Hacking Web Apps

Mike Shema

Published by






Reviewed by



8 out of 10

It is in no way clear from the cover that this is an updated edition of the same author’s book Seven Deadliest Web Application Attacks, published in 2010.

The tabloid-style title has been replaced with something less sensational (and arguably less silly), but almost all content from the previous book is intact, although expanded.

This is probably for the best, as the original volume did an excellent job of explaining the complexities of web security and how to bypass it in an accessible way, although it may come as a shock to anyone who unwittingly buys both books.

There are multiple improvements on the previous volume, although maybe not enough improvements to justify doubling the cover price.

Newer discoveries or additional technical information have been added to most sections, with some welcome new material on the effects of HTML5 in relation to Cross-Site Scripting (XSS) and SQL injection.

All of the most important issues are covered in sufficient depth, including XSS, SQL injection, Cross-Site Request Forgery (CSRF), authentication attacks and business-logic attacks.

XSS is given an interesting and thorough treatment. Curiously, the section divides attacks into three types, although the three that are listed are not the three conventional groups given by most experts.

Instead of dividing attacks into reflected, persistent and DOM-based, they are grouped as reflected, persistent and out of band. The book follows this with a good, clear explanation of CSRF, and a subject that confuses many people is made much more accessible. As mentioned above, the treatment of every subject is comprehensive but still accessible.

Overall, there is some excellent new material, and the compact size in combination with attention to detail makes it ideal as a reference to take on external assignments.

Conversely, one of the best things about the previous edition was its brevity (without sacrificing technical detail), which allowed it to serve as a crash course in web security that could be read in an afternoon.

This is not the case with the expanded edition, and the reader is no longer able to go from novice to semi-expert in a few hours.

Further information: Syngress

November 2012