The Web Application Hacker's Handbook
Finding and Exploiting Security Flaws · 2nd Edition
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
- Authors: Dafydd Stuttard, Marcus Pinto
- Published: 2011
- Publisher: Wiley
- Pages: 912
- Edition: 2nd Edition
- Language: English
Table of contents
21 chapters · 30 sections

1. Web Application (In)security
2. Core Defense Mechanisms
3. Web Application Technologies
4. Mapping the Application
   - Enumerating content and functionality
   - Analyzing the application
   - Identifying entry points for user input
   - Identifying server-side technologies
   - Mapping the attack surface
5. Bypassing Client-Side Controls
6. Attacking Authentication
   - Authentication technologies
   - Design flaws in authentication mechanisms
   - Implementation flaws
   - Securing authentication
7. Attacking Session Management
   - The need for state
   - Weaknesses in token generation
   - Weaknesses in session token handling
   - Securing session management
8. Attacking Access Controls
9. Attacking Data Stores
   - Injecting into interpreted contexts
   - Injecting into SQL
   - Injecting into NoSQL
   - Injecting into XPath
   - Injecting into LDAP
10. Attacking Back-End Components
    - OS command injection
    - File path traversal
    - File inclusion
    - Mail-service injection
11. Attacking Application Logic
12. Attacking Users: Cross-Site Scripting
    - Varieties of XSS
    - Finding and exploiting XSS
    - Preventing XSS
13. Attacking Users: Other Techniques
    - Request forgery
    - UI redress (clickjacking)
    - Cross-domain data capture
    - Same-origin policy
    - Browser exploitation
14. Automating Customized Attacks
15. Exploiting Information Disclosure
16. Attacking Native Compiled Applications
17. Attacking Application Architecture
18. Attacking the Application Server
19. Finding Vulnerabilities in Source Code
20. A Web Application Hacker's Toolkit
21. A Web Application Hacker's Methodology
Prerequisites
Working knowledge of HTTP, HTML, and at least one server-side language. Familiarity with Burp Suite helps; the book is written by its creators.
Read this if
Anyone moving from CTF web challenges into real engagements who needs a systematic mental model of attack surface.
Skip this if
You mainly test frontend-heavy apps in 2024: SPA-specific bugs, JWT pitfalls, GraphQL, and modern CSP are barely covered or absent entirely.
Key takeaways
- Authentication, session management, and access control are still where most real bugs live.
- Methodology beats tooling: the structure of how you map an app matters more than which scanner you run.
- Use it as a reference for the classes of bug, then cross-check with PortSwigger Academy for the modern exploitation details.
Notes
Structured like a taxonomy, written by people who have done the work. The web changed underneath it (SameSite, JWT, prototype pollution, SSRF in cloud metadata are absent), so use it as the foundational map and overlay PortSwigger Academy for the modern territory. A third edition would be the most useful book in the field.
What to read before
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
What to read next
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Explore similar books
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.