The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.


- Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
- Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
- Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Also available as a set with CEHv8: Certified Hacker Version 8 Study Guide (Ethical Hacking and Web Hacking Set, ISBN 9781119072171).

912 pages, Paperback

First published October 1, 2007

About the author

Dafydd Stuttard

5 books, 21 followers

Ratings & Reviews

Community Reviews

5 stars: 593 (48%)
4 stars: 417 (34%)
3 stars: 148 (12%)
2 stars: 32 (2%)
1 star: 32 (2%)
Displaying 1 - 30 of 61 reviews
Sandy Maguire
Author, 3 books, 198 followers
January 24, 2020
We are so fucked. I'm a professional software engineer who cares a great deal about correctness and about security. I've worked on the security team at Google. And I didn't know half of the exploits listed in this book. The underlying technology is sufficiently complicated that I would be very surprised to learn that a nontrivial piece of software is adequately defended against _all_ of them. Even if you aren't interested in breaking systems, this is a fantastic, eye-opening book on things to pay attention to when writing robust software.
عَبدُالكَرِيمْ
205 reviews, 3 followers
November 27, 2013
If you have a basic understanding of security and you want to be a web pen-tester / hacker, this is the book you want to read.

+ Technical just like the way I like books
+ Explains many methods you couldn't possibly imagine before.
+ Step by Step explanation
+ New ideas and exploitation methods

- Labs cost $7/hr ---> Not much practice; however, you can find many free practice labs (e.g. pentesterlab.com)
- Focuses on Burp Proxy only -- there are many other tools
- A bit outdated! <- many of the vulnerabilities described are already mitigated in new browsers and applications

Follow me for more tech/pen-testing book reviews!
Bokieie
14 reviews, 17 followers
October 15, 2019
Many good points in this book. Not all of them were applicable to my software development experience.
468 reviews, 30 followers
October 30, 2014
Really good book, I learned a ton and it's great for creativity as well.

I remember waking up every day for ~2-3 weeks and reading this for 1 hour straight at 5:30-6am, just to finish the toughest thing first thing in the day haha. Very hard to read; looking back I have no idea how I did it :)

Takedown
137 reviews, 8 followers
July 25, 2014
This is the best web security book period. Absolutely awesome, easy to read and filled with practical tips and tricks with no bullshit. Highly recommended.
Elene Latsoshvili
20 reviews, 20 followers
August 16, 2010
Loved the book. Maybe overdetailed in some parts, but it covers really lots and lots of things, explained in a very good way :) A must-read for web application developers.
OJ
13 reviews
August 22, 2013
This is a necessary read for anyone looking to get a better idea of web application security, particularly those who haven't had a background in the security field at all. It's a long read, and not one that I think people can sit down to and push through quickly. I got through this while reading a few others at the same time.

It's fairly well edited with just a few simple mistakes. The exercises are interesting, though they feel a little laborious by the end.

I enjoyed reading it and would recommend it to others. I think it's a great starting point, but should be backed up with other reading.
Ajam
164 reviews, 15 followers
November 27, 2021
2★
Outrageously overrated and hilariously outdated, not to mention tries so hard to be approachable and ends up being inaccessible as f.
The interactive and mostly free sequel is here.
Cameron
16 reviews, 5 followers
July 2, 2012
Pretty much the definitive guide to testing and defending web apps. Anyone looking to enter the field can't do much better than reading this book cover to cover.
Santos
34 reviews, 1 follower
June 15, 2024
It's always good to go back to the basics! There are a couple of chapters that no longer apply in the modern web, and some chapters feel like a commercial to get you to buy Burp Suite (well, the author of the book is the author of that tool, after all). But there is a LOT of useful and relevant information about web security. A must read!
Stavro
20 reviews, 2 followers
December 26, 2024
It is an excellent book to get you started with. However, it is quite outdated. New tools and methods are available, so use this book as theory and practice somewhere else.
Jean-François
44 reviews
May 14, 2017
I bought this book quite a while back, but only started it a few months ago. Being almost 10 years old, some of the information is a bit outdated, but the general principles still hold true.

Web applications are omnipresent: be it to manage your bank account, order stuff, keep in touch with friends or seek a job, chances are this is done through one of them. For most of them, security is an absolute requirement, and we trust the various controls to keep our money, credit card and personal information, job and other interests safe. Without that trust, the whole "digital economy" would fall on its face.

Web App pentest has become an important part of the security business, as finding vulnerabilities before the bad guys do is paramount to preserve that trust. Simply think "Home Depot".

As for all pentests, this is 80% knowledge and 20% improvisation. The former is covered, with a solid introduction to all facets of web applications, or at least of 2007 web applications. While this is still a very good introduction to the topic, it is due for a refresh, to take into account, for example, APIs accessible through web interfaces.
Balhau
59 reviews, 5 followers
February 1, 2014
Well, this was a really long journey. This book has a massive number of pages, about 900. It took me a month to read all the contents here, and the conclusion is: this is just the beginning. The techniques used to hack into web applications, and in a more general perspective computer systems, are many; furthermore, they can and should be combined to optimize the effectiveness of your attack. This book introduces you to the world of hacking from a web application perspective. You should be advised that this is by no means the end of the story, and the only thing you know for sure is that you must practice and master some of the not so interesting stuff, such as encoding schemes, communication protocols and other gray stuff people tend to not give a crap about. In a nutshell, this is a must-read book for anyone involved in the security area of computer systems. It is also very advisable for those who want to develop secure systems in general.
Gene Ishchuk
235 reviews, 72 followers
December 2, 2020
Decided to switch to the online academy by PortSwigger; they have 'moved' their much requested 3rd Edition of this book online, which is great, as some things seem to be dated in the second edition I got my hands on. Even the exercises within this book are pointing to http://mdsec.net/shop/104/ which leads to PortSwigger (one of the co-authors is the person behind PortSwigger responsible for Burp proxy).
ME LOVE IT!
Enikő
31 reviews, 38 followers
August 4, 2016
The content is good, though it is too lengthy and fuzzy. I would suggest starting with the last chapter to get an overall idea of what will be in the book. I gave it three stars because I think the book could be presented in a more easily digestible way. If you plan to read, you should read this book. Suggested.
Ahmed Sultan
74 reviews, 10 followers
November 8, 2015
Finished the book a long time ago, but had to return to it again these days.
Well, I consider it the web app pentesting bible xD
Totally worth 5 stars, but took off one because it depends a lot on the paid online labs, which can't be afforded for a long time.
Waiting for the 3rd edition.
Mark
5 reviews, 3 followers
June 29, 2012
Still reading it, but helps to sharpen the swords and buff the armor ;)
Maria Ines
65 reviews, 10 followers
July 6, 2023
Summary of the learnings I had: https://miparnisariblog.wordpress.com...

This book took me months to finish, but it's worth it. Some of the hacking tools mentioned don't exist anymore and you cannot test the vulnerabilities on the WAHH website because it doesn't exist. All the vulnerabilities mentioned are still relevant, except for a few related to Flash and Silverlight which I promptly skipped. The summary and questions at the end of each chapter are good to consolidate knowledge.

Chapter 12 on cross site scripting is simultaneously the longest, most important, and most boring, in my opinion.

It's funny that there is an entire chapter (9) devoted to SQL but only a paragraph about NoSQL, which says "it's not popular enough so we won't discuss it". How times have changed!

vijayan
40 reviews, 1 follower
February 28, 2024
The book is very detailed on the subject but very old. Therefore I would suggest this only for security enthusiasts, not for general developers. Also a note for security enthusiasts: this book contains mostly outdated tools, configurations and applications, so in general you can gain general approach knowledge but not the recent security things. But you can implement, or more precisely transpile, the ideas or thoughts from this book to your vulnerability identification.

Some of the outdated things discussed in the book are very dated, like IE, the never-released PHP 6, Firebug, etc.
4 reviews, 0 followers
August 3, 2017
Good overview of common web application vulnerabilities and how to protect or exploit them. A little heavy on tools and promoting the author's paid practice website, but the content is very clear and accessible.

Definitely go through Natas at OverTheWire to apply the concepts after reading.
Jovany Agathe
281 reviews
February 21, 2020
If you get a book that was written by people who developed an actual web application testing framework, you can just make your best bet on the value you find in it. This is a behemoth of a book with its 912 pages. It was last updated in the year 2011, so the content is still very relevant today.
Rizwan Ye
4 reviews
September 14, 2023
Note: Just bought this book; reading the first few pages has already grabbed my interest compared to other popular books. I will write an after review when I finish this book, but so far so good for those looking into this field. Looks promising!
3 reviews
June 2, 2025
This book was once perceived as "The Bible" for web application offensive security. Some of its information is now slightly outdated, but I believe it's still a good resource that explains well and encapsulates all the moving parts of what modern web application security is today.
2 reviews
February 9, 2018
A+. Required reading for webapp pentesting, no exceptions. Though it is often a bit wordy to convey simple messages.