What do you think?
Rate this book
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
This book is a practical guide to discovering and exploiting security flaws in web applications. The authors explain each category of vulnerability using real-world examples, screen shots and code extracts. The book is extremely practical in focus, and describes in detail the steps involved in detecting and exploiting each kind of security weakness found within a variety of applications such as online banking, e-commerce and other web applications. The topics covered include bypassing login mechanisms, injecting code, exploiting logic flaws and compromising other users. Because every web application is different, attacking them entails bringing to bear various general principles, techniques and experience in an imaginative way. The most successful hackers go beyond this, and find ways to automate their bespoke attacks. This handbook describes a proven methodology that combines the virtues of human intelligence and computerized brute force, often with devastating results. The authors are professional penetration testers who have been involved in web application security for nearly a decade. They have presented training courses at the Black Hat security conferences throughout the world. Under the alias "PortSwigger", Dafydd developed the popular Burp Suite of web application hack tools.
722 pages, Paperback
First published October 1, 2007
591 people are currently reading
3900 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 30 of 60 reviews
January 24, 2020
We are so fucked. I'm a professional software engineer who cares a great deal about correctness and about security. I've worked on the security team at Google. And I didn't know half of the exploits listed in this book. The underlying technology is sufficiently complicated that I would be very surprised to learn that a nontrivial piece of software is adequately defended against _all_ of them. Even if you aren't interested in breaking systems, this is a fantastic, eye-opening book on things to pay attention to when writing robust software.
November 27, 2013
If you have the basic understanding of security and you want to be a web pen-tester / hacker. This is the book you want to read.
+ Technical just like the way I like books
+ Explains many methods you couldn't possible imagine before.
+ Step by Step explanation
+ New ideas and exploitation methods
- Labs cost 7$ / Hr ---> Not much practice; however you can find many free practice labs (e.g. pentesterlab.com)
- Focuses on Burp Proxy only -- there are many other tools
- a bit outdated ! <- many of vulnerabilities described are already mitigated in new browsers and applications
Follow me for more tech/pen-testing books reviews!
+ Technical just like the way I like books
+ Explains many methods you couldn't possible imagine before.
+ Step by Step explanation
+ New ideas and exploitation methods
- Labs cost 7$ / Hr ---> Not much practice; however you can find many free practice labs (e.g. pentesterlab.com)
- Focuses on Burp Proxy only -- there are many other tools
- a bit outdated ! <- many of vulnerabilities described are already mitigated in new browsers and applications
Follow me for more tech/pen-testing books reviews!
October 15, 2019
Many good points in this book. Not all of them were applicable to my software development experience.
October 30, 2014
Really good book, I learned a ton and it's great for creativity as well.
I remember waking up everyday for ~2-3 weeks and reading this for 1 hour straight at 5:30-6am, just to finish the toughest thing first thing in the day haha. Very hard to read, looking back I have no idea how I did it :)
I remember waking up everyday for ~2-3 weeks and reading this for 1 hour straight at 5:30-6am, just to finish the toughest thing first thing in the day haha. Very hard to read, looking back I have no idea how I did it :)
July 25, 2014
This is the best web security book period. Absolutely awesome, easy to read and filled with practical tips and tricks with no bullshit. Highly recommended.
August 16, 2010
Loved the book. Maybe overdetailed in some parts, but it covers really lots and lots of things explained in a very good way :) a must-read for web application developers
August 22, 2013
This is a necessary read for anyone looking to get a better idea of web application security, particularly those who haven't had a background in the security field at all. It's a long read, and not one that I think people can sit down to and push through quickly. I got through this while reading a few others at the same time.
It's fairly well edited with just a few simple mistakes. The exercises are interesting, though they feel a little laborious by the end.
I enjoyed reading it and would recommend it to others. I think it's a great starting point, but should be backed up with other reading.
It's fairly well edited with just a few simple mistakes. The exercises are interesting, though they feel a little laborious by the end.
I enjoyed reading it and would recommend it to others. I think it's a great starting point, but should be backed up with other reading.
November 27, 2021
2★
Outrageously overrated and hilariously outdated, not to mention tries so hard to be approachable and ends up being inaccessible as f.
The interactive and mostly freesequel
is here.
Outrageously overrated and hilariously outdated, not to mention tries so hard to be approachable and ends up being inaccessible as f.
The interactive and mostly free
July 2, 2012
Pretty much the definitive guide to testing and defending web apps. Anyone looking to enter the field can't do much better than reading this book cover to cover.
June 15, 2024
It's always good to go back to the basics! There are a couple of chapters that are no longer apply in the modern web, and some chapters feel like a comercial to get you to buy burp suite (well, the author of the book is the author of that tool after all). But, there is a LOT of useful and relevant information about web security, a must read!
December 26, 2024
It is an excellent book to get you started with. However, it is quite outdated. New tools and methods are available so use this book as theory and practice somewhere else.
May 14, 2017
I bought this book quite a while back, but only started it a few months ago. Being almost 10 years old, some of the information is a bit outdated, but the general principles still old true.
Web Applications are omnipresent: be them to manage your bank account, order stuff, keep in touch with friends or seek for a job, chances are this is through one of these. For most of them, security is an absolute requirement, and we trust the various controls to protect our money, credit card and personal information, job and other interests safe. without that trust, the whole "digital economy" would fall on its face.
Web App pentest has become an important part of the security business, as finding vulnerabilities before the bad guys do is paramount to preserve that trust. Simply think "Home Depot".
As for all pentest, this is 80% knowledge and 20% improvisation. The former is covered, with a solid introduction to all facets of a Web applications, or at least of 2007 Web applications. While this stays a very good introduction to the topic, it is due for a refresh, to take into account for example API accessible through Web interfaces.
Web Applications are omnipresent: be them to manage your bank account, order stuff, keep in touch with friends or seek for a job, chances are this is through one of these. For most of them, security is an absolute requirement, and we trust the various controls to protect our money, credit card and personal information, job and other interests safe. without that trust, the whole "digital economy" would fall on its face.
Web App pentest has become an important part of the security business, as finding vulnerabilities before the bad guys do is paramount to preserve that trust. Simply think "Home Depot".
As for all pentest, this is 80% knowledge and 20% improvisation. The former is covered, with a solid introduction to all facets of a Web applications, or at least of 2007 Web applications. While this stays a very good introduction to the topic, it is due for a refresh, to take into account for example API accessible through Web interfaces.
February 1, 2014
Well this was a really long journey. This book has a massive number of pages, about 900. It took me a month to read all the contents here and the conclusion is, this is just the begining. The technics used to hack into web applications, and in a more general perspective, computer systems are many, furthermore the can and should be combined to optimize the effectiveness of your attack. This book introduces you into the world of hacking in a web application perspective. You should be advised that this is by no far the end of the story and the only thing you know for sure is that you must practice and master some of the not so interesting stuff as encodings schemes communication protocols and other gray stuff people tend to not give a crap. In a nutshell this is a must read book for anyone involved on the security area of computer systems. It is also very advisable to those who want to develop secure systems in general.
December 2, 2020
decided to switch to the online academy by PortSwigger, they have 'moved' their much requested 3d Edition of this book online which is great, some things seem to be dated in the second edition I got my hands on. even the exercises within this book are pointing to http://mdsec.net/shop/104/ which leads to PortSwigger (one of the co-authors is the someone behind PortSwigger responsible for Burp proxy).
ME LOVE IT!
ME LOVE IT!
August 4, 2016
The content is good. Though is too lengthy and fuzzy. I would suggest to start reading with the last chapter to get an overall idea what will be in the book. I gave it three stars because I think the book could be presented in more easily digestible way. If you plan to read, you should read this book. Suggested.
November 8, 2015
Finished the book long time ago , but had to return to it again these days
well , i consider it as the web app pentesting bible xD
totally worth 5 stars , but took off one because it depend a lot on the paid online labs which cant be afford for long time
waiting for the 3rd edition
well , i consider it as the web app pentesting bible xD
totally worth 5 stars , but took off one because it depend a lot on the paid online labs which cant be afford for long time
waiting for the 3rd edition
June 29, 2012
Still reading it, but helps to sharpen the swords and buff the armor ;)
July 6, 2023
Summary of the learnings I had: https://miparnisariblog.wordpress.com...
This book took me months to finish, but it's worth it. Some of the hacking tools mentioned don't exist anymore and you cannot test the vulnerabilities on the WAHH website because it doesn't exist. All the vulnerabilities mentioned are still relevant, except for a few related to Flash and Silverlight which I promptly skipped. The summary and questions at the end of each chapter are good to consolidate knowledge.
Chapter 12 on cross site scripting is simultaneously the longest, most important, and most boring, in my opinion.
It's funny that there is an entire chapter (9) devoted to SQL but only a paragraph about NoSQL which says "it's not popular enough so we won't discuss it". How times have changed!
This book took me months to finish, but it's worth it. Some of the hacking tools mentioned don't exist anymore and you cannot test the vulnerabilities on the WAHH website because it doesn't exist. All the vulnerabilities mentioned are still relevant, except for a few related to Flash and Silverlight which I promptly skipped. The summary and questions at the end of each chapter are good to consolidate knowledge.
Chapter 12 on cross site scripting is simultaneously the longest, most important, and most boring, in my opinion.
It's funny that there is an entire chapter (9) devoted to SQL but only a paragraph about NoSQL which says "it's not popular enough so we won't discuss it". How times have changed!
February 28, 2024
The book is very detailed on the subject but very old. Therefore I would suggest this to only for security enthusiasts not for general developers. Also a note for security enthusiasts this book contains most of the outdated tools, configurations, applications so in general you can gain general approach knowledge but not the recent security things. But you can implement or more precisely transpile the idea or thoughts from this book to your vulnerability identification.
Some of the outdated things discussed in the books are very predated like IE, never released PHP 6, Firebug, etc.
Some of the outdated things discussed in the books are very predated like IE, never released PHP 6, Firebug, etc.
Read
July 7, 2024Hello! I would recommend using a software development service. In my opinion, this is the best way to start a business right now! In addition, it is not very expensive. A small market at first, which expands over time! You can learn more about staff augmentation in UK at 9NEXUS.
August 3, 2017
Good overview of common web application vulnerabilities and how to protect or exploit them. A little heavy on tools and promoting the author's paid practice website, but the content is very clear and accessible.
Definitely go through Natas at OverTheWire to apply the concepts after reading.
Definitely go through Natas at OverTheWire to apply the concepts after reading.
February 21, 2020
If you get a book that was written by people who developed an actual Web Application Testing framework, you can just make your best bet on the value you find in it. This is a behemoth of a book with its 912 pages. It was last updated in the year 2011, so the content is still very relevant today
September 14, 2023
Note: Just bought this book, reading the first few pages already has grabbed my interested compared to other popular books. I will write an after review when I finish this book, but so far so good for those looking into this field. Looks promising!
June 2, 2025
This book was once perceived as "The Bibble" for web application offensive security. Some of its information is now slightly outdated but I believe its still a good resource that well explains and encapsulates all the moving parts of what modern web application security is today.
November 11, 2017
very good book
February 9, 2018
A+. Required reading for webapp pentesting, no exceptions. Though it is often a bit wordy to convey simple messages.
April 15, 2019
A bit outdated, but still some good advise in there.
December 10, 2019
A bit too old and verbose
January 30, 2020
hola quiero leer este libro
This entire review has been hidden because of spoilers.
Displaying 1 - 30 of 60 reviews