The Web Application Hacker's Handbook

The Web Application Hacker's Handbook : Finding and Exploiting Security Flaws

4.14 (780 ratings by Goodreads)
By (author) Dafydd Stuttard, By (author) Marcus Pinto


Description

The highly successful security book returns with a new edition, completely updated
Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques for attacking and defending the range of ever-evolving web applications. You'll explore the various new technologies employed in web applications that have appeared since the first edition and review the new attack techniques that have been developed, particularly in relation to the client side.

  • Reveals how to overcome the new technologies and techniques aimed at defending web applications against attacks that have appeared since the previous edition
  • Discusses new remoting frameworks, HTML5, cross-domain integration techniques, UI redress, framebusting, HTTP parameter pollution, hybrid file attacks, and more
  • Features a companion web site hosted by the authors that allows readers to try out the attacks described, gives answers to the questions that are posed at the end of each chapter, and provides a summarized methodology and checklist of tasks

Focusing on the areas of web application security where things have changed in recent years, this book is the most current resource on the critical topic of discovering, exploiting, and preventing web application security flaws.

Also available as a set with CEHv8: Certified Hacker Version 8 Study Guide (Ethical Hacking and Web Hacking Set, ISBN 9781119072171).

Product details

  • Format: Paperback | 912 pages
  • Dimensions: 188 x 234 x 50mm | 1,338.09g
  • Publication place: New York, United States
  • Language: English
  • Edition: 2nd Edition
  • ISBN-10: 1118026470
  • ISBN-13: 9781118026472

Back cover copy

New technologies. New attack techniques. Start hacking.

Web applications are everywhere, and they're insecure. Banks, retailers, and others have deployed millions of applications that are full of holes, allowing attackers to steal personal data, carry out fraud, and compromise other systems. This book shows you how they do it.

This fully updated edition contains the very latest attack techniques and countermeasures, showing you how to break into today's complex and highly functional applications. Roll up your sleeves and dig in.

  • Discover how cloud architectures and social networking have added exploitable attack surfaces to applications
  • Leverage the latest HTML features to deliver powerful cross-site scripting attacks
  • Deliver new injection exploits, including XML external entity and HTTP parameter pollution attacks
  • Learn how to break encrypted session tokens and other sensitive data found in cloud services
  • Discover how technologies like HTML5, REST, CSS and JSON can be exploited to attack applications and compromise users
  • Learn new techniques for automating attacks and dealing with CAPTCHAs and cross-site request forgery tokens
  • Steal sensitive data across domains using seemingly harmless application functions and new browser features

Find help and resources at http://mdsec.net/wahh:

  • Source code for some of the scripts in the book
  • Links to tools and other resources
  • A checklist of tasks involved in most attacks
  • Answers to the questions posed in each chapter
  • Hundreds of interactive vulnerability labs

Table of contents

Introduction xxiii
Chapter 1 Web Application (In)security 1
Chapter 2 Core Defense Mechanisms 17
Chapter 3 Web Application Technologies 39
Chapter 4 Mapping the Application 73
Chapter 5 Bypassing Client-Side Controls 117
Chapter 6 Attacking Authentication 159
Chapter 7 Attacking Session Management 205
Chapter 8 Attacking Access Controls 257
Chapter 9 Attacking Data Stores 287
Chapter 10 Attacking Back-End Components 357
Chapter 11 Attacking Application Logic 405
Chapter 12 Attacking Users: Cross-Site Scripting 431
Chapter 13 Attacking Users: Other Techniques 501
Chapter 14 Automating Customized Attacks 571
Chapter 15 Exploiting Information Disclosure 615
Chapter 16 Attacking Native Compiled Applications 633
Chapter 17 Attacking Application Architecture 647
Chapter 18 Attacking the Application Server 669
Chapter 19 Finding Vulnerabilities in Source Code 701
Chapter 20 A Web Application Hacker's Toolkit 747
Chapter 21 A Web Application Hacker's Methodology 791
Index 853


About the authors

DAFYDD STUTTARD is an independent security consultant, author, and software developer specializing in penetration testing of web applications and compiled software. Under the alias PortSwigger, Dafydd created the popular Burp Suite of hacking tools.
MARCUS PINTO delivers security consultancy and training on web application attack and defense to leading global organizations in the financial, government, telecom, gaming, and retail sectors.
The authors cofounded MDSec, a consulting company that provides training in attack and defense-based security.

Rating details

780 ratings
4.14 out of 5 stars
5 44% (345)
4 35% (273)
3 15% (117)
2 3% (20)
1 3% (25)
Book ratings by Goodreads