
Hacking Exposed Web Applications, Second Edition: Web Application Security Secrets and Solutions Paperback – 1 Jul 2006



Product Description


It's quite amazing what people can do with web applications ... this book
tells you how to plug the holes
-- Hacking Exposed Web Applications, Oraclehome.co.uk, September 2006

From the Inside Flap

The second edition has been completely updated to cover:

New exploitation techniques
The latest Denial of Service attacks
New phishing scams
Leading-edge preventive website development practices

Customer Reviews

There are no customer reviews yet on Amazon.co.uk.

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: 5 reviews
18 of 18 people found the following review helpful
The best book to start your Web application hacking experience 5 Oct. 2006
By Richard Bejtlich - Published on Amazon.com
Format: Paperback
I recently received copies of Hacking Exposed: Web Applications, 2nd Ed (HE:WA2E) by Joel Scambray, Mike Shema, and Caleb Sima, and Professional Pen Testing for Web Applications (PPTFWA) by Andres Andreu. I read HE:WA2E first, then PPTFWA. Both are excellent books, but I expect potential readers want to know which is best for them. I could honestly recommend readers buy either (or both) books. Most people should start by reading HE:WA2E, and then fill in gaps by reading PPTFWA.

Before proceeding I should note I used to work with the two ex-Foundstone authors of HE:WA2E, although I haven't been afraid in the past to review books honestly.

I read and reviewed the first edition of HE:WA about four years ago, and I rated that book five stars. Authors like Scambray and Shema exemplify the best aspects of the HE series: explaining technology, then showing how to exploit it. Frequently the first time security people hear about new applications is when they are being attacked. By digesting books in the core HE series, readers become familiar with the latest services, their flaws, and attacks against those technologies. HE:WA2E continues this tradition.

I was pleased to see HE:WA2E is largely a thorough reworking of the first edition. (This has not always been the case with HE books, considering there are five editions.) In one case, however, this worked against the authors. Ch 8 (Attacking XML Web Services) references non-existent material in Ch 1. Ch 1 in HE:WA2E is completely different from Ch 1 in the first edition, which contains the referenced diagram. A positive aspect of the rewrite is the frequent reference to outside material, instead of repeating techniques and tools already published. Combined with the extensive chapter-ending references list, this makes for a book packed with value. Note that the second edition still offers 520 pp, vastly exceeding the 386 pp of the first.

HE:WA2E is very consulting-oriented, which delivers some excellent real-world experience. For example, Ch 2 (Profiling) explains how to identify and deal with load balancers and web application firewalls. This seems to contrast with PPTFWA which says, for "IDS/IPS Systems," "[m]ake sure your client disables these." I thought HE:WA2E took a more realistic approach to this problem.

HE:WA2E's major weakness is its coverage of Web Services. PPTFWA does a better job addressing this important area. In fact, HE:WA2E's Web Services coverage seems fairly similar to the first edition's material. PPTFWA also includes a larger variety of attacks and tools, albeit in a manner not as organized as HE:WA2E. Ch 12 of HE:WA2E would be conceptually stronger if so-called "threat trees" were called "attack trees," as originally developed by Bruce Schneier in 1999. Furthermore, the list of "threats" on pp 404-5 is mostly vulnerabilities. The figures of Ollydbg in Ch 12 are also too small.

Despite these issues, I think HE:WA2E is the best general-purpose Web application security book available. I would definitely add it to your HE library. In other words, if you have HE:5E, you still need HE:WA2E. If you have the first edition of HE:WA, it's time for an update. After reading HE:WA2E, read PPTFWA. Perhaps both sets of authors could collaborate on a comprehensive Web app attack, defend, and test virtual machine, building on the one Andres Andreu built?
4 of 4 people found the following review helpful
Required reading. A standard reference 13 Mar. 2009
By Paco Hope - Published on Amazon.com
Format: Paperback
This book is a few years old, but by golly you'll get plenty of use out of it. I do security assessments for a living and the fundamentals in this book are the meat and potatoes of web security testing. Every time I get a young pup security consultant to train on web security, the first book I point them to is this book (No, you _can't_ have mine... go get your own). Ok, actually I point them to my own book first. But this is definitely the SECOND book I point them to, and it was a big inspiration behind my own.

Back when I bought this book, I thought I knew enough about cross-site scripting and SQL injection. It taught me a thing or two, though. They really hit web apps from all sides and all the major attacks you need to know.


It's thorough and lasting. Until web developers finally figure out how to avoid these silly pitfalls, you'll get plenty of use out of it time and time again.


If you're a developer, don't kid yourself that this book will teach you how to avoid these common mistakes. This book is written to security assessors, testers, and auditors. Developers need more pragmatic and context-specific guidance on what to do right. Knowing that your app is chock full of SQL injection doesn't mean that you know the right way to use parameterized queries in your language and your environment to protect against them.

Now, having said that, it is eye-opening for many developers to have their fundamental assumptions destroyed by seeing a standard exploit work against their own application. Nothing brings it home like the real thing. But that doesn't mean they know how to avoid making the same mistake again, having the mistake pointed out in gory detail.
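The reviewer's point above, that seeing a standard exploit work against your own application does not by itself teach you how to use parameterized queries correctly, can be shown in a few lines. The following is an added example, not code from the book or from the reviewer: it uses Python's standard sqlite3 module, a constructed in-memory users table, and two constructed injection payloads, and places a string-spliced login query beside its parameterized form so the same input can be tried against both.

```python
"""Added example (not from the book or the reviewer): a SQL-injectable
login query beside its parameterized form, using Python's sqlite3 module.
The table, the users and the payloads are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Vulnerable: user input is spliced into the SQL text, so quote
    # characters and comment markers in the input become query syntax.
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Hardened: the SQL text is fixed and the values travel separately as
    # bound parameters, so the same characters are data, never syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payloads.
# Tautology in the password: closes the literal and appends OR '1'='1',
# which (AND binding tighter than OR) makes the WHERE clause true for
# every row.
TAUTOLOGY_PASSWORD = "' OR '1'='1"
# Comment in the username: closes the literal and comments out the
# password check entirely, so any password logs in as bob.
COMMENT_USERNAME = "bob' --"


def demo() -> dict:
    """Run both payloads against both query styles and a genuine login."""
    conn = make_db()
    return {
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY_PASSWORD),
        "safe_tautology": login_safe(conn, "alice", TAUTOLOGY_PASSWORD),
        "vuln_comment": login_vulnerable(conn, COMMENT_USERNAME, "anything"),
        "safe_comment": login_safe(conn, COMMENT_USERNAME, "anything"),
        "safe_real_login": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The two functions issue the same statement against the same data; only the way the input reaches the database differs. That is the point the reviewer makes: the exploit demonstrates the flaw, but the fix is the driver's parameter binding for your language and environment, and it has to be applied to every query, not just the one that was shown to fail.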
3 of 3 people found the following review helpful
I still go back to this book for reference 5 May 2008
By Chris Griffin - Published on Amazon.com
Format: Paperback
I bought this book about 4 years ago, and still find myself going back to it again and again for reference. To this day it's the only technical book that I have read cover to cover. While I have not yet checked out the 2.0 book for web apps, I still feel you can't go wrong adding this book to your arsenal.
1 of 1 people found the following review helpful
Best book which gives you the feeling of how things are fragile 13 Nov. 2009
By Alexander Pushkin - Published on Amazon.com
Format: Paperback Verified Purchase
Read this book in a week. It's a book that gives you the full image of today's web application security. Even if it's 3 years old, it still covers very current topics and could also be very helpful as a reference.
A Must Have thing.
2 of 7 people found the following review helpful
A very good book 12 May 2007
By Emanuelly Barros - Published on Amazon.com
Format: Paperback
This book is quite complete, very useful for learning all about security on web applications.