The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws [Paperback]

Dafydd Stuttard , Marcus Pinto
4.4 out of 5 stars (11 customer reviews)
Book Description

5 Oct 2011
The highly successful security book returns with a new edition, completely updated.

Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Product details

  • Paperback: 912 pages
  • Publisher: John Wiley & Sons; 2nd edition (5 Oct 2011)
  • Language: English
  • ISBN-10: 1118026470
  • ISBN-13: 978-1118026472
  • Product Dimensions: 23.4 x 18.8 x 5 cm
  • Amazon Bestsellers Rank: 21,492 in Books

Product Description

From the Back Cover

New technologies. New attack techniques. Start hacking.

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it. This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.

  • Discover how cloud architectures and social networking have added exploitable attack surfaces to applications
  • Leverage the latest HTML features to deliver powerful cross-site scripting attacks
  • Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks
  • Learn how to break encrypted session tokens and other sensitive data found in cloud services
  • Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users
  • Learn new techniques for automating attacks and dealing with CAPTCHAs and cross-site request forgery tokens
  • Steal sensitive data across domains using seemingly harmless application functions and new browser features

Find help and resources at the companion site:

  • Source code for some of the scripts in the book
  • Links to tools and other resources
  • A checklist of tasks involved in most attacks
  • Answers to the questions posed in each chapter
  • Hundreds of interactive vulnerability labs

About the Author

DAFYDD STUTTARD is an independent security consultant, author, and software developer specializing in penetration testing of web applications and compiled software. Under the alias PortSwigger, Dafydd created the popular Burp Suite of hacking tools.

MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.

The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Customer Reviews

Most Helpful Customer Reviews
3.0 out of 5 stars Disappointing supporting lab environment. 21 Jun 2013
Format:Paperback|Verified Purchase
I had high hopes of this book being a great study aid for taking the Crest or Tigerscheme web application CTL exam.

I wanted a book to refer to and also an online lab environment to practice the topics discussed in the book - although I have purchased 50 hrs of supporting lab time, I am so disappointed with the supporting labs that I am actually writing this review whilst having an active lab session open, a waste of $7 or whatever a lab hr is.

Firstly - when reading the book there are references to specific labs which should contain the same content discussed, right?? Yeah, well, no, unfortunately. Either the labs have been re-written since they wrote the book or a different person wrote the labs.

The lab menu itself doesn't include all of the labs mentioned in the book, so you have to find them manually, which isn't too bad I suppose, but when you do find the lab by putting the reference directly into the browser and follow the content exactly as per the book, you find that all of the parameters are different and out of context.

So you carry on and presume this is intended to get you thinking, right?? No, wrong: unfortunately the vulnerabilities being discussed in the book are not present on all of the referenced labs, so it looks as though they have either been removed or re-written, hence why they are not directly linked to the online lab menu.

OK - so not ideal, but then you could just use the labs independently of the book?? Well, yes you could, but then this is supposed to be a learning environment, right?? So if you can't find the problem or are struggling you would want to refer to something or have some form of help, hints, explanations or even answers as a last resort, yeah??
5.0 out of 5 stars Much more than SQL Injection and XSS 18 Dec 2011
Format:Paperback|Verified Purchase
I read this book in preparation for the Live Course which was presented by Marcus.

While reading the book I found it was quite dry because I was not doing the practical exercises available online. As you have to pay for them I wasn't sure if it would be worth it. With hindsight, after doing the course I would highly recommend using them. It will make the content a lot more interesting but also teach a key skill which the book doesn't:

The key to most pen testing and vulnerability research is persistence and logical thinking. It is very well to think you know how a certain bug works but it can still be quite a challenge to actually implement it.

I feel very lucky to have been able to attend the live course for hands-on help from the authors, but you can definitely get all the information and practice you need purely from the book and the website. It's a shame that there isn't a couple of hours of practical time included when you buy the book.

It is very well written and covers all the areas you would expect. A lot of the old-school web bugs explained, such as SQL injection, are less common now because of better programming practices and interfaces. Later chapters in the book, such as the methodologies and logic flaw errors, are timeless.

The book also provides real-world solutions and mitigations for the attacks described, so this is highly recommended for anyone who develops web applications as well as people who carry out penetration testing on them.

While this may not be the best book ever written, I think it definitively describes the topic, therefore I have given it 5 stars.
5.0 out of 5 stars A must have 6 Feb 2013
By dmarcos
Format:Paperback|Verified Purchase
Great book. A must-have in my daily work. I keep it on my desk for any situation where I need to review something.
5.0 out of 5 stars Great Book 12 Jan 2013
Format:Paperback|Verified Purchase
I've actually met these guys before in Dublin at the Google building at a set of OWASP presentations on web app security - and the guys definitely know their stuff. The book itself is really good and I find it very helpful to have on the desk, and to be able to reference it to understand a topic better and to get ideas.
Format:Paperback|Verified Purchase
My title says it all, this book is a reference, it is a bible, it has it all! Everything you may come across in web security, this book has it!
It is an amazing reference! How could I survive without this book so far?
Format:Kindle Edition|Verified Purchase
One of the best books on the subject of web application pen testing. The use of a strong logical approach (maybe using Dafydd's philosophy background) helps to get the key concepts across. The test checklist at the end of the book is very useful if you need a quick guide to get you started while testing websites.