book

Web Security for Developers

Name: Web Security for Developers
Author: Malcolm McDonald
ISBN: 9781593279943

by Malcolm McDonald

June 2020

Beginner to intermediate

216 pages

6h 4m

English

No Starch Press

Read now

Unlock full access

Cover Page
Title Page
Copyright Page
About the Authors
BRIEF CONTENTS
CONTENTS IN DETAIL
ACKNOWLEDGMENTS
INTRODUCTION
About This BookWho Should Read This BookA Brief History of the InternetWhat’s in This Book
1 LET’S HACK A WEBSITE
Software Exploits and the Dark WebHow to Hack a Website
Part I: The Basics

2 HOW THE INTERNET WORKS
The Internet Protocol SuiteApplication Layer ProtocolsStateful ConnectionsEncryptionSummary
3 HOW BROWSERS WORK
Web Page RenderingJavaScriptBefore and After Rendering: Everything Else the Browser DoesSummary
4 HOW WEB SERVERS WORK
Static and Dynamic ResourcesStatic ResourcesDynamic ResourcesSummary
5 HOW PROGRAMMERS WORK
Phase 1: Design and AnalysisPhase 2: Writing CodePhase 3: Pre-Release TestingPhase 4: The Release ProcessPhase 5: Post-Release Testing and ObservationDependency ManagementSummary
Part II: The Threats
6 INJECTION ATTACKS
SQL InjectionCommand InjectionRemote Code ExecutionFile Upload VulnerabilitiesSummary
7 CROSS-SITE SCRIPTING ATTACKS
Stored Cross-Site Scripting AttacksReflected Cross-Site Scripting AttacksDOM-Based Cross-Site Scripting AttacksSummary
8 CROSS-SITE REQUEST FORGERY ATTACKS
Anatomy of a CSRF AttackMitigation 1: Follow REST PrinciplesMitigation 2: Implement Anti-CSRF CookiesMitigation 3: Use the SameSite Cookie AttributeBonus Mitigation: Require Reauthentication for Sensitive ActionsSummary
9 COMPROMISING AUTHENTICATION
Implementing AuthenticationMitigation 1: Use Third-Party AuthenticationMitigation 2: Integrate with Single Sign-OnMitigation 3: Secure Your Own Authentication SystemSummary
10 SESSION HIJACKING
How Sessions WorkHow Attackers Hijack SessionsSummary
11 PERMISSIONS
Privilege EscalationAccess ControlDirectory TraversalSummary
12 INFORMATION LEAKS
Mitigation 1: Disable Telltale Server HeadersMitigation 2: Use Clean URLsMitigation 3: Use Generic Cookie ParametersMitigation 4: Disable Client-Side Error ReportingMitigation 5: Minify or Obfuscate Your JavaScript FilesMitigation 6: Sanitize Your Client-Side FilesStay on Top of Security AdvisoriesSummary
13 ENCRYPTION
Encryption in the Internet ProtocolEnabling HTTPSAttacking HTTP (and HTTPS)Summary
14 THIRD-PARTY CODE
Securing DependenciesSecuring ConfigurationSecuring the Services That You UseServices as an Attack VectorSummary
15 XML ATTACKS
The Uses of XMLValidating XMLXML BombsXML External Entity AttacksSecuring Your XML ParserOther ConsiderationsSummary
16 DON’T BE AN ACCESSORY
Email FraudDisguising Malicious Links in EmailClickjackingServer-Side Request ForgeryBotnetsSummary
17 DENIAL-OF-SERVICE ATTACKS
Denial-of-Service Attack TypesDenial-of-Service Attack MitigationSummary
18 SUMMING UP
INDEX

Overview

The world has changed. Today, every time you make a site live, you’re opening it up to attack.

A first-time developer can easily be discouraged by the difficulties involved with properly securing a website. But have hope: an army of security researchers is out there discovering, documenting, and fixing security flaws. Thankfully, the tools you’ll need to secure your site are freely available and generally easy to use.

Web Security for Developers will teach you how your websites are vulnerable to attack and how to protect them. Each chapter breaks down a major security vulnerability and explores a real-world attack, coupled with plenty of code to show you both the vulnerability and the fix. You’ll learn how to:

•Protect against SQL injection attacks, malicious JavaScript, and cross-site request forgery
•Add authentication and shape access control to protect accounts
•Lock down user accounts to prevent attacks that rely on guessing passwords, stealing sessions, or escalating privileges
•Implement encryption
•Manage vulnerabilities in legacy code
•Prevent information leaks that disclose vulnerabilities
•Mitigate advanced attacks like malvertising and denial-of-service

As you get stronger at identifying and fixing vulnerabilities, you’ll learn to deploy disciplined, secure code and become a better programmer along the way.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098122683

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills