The remaining bulk of the book consists of a practical guide to attacking and defending web applications. Organized around categories of vulnerability, the authors explain each using concrete examples of real-world vulnerabilities to highlight the problem – usually accompanied by a screenshot or code sample. The authors describe in detail the techniques which an attacker can use to identify and exploit the vulnerability, and the specific countermeasures which application developers and administrators can use to defend against these attacks. On most pages, the prose-based discussion is punctuated by practical steps relating to the attacks being discussed. Where relevant, the best hack tools for a particular task are described, and specific instructions are given for using them.

The book concludes with some chapters describing practical techniques which do not fit neatly into a particular area of vulnerability, including application mapping, automation of bespoke attacks, and code review techniques. The authors also provide a unified web application hacker’s toolkit and methodology, pulling together in one location a checklist-style summary all of the techniques described through the book.