Penetration Testing mailing list archives
Re: Web Application Hacker's Handbook
From: "David Barnett" <dbarn064 () gmail com>
Date: Fri, 26 Oct 2007 04:59:02 -0500
I am sorry but Hacking Exposed Web Applications is almost worthless as a web Pen testing book today. Sure, back in the day it gave a very high level overview on web pen testing, but even then, it was very weak. I just ordered "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd Stuttard, Marcus Pinto?" and had the same reservations as Jerry. I sure have an overgrown library and would this just be another paper weight? I decided to order the book. I find Dafydd Stuttard work at portwsigger.com on Burp suite and especially his documentation of the tool very refreshing and a great learning experience. Some books and marterail I have found helpful for web pen testing: Jeremiah Grossman and Robert "RSnake" Hansen's Cross Site Scripting Attacks Xss Exploits and Defense - one of the best books out there, even if it is only on XSS. Jeremiah, please write another book. There is a big whole for a quality book. All of the OWASP documentation. Microsoft's Improving Web Application Security books. Even if they are not pen test-centric and heavy on .Net, MS really gets Web App security. Also Hacking the code. There are a slew of useful books but must seem stale and didn't hold their value over the years. People mix the book up with timely attack vectors, how-to's BUT also give the reader a USEFUL methodology that they can pick up and take with them for years. My .02 cents. Cheers, David On 10/25/07, Ivan . <ivanhec () gmail com> wrote:
I have these 2 Hacking Exposed Web Applications http://www.amazon.com/Hacking-Exposed-Web-Applications-2nd/dp/0072262990/ref=sr_1_2/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-2 Professional Pen Testing for Web Applications http://www.amazon.com/Professional-Pen-Testing-Applications-Programmer/dp/0471789666/ref=sr_1_7/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-7 Both reasonable good books, would be keen to hear what Dafydd/Marcus book is like cheers Ivan On 10/26/07, Shenk, Jerry A <jshenk () decommunications com> wrote:While we're talking about books - anybody have any recommendations about The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd Stuttard, Marcus Pinto? Looks good but I've never heard of either of these guys. My library keeps growing and I just don't want to end up with another book unless it's worthwhile. **DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
-- -- -=--=--=--=-----ooO--(_)--Ooo---=--=--=--=-- David Barnett, CISSP, CCSE, QSA, QPASP Manager, Forensics and Incident Response dbarnett () 403labs com | 708-288-6791 | Chicago IL | 403labs.com -=--=--=---=--=--=---=--=--=--=--=---=--=--= CONFIDENTIALITY NOTICE: This email message and any attachments are only for the use of the intended recipient and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, do not read, distribute or reproduce this transmission (including any attachments). If you have received this email message in error, please delete and notify the sender immediately. Thank you. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- google hacking book Robin Wood (Oct 24)
- Re: google hacking book Bipin Upadhyay (Oct 25)
- RE: google hacking book Thor (Hammer of God) (Oct 25)
- Re: google hacking book Terry Cutler (Oct 25)
- Web Application Hacker's Handbook Shenk, Jerry A (Oct 25)
- Re: Web Application Hacker's Handbook Ivan . (Oct 25)
- Re: Web Application Hacker's Handbook David Barnett (Oct 26)
- Web Application Hacker's Handbook Shenk, Jerry A (Oct 25)
- Message not available
- Re: google hacking book Robin Wood (Oct 26)
- <Possible follow-ups>
- Re: google hacking book hackman (Oct 25)