
URL: https://www.amazon.com/dp/1118026470/ref=mes-dp

The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws: Stuttard, Dafydd, Pinto, Marcus: 8601200464443: Amazon.com: Books

The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.
  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks
Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.
πŸ‘ Image
Report an issue with this product or seller


Frequently bought together

This item: The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
$34.52$34.52
Get it as soon as Friday, Jul 3
In Stock
Sold by ayvax and ships from Amazon Fulfillment.
$29.35$29.35
Get it as soon as Sunday, Jul 5
Sold by Hope's Ark and ships from Amazon Fulfillment.
Total price: $00$00
To see our price, add these items to your cart.
Try again!
Details
Added to Cart
Some of these items ship sooner than the others.
Choose items to buy together.

Customers who viewed this item also viewed

Page 1 of 1 Start over

Customers also bought or read

Page 1 of 1Start over
Loading...

Editorial Reviews

From the Inside Flap

New technologies. New attack techniques. Start hacking.

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it.

This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.

  • Discover how cloud architectures and social networking have added exploitable attack surfaces to applications

  • Leverage the latest HTML features to deliver powerful cross-site scripting attacks

  • Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks

  • Learn how to break encrypted session tokens and other sensitive data found in cloud services

  • Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users

  • Learn new techniques for automating attacks and dealing with CAPTCHAs and cross-site request forgery tokens

  • Steal sensitive data across domains using seemingly harmless application functions and new browser features

Find help and resources at http://mdsec.net/wahh

  • Source code for some of the scripts in the book

  • Links to tools and other resources

  • A checklist of tasks involved in most attacks

  • Answers to the questions posed in each chapter

  • Hundreds of interactive vulnerability labs

About the Author

DAFYDD STUTTARD is an independent security consultant, author, and software developer specializing in penetration testing of web applications and compiled software. Under the alias PortSwigger, Dafydd created the popular Burp Suite of hacking tools.

MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Customer reviews

4.7 out of 5 stars
1,119 global ratings

Amazon Customer
5 out of 5 stars
Best Hacking Book on the Market
I see a lot of negative reviews here, but hold on, we are talking about hacking here, not making soda pop. I can understand the frustration from some of the readers, but come on, the first concept of hacking is recon, so guys, you should have done your homework more thoroughly. If you had done so, this would have led you to the Portswigger page explaining in depth the correct use and application of the Burp Suite tools using the OWASP broken web project. All examples can be done using manual or automated testing for you that don't own the PRO version; once you have seen the power of this tool YOU WILL buy the PRO version. The best book on the market by a mile; in fact, this is the standard other authors should follow.

Top reviews from the United States

  • William P Ross
    5 out of 5 stars
    Comprehensive Look At Website Security
    Reviewed in the United States on October 23, 2016

    This book offers tons of techniques and strategies for attacking and defending web applications. The beginning chapters discuss the major components of websites and their vulnerabilities.

    The middle of the book gets much more specific showing "Hack Steps" for different components like the client side, sessions, databases, and authentication.

    Sections about custom code development show how you can develop your own solution to probe a web app. There were code examples in different languages such as JavaScript, C++, Java, and ASP.NET. The authors highlight many kinds of tools you can use to learn more about a website, including a product they developed themselves called Burp Suite.

    For readers interested in testing the techniques, there is a website offered by the book, but it costs $7 an hour to play around on the site. This fee is for keeping the website running apparently, but I thought it would make more sense to have a monthly fee. I did not subscribe to this site myself though because I was more interested in getting a broad overview of website security.

    The book is showing its 2011 publication date in some places. For example, IE and Firefox are said to be the dominant browsers while Chrome is a minor player. Additionally, Flash and Silverlight are spoken of as being components of many websites. One issue was I was not really sure where techniques might be outdated and others are still relevant.

    I would definitely be interested in a 3rd edition for this book. The authors presented a solid foundation for learning about website security.

    19 people found this helpful
  • 5 out of 5 stars
    Bottom line: buy it
    Reviewed in the United States on April 8, 2013

    Reading this book up to around page 600 made me seriously question how anyone could give it less than 5 stars. The amount of knowledge it gave me for a mere $25 is absolutely astounding. I was eagerly waiting to finish it so I could come review it.

    Then I finished it, and I understood some of the criticisms. It starts to feel like it's repeating itself after a while, and the product placement for Burp starts to become a bit more annoying.

    Still, the rest of the book is chock full of great, detailed information. If you're like me and had a basic understanding of how SQL injection worked, but wanted to get a deeper look, this book is perfect. If you chopped off the last 200 pages you would have a book that was STILL worth well over $25. It's hard for me to give it less than 5 stars when my major complaint is that it gives too much information.

    Bottom line: if you're a beginner or intermediate to web application security and you're wondering whether you should buy this, just do it. You won't be disappointed.

    34 people found this helpful
  • Jason Haddix
    5 out of 5 stars
    The Book That Keeps on Giving...
    Reviewed in the United States on October 14, 2011

    There's a running joke we have on our assessment team about the Web Application Hackers Handbook. Every time we see a new technology, or have to deal with a one-off situation, we start doing research online only to find it was already referenced in WAHH somewhere. We've all read this book several times too, it's like Dafydd and Marcus sneak into our houses at night and add content...

    Joking aside though, there is no other reference for web hacking as thorough or complete as WAHH.

    With WAHH2 the authors added a significant amount of content and rehashed existing chapters that were already deeply technical. The bonus in WAHH2 is its associated labs. Dafydd and Marcus have been giving a live WAHH training for years and have now moved the stellar CTF-like challenges to the cloud. You can buy credits ($7 for 1hr) and move right along as you read the book (MDSec.net). When I say the labs are stellar, I mean it. The labs come almost straight from the class and start trivial and then get crazy. The injection labs were by far my favorite, housing 30-40 different injection types/variants each between XSS/SQLi. The CTF in the class (which I'll mention again is where the MDSec.com labs are based from) gets ridiculous toward the end. Even seasoned web testers fall around questions 14-16. But I digress...

    WAHH2 is now the de facto buy for any pentest/QA/Audit team. Its usage will surpass any other book on your bookshelf if you are doing practical testing.

    5 stars, I'd give it 10 if I could.

    77 people found this helpful
  • 4 out of 5 stars
    A Must-Read for Aspiring and Experienced Web Security Professionals
    Reviewed in the United States on January 23, 2025

    Don't let the age of this book fool you. While it's not exactly a new book, the foundational principles of web security are in here. This book starts with the foundational principles of web technologies and then moves on to advanced attack methodologies like SQLi, XSS, CSRF and more complex business logic attacks. The book is well written, highly detailed, and offers practical techniques. The only downside is that the links in the book no longer work.

    4 people found this helpful
  • 5 out of 5 stars
    Best. Book. Ever.
    Reviewed in the United States on November 30, 2018

    I can't even tell you how many times I find myself referencing this book. Despite what some have suggested you don't need to have Burp Suite or do any labs. It's so full of insightful knowledge that it can replace a whole reference library all by itself. It doesn't just show you "how-tos" but helps you THINK differently - better - methodical. One little example is how the authors present the idea of overcoming filtering deployed by a WAF or web server. "<script>" might get filtered but what would happen if you passed "<scr<script>ipt>"? Now run with it and get creative! Can't thank the authors enough for their contribution. This is right up there with Homer's Odyssey, Shakespeare's Romeo and Juliet and quite frankly, The Bible. Ok, maybe that's pushing it but you get the idea.

    41 people found this helpful
  • 5 out of 5 stars
    Great tutorial and reference
    Reviewed in the United States on July 15, 2012

    This book is worth every penny, no matter how many pennies are spent. Much like the Shellcoder's Handbook and their other books, this one is written with the same professional quality and technical detail. It's incredibly accurate, and starts on a very low level of understanding. Even if you are an experienced web hacker, it's useful to see new angles on things or get a few ideas for more advanced ideas of your own creation. The tool JAttack it takes you through making is a superb tool to build off of later. It waits to take you to the tool-building until after it's built your foundation with techniques, as well, which is perfect progression.

    All in all, this book will take beginners and pros alike and serve as an excellent reference and lesson to bump you to whatever level of web application hacker you can be.

    4 people found this helpful
  • 5 out of 5 stars
    Great book
    Reviewed in the United States on August 20, 2025

    Delivery in time and in perfect state

  • R. Christian Lyne
    5 out of 5 stars
    Still relevant in 2025
    Reviewed in the United States on May 31, 2025

    The techniques and methodologies in this book are still relevant in 2025.

    3 people found this helpful

Top reviews from other countries

  • 5 out of 5 stars
    If you want to learn web security from scratch
    Reviewed in Spain on February 20, 2013

    If you want to learn web security from scratch, this is the best lead to start with; it goes from the basics up to very advanced things. And easy to read! So, recommended.

  • 5 out of 5 stars
    impec'
    Reviewed in France on July 19, 2017

    It took me a while to finish it, but the content is easily worth the price :)

    A good, interesting and fairly complete book.

  • Maria Ines Parnisari
    5 out of 5 stars
    Still relevant!
    Reviewed in Canada on July 6, 2023

    This book took me months to finish, but it's worth it. Some of the hacking tools mentioned don't exist anymore and you cannot test the vulnerabilities on the WAHH website because it doesn't exist. All the vulnerabilities mentioned are still relevant, except for a few related to Flash and Silverlight which I promptly skipped. The summary and questions at the end of each chapter are good to consolidate knowledge.

    Chapter 12 on cross site scripting is simultaneously the longest, most important, and most boring, in my opinion.

    It's funny that there is an entire chapter (9) devoted to SQL but only a paragraph about NoSQL which says "it's not popular enough so we won't discuss it". How times have changed!

  • 5 out of 5 stars
    Good condition book
    Reviewed in the United Arab Emirates on January 30, 2021

    Very good condition book

  • ALİ BAYKARA
    5 out of 5 stars
    Portswigger web academy
    Reviewed in Turkey on November 9, 2024

    I bought it to help with the Portswigger web academy labs; definitely worth buying.
