
Web Application Security: Exploitation and Countermeasures for Modern Web Applications

While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking―until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply. Andrew Hoffman, a senior security engineer at Salesforce, introduces three pillars of web application recon, offense, and defense. You’ll learn methods for effectively researching and analyzing modern web applications―including those you don’t have direct access to. You’ll also learn how to break into web applications using the latest hacking techniques. Finally, you’ll learn how to develop mitigations for use in your own web applications to protect against hackers.

327 pages, Paperback

Published April 7, 2020


About the author

Andrew Hoffman

18 books, 1 follower


Community Reviews

5 stars: 21 (19%)
4 stars: 39 (36%)
3 stars: 38 (35%)
2 stars: 5 (4%)
1 star: 5 (4%)
1 review
January 26, 2021

This is a relatively new book on web application security (as of early 2021) published by O'Reilly, so I was pretty excited to read it. The author is a security engineer at a well-known tech company who has worked with web standards organizations. The project leader of OWASP endorses it as "a comprehensive resource on web application security." The back cover promises "detailed knowledge regarding modern web application security." Unfortunately, I didn't realize it was only about 300 pages long. That is not a lot of space to cover recon techniques, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), XML External Entity (XXE), various types of injection, and defense against all of the above, among other topics. I think the book is organized in a clever way. It is split into three parts: recon, offense, and defense. This steps you through the approaches an attacker or pentester may take to gather information and then attack an application. If you are a developer who does not know much about web application security, that is a good lead-in to defense and secure coding practices. Most of the code examples are in JavaScript (Express.js) and should be easy to understand even if you're more accustomed to another server-side language.

I understand the challenges of writing good tech books. If you go into a lot of depth and detail, a lot of the content will become dated quickly. That being said, I think that this book goes too far in the other direction. Most of the chapters are roughly 10 pages long. Some of them are only about 5 pages. This often amounts to a code sample, screenshot or diagram, and a few paragraphs scratching the surface of a topic. For example, the XSS chapter in the offense section is 13 pages long. That is a one-page introduction, four pages setting up a thought experiment for stored XSS, then a few pages each explaining stored, reflected, DOM-based, and mutation-based XSS. The XSS chapter in the defense section is 10 pages long. It includes good advice (pass user input into the DOM as a string whenever possible, sanitize user input, use a CSP, etc.), but again does not go into much depth. The book's introduction says the primary audience is "an early-to-mid-career software engineer or web application developer," and I would agree. I did not get that impression from the book's description, though. If you're looking for a high-level intro to web app security, this book is for you. If you're looking for a modernized Web Application Hacker's Handbook, you're not going to find it here.

DraingangUNATCO
4 reviews
September 13, 2021
Not worth reading. "Modern" in the title means "web application attacks from 10 years ago". Padded with fluff about the "hacker mindset" and the Enigma machine from WW2. Feels like the author was summarizing wiki pages when writing this thing. An actually good book would have you start with an example Express.js application and show you how vulnerabilities happen and the steps to fix them as a software developer.
6 reviews, 5 followers
December 31, 2023
This book serves as a good introduction to the topic of web application security. I particularly appreciate its structure, which is divided into three parts: reconnaissance, attack, and defense.

Most topics are explained at a high level and are easy to follow. The author explicitly mentions his intention to avoid discussing specific tools, which can quickly become outdated, and instead focuses on concepts. However, I find myself missing this aspect, as I had expected to learn about tools applicable in my daily work.

Additionally, I wish the author had included more real-world examples and specific CVEs. For instance, an example of SQL Injection found in version X of library Y, complete with the offending code and its patch, would have been beneficial. Including links or references to additional resources for more in-depth explanations would also be a valuable addition to the book.

Overall, it was a relatively easy read, and I recommend it to anyone interested in learning about web app security without much prior experience.
Clifford Fajardo
5 reviews
May 20, 2020
For anyone who's developing web applications, this is a must-have. This book is practical and offers lots of code snippets, allowing you to apply the knowledge you're picking up in the readings.

I've attempted to read a few security books in the past, but this one kept my attention due to its practical nature. It's not heavy on jargon and reads smoothly.

I appreciate the programming language of choice used in this book as well - modern JavaScript/Node.js. The choice of language meant:
- less context switching between languages, because both the client-side and server-side code in the book is plain vanilla JavaScript, allowing me to focus more on the concepts in this book
- being able to run the code in the browser or in server environments (with Node.js) for this book was a big plus
1 review
June 25, 2021
This is not a book for software developers. Maybe you can write a Rails app, and bought this book expecting to read about deserialization attacks or how to securely handle user file uploads that need to be processed through ImageMagick. There's nothing here for you.

Maybe you're more offensively minded, and want to learn about how to create a malicious npm package, or exploit vulnerable URL parsers for SSRF. You will get a description of XSS and SQL.

Maybe you put CISSP in your email signature at work. You might like this book.

29 reviews, 6 followers
March 6, 2021
OK for those who have no clue about security. However, if you are already familiar with security, look elsewhere.
Anh Tuấn Nguyễn
15 reviews
April 17, 2021
General introduction to common web security vulnerabilities and mitigations.
Depending on how familiar you are with these vulnerabilities, you may feel that this book is good or just generic.
Mayur Sinha
124 reviews, 4 followers
June 5, 2021
It's a very basic book for anyone who wants to learn web app sec, with no clear examples. I don't recommend this for professionals, but it could be good for noobs.
Abhishek Kumar
74 reviews, 1 follower
June 17, 2022
A very basic beginner's book. It will benefit someone with no exposure to web security, but not people who have been diving into it, even if from the sidelines.
Carter
597 reviews
February 17, 2022
I read this on the Safari Online site. It provides a good review of key categories of problems that occur in application security (specific to the web, of course).
Ayoub
87 reviews, 25 followers
February 17, 2021
A practical book on web security, starting with information gathering methods, exploiting common web vulnerabilities, and ending with defense techniques. I recommend it to every web developer!