Limited-time offer! Save up to 50% Off | Solutions starting at $6 each  

The Web Application Hacker's Handbook Second Edition Finding and

Added on - 24 Jan 2022

Trusted by 2+ million users,
1000+ happy students everyday
Showing pages 1 to 8 of 914 pages
Stuttardflast.inddV2 - 08/10/2011 Page xxii
flast.inddxxiiflast.inddxxii8/19/201112:23:07 PM8/19/201112:23:07 PM
Stuttardffirs.inddV4 - 08/17/2011 Page i
The Web Application
Hacker’s Handbook
Second Edition
Finding and Exploiting Security Flaws
Dafydd Stuttard
Marcus Pinto
ffirs.inddiffirs.inddi8/19/201112:22:33 PM8/19/201112:22:33 PM
Stuttardffirs.inddV4 - 08/17/2011 Page ii
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, Second Edition
Published by
John Wiley & Sons, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2011 by Dafydd Stuttard and Marcus Pinto
Published by John Wiley & Sons, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-1-118-02647-2
ISBN: 978-1-118-17522-4 (ebk)
ISBN: 978-1-118-17524-8 (ebk)
ISBN: 978-1-118-17523-1 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis-
sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the
Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111
River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online athttp://www.wiley.
com/go/permissions.
Limit of Liability/Disclaimer of Warranty:The publisher and the author make no representations or war-
ranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all
warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be
created or extended by sales or promotional materials. The advice and strategies contained herein may not
be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in
rendering legal, accounting, or other professional services. If professional assistance is required, the services
of a competent professional person should be sought. Neither the publisher nor the author shall be liable for
damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation
and/or a potential source of further information does not mean that the author or the publisher endorses
the information the organization or website may provide or recommendations it may make. Further, readers
should be aware that Internet websites listed in this work may have changed or disappeared between when
this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department
within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Not all content
that is available in standard print versions of this book may appear or be packaged in all book formats. If
you have purchased a version of this book that did not include media that is referenced by or accompanies
a standard print version, you may request this media by visitinghttp://booksupport.wiley.
com. For more information about Wiley products, visit us atwww.wiley.com.
Library of Congress Control Number:2011934639
Trademarks:Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries, and may not be used without written permission.
All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated
with any product or vendor mentioned in this book.
ffirs.inddiiffirs.inddii8/19/201112:22:37 PM8/19/201112:22:37 PM
Stuttardffirs.inddV4 - 08/17/2011 Page iii
iii
Dafydd Stuttardis an independent security consultant, author, and software
developer. With more than 10 years of experience in security consulting, he
specializes in the penetration testing of web applications and compiled soft-
ware. Dafydd has worked with numerous banks, retailers, and other enterprises
to help secure their web applications. He also has provided security consulting to
several software manufacturers and governments to help secure their compiled
software. Dafydd is an accomplished programmer in several languages. His
interests include developing tools to facilitate all kinds of software security
testing. Under the alias “PortSwigger,” Dafydd created the popular Burp Suite
of web application hacking tools; he continues to work actively on Burp’s devel-
opment. Dafydd is also cofounder of MDSec, a company providing training and
consultancy on Internet security attack and defense. Dafydd has developed and
presented training courses at various security conferences around the world,
and he regularly delivers training to companies and governments. He holds
master’s and doctorate degrees in philosophy from the University of Oxford.
Marcus Pintois cofounder of MDSec, developing and delivering training
courses in web application security. He also performs ongoing security con-
sultancy for financial, government, telecom, and retail verticals. His 11 years
of experience in the industry have been dominated by the technical aspects of
application security, from the dual perspectives of a consulting and end-user
implementation role. Marcus has a background in attack-based security assess-
ment and penetration testing. He has worked extensively with large-scale web
application deployments in the fi nancial services industry. Marcus has been
developing and presenting database and web application training courses since
2005 at Black Hat and other worldwide security conferences, and for private-
sector and government clients. He holds a master’s degree in physics from the
University of Cambridge.
About the Authors
ffirs.inddiiiffirs.inddiii8/19/201112:22:37 PM8/19/201112:22:37 PM
Stuttardffirs.inddV4 - 08/17/2011 Page iv
iv
About the Technical Editor
Dr. Josh Paulireceived his Ph.D. in Software Engineering from North Dakota
State University (NDSU) with an emphasis in secure requirements engineering
and now serves as an Associate Professor of Information Security at Dakota
State University (DSU). Dr. Pauli has published nearly 20 international jour-
nal and conference papers related to software security and his work includes
invited presentations from the Department of Homeland Security and Black
Hat Briefings. He teaches both undergraduate and graduate courses in system
software security and web software security at DSU. Dr. Pauli also conducts web
application penetration tests as a Senior Penetration Tester for an Information
Security consulting firm where his duties include developing hands-on techni-
cal workshops in the area of web software security for IT professionals in the
financial sector.
ffirs.inddivffirs.inddiv8/19/201112:22:37 PM8/19/201112:22:37 PM
Stuttardffirs.inddV4 - 08/17/2011 Page v
v
MDSec: The Authors’ Company
Dafydd and Marcus are cofounders of MDSec, a company that provides training
in attack and defense-based security, along with other consultancy services. If
while reading this book you would like to put the concepts into practice, and
gain hands-on experience in the areas covered, you are encouraged to visit our
website,http://mdsec.net. This will give you access to hundreds of interactive
vulnerability labs and other resources that are referenced throughout the book.
ffirs.inddvffirs.inddv8/19/201112:22:37 PM8/19/201112:22:37 PM
Stuttardffirs.inddV4 - 08/17/2011 Page vi
vi
Executive Editor
Carol Long
Senior Project Editor
Adaobi Obi Tulton
Technical Editor
Josh Pauli
Production Editor
Kathleen Wisor
Copy Editor
Gayle Johnson
Editorial Manager
Mary Beth Wakefield
Freelancer Editorial Manager
Rosemarie Graham
Associate Director of
Marketing
David Mayhew
Marketing Manager
Ashley Zurcher
Business Manager
Amy Knies
Production Manager
Tim Tate
Vice President and Executive
Group Publisher
Richard Swadley
Vice President and Executive
Publisher
Neil Edde
Associate Publisher
Jim Minatel
Project Coordinator, Cover
Katie Crocker
Proofreaders
Sarah Kaikini, Word One
Sheilah Ledwidge, Word One
Indexer
Robert Swanson
Cover Designer
Ryan Sneed
Cover Image
Wiley InHouse Design
Vertical Websites Project Manager
Laura Moss-Hollister
Vertical Websites Assistant Project
Manager
Jenny Swisher
Vertical Websites Associate
Producers
Josh Frank
Shawn Patrick
Doug Kuhn
Marilyn Hummel
Credits
ffirs.inddviffirs.inddvi8/19/201112:22:37 PM8/19/201112:22:37 PM
desklib-logo
You’re reading a preview
Preview Documents

To View Complete Document

Click the button to download
Subscribe to our plans

Download This Document