Web Application Security, 2nd Edition

Book description

In the first edition of this critically acclaimed book, Andrew Hoffman defined the three pillars of application security: reconnaissance, offense, and defense. In this revised and updated second edition, he examines dozens of related topics, from the latest types of attacks and mitigations to threat modeling, the secure software development lifecycle (SSDL/SDLC), and more.

Hoffman, senior staff security engineer at Ripple, also provides information regarding exploits and mitigations for several additional web application technologies such as GraphQL, cloud-based deployments, content delivery networks (CDN) and server-side rendering (SSR). Following the curriculum from the first book, this second edition is split into three distinct pillars comprising three separate skill sets:

  • Pillar 1: Recon—Learn techniques for mapping and documenting web applications remotely, including procedures for discovering their subdomains, API endpoints, and third-party dependencies
  • Pillar 2: Offense—Explore methods for attacking web applications using a number of highly effective exploits that have been proven by the best hackers in the world. These skills are valuable when used alongside the skills from Pillar 3.
  • Pillar 3: Defense—Build on skills acquired in the first two parts to construct effective and long-lived mitigations for each of the attacks described in Pillar 2.

Table of contents

  1. Preface
    1. Changes from the First Edition
    2. Prerequisite Knowledge and Learning Goals
    3. Why Are Examples in JavaScript?
    4. Why Teach Concepts Instead of Tools?
    5. Suggested Background
    6. Minimum Required Skills
    7. Who Benefits Most from Reading This Book?
      1. Software Engineers and Web Application Developers
      2. General Learning Goals
      3. Security Engineers, Pen Testers, and Bug Bounty Hunters
    8. How Is This Book Organized?
      1. Recon
      2. Offense
      3. Defense
    9. Language and Terminology
    10. Summary
    11. Conventions Used in This Book
    12. O’Reilly Online Learning
    13. How to Contact Us
    14. Acknowledgments
  2. 1. The History of Software Security
    1. The Origins of Hacking
    2. The Enigma Machine, Circa 1930
    3. Automated Enigma Code Cracking, Circa 1940
    4. Telephone “Phreaking,” Circa 1950
    5. Anti-Phreaking Technology, Circa 1960
    6. The Origins of Computer Hacking, Circa 1980
    7. The Rise of the World Wide Web, Circa 2000
    8. Hackers in the Modern Era, Circa 2015+
    9. Summary
  3. I. Recon
  4. 2. Introduction to Web Application Reconnaissance
    1. Information Gathering
    2. Web Application Mapping
    3. Summary
  5. 3. The Structure of a Modern Web Application
    1. Modern Versus Legacy Web Applications
    2. REST APIs
    3. JavaScript Object Notation
    4. JavaScript
      1. Variables and Scope
      2. Functions
      3. Context
      4. Prototypal Inheritance
      5. Asynchrony
      6. Browser DOM
    5. SPA Frameworks
    6. Authentication and Authorization Systems
      1. Authentication
      2. Authorization
    7. Web Servers
    8. Server-Side Databases
    9. Client-Side Data Stores
    10. GraphQL
    11. Version Control Systems
    12. CDN/Cache
    13. Summary
  6. 4. Finding Subdomains
    1. Multiple Applications per Domain
    2. The Browser’s Built-In Network Analysis Tools
    3. Taking Advantage of Public Records
      1. Search Engine Caches
      2. Accidental Archives
      3. Social Snapshots
    4. Zone Transfer Attacks
    5. Brute Forcing Subdomains
    6. Dictionary Attacks
    7. Summary
  7. 5. API Analysis
    1. Endpoint Discovery
    2. Authentication Mechanisms
    3. Endpoint Shapes
      1. Common Shapes
      2. Application-Specific Shapes
    4. Summary
  8. 6. Identifying Third-Party Dependencies
    1. Detecting Client-Side Frameworks
      1. Detecting SPA Frameworks
      2. Detecting JavaScript Libraries
      3. Detecting CSS Libraries
    2. Detecting Server-Side Frameworks
      1. Header Detection
      2. Default Error Messages and 404 Pages
      3. Database Detection
    3. Summary
  9. 7. Identifying Weak Points in Application Architecture
    1. Secure Versus Insecure Architecture Signals
    2. Multiple Layers of Security
    3. Adoption and Reinvention
    4. Summary
  10. 8. Part I Summary
  11. II. Offense
  12. 9. Introduction to Hacking Web Applications
    1. The Hacker’s Mindset
    2. Applied Recon
  13. 10. Cross-Site Scripting
    1. XSS Discovery and Exploitation
    2. Stored XSS
    3. Reflected XSS
    4. DOM-Based XSS
    5. Mutation-Based XSS
    6. Bypassing Filters
      1. Self-Closing HTML Tags
      2. Protocol-Relative URLs
      3. Malformed Tags
      4. Encoding Escapes
      5. Polyglot Payloads
    7. XSS Sinks and Sources
    8. Summary
  14. 11. Cross-Site Request Forgery
    1. Query Parameter Tampering
    2. Alternate GET Payloads
    3. CSRF Against POST Endpoints
    4. Bypassing CSRF Defenses
      1. Header Validation
      2. Token Pools
      3. Weak Tokens
      4. Content Types
      5. Regex Filter Bypasses
      6. Iframe Payloads
      7. AJAX Payloads
      8. Zero Interaction Forms
    5. Summary
  15. 12. XML External Entity
    1. XXE Fundamentals
    2. Direct XXE
    3. Indirect XXE
    4. Out-of-Band Data Exfiltration
    5. Account Takeover Workflow
      1. Obtaining System User Data
      2. Obtaining Password Hashes
      3. Cracking Password Hashes
      4. SSH Remote Login
    6. Summary
  16. 13. Injection
    1. SQL Injection
    2. Code Injection
    3. Command Injection
    4. Injection Data Exfiltration Techniques
      1. Data Exfiltration Fundamentals
      2. In-Band Data Exfiltration
      3. Out-of-Band Data Exfiltration
      4. Inferential Data Exfiltration
    5. Bypassing Common Defenses
    6. Summary
  17. 14. Denial of Service
    1. Regex DoS
    2. Logical DoS Vulnerabilities
    3. Distributed DoS
    4. Advanced DoS
      1. YoYo Attacks
      2. Compression Attacks
      3. Proxy-Based DoS
    5. Summary
  18. 15. Attacking Data and Objects
    1. Mass Assignment
    2. Insecure Direct Object Reference
    3. Serialization Attacks
      1. Web Serialization Explained
      2. Attacking Weak Serialization
    4. Summary
  19. 16. Client-Side Attacks
    1. Methods of Attacking a Browser Client
      1. Client-Targeted Attacks
      2. Client-Specific Attacks
    2. Advantages of Client-Side Attacks
    3. Prototype Pollution Attacks
      1. Understanding Prototype Pollution
      2. Attacking with Prototype Pollution
      3. Prototype Pollution Archetypes
    4. Clickjacking Attacks
      1. Camera and Microphone Exploit
      2. Creating Clickjacking Exploits
    5. Tabnabbing and Reverse Tabnabbing
      1. Traditional Tabnabbing
      2. Reverse Tabnabbing
    6. Summary
  20. 17. Exploiting Third-Party Dependencies
    1. Methods of Integration
      1. Branches and Forks
      2. Self-Hosted Application Integrations
      3. Source Code Integration
    2. Package Managers
      1. JavaScript
      2. Java
      3. Other Languages
    3. Common Vulnerabilities and Exposures Database
    4. Summary
  21. 18. Business Logic Vulnerabilities
    1. Custom Math Vulnerabilities
    2. Programmed Side Effects
    3. Quasi-Cash Attacks
    4. Vulnerable Standards and Conventions
    5. Exploiting Business Logic Vulnerabilities
    6. Summary
  22. 19. Part II Summary
  23. III. Defense
  24. 20. Securing Modern Web Applications
    1. Defensive Software Architecture
    2. Comprehensive Code Reviews
    3. Vulnerability Discovery
    4. Vulnerability Analysis
    5. Vulnerability Management
    6. Regression Testing
    7. Mitigation Strategies
    8. Applied Recon and Offense Techniques
    9. Summary
  25. 21. Secure Application Architecture
    1. Analyzing Feature Requirements
    2. Authentication and Authorization
      1. Secure Sockets Layer and Transport Layer Security
      2. Secure Credentials
      3. Hashing Credentials
      4. MFA
    3. PII and Financial Data
    4. Search Engines
    5. Zero Trust Architecture
      1. The History of Zero Trust
      2. Implicit Versus Explicit Trust
      3. Authentication and Authorization
    6. Summary
  26. 22. Secure Application Configuration
    1. Content Security Policy
      1. Implementing CSP
      2. CSP Structure
      3. Important Directives
      4. CSP Sources and Source Lists
      5. Strict CSP
      6. Example Secure CSP Policy
    2. Cross-Origin Resource Sharing
      1. Types of CORS Requests
      2. Simple CORS Requests
      3. Preflighted CORS Requests
      4. Implementing CORS
    3. Headers
      1. Strict Transport Security
      2. Cross-Origin-Opener Policy (COOP)
      3. Cross-Origin-Resource-Policy (CORP)
      4. Headers with Security Implications
      5. Legacy Security Headers
    4. Cookies
      1. Creating and Securing Cookies
      2. Testing Cookies
    5. Framing and Sandboxing
      1. Traditional Iframe
      2. Web Workers
      3. Subresource Integrity
      4. Shadow Realms
    6. Summary
  27. 23. Secure User Experience
    1. Information Disclosures and Enumeration
      1. Information Disclosures
      2. Enumeration
    2. Secure User Experience Best Practices
    3. Summary
  28. 24. Threat Modeling Applications
    1. Designing an Effective Threat Model
    2. Threat Modeling by Example
      1. Logic Design
      2. Technical Design
      3. Threat Identification (Threat Actors)
      4. Threat Identification (Attack Vectors)
      5. Identifying Mitigations
      6. Delta Identification
    3. Summary
  29. 25. Reviewing Code for Security
    1. How to Start a Code Review
    2. Archetypical Vulnerabilities Versus Business Logic Vulnerabilities
    3. Where to Start a Security Review
    4. Secure-Coding Anti-Patterns
      1. Blocklists
      2. Boilerplate Code
      3. Trust-by-Default
      4. Client/Server Separation
    5. Summary
  30. 26. Vulnerability Discovery
    1. Security Automation
      1. Static Analysis
      2. Dynamic Analysis
      3. Vulnerability Regression Testing
    2. Responsible Disclosure Programs
    3. Bug Bounty Programs
    4. Third-Party Penetration Testing
    5. Summary
  31. 27. Vulnerability Management
    1. Reproducing Vulnerabilities
    2. Ranking Vulnerability Severity
    3. Common Vulnerability Scoring System
      1. CVSS: Base Scoring
      2. CVSS: Temporal Scoring
      3. CVSS: Environmental Scoring
    4. Advanced Vulnerability Scoring
    5. Beyond Triage and Scoring
    6. Summary
  32. 28. Defending Against XSS Attacks
    1. Anti-XSS Coding Best Practices
    2. Sanitizing User Input
      1. DOMParser Sink
      2. SVG Sink
      3. Blob Sink
      4. Sanitizing Hyperlinks
      5. HTML Entity Encoding
    3. CSS XSS
    4. Content Security Policy for XSS Prevention
      1. Script Source
      2. Unsafe Eval and Unsafe Inline
      3. Implementing a CSP
    5. Summary
  33. 29. Defending Against CSRF Attacks
    1. Header Verification
    2. CSRF Tokens
    3. Anti-CSRF Coding Best Practices
      1. Stateless GET Requests
      2. Application-Wide CSRF Mitigation
    4. Summary
  34. 30. Defending Against XXE
    1. Evaluating Other Data Formats
    2. Advanced XXE Risks
    3. Summary
  35. 31. Defending Against Injection
    1. Mitigating SQL Injection
      1. Detecting SQL Injection
      2. Prepared Statements
      3. Database-Specific Defenses
    2. Generic Injection Defenses
      1. Potential Injection Targets
      2. Principle of Least Authority
      3. Allowlisting Commands
    3. Summary
  36. 32. Defending Against DoS
    1. Protecting Against Regex DoS
    2. Protecting Against Logical DoS
    3. Protecting Against DDoS
    4. Summary
  37. 33. Defending Data and Objects
    1. Defending Against Mass Assignment
      1. Validation and Allowlisting
      2. Data Transfer Objects
    2. Defending Against IDOR
    3. Defending Against Serialization Attacks
    4. Summary
  38. 34. Defense Against Client-Side Attacks
    1. Defending Against Prototype Pollution
      1. Key Sanitization
      2. Prototype Freezing
      3. Null Prototypes
    2. Defending Against Clickjacking
      1. Frame Ancestors
      2. Framebusting
    3. Defending Against Tabnabbing
      1. Cross-Origin-Opener Policy
      2. Link Blockers
    4. Isolation Policies
    5. Summary
  39. 35. Securing Third-Party Dependencies
    1. Evaluating Dependency Trees
      1. Modeling a Dependency Tree
      2. Dependency Trees in the Real World
      3. Automated Evaluation
    2. Secure Integration Techniques
      1. Separation of Concerns
      2. Secure Package Management
    3. Summary
  40. 36. Mitigating Business Logic Vulnerabilities
    1. Architecture-Level Mitigations
    2. Statistical Modeling
      1. Modeling Inputs
      2. Modeling Actions
      3. Model Development
      4. Model Analysis
    3. Summary
  41. 37. Part III Summary
  42. Conclusion
    1. The History of Software Security
    2. Recon
    3. Offense
    4. Defense
    5. More to Learn
  43. Index
  44. About the Author

Product information

  • Title: Web Application Security, 2nd Edition
  • Author(s): Andrew Hoffman
  • Release date: January 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098143930