Security book reviews from inside the infosec industry.

The Web Application Hacker's Handbook, 2nd Edition

The running joke at work is that there are two things you need for web app testing: Burp Suite Pro and the Web App Hacker's Handbook. It's not a very funny joke, but it is true. If you're looking at getting into web application security testing, you need this book.

The Web Application Hacker's Handbook, 2nd Edition (WAHHv2)

For those who have the first edition, you're probably asking whether or not it's worth getting the second edition, and the answer to that is most definitely yes. Although only 30% of the book has changed, the changes are outlined by chapter, meaning that it's still a useful resource to keep up to date with current web application weaknesses.

It's a very thorough and hands-on book, introducing web application insecurity, followed by some core defence strategies with a little on different web application technologies. The book then dives into various specific attacks with links to relevant lab exercises (which I'll come back to later). There's also a tools section, some thoughts on approaches to code review and a general methodology to follow. All in all, the book's as complete a guide to web application security testing as you're likely to find, and the updates covering technologies such as Silverlight, LDAP and NoSQL are particularly welcome. Other substantial changes include new sections on XML external entity (XXE) injection, CSRF and HTML5, and major rewrites of the areas covering XSS. Most of the updates in the book appear to be related to new attacks or new technologies.

One of the new features is a "Try it!" part with links to online labs. The labs cost $7 an hour, which I can see putting some people off, but a lot of effort has been put into them, and not having to install or maintain purposely vulnerable software can be attractive to some. At Mandalorian we use the labs to test specific classes of attack consultants might not be familiar with and for training purposes, and it works quite well. For individuals looking to get into application security testing I'd suggest trying some of the free vulnerable applications available on the Internet first and then considering using the labs to fill the gaps. After all, $7 is roughly the cost of a beer in a London pub, and getting Marcus and Daf the equivalent of a beer for their trouble will hardly break the bank.

If you haven't bought the first edition, then I'd say that this is the de facto web application security testing reference. Whether you're an old hand or just starting out you need this book if you're involved or looking to get involved in the technical side of web application security.

If you have bought the first edition, then it's a harder call to make. If you're involved in web application security on a professional basis then I'd say it's a no-brainer. Go ahead and buy the book. If web application security doesn't fit into your day job or direct interests then the value in the changes is probably a bit more questionable. If you need a one-stop shop for web app security, this is it. If you don't, then much of the information in the book can be found elsewhere.

The MDSec Labs, on the other hand, are an interesting proposition. It's not something I've seen in books before, and it is definitely cheaper than doing the live training at BlackHat or 44Con. It's definitely worth it if it's work related and you can expense it as part of your training budget, but for individuals there may be cheaper (but not necessarily better) options elsewhere.

The Web Application Hacker's Handbook, 2nd Edition review score: 5/5.

The Web Application Hacker's Handbook, 2nd Edition* is available from Amazon. (What's the *?)

If you like what you've read, please feel free to tip me in bitcoin at 17zNBi3CDhuoaqHJmfyCMNzQcjttiD7e7W

Creative Commons License
Security Book Reviews is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.