This is also an excellent book, although I did not read it thoroughly enough to warrant a review. On p xxix the authors note that 30% of the book is "new or extensively revised" and 70% of the book has "minor or no modifications." I was very impressed to see the authors outline changes by chapter on pages xxx-xxxii. That is not common in second editions, in my experience.
The book is very thorough and introduces technology along with attacks and defenses. Their "hack steps" sections provide a playbook for assessing Web applications. Some sections even mention logging and/or alerting -- I'd like to see more of that here and elsewhere! The book also includes end-of-chapter questions with answers posted on the book Web site, mdsec.net/wahh.
Speaking of the Web site, the authors also post source code, links to tools, and checklists, plus labs costing a $7/hour fee. That is a new approach I haven't seen elsewhere, but I think it's an interesting idea.
At 912 pages WAHH2E offers a ton of content written in a clear and convincing style. Great work guys. My only concern was their refusal to cite sources. That makes a real difference in my mind; give credit where credit is due in the third edition.