book

Web Application Security, 2nd Edition

by Andrew Hoffman

January 2024

Intermediate to advanced

444 pages

11h 10m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Changes from the First EditionPrerequisite Knowledge and Learning GoalsWhy Are Examples in JavaScript?Why Teach Concepts Instead of Tools?Suggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
Information GatheringWeb Application MappingSummary
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresGraphQLVersion Control SystemsCDN/CacheSummary
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary

The Hacker’s MindsetApplied Recon
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSBypassing FiltersSelf-Closing HTML TagsProtocol-Relative URLsMalformed TagsEncoding EscapesPolyglot PayloadsXSS Sinks and SourcesSummary
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsBypassing CSRF DefensesHeader ValidationToken PoolsWeak TokensContent TypesRegex Filter BypassesIframe PayloadsAJAX PayloadsZero Interaction FormsSummary
XXE FundamentalsDirect XXEIndirect XXEOut-of-Band Data ExfiltrationAccount Takeover WorkflowObtaining System User DataObtaining Password HashesCracking Password HashesSSH Remote LoginSummary
SQL InjectionCode InjectionCommand InjectionInjection Data Exfiltration TechniquesData Exfiltration FundamentalsIn-Band Data ExfiltrationOut-of-Band Data ExfiltrationInferential Data ExfiltrationBypassing Common DefensesSummary
Regex DoSLogical DoS VulnerabilitiesDistributed DoSAdvanced DoSYoYo AttacksCompression AttacksProxy-Based DoSSummary
Mass AssignmentInsecure Direct Object ReferenceSerialization AttacksWeb Serialization ExplainedAttacking Weak SerializationSummary
Methods of Attacking a Browser ClientClient-Targeted AttacksClient-Specific AttacksAdvantages of Client-Side AttacksPrototype Pollution AttacksUnderstanding Prototype PollutionAttacking with Prototype PollutionPrototype Pollution ArchetypesClickjacking AttacksCamera and Microphone ExploitCreating Clickjacking ExploitsTabnabbing and Reverse TabnabbingTraditional TabnabbingReverse TabnabbingSummary
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
Custom Math VulnerabilitiesProgrammed Side EffectsQuasi-Cash AttacksVulnerable Standards and ConventionsExploiting Business Logic VulnerabilitiesSummary
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense TechniquesSummary
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing CredentialsMFAPII and Financial DataSearch EnginesZero Trust ArchitectureThe History of Zero TrustImplicit Versus Explicit TrustAuthentication and AuthorizationSummary
Content Security PolicyImplementing CSPCSP StructureImportant DirectivesCSP Sources and Source ListsStrict CSPExample Secure CSP PolicyCross-Origin Resource SharingTypes of CORS RequestsSimple CORS RequestsPreflighted CORS RequestsImplementing CORSHeadersStrict Transport SecurityCross-Origin-Opener Policy (COOP)Cross-Origin-Resource-Policy (CORP)Headers with Security ImplicationsLegacy Security HeadersCookiesCreating and Securing CookiesTesting CookiesFraming and SandboxingTraditional IframeWeb WorkersSubresource IntegrityShadow RealmsSummary
Information Disclosures and EnumerationInformation DisclosuresEnumerationSecure User Experience Best PracticesSummary
Designing an Effective Threat ModelThreat Modeling by ExampleLogic DesignTechnical DesignThreat Identification (Threat Actors)Threat Identification (Attack Vectors)Identifying MitigationsDelta IdentificationSummary
How to Start a Code ReviewArchetypical Vulnerabilities Versus Business Logic VulnerabilitiesWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlocklistsBoilerplate CodeTrust-by-DefaultClient/Server SeparationSummary
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSS XSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
Header VerificationCSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
Evaluating Other Data FormatsAdvanced XXE RisksSummary
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityAllowlisting CommandsSummary
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSSummary
Defending Against Mass AssignmentValidation and AllowlistingData Transfer ObjectsDefending Against IDORDefending Against Serialization AttacksSummary
Defending Against Prototype PollutionKey SanitizationPrototype FreezingNull PrototypesDefending Against ClickjackingFrame AncestorsFramebustingDefending Against TabnabbingCross-Origin-Opener PolicyLink BlockersIsolation PoliciesSummary
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
Architecture-Level MitigationsStatistical ModelingModeling InputsModeling ActionsModel DevelopmentModel AnalysisSummary
The History of Software SecurityReconOffenseDefenseMore to Learn

Content preview from Web Application Security, 2nd Edition

Chapter 1. The History of Software Security

Before delving into actual offensive and defensive security techniques, it is important to have at least some understanding of software security’s long and interesting history. A brief overview of major security events in the last one hundred years should be enough to give you an understanding of the foundational technology underlying today’s web applications. Furthermore, it will show off the ongoing relationship between the development of security mechanisms and the improvisation of forward-thinking hackers looking for opportunities to break or bypass those mechanisms.

The Origins of Hacking

In the past two decades, hackers have gained more publicity and notoriety than ever before. As a result, it’s easy for anyone without the appropriate background to assume that hacking is a concept closely tied to the internet and that most hackers emerged in the last 20 years.

But that’s only a partial truth. While the number of hackers worldwide has definitely exploded with the rise of the World Wide Web, hackers have been around since the middle of the 20th century—potentially even earlier depending on what you define as “hacking.” Many experts debate the decade that marks the true origin of modern hackers because a few significant events in the early 1900s showed significant resemblance to the hacking you see today.

For example, there were specific isolated incidents that would likely qualify as hacking in the 1910s and 1920s, most of which ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098143923Errata Page

Web Application Security, 2nd Edition

by Andrew Hoffman

Chapter 1. The History of Software Security

The Origins of Hacking

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Grokking Web Application Security