Dafydd Stuttard, Marcus Pinto - The Web Application Hacker's Handbook
The Web Application Hacker's Handbook was written by Dafydd Stuttard and Marcus Pinto. You can get it here. Interestingly enough, it has been published in two editions: first in 2007 and then again in 2011. However, the two editions do not differ much. That brings up a very interesting point: the web landscape has changed dramatically within those years and even further since, yet both editions cover only the most deadly flaws in web applications, and unfortunately those did not change. Even more interesting, we see the same flaws in medical devices, the Internet of Things and cars as well.
So, in principle, this book talks about security problems in connected / distributed systems, focusing on HTTP as the transport protocol. While chapters 1 to 3 give you an overall introduction to application security and to concepts like session management, input validation and output encoding, the later chapters focus on the attacks that are possible. The following chapters describe how you should analyse a web application, and the last part walks you through different attacks based on that earlier analysis. These last chapters of the book focus on how to detect and exploit such vulnerabilities.
I do mostly agree with the work of Stuttard and Pinto. However, I do disagree with their restriction on tools. Burp Suite is one of the best tools on the market. But, as always, a golden key does not fit every lock. So I do recommend that you try the various available tools in your lab and test whether they fit your needs. Find out what the individual strengths of each tool are. This does not put the statements of Stuttard and Pinto into question, but not everyone is comfortable with the same tool and not every tool is made to do every job. So go out and check for yourself.
Besides all the discussion of vulnerabilities and tools, Stuttard and Pinto offer you a real-world web application to test your skills on. This is rarely seen in books on web application security; most books focus on the theory and neglect the rehearsal / dojo part.
In conclusion, I highly recommend this book to anyone new to application security. The knowledge therein is condensed, well illustrated and easily ported to fields other than web applications.
Take this good read and enjoy breaking out of your environment!
Cheers :)