When I first saw the title of this book I groaned. “Not another lame hacker book. I really should write my own.” Then I saw who was writing it and thought it might not be that bad. I saw the table of contents and got excited. Finally someone is writing a Web Application Security book that covers the space in depth, at least the testing part. I immediately pre-ordered it from Amazon and my copy arrived yesterday.
The book weighs in at 727 pages, so I think it is safe to say I will never read it all the way through. I cherry-picked a few chapters to see if the authors “got it right”.
What I love about this book is that it covers the theory and the practice equally well. No other book I have seen does that very well; they are all stuck on the practice side. Chapter 8, Attacking Access Controls, is a gold mine filled with great nuggets of information on not only how to attack access controls, but also a great explanation of why, and the steps you take to figure out what lines of attack to take.
The Hack Steps sections are nice short guides to the methodical breaking down of a vulnerability and the attack you would launch to find it. They are short and sweet, a great way to go from zero knowledge to at least some understanding of an issue.
My other favorite chapter is Chapter 12: Attacking Other Users. I don’t recall seeing this topic covered in such a clear and concise way. I often see these types of flaws in web applications, and it is an area no web application scanner can cover effectively.
Speaking of scanners, anyone who still thinks running a web application scanner alone solves your Web Application Security issues needs to read Chapter 19 and the section on web application vulnerability scanners. The authors do an excellent job outlining the limitations of scanning tools. I am so excited to see someone put it down in a book so I don’t have to keep explaining it; I can just tell them to RTFB (Read The F***ing Book).
I can’t recommend this book enough for anyone who wants to understand what Web Application Security is all about. You are not going to get a lot of help from this book fixing these issues after you find them. I am glad the authors did not try, as that subject could easily fill 10 other books. Staying focused on the testing side makes this a must-have book.
Buy The Web Application Hacker’s Handbook
