
I recently came across this book, Web Application Security by Andrew Hoffman, while searching for material to read on how to secure web applications. There are many books available on this topic. I picked this one specifically because of its recent publication date. It was published in March 2020 (about five months back, at the time of writing).
Content overview
The tagline of the book, “Exploitation and Countermeasures for Modern Web Applications”, says it all. The book is divided into three parts: Recon, Offense and Defense. Each part is then divided into chapters covering specific areas of web application security.
It starts by providing a glimpse into the history of software security and the evolution of the web-related attacks we see today. This lays the foundation for the first part, Recon. In this part the author describes various techniques for mapping a web application. One important lesson I learnt from this part is that recon is not limited to the web application per se. When mapping out the web application, one needs to look at aspects such as:
- Structure of the application
- Subdomains
- APIs
- Third-party components
- Architecture
The second part of the book, Offense, covers the most common attacks related to web applications:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- XML External Entity (XXE)
- Injection
- Denial of Service (DoS and DDoS)
- Exploiting third-party components
In Defense (the third part of the book), the author looks at securing web applications from a developer’s point of view (one of the things I liked about this book). This part covers the following:
- Securing application architecture
- Secure code reviews
- Vulnerability discovery and management
- Defense techniques for each attack mentioned in the Offense section
Salient features
Here are a few things I liked about this book:
- It focuses on a holistic view of securing web applications.
- Each offense technique is mapped to appropriate defense(s).
- The developer-focused Defense part of the book.
- The author’s focus on the importance of taking notes and his preferred notes format (you can find this out by reading the book).
- This book is good for developers, information security managers and beginners in web application security.
Not so salient features
Here are a few things I did not like about this book:
- Given the title and tagline, I expected it to be more technical. It did not live up to those expectations.
- The Offense part misses out on key web application attacks such as Local File Inclusion (LFI), Remote File Inclusion (RFI), Path Traversal, Insecure Direct Object Reference (IDOR), etc.
- The author has included examples for a fictitious website; a hands-on lab would have been nice.
My rating: 4.0 / 5.0
Join our book club on Discord and share your views on this book (or any other security book of your choice).
Uday Mittal is a cybersecurity professional with rich working experience across various industries, including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM and CRISC, among others. He speaks on cybersecurity awareness, offensive security research, etc., and has authored various articles on topics related to cybersecurity and software development for a leading magazine on open source software.