Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Web Application Hacker's Handbook

from [David Barnett] Network Security [Permanent Link]
Subject: Re: Web Application Hacker's Handbook
Date: Fri, 26 Oct 2007 04:59:02 -0500 
I am sorry but Hacking Exposed Web Applications is almost worthless as
a web Pen testing book today. Sure, back in the day it gave a very
high level overview on web pen testing, but even then, it was very
weak.
I just ordered  "The Web Application Hacker's Handbook: Discovering
and Exploiting Security Flaws, by Dafydd Stuttard, Marcus Pinto?" and
had the same reservations as Jerry. I sure have an overgrown library
and would this just be another paper weight?
I decided to order the book. I find Dafydd Stuttard work at
portwsigger.com on Burp suite and especially his documentation of the
tool very refreshing and a great learning experience.
Some books and marterail I have found helpful for web pen testing:

 Jeremiah Grossman and Robert "RSnake" Hansen's  Cross Site Scripting
Attacks Xss Exploits and Defense - one of the best books out there,
even if it is only on XSS. Jeremiah, please write another book. There
is a big whole for a quality book.

All of the OWASP documentation.

Microsoft's Improving Web Application Security books. Even if they are
not pen test-centric and heavy on .Net, MS really gets Web App
security. Also Hacking the code.

 There are a slew of useful books but must seem stale and didn't hold
their value over the years. People mix the book up with timely attack
vectors, how-to's BUT also give the reader a USEFUL methodology that
they can pick up and take with them for years.

My .02 cents.

Cheers,

David



On 10/25/07, Ivan . <ivanhec@gmail.com> wrote:

I have these 2

Hacking Exposed Web Applications
http://www.amazon.com/Hacking-Exposed-Web-Applications-2nd/dp/0072262990/ref=sr_1_2/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-2

Professional Pen Testing for Web Applications
http://www.amazon.com/Professional-Pen-Testing-Applications-Programmer/dp/0471789666/ref=sr_1_7/102-8778972-6481707?ie=UTF8&s=books&qid=1193353161&sr=1-7

Both reasonable good books, would be keen to hear what Dafydd/Marcus
book is like

cheers
Ivan

On 10/26/07, Shenk, Jerry A <jshenk@decommunications.com> wrote:

While we're talking about books - anybody have any recommendations about 
The Web Application Hacker's Handbook: Discovering and Exploiting Security 
Flaws, by Dafydd Stuttard, Marcus Pinto?  Looks good but I've never heard 
of either of these guys.

My library keeps growing and I just don't want to end up with another book 
unless it's worthwhile.


**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the 
use of the individual or entity to which they are addressed and may contain 
information that is privileged, proprietary and confidential. If you are 
not the intended recipient, you may not use, copy or disclose to anyone the 
message or any information contained in the message. If you have received 
this communication in error, please notify the sender and delete this 
e-mail message. The contents do not represent the opinion of D&E except to 
the extent that it relates to their official business.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------






-- 
-- 
 -=--=--=--=-----ooO--(_)--Ooo---=--=--=--=--

David Barnett, CISSP, CCSE, QSA, QPASP
Manager, Forensics and Incident Response dbarnett@403labs.com |
708-288-6791 | Chicago IL | 403labs.com

   -=--=--=---=--=--=---=--=--=--=--=---=--=--=


CONFIDENTIALITY NOTICE: This email message and any attachments are
only for the use of the intended recipient and may contain
information that is privileged, confidential or exempt from disclosure
under applicable law. If you are not the intended recipient,
do not read, distribute or reproduce this transmission (including any
attachments). If you have received this email message in
error, please delete and notify the sender immediately.
Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: google hacking book, Robin Wood
Next by Date:  Re: Directory Transversal - safe_path(char *path) function, jfvanmeter
Previous by Thread:  Re: Web Application Hacker's Handbook, Ivan .
Next by Thread:  Re: google hacking book, Robin Wood
Indexes:  [Date] [Thread] [Top] [All Lists]