Monday, March 12, 2012

Impressions: The Web Application Hacker's Handbook, 2nd Ed

In late 2009 I reviewed the first edition of The Web Application Hacker's Handbook. It was my runner-up for Best Book Bejtlich Read 2009. Now authors Dafydd Stuttard and Marcus Pinto have returned with The Web Application Hacker's Handbook, 2nd Ed.

This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p. xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience.

The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with answers posted on the book Web site, mdsec.net/wahh.

Speaking of the Web site, the authors also post source code, links to tools, and checklists, plus labs costing a $7/hour fee. That is a new approach I haven't seen elsewhere, but I think it's an interesting idea.

At 912 pages WAHH2E offers a ton of content written in a clear and convincing style. Great work, guys. My only concern was their refusal to cite sources. That makes a real difference in my mind; give credit where credit is due in the third edition.

3 comments:

Anonymous said...

The labs cost $7 an hour. I get it. Another revenue stream. But couldn't the lab be simulated as a virtual machine you could download and restore when you needed to?

Kevin Hock said...

I'm reading this and Practical Malware Analysis right now; they are both great. I wish all books were as hands-on.

Steve said...

The big question about this book is whether or not to get it if you have the first edition already. Like you said, 30% of the book has changed, which doesn't sound like a lot.

There's also the $7 an hour lab, which some may find useful and some may see as gouging compared to a virtual machine (as Anonymous mentioned). Personally, having tried the labs, I can see why they're $7 an hour, and to put it into perspective, no one's forcing you to do it, and if they hadn't created it then you'd be left with the same book as before minus a few links to further labs.

I discuss these points in my Web App Hacker's Handbook 2nd Edition review, which I hope you'll take a look at if you have the time.

Cheers,
Steve