The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws


Average rating 4.20  ·  1,018 ratings  ·  45 reviews
The highly successful security book returns with a new edition, completely updated. Web applications are the front door to most organizations, exposing them to attacks that may disclose personal information, execute fraudulent transactions, or compromise ordinary users. This practical book has been completely updated and revised to discuss the latest step-by-step techniques ...
Paperback, 878 pages
Published September 27th 2011 by Wiley Publishing (first published October 1st 2007)



Community Reviews

Jan 10, 2013 rated it it was amazing
Shelves: penttest, hacking
If you have a basic understanding of security and you want to be a web pen-tester / hacker, this is the book you want to read.

+ Technical, just the way I like books
+ Explains many methods you couldn't possibly imagine before.
+ Step by Step explanation
+ New ideas and exploitation methods

- Labs cost $7/hr ---> not much practice; however, you can find many free practice labs (e.g.
- Focuses on Burp Proxy only -- there are many other tools
- A bit outdated! <- many of vulnera
Oct 14, 2019 rated it really liked it  ·  review of another edition
Many good points in this book. Not all of them were applicable to my software development experience.
Oct 30, 2014 rated it really liked it  ·  review of another edition
Really good book, I learned a ton and it's great for creativity as well.

I remember waking up every day for ~2-3 weeks and reading this for 1 hour straight at 5:30-6am, just to finish the toughest thing first thing in the day haha. Very hard to read; looking back I have no idea how I did it :)

Sandy Maguire
Jan 24, 2020 rated it it was amazing  ·  review of another edition
We are so fucked. I'm a professional software engineer who cares a great deal about correctness and about security. I've worked on the security team at Google. And I didn't know half of the exploits listed in this book. The underlying technology is sufficiently complicated that I would be very surprised to learn that a nontrivial piece of software is adequately defended against _all_ of them. Even if you aren't interested in breaking systems, this is a fantastic, eye-opening book on things to pa...
Elene Latsoshvili
Aug 16, 2010 rated it it was amazing  ·  review of another edition
Shelves: programming
Loved the book. Maybe over-detailed in some parts, but it covers lots and lots of things, explained in a very good way :) A must-read for web application developers.
Oct 31, 2013 rated it it was amazing  ·  review of another edition
This is the best web security book period. Absolutely awesome, easy to read and filled with practical tips and tricks with no bullshit. Highly recommended.
Jan 01, 2013 rated it really liked it
Shelves: security
This is a necessary read for anyone looking to get a better idea of web application security, particularly those who haven't had a background in the security field at all. It's a long read, and not one that I think people can sit down to and push through quickly. I got through this while reading a few others at the same time.

It's fairly well edited with just a few simple mistakes. The exercises are interesting, though they feel a little laborious by the end.

I enjoyed reading it and would recomme
Jul 02, 2012 rated it it was amazing
Pretty much the definitive guide to testing and defending web apps. Anyone looking to enter the field can't do much better than reading this book cover to cover.
Jan 06, 2014 rated it really liked it  ·  review of another edition
Well, this was a really long journey. This book has a massive number of pages, about 900. It took me a month to read all the contents here and the conclusion is, this is just the beginning. The techniques used to hack into web applications, and in a more general perspective, computer systems, are many; furthermore, they can and should be combined to optimize the effectiveness of your attack. This book introduces you into the world of hacking from a web application perspective. You should be advised that...
Mar 06, 2014 rated it liked it  ·  review of another edition
Shelves: security
The content is good, though it is too lengthy and fuzzy. I would suggest starting with the last chapter to get an overall idea of what will be in the book. I gave it three stars because I think the book could be presented in a more easily digestible way. If you plan to read, you should read this book. Suggested.
Ahmed Sultan
Nov 08, 2015 rated it really liked it  ·  review of another edition
Shelves: tech
Finished the book a long time ago, but had to return to it again these days.
Well, I consider it the web app pentesting bible xD
Totally worth 5 stars, but I took off one because it depends a lot on the paid online labs, which can't be afforded for a long time.
Waiting for the 3rd edition.
Jun 29, 2012 rated it really liked it
Still reading it, but helps to sharpen the swords and buff the armor ;)
May 14, 2017 rated it really liked it  ·  review of another edition
I bought this book quite a while back, but only started it a few months ago. Being almost 10 years old, some of the information is a bit outdated, but the general principles still hold true.

Web applications are omnipresent: be it to manage your bank account, order stuff, keep in touch with friends or seek a job, chances are this is done through one of these. For most of them, security is an absolute requirement, and we trust the various controls to protect our money, credit card and personal inf
Claudiu Lodromanean
Good overview of common web application vulnerabilities and how to protect or exploit them. A little heavy on tools and promoting the author's paid practice website, but the content is very clear and accessible.

Definitely go through Natas at OverTheWire to apply the concepts after reading.
Jovany Agathe
Feb 21, 2020 rated it it was amazing  ·  review of another edition
Shelves: favorites
If you get a book that was written by people who developed an actual web application testing framework, you can just make your best bet on the value you will find in it. This is a behemoth of a book with its 912 pages. It was last updated in the year 2011, so the content is still very relevant today.
Feb 08, 2018 rated it it was amazing  ·  review of another edition
A+. Required reading for webapp pentesting, no exceptions. Though it is often a bit wordy to convey simple messages.
Thomas Kleinendorst
A bit outdated, but still some good advice in there.
Jul 08, 2020 rated it it was amazing  ·  review of another edition
This is the best book to start web application security!
John Chilton
This book is a little long-winded and a bit dry, so based just on the writing of the book I would have given it two stars. However, the book shines in that it has an unconventional perspective and it stands by this perspective. It is written as a guide to attacking applications, not securing them. I thought that would be a gimmick and each chapter would be 1/5 how to hack and 4/5 how to defend, but no, quite the opposite is true. I am not sure it is the greatest approach to learning the material, bu...
Dec 12, 2013 rated it liked it
Started with this book in 2014 and here we are, finished and amazed with the lifetime concepts gleaned from such a thick reference. Going through its tutorials enables you to witness the revolution of Burp Suite and how it enriches your fundamental perspective on web application inner technology, instead of HOW-TOs and kiddies' recipes. JSON and XML are getting different through the years, but principles never change ...
Good, too much advertising

Overall, there was a lot of information. I hated the constant use of Burp Suite for this and that. SHUT UP ABOUT BURP SUITE!!! Also, all over the book are links to highly expensive pay-by-the-hour labs that do not even include an answer key. These are used as examples, also. Another thing I disliked was the last couple of chapters. They barely fit within the book's title.
Jul 08, 2008 rated it liked it  ·  review of another edition
Useful for scoping, but omits finer details for obvious reasons. Almost all sections have examples that you will never see in the wild. Says "Hack The Planet" on the back, so it's embarrassing to carry around. Otherwise, a must-read... more for web app developers than auditors, though.
Nov 17, 2013 rated it it was amazing  ·  review of another edition
850 pages of defined wisdom from the authors of Burp Suite. From plain simple to nifty tricks, all here, with the option of paid training on their own platform. As an alternative, OWASP's ISOs can be used for training. Very cool.
Padala Srikanth murali krishna
Must Read for Web Application Security Testers

Good read for starters on web application security. It guides us in many ways all through our educational and professional career, with easy language.
Jimi Olivo
I never got a chance to finish this book.
Mar 09, 2009 rated it it was amazing  ·  review of another edition
Dafydd Stuttard (more commonly known as portswigger) is not only an expert in the field of web application penetration testing, but also excels at conveying highly technical concepts with eloquence.
John George
Aug 31, 2009 rated it liked it  ·  review of another edition
Shelves: developer
Good reference book, exposes you to various parts of a web application.
It's very old now.
I recommend the second edition.
Dec 05, 2013 rated it it was amazing  ·  review of another edition
This one will stay front and center on my bookshelf. I'm strongly considering buying the print version. I read mine on Safari Bookshelf.
Discussion topics: "The book title is wrong" (1 post, 12 views, last activity Sep 28, 2011 01:12AM)

Readers also enjoyed

  • Hacking: The Art of Exploitation
  • Red Team Field Manual (RTFM)
  • The Art of Deception: Controlling the Human Element of Security
  • Penetration Testing: A Hands-On Introduction to Hacking
  • Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
  • The Hacker Playbook 2: Practical Guide To Penetration Testing
  • The Hacker Playbook 3: Practical Guide To Penetration Testing
  • Ghost in the Wires: My Adventures as the World's Most Wanted Hacker
  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  • Metasploit: The Penetration Tester's Guide
  • Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
  • Industrial Society and Its Future
  • The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage
  • The Shellcoder's Handbook: Discovering and Exploiting Security Holes
  • Web Hacking 101
  • Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
  • Social Engineering: The Art of Human Hacking
  • Hacking Exposed: Network Security Secrets & Solutions
