The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws

Author: Dafydd Stuttard, Marcus Pinto


by B0b_Howard   2018-11-10

The best book for this is "The Web Application Hacker's Handbook".

It's written by the same people that wrote Burp Suite.

From there, you'll be able to read to a point where you can find videos for specific issues that you are hitting.

by klunkthespacecat   2018-11-10

Unfortunately I don't have a lot of experience in training new people up. When I started, it was the WAHH. There may be something better out there now. I'm not really sure. Like a lot of work in technology, you'll learn as you go and will need to find ways to keep up with the evolving tech. Good luck!

by anonymous   2017-08-20

Professionals handle this problem by carefully screening all input, enforcing strong password standards (so that users can't guess other users' passwords), and by not storing the credentials in the code on the page but rather by using a randomly generated session token to map the user's token to identity on the server.

Clients can easily send any data they want by circumventing all of your client code. You have to assume the client is evil and look at protecting your server from that perspective.


If you need some help with tokens and their usage, this question might help you: PHP cookies and member security

If you are new to security I would highly recommend the Web Application Hacker's Handbook. I have read it and it is very thorough and interesting to read.

There is also a new book out called the Web Application Defender's Cookbook that looks quite promising, though I haven't read it.
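Added example, not code from the answer above or from the linked question: a minimal server-side session store in Python that does what the answer describes, binding a random token to an identity on the server and ignoring whatever identity the client claims. The idle timeout value and the request-handler shape are my assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 30 * 60  # idle timeout; constructed value for this example

@dataclass
class Session:
    user_id: str
    expires_at: float

class SessionStore:
    """Server-side map from an opaque random token to the user's identity.
    The client only ever holds the token; who the user is lives here."""
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = Session(user_id, now + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token: Optional[str], now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        sess = self._sessions.get(token) if token else None
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[token]  # expired: forget it server-side
            return None
        sess.expires_at = now + SESSION_TTL_SECONDS  # sliding idle timeout
        return sess.user_id

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)  # logout: token becomes worthless immediately

def handle_profile_request(store: SessionStore, cookies: Dict[str, str],
                           form: Dict[str, str], now: Optional[float] = None) -> Tuple[int, str]:
    """Identity comes only from the session cookie resolved server-side.
    Any 'user' field the client put in the form is deliberately ignored."""
    user_id = store.resolve(cookies.get("session"), now)
    if user_id is None:
        return 401, "not authenticated"
    return 200, f"profile of {user_id}"
```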

by anonymous   2017-08-20

I assume from your list that you're looking at the Open Web Application Security Project Top Ten. Good!

Really, the best advice I can give is to read through the OWASP site. A good first step would be to go through the individual links on that page (e.g. Broken Authentication and Session Management) and check the "Am I vulnerable?" section. Here are some further hints:


The XSS Cheat Sheet can be pretty helpful here. More examples than you can shake a stick at, ready to paste into your site.


OWASP's wiki has a CSRF Testing Guide full of great links and suggestions.

Auth/Session hijacking

Well, are you using HTTPS? See this answer for more.

More resources

If you want to Go Deeper and do some real testing, here are some things you can do:

  • Read the Web Application Hacker's Handbook.
  • Try out some of the examples on and the Google Gruyere project and see if you can break into them.
  • Download Kali Linux and learn to use some of the tools that come with it.
  • Go to a security conference or minicon near you and connect with other infosec people. Maybe I'll see you there :)

by gverri   2017-08-19

by eganist   2017-08-19

So given that I may likely be hiring in the web and mobile application security spaces again next year (I've _somehow_ filled all of my open positions this year; appsec is difficult to fill with external hires), I'm focusing specifically on three skills:

  • ability to assess tech/architecture risks in apps

  • experience in devops automation ("secdevops" if you will)

  • proven skill in communication regardless of depth

The ideal candidate would have all three, but I could settle with any two of these and still be happy.

I am not currently hiring, but I'll gladly keep any CVs I receive and prioritize follow-ups with anyone who reaches out to me directly. Austin/DC for curious souls.


p.s. the web appsec space is in ludicrous demand. If you've got a breaker mindset, you'll probably come out ahead if you read up on it. If you're a developer right now and want to dip into it, I'd suggest:

Trust me, us security folk will thank you. Heck I'd suggest it to non-hackery devs too. It's a good way to find out how us security types see the world.

by andrew-d   2017-08-19

For what it's worth, that's a fair concern. I offer two things that make it not quite as bad as you may think, though :-)

1. We don't expect applicants to be amazing at this already. Having a background in security is good, of course, but not necessary. As a data point: in the office I work out of, we have someone who used to work in a bakery, someone who worked for an insurance company, and several people who had never done security before applying to Matasano. It's my opinion that you generally learn more "on the job", as it were, than you would preparing for an interview anyway. @tptacek's post at [0] is a good example of the type of people we have working for us.

2. We generally send candidates resources to help them prepare - I believe a couple recent applicants got free copies of "The Web Application Hacker's Handbook" [1].


by pixel1   2017-08-19

I don't know if you're specifically interested in learning about the security and security flaws of web apps specifically, but I would definitely recommend The Web Application Hacker's Handbook as it's an amazingly thorough guide on vulnerabilities.

Typically you start testing sites by using a security toolkit underneath your browser, such as Burp Suite. I don't do much of this stuff myself so hopefully this'll get you started.

Also /r/howtohack might be helpful, along with this thread to find some good hacking practice (DON'T hack sites you don't have permission for).

Good luck!

by Ch1gg1ns   2017-08-19

/u/_o7 hit the nail on the head with the /r/netsec link, but I just want to throw this here as well