book

Web Application Security, 2nd Edition

by Andrew Hoffman

January 2024

Intermediate to advanced

444 pages

11h 10m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Changes from the First EditionPrerequisite Knowledge and Learning GoalsWhy Are Examples in JavaScript?Why Teach Concepts Instead of Tools?Suggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
Information GatheringWeb Application MappingSummary
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresGraphQLVersion Control SystemsCDN/CacheSummary
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary

The Hacker’s MindsetApplied Recon
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSBypassing FiltersSelf-Closing HTML TagsProtocol-Relative URLsMalformed TagsEncoding EscapesPolyglot PayloadsXSS Sinks and SourcesSummary
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsBypassing CSRF DefensesHeader ValidationToken PoolsWeak TokensContent TypesRegex Filter BypassesIframe PayloadsAJAX PayloadsZero Interaction FormsSummary
XXE FundamentalsDirect XXEIndirect XXEOut-of-Band Data ExfiltrationAccount Takeover WorkflowObtaining System User DataObtaining Password HashesCracking Password HashesSSH Remote LoginSummary
SQL InjectionCode InjectionCommand InjectionInjection Data Exfiltration TechniquesData Exfiltration FundamentalsIn-Band Data ExfiltrationOut-of-Band Data ExfiltrationInferential Data ExfiltrationBypassing Common DefensesSummary
Regex DoSLogical DoS VulnerabilitiesDistributed DoSAdvanced DoSYoYo AttacksCompression AttacksProxy-Based DoSSummary
Mass AssignmentInsecure Direct Object ReferenceSerialization AttacksWeb Serialization ExplainedAttacking Weak SerializationSummary
Methods of Attacking a Browser ClientClient-Targeted AttacksClient-Specific AttacksAdvantages of Client-Side AttacksPrototype Pollution AttacksUnderstanding Prototype PollutionAttacking with Prototype PollutionPrototype Pollution ArchetypesClickjacking AttacksCamera and Microphone ExploitCreating Clickjacking ExploitsTabnabbing and Reverse TabnabbingTraditional TabnabbingReverse TabnabbingSummary
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
Custom Math VulnerabilitiesProgrammed Side EffectsQuasi-Cash AttacksVulnerable Standards and ConventionsExploiting Business Logic VulnerabilitiesSummary
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense TechniquesSummary
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing CredentialsMFAPII and Financial DataSearch EnginesZero Trust ArchitectureThe History of Zero TrustImplicit Versus Explicit TrustAuthentication and AuthorizationSummary
Content Security PolicyImplementing CSPCSP StructureImportant DirectivesCSP Sources and Source ListsStrict CSPExample Secure CSP PolicyCross-Origin Resource SharingTypes of CORS RequestsSimple CORS RequestsPreflighted CORS RequestsImplementing CORSHeadersStrict Transport SecurityCross-Origin-Opener Policy (COOP)Cross-Origin-Resource-Policy (CORP)Headers with Security ImplicationsLegacy Security HeadersCookiesCreating and Securing CookiesTesting CookiesFraming and SandboxingTraditional IframeWeb WorkersSubresource IntegrityShadow RealmsSummary
Information Disclosures and EnumerationInformation DisclosuresEnumerationSecure User Experience Best PracticesSummary
Designing an Effective Threat ModelThreat Modeling by ExampleLogic DesignTechnical DesignThreat Identification (Threat Actors)Threat Identification (Attack Vectors)Identifying MitigationsDelta IdentificationSummary
How to Start a Code ReviewArchetypical Vulnerabilities Versus Business Logic VulnerabilitiesWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlocklistsBoilerplate CodeTrust-by-DefaultClient/Server SeparationSummary
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSS XSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
Header VerificationCSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
Evaluating Other Data FormatsAdvanced XXE RisksSummary
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityAllowlisting CommandsSummary
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSSummary
Defending Against Mass AssignmentValidation and AllowlistingData Transfer ObjectsDefending Against IDORDefending Against Serialization AttacksSummary
Defending Against Prototype PollutionKey SanitizationPrototype FreezingNull PrototypesDefending Against ClickjackingFrame AncestorsFramebustingDefending Against TabnabbingCross-Origin-Opener PolicyLink BlockersIsolation PoliciesSummary
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
Architecture-Level MitigationsStatistical ModelingModeling InputsModeling ActionsModel DevelopmentModel AnalysisSummary
The History of Software SecurityReconOffenseDefenseMore to Learn

Content preview from Web Application Security, 2nd Edition

Chapter 24. Threat Modeling Applications

Threat modeling is a valuable method of improving your application’s security posture—if implemented correctly. With an improper or hasty implementation, threat modeling exercises do nothing but check boxes and waste valuable time.

When properly implemented, threat modeling allows software and security engineers to work together in a cohesive manner. The shared engineering and security workflow resulting from a well-implemented threat model allows companies to identify threats (e.g., potential vulnerabilities), threat actors (e.g., potential hackers), existing mitigations (e.g., security controls), and the delta between threats and mitigations.

A well-implemented threat modeling process, in addition to the preceding benefits, serves as a living document for rapidly and effectively handing off security knowledge from one engineer to another. It implements robustness in your organization’s security knowledge in a way not possible through most other methods.

While you don’t want to make use of a hastily implemented threat modeling process, learning how to design and implement a robust threat modeling workflow will dramatically improve your organization’s security posture in the long run.

Designing an Effective Threat Model

A proper threat model should be able to accomplish a number of goals. If all of these goals aren’t accomplished, the impact of the threat model is limited: