I recently came across this book, Web Application Security by Andrew Hoffman, while searching for material to read on how to secure web applications. There are many books available on this topic. I picked this one specifically because of it's recent publication date. It was published in March 2020 (about 5 month back, at the time of writing).

Content overview

The tagline of the book, "Exploitation and Countermeasures for Modern Web Applications", says it all. The book is divided into three parts Recon, Offense and Defense, each part is then divided into chapters covering specific areas of web application security.

It starts by providing a glimpse into the history of software security and the evolution of web related attacks as we see them today. It lays the foundation for the first part, Recon. In this part the author describes various techniques for mapping a web application. One important lesson I learnt from this part is that recon is not just limited to the web application per se. When mapping out the web application, one needs to look at aspects such as:

• Structure of the application

• Subdomains

• APIs

• Third-party components

• Architecture

The second part of the book, Offense, covers the most common attacks related to web applications:

• Cross-site scripting (XSS)

• Cross-site request forgery (CSRF)

• XML External Entity (XXE)

• Injection

• Denial of Service (DoS and DDoS)

• Exploiting third-party components

In Defense (third part of this book), the author looks at securing web applications from a developer's point of view (one of the things I liked about this book). This part covers the following:

• Securing application architecture

• Secure code reviews

• Vulnerability discovery and management

• Defense techniques for each attack mentioned in the Offense section

Salient features

Here are a few things I liked about this book:

• It focuses on holistic view of securing web applications.

• Each offense technique is mapped to appropriate defense(s).

• Developer focused Defense part of the book.

• Author's focus on the importance of taking notes and his preferred notes format (you can find this out by reading the book).

• This book is good for developers, information security managers, beginners in web application security.

Not so salient features

Here are a few things I did not like about this book:

• Given the title and tag line, I thought it would be fairly more technical. It did not live up to those expectations.

• The offense part misses out on key web application attacks such as Local File Inclusion (LFI), Remote File Inclusion (RFI), Path Traversal, Insecure Direct Object Reference etc.

• Author has included examples for a fictitious website, a hands-on lab would have been nice.

My rating: 4.0 / 5.0

Join our book club on Discord and share your views on this book (or any other security book of your choice).

Other book reviews

• The Cybersecurity Manager's Guide by Todd Barnum

• Practical Social Engineering by Joe Gray

• Ethical Hacking by Daniel G. Graham

• How to Hack Like a GHOST by Sparc Flow

• How to Hack Like a LEGEND by Sparc Flow

• CCSP for dummies by Arthur J. Deane

• Cyber Warfare – Truth, Tactics, and Strategies by Dr. Chase Cunningham

• Practical Threat Intelligence and Data-Driven Threat Hunting by Valentina Costa-Gazcón

• Hacking APIs by Corey Ball

• Penetration Testing Azure for Ethical Hackers by David Okeyode, Karl Fosaaen

• Pentesting Azure Applications by Matt Burrough

• Red Team Development and Operations by Joe Vest and James Tubberville

• Container Security by Liz Rice