Web Application Security

Web Application Security

by Andrew Hoffman
Released March 2020
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781492053118

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on Amazon
Start your free trial

Book description

While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking—until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.

Andrew Hoffman, a senior security engineer at Salesforce, introduces three pillars of web application security: recon, offense, and defense. You’ll learn methods for effectively researching and analyzing modern web applications—including those you don’t have direct access to. You’ll also learn how to break into web applications using the latest hacking techniques. Finally, you’ll learn how to develop mitigations for use in your own web applications to protect against hackers.

  • Explore common vulnerabilities plaguing today's web applications
  • Learn essential hacking techniques attackers use to exploit applications
  • Map and document web applications for which you don’t have direct access
  • Develop and deploy customized exploits that can bypass common defenses
  • Develop and deploy mitigations to protect your applications against hackers
  • Integrate secure coding best practices into your development lifecycle
  • Get practical tips to help you improve the overall security of your web applications

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. Prerequisite Knowledge and Learning Goals
    2. Suggested Background
    3. Minimum Required Skills
    4. Who Benefits Most from Reading This Book?
      1. Software Engineers and Web Application Developers
      2. General Learning Goals
      3. Security Engineers, Pen Testers, and Bug Bounty Hunters
    5. How Is This Book Organized?
      1. Recon
      2. Offense
      3. Defense
    6. Language and Terminology
    7. Summary
    8. Conventions Used in This Book
    9. O’Reilly Online Learning
    10. How to Contact Us
  2. 1. The History of Software Security
    1. The Origins of Hacking
    2. The Enigma Machine, Circa 1930
    3. Automated Enigma Code Cracking, Circa 1940
      1. Introducing the “Bombe”
    4. Telephone “Phreaking,” Circa 1950
    5. Anti-Phreaking Technology, Circa 1960
    6. The Origins of Computer Hacking, Circa 1980
    7. The Rise of the World Wide Web, Circa 2000
    8. Hackers in the Modern Era, Circa 2015+
    9. Summary
  3. I. Recon
  4. 2. Introduction to Web Application Reconnaissance
    1. Information Gathering
    2. Web Application Mapping
    3. Summary
  5. 3. The Structure of a Modern Web Application
    1. Modern Versus Legacy Web Applications
    2. REST APIs
    3. JavaScript Object Notation
    4. JavaScript
      1. Variables and Scope
      2. Functions
      3. Context
      4. Prototypal Inheritance
      5. Asynchrony
      6. Browser DOM
    5. SPA Frameworks
    6. Authentication and Authorization Systems
      1. Authentication
      2. Authorization
    7. Web Servers
    8. Server-Side Databases
    9. Client-Side Data Stores
    10. Summary
  6. 4. Finding Subdomains
    1. Multiple Applications per Domain
    2. The Browser’s Built-In Network Analysis Tools
    3. Taking Advantage of Public Records
      1. Search Engine Caches
      2. Accidental Archives
      3. Social Snapshots
    4. Zone Transfer Attacks
    5. Brute Forcing Subdomains
    6. Dictionary Attacks
    7. Summary
  7. 5. API Analysis
    1. Endpoint Discovery
    2. Authentication Mechanisms
    3. Endpoint Shapes
      1. Common Shapes
      2. Application-Specific Shapes
    4. Summary
  8. 6. Identifying Third-Party Dependencies
    1. Detecting Client-Side Frameworks
      1. Detecting SPA Frameworks
      2. Detecting JavaScript Libraries
      3. Detecting CSS Libraries
    2. Detecting Server-Side Frameworks
      1. Header Detection
      2. Default Error Messages and 404 Pages
      3. Database Detection
    3. Summary
  9. 7. Identifying Weak Points in Application Architecture
    1. Secure Versus Insecure Architecture Signals
    2. Multiple Layers of Security
    3. Adoption and Reinvention
    4. Summary
  10. 8. Part I Summary
  11. II. Offense
  12. 9. Introduction to Hacking Web Applications
    1. The Hacker’s Mindset
    2. Applied Recon
  13. 10. Cross-Site Scripting (XSS)
    1. XSS Discovery and Exploitation
    2. Stored XSS
    3. Reflected XSS
    4. DOM-Based XSS
    5. Mutation-Based XSS
    6. Summary
  14. 11. Cross-Site Request Forgery (CSRF)
    1. Query Parameter Tampering
    2. Alternate GET Payloads
    3. CSRF Against POST Endpoints
    4. Summary
  15. 12. XML External Entity (XXE)
    1. Direct XXE
    2. Indirect XXE
    3. Summary
  16. 13. Injection
    1. SQL Injection
    2. Code Injection
    3. Command Injection
    4. Summary
  17. 14. Denial of Service (DoS)
    1. regex DoS (ReDoS)
    2. Logical DoS Vulnerabilities
    3. Distributed DoS
    4. Summary
  18. 15. Exploiting Third-Party Dependencies
    1. Methods of Integration
      1. Branches and Forks
      2. Self-Hosted Application Integrations
      3. Source Code Integration
    2. Package Managers
      1. JavaScript
      2. Java
      3. Other Languages
    3. Common Vulnerabilities and Exposures Database
    4. Summary
  19. 16. Part II Summary
  20. III. Defense
  21. 17. Securing Modern Web Applications
    1. Defensive Software Architecture
    2. Comprehensive Code Reviews
    3. Vulnerability Discovery
    4. Vulnerability Analysis
    5. Vulnerability Management
    6. Regression Testing
    7. Mitigation Strategies
    8. Applied Recon and Offense Techniques
  22. 18. Secure Application Architecture
    1. Analyzing Feature Requirements
    2. Authentication and Authorization
      1. Secure Sockets Layer and Transport Layer Security
      2. Secure Credentials
      3. Hashing Credentials
      4. 2FA
    3. PII and Financial Data
    4. Searching
    5. Summary
  23. 19. Reviewing Code for Security
    1. How to Start a Code Review
    2. Archetypical Vulnerabilities Versus Custom Logic Bugs
    3. Where to Start a Security Review
    4. Secure-Coding Anti-Patterns
      1. Blacklists
      2. Boilerplate Code
      3. Trust-By-Default Anti-Pattern
      4. Client/Server Separation
    5. Summary
  24. 20. Vulnerability Discovery
    1. Security Automation
      1. Static Analysis
      2. Dynamic Analysis
      3. Vulnerability Regression Testing
    2. Responsible Disclosure Programs
    3. Bug Bounty Programs
    4. Third-Party Penetration Testing
    5. Summary
  25. 21. Vulnerability Management
    1. Reproducing Vulnerabilities
    2. Ranking Vulnerability Severity
    3. Common Vulnerability Scoring System
      1. CVSS: Base Scoring
      2. CVSS: Temporal Scoring
      3. CVSS: Environmental Scoring
    4. Advanced Vulnerability Scoring
    5. Beyond Triage and Scoring
    6. Summary
  26. 22. Defending Against XSS Attacks
    1. Anti-XSS Coding Best Practices
    2. Sanitizing User Input
      1. DOMParser Sink
      2. SVG Sink
      3. Blob Sink
      4. Sanitizing Hyperlinks
      5. HTML Entity Encoding
    3. CSS
    4. Content Security Policy for XSS Prevention
      1. Script Source
      2. Unsafe Eval and Unsafe Inline
      3. Implementing a CSP
    5. Summary
  27. 23. Defending Against CSRF Attacks
    1. Header Verification
    2. CSRF Tokens
      1. Stateless CSRF Tokens
    3. Anti-CRSF Coding Best Practices
      1. Stateless GET Requests
      2. Application-Wide CSRF Mitigation
    4. Summary
  28. 24. Defending Against XXE
    1. Evaluating Other Data Formats
    2. Advanced XXE Risks
    3. Summary
  29. 25. Defending Against Injection
    1. Mitigating SQL Injection
      1. Detecting SQL Injection
      2. Prepared Statements
      3. Database-Specific Defenses
    2. Generic Injection Defenses
      1. Potential Injection Targets
      2. Principle of Least Authority
      3. Whitelisting Commands
    3. Summary
  30. 26. Defending Against DoS
    1. Protecting Against Regex DoS
    2. Protecting Against Logical DoS
    3. Protecting Against DDoS
      1. DDoS Mitigation
    4. Summary
  31. 27. Securing Third-Party Dependencies
    1. Evaluating Dependency Trees
      1. Modeling a Dependency Tree
      2. Dependency Trees in the Real World
      3. Automated Evaluation
    2. Secure Integration Techniques
      1. Separation of Concerns
      2. Secure Package Management
    3. Summary
  32. 28. Part III Summary
    1. The History of Software Security
    2. Web Application Reconnaissance
    3. Offense
    4. Defense
  33. 29. Conclusion
  34. Index

Product information

  • Title: Web Application Security
  • Author(s): Andrew Hoffman
  • Release date: March 2020
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492053118