Web Hacking: Attacks and Defense appeared in 2002, at a moment when web application security was only beginning to be understood as a distinct discipline from network security. The early internet had been built for functionality rather than security, and the result was a generation of web applications riddled with vulnerabilities — SQL injection, cross-site scripting, session management failures, authentication bypasses — that could be exploited with relatively modest technical skill.
Stuart McClure's contribution to this volume, co-authored with Saumil Shah and Shreeraj Shah, extended the Hacking Exposed methodology to the web layer: document each attack technique in enough detail to be genuinely educational, then provide the specific countermeasures that address that vulnerability class. In 2002 the gap between what developers were building and what attackers could exploit was particularly severe at the web layer, and the book aimed to close it by putting the knowledge in front of the people making the architectural and implementation decisions that determined how exposed an application was.
The book arrived at the right moment. The dot-com era had produced an enormous population of web applications built by developers with little security training, and the professionalization of the criminal hacking underground in the early 2000s meant these applications were increasingly targeted. Web Hacking provided the systematic treatment of web attack techniques that practitioners needed to understand what they were defending against.
The topics the book covered, still new to most practitioners in 2002, became the foundational curriculum of web application security training for the decade that followed. SQL injection and XSS, documented in detail in these pages, became the defining vulnerabilities of the early web era and remain among the most commonly found vulnerability classes in production applications today; both still appear in the OWASP Top 10.
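The attack-then-countermeasure pairing the book is built around is easiest to see on the two vulnerability classes named above. The following is an added example written for this page, not code from the book or its authors: it builds a constructed in-memory SQLite fixture (the plaintext password column exists only to make the login bypass visible; a real application stores a hash), shows the string-concatenated query that the classic `' OR '1'='1` payload defeats beside the parameterised query that is immune to it, and shows an unescaped HTML template beside one that escapes user input. The table name, column names and payloads are all assumptions chosen for the demonstration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one user in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext password is for the demo only (assumption, not a recommendation).
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 'correct horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The attack side: user input is spliced into the SQL text, so any quote
    characters the attacker supplies become part of the statement.  Returns the
    matched username or None."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """The countermeasure: a parameterised query.  The input is bound as data
    by the driver and can never alter the structure of the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_comment_vulnerable(comment: str) -> str:
    """Reflects user-controlled text straight into markup (stored/reflected XSS)."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment: str) -> str:
    """Countermeasure: escape for the HTML text context, including quotes so the
    same helper is also safe inside a double-quoted attribute value."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


# Payloads used by the demo (assumptions chosen to illustrate each class).
SQLI_PAYLOAD = "' OR '1'='1"          # closes the quote, then makes the WHERE true
XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    db = make_db()
    # Wrong password, but the injected OR clause short-circuits the check.
    print("vulnerable login:", login_vulnerable(db, "alice", SQLI_PAYLOAD))
    print("parameterised login:", login_safe(db, "alice", SQLI_PAYLOAD))
    print("unescaped:", render_comment_vulnerable(XSS_PAYLOAD))
    print("escaped:  ", render_comment_safe(XSS_PAYLOAD))
```

The injected password turns the predicate into `username = 'alice' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the statement matches every row and the first one is returned, so the attacker is logged in without a valid password. The parameterised version sends the same string as a bound value and finds no row. Escaping on output is the matching countermeasure for XSS; it must be done for the specific context (HTML text, attribute, JavaScript, URL) the data lands in, which is why the safe renderer escapes quotes as well as angle brackets.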