Amazon Prime Free Trial
FREE Delivery is available to Prime members. To join, select "Try Amazon Prime and start saving today with FREE Delivery" below the Add to Cart button and confirm your Prime free trial.
Amazon Prime members enjoy:- Cardmembers earn 5% Back at Amazon.com with a Prime Credit Card.
- Unlimited FREE Prime delivery
- Streaming of thousands of movies and TV shows with limited ads on Prime Video.
- A Kindle book to borrow for free each month - with no due dates
- Listen to over 2 million songs and hundreds of playlists
Important: Your credit card will NOT be charged when you start your free trial or if you cancel during the trial period. If you're happy with Amazon Prime, do nothing. At the end of the free trial, your membership will automatically upgrade to a monthly membership.
-13% $45.02$45.02
Ships from: Amazon.com Sold by: Amazon.com
$34.95$34.95
Ships from: Amazon Sold by: Dream Books Co.
Download the free Kindle app and start reading Kindle books instantly on your smartphone, tablet, or computer - no Kindle device required.
Read instantly on your browser with Kindle for Web.
Using your mobile phone camera - scan the code below and download the Kindle app.
Follow the author
OK
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition
Purchase options and add-ons
- Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
- Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
- Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks
- ISBN-101118026470
- ISBN-13978-1118026472
- Edition2nd
- PublisherWiley
- Publication dateSeptember 27, 2011
- LanguageEnglish
- Dimensions7.4 x 2 x 9.2 inches
- Print length912 pages
Frequently bought together
Customers who viewed this item also viewed
- Canonicalization is the process of converting or decoding data into a common character set.Highlighted by 497 Kindle readers
- In a production context, the application should never return any system-generated messages or other debug information in its responses.Highlighted by 403 Kindle readers
- Httprecon is a handy tool that performs a number of tests in an attempt to fingerprint a web server's software.Highlighted by 305 Kindle readers
Editorial Reviews
Review
Review
From the Author
From the Inside Flap
Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it.
This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.
Discover how cloud architectures and social networking have added exploitable attack surfaces to applications
Leverage the latest HTML features to deliver powerful cross-site scripting attacks
Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks
Learn how to break encrypted session tokens and other sensitive data found in cloud services
Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users
Learn new techniques for automating attacksand dealing with CAPTCHAs and cross-site request forgery tokens
Steal sensitive data across domains using seemingly harmless application functions and new browser features
Find help and resources at http://mdsec.net/wahh
Source code for some of the scripts in the book
Links to tools and other resources
A checklist of tasks involved in most attacks
Answers to the questions posed in each chapter
Hundreds of interactive vulnerability labs
From the Back Cover
This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.
- Discover how cloud architectures and social networking have added exploitable attack surfaces to applications
- Leverage the latest HTML features to deliver powerful cross-site scripting attacks
- Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks
- Learn how to break encrypted session tokens and other sensitive data found in cloud services
- Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users
- Learn new techniques for automating attacksand dealing with CAPTCHAs and cross-site request forgery tokens
- Steal sensitive data across domains using seemingly harmless application functions and new browser features
- Source code for some of the scripts in the book
- Links to tools and other resources
- A checklist of tasks involved in most attacks
- Answers to the questions posed in each chapter
- Hundreds of interactive vulnerability labs
About the Author
MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.
Product details
- Publisher : Wiley; 2nd edition (September 27, 2011)
- Language : English
- Paperback : 912 pages
- ISBN-10 : 1118026470
- ISBN-13 : 978-1118026472
- Item Weight : 2.9 pounds
- Dimensions : 7.4 x 2 x 9.2 inches
- Best Sellers Rank: #141,190 in Books (See Top 100 in Books)
- #62 in Privacy & Online Safety
- #105 in Computer Hacking
- #172 in Internet & Telecommunications
- Customer Reviews:
About the author
Discover more of the author’s books, see similar authors, read book recommendations and more.
Customer reviews
Customer Reviews, including Product Star Ratings help customers to learn more about the product and decide whether it is the right product for them.
To calculate the overall star rating and percentage breakdown by star, we don’t use a simple average. Instead, our system considers things like how recent a review is and if the reviewer bought the item on Amazon. It also analyzed reviews to verify trustworthiness.
Learn more how customers reviews work on AmazonCustomers say
Customers find the book provides good information on web application hacking and security. They describe it as a comprehensive guide for learning and expanding their skills. The book is considered an excellent reference for pros and beginners alike.
AI-generated from the text of customer reviews
Customers find the book provides great information and is comprehensive. They find it an excellent reference for web app/security experts with good explanations and references. The book breaks down topics in depth, covering topics like Cross-Site Scripting, Cross-Site Request Forgeries, SQL injection, and tools you can use to learn more about a website.
"...The authors highlight many kinds of tools you can use to learn more about a website, including a product they developed themselves called Burp..." Read more
"...When I say the labs are stellar, I mean it. The labs come almost straight from the class and start trivial and then get crazy...." Read more
"It’s an excellent reference book however I was more than surprised that the word IDOR is not mentioned anywhere in the book...." Read more
"...There is no other book out there to date that is as exhaustive as this book and covers absolutely everything you need to know to defend and exploit." Read more
Customers find the book helpful for learning and expanding their skills in web application hacking. They say it's comprehensive and focused on Burp, the creator of Burp Suite. The book provides techniques and strategies for attacking and defending web applications.
"This book offers tons of techniques and strategies for attacking and defending web applications...." Read more
"This book remains the authority in web application hacking...." Read more
"This book is a must have if you want to master your skills in web applications hacking and want to have access to a lot of different approaches,..." Read more
"...for beginners since it discusses a lot of techniques and strategies pertaining to attacking and defending web applications...." Read more
Reviews with images
Best Hacking Book on the Market
Top reviews from the United States
There was a problem filtering reviews right now. Please try again later.
- Reviewed in the United States on October 23, 2016This book offers tons of techniques and strategies for attacking and defending web applications. The beginning chapters discuss the major components of websites and their vulnerabilites.
The middle of the book gets much more specific showing "Hack Steps" for different components like the client side, sessions, databases, and authentication.
Sections about custom code development show how you can develop your own solution to probe a web app. There were code examples in different languages such as JavaScript, C++, Java, and ASP.NET. The authors highlight many kinds of tools you can use to learn more about a website, including a product they developed themselves called Burp Suite.
For readers interested in the testing the techniques there is a website offered by the book but it costs $7 an hour to play around on the site. This fee is for keeping the website running apparently, but I thought it would make more sense to have a monthly fee. I did not subscribe to this site myself though because I was more interested in getting a broad overview of website security.
The book is showing its 2011 publication date in some places. For example, IE and Firefox are said to be the dominant browsers while Chrome is a minor player. Additionally, Flash and Silverlight are spoken of as being components of many websites. One issue was I was not really sure where techniques might be outdated and others are still relevant.
I would definitely be interested in a 3rd edition for this book. The authors presented a solid foundation for learning about website security.
- Reviewed in the United States on October 14, 2011There's a running joke we have on our assessment team about the Web Application Hackers Handbook. Every time we see a new technology, or have to deal with a one-off situation, we start doing research online only to find it was already referenced in WAHH somewhere. We've all read this book several times too, it's like Dafydd and Marcus sneak into our houses at night and add content...
Joking aside though, there is no other reference for web hacking as thorough or complete as WAHH.
With WAHH2 the authors added a significant amount content and rehashed existing chapters that were already deeply technical. The bonus in WAHH2 is its associated labs. Dafydd and Marcus have been giving a live WAHH training for years and have now moved the stellar CTF like challenges to the cloud. You can buy credits ($7 for 1hr) and move right along as you read the book (MDSec.net). When I say the labs are stellar, I mean it. The labs come almost straight from the class and start trivial and then get crazy. The injection labs were by far my favorite, housing 30-40 different injection types/variants each between XSS/SQLi. The CTF in the class (which i'll mention again is where the MDSec.com labs are based from) gets ridiculous toward the end. Even seasoned web testers fall around questions 14-16. But i digress...
WAHH2 is now the defacto buy for any pentest/QA/Audit team. Its usage will surpass any other book on your bookshelf if you are doing practical testing.
5 stars, i'd give it 10 if I could.
- Reviewed in the United States on April 8, 2013Reading this book up to around page 600 made me seriously question how anyone could give it less than 5 stars. The amount of knowledge it gave me for a mere $25 is absolutely astounding. I was eagerly waiting to finish it so I could come review it.
Then I finished it, and I understood some of the criticisms. It starts to feel like it's repeating itself after a while, and the product placement for Burp start to become a bit more annoying.
Still, the rest of the book is chock full of great, detailed information. If you're like me and had a basic understanding of how SQL injection worked, but wanted to get a deeper look, this book is perfect. If you chopped off the last 200 pages you would have a book that was STILL worth well over $25. It's hard for me to give it less than 5 stars when my major complaint is that it gives too much information.
Bottom line: if you're a beginner or intermediate to web application security and you're wondering whether you should buy this, just do it. You won't be disappointed.
- Reviewed in the United States on August 23, 2024All OK.
- Reviewed in the United States on May 17, 2024It’s an excellent reference book however I was more than surprised that the word IDOR is not mentioned anywhere in the book. IDOR is one of the top most critical vulnerabilities in web hacking. I am not sure how it could be missed?
- Reviewed in the United States on July 29, 2022This book remains the authority in web application hacking. There is no other book out there to date that is as exhaustive as this book and covers absolutely everything you need to know to defend and exploit.
- Reviewed in the United States on November 30, 2018I can't even tell you how many times I find myself referencing this book. Despite what some have suggested you don't need to have Burp Suite or do any labs. It's so full of insightful knowledge that it can replace a whole reference library all by itself. It doesn't just show you "how-tos" but helps you THINK differently - better - methodical. One little example is how the authors present the idea of overcoming filtering deployed by a WAF or web server. "<script>" might get filtered but what would happen if you passed "<scr<script>ipt>"? Now run with it and get creative! Can't thank the authors enough for their contribution. This is right up there with Homer's Odyssey, Shakespeare's Romeo and Juliet and quite frankly, The Bible. Ok, maybe that's pushing it but you get the idea.
Top reviews from other countries
- Maria Ines ParnisariReviewed in Canada on July 6, 2023
5.0 out of 5 stars Still relevant!
This book took me months to finish, but it's worth it. Some of the hacking tools mentioned don't exist anymore and you cannot test the vulnerabilities on the WAHH website because it doesn't exist. All the vulnerabilities mentioned are still relevant, except for a few related to Flash and Silverlight which I promptly skipped. The summary and questions at the end of each chapter are good to consolidate knowledge.
Chapter 12 on cross site scripting is simultaneously the longest, most important, and most boring, in my opinion.
It's funny that there is an entire chapter (9) devoted to SQL but only a paragraph about NoSQL which says "it's not popular enough so we won't discuss it". How times have changed!
-
Max RibeiroReviewed in Brazil on March 10, 2023
5.0 out of 5 stars Top demais, a biblia do web hacking!
Produto chegou apenas com umas marquinhas na capa, mas pra um produto importado até que esta bem conservado, conteúdo perfeito, com certeza vou passar esse livro pros meus filhos e filhos dos meus filhos!
-
ALİ BAYKARAReviewed in Turkey on November 9, 2024
5.0 out of 5 stars Portswigger web academy
Portswigger web academy labları yardımcı olması için aldım kesinlikle alınır
- PlaceholderReviewed in India on September 9, 2024
5.0 out of 5 stars Book is useful
I have only read 10 to 30 pages of this book but the language and content that I found in it is high quality content and is very important topics are covered inside this book you can get a full road map and many useful important knowledge from this book's content
- SolangeReviewed in Germany on July 21, 2023
5.0 out of 5 stars Perfect condition
The product was in a very good condition and the delivery should be placed on 25 of July but I received it on 21 :D
I'm very satisfied.
I recommend