by exceptione 3967 days ago
The Web Application Hacker's Handbook does get quite a few bad reviews on Amazon, though. The book seems to rely on the commercial offerings of the author, like the Burp software and online material for which he charges by the hour.
3 comments

Ignore those reviews. In reality, Burp is to web application security what Photoshop is to graphic design. There are alternatives, and people do use them, but if they do, it's because they already know how to do the job.

Burp is the industry standard. It's also a criminally underrated dev tool. If you're getting paid to build web applications, you should own a license.

I think the reviews are off the mark, as you can go a substantial distance with the free version of Burp, and none of the material strictly depends on Burp; any intercepting proxy will do.

Similarly, the online stuff is totally optional, and none of the master WAHH craftsmen I know have needed that in the slightest.

It is pretty clear in reading those reviews that a person can, with no investment of time or effort, write bad reviews about anything.

It takes effort and energy to get the most out of WAHH, and you can do it without spending an additional dime.

Thanks for clearing that up!
The online material is a virtual lab where you can test out the things you learn in the book by breaking actual web applications. Technical books on niche subjects rarely leave the authors rolling in money, so it would be pretty silly to expect the labs to be free.

If you are too cheap to spend $7 an hour, you can set up a vulnerable VM and accomplish the same thing for free.

We told Matasano candidates to do this, and how to do it and what to run, and it seemed to work pretty well for people.