Author Topic: [Help] Web Hacking

chapp
Re: [Help] Web Hacking
« Reply #30 on: December 04, 2014, 12:31:20 pm »
This is likely deadish, but anyhow..
Not only do you need 900 pages to cover web exploitation, but I also think they're not nearly enough.
For instance, the book merely touched on Silverlight, Java applets, ActiveX controls and Flash objects. To reverse engineer native code, you need to know assembly, how to use OllyDbg and IDA Pro, how to beat obfuscation, etc. 1000 pages wouldn't be enough.
Web exploitation is way more complex than what you think, IMHO.

Directly from the book:
You have no idea what I think. Silverlight, ActiveX and Flash objects should not be considered a web exploitation subject unless the vector has to do with the regular web browser issues like XSS / open redirection and such via a Flash object, and in that case it's not a Flash vulnerability, but a problem related to the ActionScript script. ActiveX, Flash or Java are usually binary exploitation with a remote vector, e.g. a web browser with a plugin to handle the mentioned technologies. Web exploitation should consist of programming or logical errors related to the application running on a webserver, or how the browser handles or is expected to handle HTML and JavaScript. Getting RCE on Apache is not considered web hacking.

Generalising, and even providing more specific / advanced examples of the OWASP Top 10, does not require 900 pages. Teaching stuff like abusing application logic to e.g. bypass security functionality or leak information is not possible in a general way, as it requires specific knowledge of the application.

I've read books about more theoretical stuff like discrete mathematics, computer architecture or data structures and algorithms, but I have to agree with the others: this topic needs hands-on experience. From a hiring POV, I've been to too many job interviews with people claiming to know simple stuff in web exploitation, but when asked to coin PoCs they fail.