General Description
A book of 272 pages, consisting of 20 chapters and two appendices. Each chapter ends with a conclusion. The material is presented mainly as text; there are code snippets, but not many, and the same goes for images and tables. The reading difficulty is light, rising to medium in a few chapters.
Brief Overview
The book is structured so that each chapter covers one vulnerability or attack vector. The simplest way to give a brief overview is to list these chapters, that is, the attack vectors. So, here is what the author offers:
- Chapter 1. Fundamentals of vulnerability hunting
- Chapter 2. Open Redirect
- Chapter 3. HTTP parameter pollution
- Chapter 4. Cross-site request forgery
- Chapter 5. HTML element injection and content spoofing
- Chapter 6. Line feed injection
- Chapter 7. Cross-site scripting
- Chapter 8. Template injection
- Chapter 9. SQL injection
- Chapter 10. Server-side request forgery
- Chapter 11. External XML entities
- Chapter 12. Remote code execution
- Chapter 13. Memory vulnerabilities
- Chapter 14. Subdomain takeover
- Chapter 15. Race conditions
- Chapter 16. Insecure direct object references
- Chapter 17. OAuth vulnerabilities
- Chapter 18. Application logic and configuration vulnerabilities
- Chapter 19. Independent vulnerability discovery
- Chapter 20. Vulnerability reporting
Opinion
So far, this is the best book I know on web application security. The author covers at least 17 types of attacks on websites and web applications and, accordingly, the methods of defending against them. A well-structured, detailed book that clearly deserves a high rating. After reading it, I used most of its material for a talk on computer security that I gave at work to all the employees of my company.
This article is strictly a review of the book and is not a recommendation. The tools and methods described in the book are mentioned for informational purposes only; this is not a call to action on my part. Moreover, some technologies or practices may be restricted, blocked, or illegal in certain countries, and their use is for each reader to evaluate independently, taking into account local legislation and personal responsibility.