazon's Price: $31.50

You Save: $18.50 (37%)
Usually ships in 2 to 4 weeks


Similar Items

Hacking: The Art of Exploitation, 2nd Edition

The Shellcoder's Handbook: Discovering and Exploiting Security Holes

XSS Exploits: Cross Site Scripting Attacks and Defense

The Database Hacker's Handbook: Defending Database Servers

Ajax Security

Editorial Comments

Product Description:
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications.

The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results.

The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.


Customer Reviews
Average Rating: 5.00 out of 5.00 stars

5 out of 5 stars: Good book
This was my first web application security book. I've been reading online blogs and web-sites about web security for a while, and I've been waiting for this book to come out because of the lack of web security books on the market. But I am impressed with this book. It covers just about everything and shows the reader how hackers exploit web applications in a multitude of ways. This will definitely help me secure my own websites and I'm already practicing a lot of what I've learned in this book for security at my company.

I actually was able to log into my job's intranet website as administrator using some of the techniques I learned from this book. Then I went to my boss and showed him how and then showed how we can prevent it. Short story short they were impressed.



5 out of 5 stars: More than just words!
This is an excellent book. Many books of this nature leave you wanting. They talk in complicated jargon, excite you about learning new concepts, and then leave you hanging with no real application of what you are learning. This is not the case with this book.

This book is excellent for both the beginner and the advanced! Plenty of real examples! Walks the beginner through the concepts of foot printing. It explains the technologies and then for the advanced it talks about creating custom code for each vulnerability.

This is a must have for any security professional's library! It was worth every penny!



5 out of 5 stars: A Truly Excellent Resource for any Professional Web Hacker!
If you do any type of professional Web Application Assessments then this is your bible. I have read many books on web app assessments and perform many Web Application Assessments for many large companies and government agencies and this is an excellent resource. I use Dafydd's Burp Suite and I can not say enough about it. If you are serious about Web Application security then this is a must read. Thanks to Dafydd and Marcus for a great book.

Kevin



5 out of 5 stars: An excellent thorough resource for web application security
This is a great read for anyone interested in the security of modern web applications. It covers the hacking process from mapping the attack surface to exploiting input validation, access control, session management, and authentication vulnerabilities using real-world examples and diagrams. There is an in-depth 100pg chapter on injecting code (e.g. SQL, OS, script, etc injection) and a 95pg chapter on attacking other users (e.g. XSS, request forgery, etc attacks). There is information about bypassing common sanitization techniques in cases where user input is sanitized. The book also covers how to write your own scripts to automate complex attacks. At the end of each section are the steps necessary to defend your application against the attacks that were described with an emphasis on "defense-in-depth"; an approach where one tries to prevent the compromise of the whole application even if one component of it is already compromised.

This book is extremely up to date with its coverage of new AJAX and XSS-type attacks while still covering the relatively old vulnerabilities like buffer overflows and SQL injections.

The authors are both professional penetration testers which gives them credibility over the information they provide in this book, and one of them is the author of the excellent free web application hacking tool called Burp Suite.

I would recommend this book to anyone that has a basic knowledge of how the Web works (HTTP, JavaScript, cookies, HTML, and basics of a programming language like PHP or Java) although you could learn these technologies as you are reading the book which would take some more time.



5 out of 5 stars: Everything You Need to Know
This is the most important IT security title written in the past year or more. Why? Custom web applications offer more opportunities for exploitation than all of the publicized vulnerabilities you hear about combined. This book gives expert treatment to the subject. I found the writing to be very clear and concise in this 727 page volume. There is minimal fluff. While everything is clearly explained, this is not a beginner's book. The authors assume that you can read HTML, JavaScript, etc... Usually with a book like this there are a few really good chapters and some so-so chapters, but that's not the case here. Chapters 3-18 in this book rock all the way through. Another huge plus is the tools in this book are free.

The first few chapters provide context and background information. Chapter 3 on Web Application Technologies provides particularly useful background info. The next 666 pages of the book are all about attacking the applications.

The next five chapters cover mapping application functionality, client side controls, authentication, sessions, and access controls. The coverage is comprehensive. I'm not new to these topics, but I learned so much in every chapter. The depth of coverage is amazing.

The next six chapters are the heart of this book. They cover injection, path traversal, application logic, XSS and related attacks, automating attacks, and information disclosure. You'll find full treatment of attacks we're all familiar with like SQL injection and cross site scripting as well as many that most of us haven't heard of before. The danger is real and these chapters need to be read.

The next four chapters cover attacks against compiled applications, application architecture, web servers, and source code. The final two chapters are more useful as a quick reference. They provide an overview of the tools covered throughout the book and describe attack methodology discussed throughout the book for exploiting each technology.

This book scores five easily based on the relevance and value of the information.

