{"id":2823,"date":"2026-01-03T21:16:37","date_gmt":"2026-01-03T14:16:37","guid":{"rendered":"https:\/\/kienthucmo.com\/?p=2823"},"modified":"2026-01-03T21:19:05","modified_gmt":"2026-01-03T14:19:05","slug":"the-web-application-hackers-handbook-discovering-and-exploiting-security-flaws","status":"publish","type":"post","link":"https:\/\/kienthucmo.com\/vi\/the-web-application-hackers-handbook-discovering-and-exploiting-security-flaws\/","title":{"rendered":"The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The explosive growth of the Internet and of online service platforms has made web applications the backbone of most modern information systems. From e-commerce and digital banking to enterprise management systems and social networks, web applications not only implement business logic but also store and operate on high-value data. Web application security has therefore become a matter of survival for organizations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In practice, however, most serious attacks do not stem from sophisticated infrastructure vulnerabilities but from mistakes in the design and implementation of web applications. 
Understanding the attacker's mindset, techniques and methods is a prerequisite for building secure systems. In that context, <strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> stands out as a classic, regarded by many web application security professionals around the world as their \u201cbedside book\u201d.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Far more than a catalogue of vulnerabilities, the book offers a systematic approach that walks through the entire thought process and workflow of a hacker assessing and exploiting a web application. This is what gives the book its lasting value despite the rapid pace of technological change.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Basic information about the book<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> is one of the most classic and influential works in the field of web application security. 
It is regarded as the foundational reference for web-focused penetration testing, and as a guide for software engineers and security professionals when designing, assessing and defending systems.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Full title:<\/strong> <em>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/em><\/li>\n\n\n\n<li><strong>Authors:<\/strong> Dafydd Stuttard and Marcus Pinto<\/li>\n\n\n\n<li><strong>Publisher:<\/strong> Wiley<\/li>\n\n\n\n<li><strong>Field:<\/strong> Cybersecurity, web application security, penetration testing<\/li>\n\n\n\n<li><strong>Primary audience:<\/strong> Security professionals, developers, IT students and web security researchers<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Both authors are highly respected figures in the security community. Dafydd Stuttard is the founder and lead architect of <strong>Burp Suite<\/strong>, a toolkit used widely by penetration testers and security teams around the world. 
Marcus Pinto is an application security consultant who has personally carried out security assessments of many large enterprise systems. This practical background is what gives the book its strong grounding in real-world experience rather than theory alone.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Structurally, the book is designed as a comprehensive guide that mirrors the workflow of a white-hat hacker approaching and assessing a web application. Rather than listing vulnerabilities in isolation, the authors present the material in a logical sequence: understanding the underlying technologies, surveying the system, identifying the attack surface, and finally exploiting weaknesses in authentication, authorization, data handling and business logic. 
This approach helps readers develop systems thinking and a clear understanding of how the components of a web application relate to one another.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In short, <em>The Web Application Hacker\u2019s Handbook<\/em> is not merely a technical book but a training text for security thinking, and it laid the groundwork for many of the web application security testing standards and methodologies in wide use across the software industry today.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"794\" height=\"1000\" src=\"https:\/\/kienthucmo.com\/wp-content\/uploads\/The-Web-Application-Hacker-Handbook-Discovering-and-Exploiting-Security-Flaws-2.jpg\" alt=\"The Web Application Hacker Handbook Discovering and Exploiting Security Flaws\" class=\"wp-image-2990\" srcset=\"https:\/\/kienthucmo.com\/wp-content\/uploads\/The-Web-Application-Hacker-Handbook-Discovering-and-Exploiting-Security-Flaws-2.jpg 794w, https:\/\/kienthucmo.com\/wp-content\/uploads\/The-Web-Application-Hacker-Handbook-Discovering-and-Exploiting-Security-Flaws-2-238x300.jpg 238w, https:\/\/kienthucmo.com\/wp-content\/uploads\/The-Web-Application-Hacker-Handbook-Discovering-and-Exploiting-Security-Flaws-2-768x967.jpg 768w\" sizes=\"(max-width: 794px) 100vw, 794px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">2. Summary of the contents<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The content of <strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> follows a logical structure that closely mirrors the process a white-hat hacker or penetration tester goes through when assessing the security of a web application. Rather than cataloguing isolated vulnerabilities, the book leads the reader through each stage of an attack, from understanding the fundamentals to in-depth exploitation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.1 Overview of web application security<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the opening part, the authors analyze the overall landscape of web application security on the modern Internet. The web application is described as a complex intermediate layer where user data, business logic and server infrastructure coexist and interact continuously. 
This complexity, combined with pressure to ship quickly and business demands, leaves many applications harboring serious vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The authors stress that most vulnerabilities do not arise from new technology or advanced techniques but from flawed assumptions in design and implementation, such as trusting user-supplied input or underestimating an attacker's ability to analyze the application.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.2 Core web application technologies<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Next, the book devotes a substantial part to the technologies underpinning web applications: HTTP\/HTTPS, the request\u2013response model, cookies, sessions and state management. 
The aim of this part is not to teach web programming but to give readers a clear understanding of how data is transmitted and processed, so that they can recognize the weak points that could be abused.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A solid grasp of these fundamentals is treated as a prerequisite for understanding and applying the attack techniques in later chapters.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.3 Surveying and mapping the application (Mapping the Application)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the book's core topics is the technique of surveying and mapping the application. The authors describe how a hacker gathers information about the system's structure, functionality, parameters and entry points. 
This process establishes the \u201cattack surface\u201d: the places where vulnerabilities are likely to exist.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This part clearly shows the systematic and patient mindset of a hacker, and helps readers understand that an effective attack always begins with a thorough understanding of the target.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.4 Bypassing client-side controls<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The book goes on to analyze browser-side controls such as JavaScript input validation. The authors point out that these measures mainly serve the user experience and cannot be treated as genuine security mechanisms. Through worked examples, readers see how easily such controls can be bypassed when the server does not perform its own validation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.5 Attacking authentication, session management and access control<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is a key part of the book, reflecting many serious vulnerabilities seen in practice. 
The authors go deep into problems such as weak authentication, insecure session management and authorization mistakes. Seemingly minor errors in these mechanisms can lead to severe consequences such as account takeover or unauthorized access to sensitive data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.6 Injection attacks and business logic flaws<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Several chapters analyze classic attack techniques such as SQL injection and cross-site scripting (XSS), alongside business logic flaws. In particular, the authors stress that logic flaws are hard to detect with automated tools yet are highly specific and dangerous, because they stem directly from how the system was designed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.7 Tools and automation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In the final part, the book introduces supporting tools and the automation of certain steps of a penetration test. 
This material clarifies the role of tools in making testing more efficient, while stressing that tools only deliver real value in the hands of someone with sound reasoning and solid foundational knowledge.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why should you read this book?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> is regarded as one of the most foundational references on web application security because it not only conveys technical knowledge but also helps readers build a systematic security mindset.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, the book teaches readers to approach security from the attacker's point of view. Rather than focusing only on compliance checklists or existing security standards, it shows how to analyze an application the way a real hacker would: identify the attack surface, test the design assumptions, and exploit weaknesses that seem harmless. 
This approach gives readers a real understanding of the nature of each vulnerability, instead of merely knowing how to \u201cpatch\u201d reactively.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Second, the book concentrates on the core principles of web application security: authentication, session management, access control and input handling. These are foundational issues that change little over time and are the root cause of most serious security incidents. As a result, the knowledge gained from the book keeps its value even as web technologies, frameworks and programming languages keep changing.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, the book is highly practical, with many attack scenarios described in detail together with an analysis of their impact and approaches to prevention. 
This helps readers understand not only \u201cwhat could happen\u201d but also how much is at risk when security flaws are overlooked during development and operation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, reading the book trains critical and proactive thinking about security, which in turn contributes to the quality and safety of real-world web applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Who is this book for?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> is aimed at several groups of readers in information technology, especially those directly involved in building, operating or assessing the security of web applications.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, the book is especially well suited to penetration testers and application security engineers. 
With its systematic approach and focus on practical exploitation techniques, the book provides a solid foundation for assessing the security of web applications and for finding serious vulnerabilities that automated tools struggle to detect.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For developers and software architects, the book acts as a \u201cmirror\u201d reflecting the mistakes commonly made when designing and implementing applications. Understanding how hackers exploit vulnerabilities helps developers take the initiative in writing secure code and in designing authentication, authorization and input handling rigorously from the start.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The book is also well suited to students and self-learners in cybersecurity. The material is presented in a logical order, from fundamentals to advanced topics, helping learners build knowledge systematically. 
To get the most out of it, however, readers should have basic knowledge of web programming and network protocols.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, for technical managers and those responsible for system security, the book offers deep insight into the real risks web applications face, supporting better decisions about investment in resources, processes and security policy.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/strong> is not just a guide to attacking web applications but a foundational text for building a security mindset among those who work in information technology. 
Through its systematic approach, the book gives readers a clear understanding of the nature of security vulnerabilities, how they arise and how they can be exploited in practice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The book's greatest value lies in its tight coupling of theory and practice. The principles of authentication, session management, access control and input handling are analyzed in depth, showing why seemingly minor design and implementation mistakes can have severe consequences for the whole system. Readers not only deepen their technical knowledge but also develop a habit of more careful and proactive thinking about security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Although web technology keeps evolving and new attack techniques keep appearing, the core content of the book remains current and practically valuable. 
<em>The Web Application Hacker\u2019s Handbook<\/em> therefore deserves a place as an important reference in the library of anyone interested in web application security and secure software development.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. Download and read<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You can download or read this book online on several platforms, such as SlideShare, Scribd, Issuu or Studylib. Each supports reading directly, saving for later and downloading when needed, on both desktop and mobile. 
Choose whichever suits your reading habits best.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Studylib:<\/strong> <a href=\"https:\/\/studylib.net\/doc\/27956323\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/studylib.net\/doc\/27956323<\/a><\/li>\n\n\n\n<li><strong>Slideshare (Part 1):<\/strong> <a href=\"https:\/\/www.slideshare.net\/slideshow\/practical-statistics-for-data-scientists-50-essential-concepts-using-r-and-python-part-1\/284083302\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.slideshare.net\/slideshow\/practical-statistics-for-data-scientists-50-essential-concepts-using-r-and-python-part-1\/284083302<\/a><\/li>\n\n\n\n<li><strong>Slideshare (Part 2):<\/strong> <a href=\"https:\/\/www.slideshare.net\/slideshow\/practical-statistics-for-data-scientists-50-essential-concepts-using-r-and-python-part-2\/284083341\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.slideshare.net\/slideshow\/practical-statistics-for-data-scientists-50-essential-concepts-using-r-and-python-part-2\/284083341<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. References<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">[1] D. Stuttard and M. Pinto, <em>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws<\/em>, 2nd ed. Indianapolis, IN, USA: Wiley Publishing, 2011.<br>[2] OWASP Foundation, \u201cOWASP Top 10 \u2013 Web Application Security Risks,\u201d 2021. [Online]. Available: <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" target=\"_blank\" rel=\"noopener\">https:\/\/owasp.org\/www-project-top-ten\/<\/a>. [Accessed: 28-Dec-2025].<br>[3] D. Stuttard, \u201cBurp Suite Documentation,\u201d PortSwigger Ltd. [Online]. Available: <a href=\"https:\/\/portswigger.net\/burp\/documentation\" target=\"_blank\" rel=\"noopener\">https:\/\/portswigger.net\/burp\/documentation<\/a>. [Accessed: 28-Dec-2025].<br>[4] PortSwigger Web Security Academy, \u201cWeb Application Security Learning Materials.\u201d [Online]. Available: <a href=\"https:\/\/portswigger.net\/web-security\" target=\"_blank\" rel=\"noopener\">https:\/\/portswigger.net\/web-security<\/a>. [Accessed: 28-Dec-2025].<br>[5] M. Howard and D. LeBlanc, <em>Writing Secure Code<\/em>, 2nd ed. Redmond, WA, USA: Microsoft Press, 2003.<br>[6] G. McGraw, <em>Software Security: Building Security In<\/em>. Boston, MA, USA: Addison-Wesley, 2006.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Web Application Hacker\u2019s Handbook: Discovering and Exploiting Security Flaws is one of the most classic and influential works in the field of web application security. 
It is regarded as the foundational reference for web-focused penetration testing, and as a guide for software engineers and security professionals when designing, assessing and defending systems.<\/p>\n","protected":false},"author":1,"featured_media":2990,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"googlesitekit_rrm_CAowieHDDA:productID":"","footnotes":""},"categories":[5],"tags":[66],"class_list":["post-2823","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tai-lieu","tag-tai-lieu"],"_links":{"self":[{"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/posts\/2823","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/comments?post=2823"}],"version-history":[{"count":3,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/posts\/2823\/revisions"}],"predecessor-version":[{"id":2993,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/posts\/2823\/revisions\/2993"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/media\/2990"}],"wp:attachment":[{"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/media?parent=2823"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/categories?post=2823"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kienthucmo.com\/vi\/wp-json\/wp\/v2\/tags?post=2823"}],
"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}