Book Name: Web Application Security
Author: Andrew Hoffman
Publisher: O'Reilly
Topic: Web Application Security – Offensive and Defensive
Level: Beginner-Intermediate (Personally)
Hi all, in this blog post I want to say something about this book, written by Andrew Hoffman. I don't want to bore you with a long article, so I will review it briefly. You may be a coder, a pentester, a security researcher, a blue teamer, etc. It doesn't matter!… If you're interested in web application security, especially if you already have intermediate knowledge, you should read this book. Why? I'll get to that, stay tuned!…
I think you may want to refresh your web security knowledge. This book contains three excellent parts: Part I: Recon, Part II: Offense, Part III: Defense.
Let’s start with the recon phase.
Firstly, if you don't know how to write your own recon/security tools, you can learn this from the book once you understand the mindset. In this book, most of the code is written in JavaScript, THAT'S PERFECT!… Why not write your own scripts in JS? Why not? 🙂
In the web application space, you must learn JavaScript and other languages like PHP, ASP, Node.js, etc. In this book, you can familiarize yourself with JS in particular. The recon phase is very important for us. You should think like a hacker. The information you find increases your success rate. You will build your threat/attack map from the pieces of information you gather in the recon phase. In this part, you will learn how to find information about a web application: subdomain discovery, DOM analysis, crawling, API analysis, and more.
Next stop… We're in the evil stage, so be careful 🙂
In the Offense part, you will learn some web application attacks, or refresh your knowledge of them.
How does XSS work? Why can we inject code? Can I send some coins to my game profile with SQLi?
Code injection and command injection: what is the difference? How can an XML parser be exploited with XXE?
Example code snippets, recommendations, use cases, ReDoS (regex DoS), and more. You can find all of this in the book.
Personal Note: It would be nice if the OWASP Top 10, extra vulnerabilities like SSRF or HTTP request smuggling, and example code for these types of vulnerabilities were added.
And now it's time to be an angel for web applications in the Defense part.
Here you will learn about secure application architecture, what vulnerability testing is, and what vulnerability management is.
You will also know what CVSS, CWE, bug bounties, etc. are after reading. Sounds great!… But I think the most important section is the one on defending against vulnerabilities like XSS, SQLi and ReDoS. You can defend your own applications, and once you learn how a defense works, you also understand how it can be bypassed.
If you want to win, you should know your enemy 🙂 You can also find lots of example code snippets in this part.
Personal Note: The book teaches by showing example code, and this is really perfect. As you read, you become much more familiar with the code patterns and the mindset. Most programming languages look similar, but JavaScript sometimes has its own style, like the DOM or function chaining. You will understand the logic of the code and be able to adapt it to other languages more easily.
Of course! That’s my opinion.
Thanks to Andrew for this book. Sharing knowledge with the community is significant, as Andrew says in the book.
Thanks for your time and your interest. Berk KIRAS – Cyber Security Specialist