Re: Web Application Hacker's Handbook

From: David Barnett (dbarn064@gmail.com)
Date: Fri Oct 26 2007 - 05:59:02 EDT

• Next message: jfvanmeter@comcast.net: "Re: Directory Transversal - safe_path(char *path) function"
• Previous message: Robin Wood: "Re: google hacking book"
• In reply to: Ivan .: "Re: Web Application Hacker's Handbook"
• Next in thread: cross-site-scripting-security@xssworm.com: "Re: Re: Web Application Hacker's Handbook"
• Maybe reply: cross-site-scripting-security@xssworm.com: "Re: Re: Web Application Hacker's Handbook"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I am sorry but Hacking Exposed Web Applications is almost worthless as
a web Pen testing book today. Sure, back in the day it gave a very
high level overview on web pen testing, but even then, it was very
weak.
I just ordered "The Web Application Hacker's Handbook: Discovering
and Exploiting Security Flaws, by Dafydd Stuttard, Marcus Pinto?" and
had the same reservations as Jerry. I sure have an overgrown library
and would this just be another paper weight?
I decided to order the book. I find Dafydd Stuttard work at
portwsigger.com on Burp suite and especially his documentation of the
tool very refreshing and a great learning experience.
Some books and marterail I have found helpful for web pen testing:

 Jeremiah Grossman and Robert "RSnake" Hansen's Cross Site Scripting
Attacks Xss Exploits and Defense - one of the best books out there,
even if it is only on XSS. Jeremiah, please write another book. There
is a big whole for a quality book.

All of the OWASP documentation.

Microsoft's Improving Web Application Security books. Even if they are
not pen test-centric and heavy on .Net, MS really gets Web App
security. Also Hacking the code.

 There are a slew of useful books but must seem stale and didn't hold
their value over the years. People mix the book up with timely attack
vectors, how-to's BUT also give the reader a USEFUL methodology that
they can pick up and take with them for years.

My .02 cents.

Cheers,

David

On 10/25/07, Ivan . <ivanhec@gmail.com> wrote:
> I have these 2
>
> Hacking Exposed Web Applications
> http://www.amazon.com/Hacking-Exposed-Web-Applications-2nd/dp/0072262990/ref=sr_1_2/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-2
>
> Professional Pen Testing for Web Applications
> http://www.amazon.com/Professional-Pen-Testing-Applications-Programmer/dp/0471789666/ref=sr_1_7/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-7
>
> Both reasonable good books, would be keen to hear what Dafydd/Marcus
> book is like
>
> cheers
> Ivan
>
> On 10/26/07, Shenk, Jerry A <jshenk@decommunications.com> wrote:
> > While we're talking about books - anybody have any recommendations about The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd Stuttard, Marcus Pinto? Looks good but I've never heard of either of these guys.
> >
> > My library keeps growing and I just don't want to end up with another book unless it's worthwhile.
> >
> >
> > **DISCLAIMER
> > This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
> >
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

-- 
-- 
 -=--=--=--=-----ooO--(_)--Ooo---=--=--=--=--
David Barnett, CISSP, CCSE, QSA, QPASP
Manager, Forensics and Incident Response dbarnett@403labs.com |
708-288-6791 | Chicago IL | 403labs.com
   -=--=--=---=--=--=---=--=--=--=--=---=--=--=
CONFIDENTIALITY NOTICE: This email message and any attachments are
only for the use of the intended recipient and may contain
information that is privileged, confidential or exempt from disclosure
under applicable law. If you are not the intended recipient,
do not read, distribute or reproduce this transmission (including any
attachments). If you have received this email message in
error, please delete and notify the sender immediately.
Thank you.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: jfvanmeter@comcast.net: "Re: Directory Transversal - safe_path(char *path) function"
• Previous message: Robin Wood: "Re: google hacking book"
• In reply to: Ivan .: "Re: Web Application Hacker's Handbook"
• Next in thread: cross-site-scripting-security@xssworm.com: "Re: Re: Web Application Hacker's Handbook"
• Maybe reply: cross-site-scripting-security@xssworm.com: "Re: Re: Web Application Hacker's Handbook"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:11 EDT