book

Web Application Security, 2nd Edition

by Andrew Hoffman

January 2024

Intermediate to advanced

444 pages

11h 10m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Changes from the First EditionPrerequisite Knowledge and Learning GoalsWhy Are Examples in JavaScript?Why Teach Concepts Instead of Tools?Suggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
Information GatheringWeb Application MappingSummary
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresGraphQLVersion Control SystemsCDN/CacheSummary
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary

The Hacker’s MindsetApplied Recon
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSBypassing FiltersSelf-Closing HTML TagsProtocol-Relative URLsMalformed TagsEncoding EscapesPolyglot PayloadsXSS Sinks and SourcesSummary
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsBypassing CSRF DefensesHeader ValidationToken PoolsWeak TokensContent TypesRegex Filter BypassesIframe PayloadsAJAX PayloadsZero Interaction FormsSummary
XXE FundamentalsDirect XXEIndirect XXEOut-of-Band Data ExfiltrationAccount Takeover WorkflowObtaining System User DataObtaining Password HashesCracking Password HashesSSH Remote LoginSummary
SQL InjectionCode InjectionCommand InjectionInjection Data Exfiltration TechniquesData Exfiltration FundamentalsIn-Band Data ExfiltrationOut-of-Band Data ExfiltrationInferential Data ExfiltrationBypassing Common DefensesSummary
Regex DoSLogical DoS VulnerabilitiesDistributed DoSAdvanced DoSYoYo AttacksCompression AttacksProxy-Based DoSSummary
Mass AssignmentInsecure Direct Object ReferenceSerialization AttacksWeb Serialization ExplainedAttacking Weak SerializationSummary
Methods of Attacking a Browser ClientClient-Targeted AttacksClient-Specific AttacksAdvantages of Client-Side AttacksPrototype Pollution AttacksUnderstanding Prototype PollutionAttacking with Prototype PollutionPrototype Pollution ArchetypesClickjacking AttacksCamera and Microphone ExploitCreating Clickjacking ExploitsTabnabbing and Reverse TabnabbingTraditional TabnabbingReverse TabnabbingSummary
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
Custom Math VulnerabilitiesProgrammed Side EffectsQuasi-Cash AttacksVulnerable Standards and ConventionsExploiting Business Logic VulnerabilitiesSummary
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense TechniquesSummary
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing CredentialsMFAPII and Financial DataSearch EnginesZero Trust ArchitectureThe History of Zero TrustImplicit Versus Explicit TrustAuthentication and AuthorizationSummary
Content Security PolicyImplementing CSPCSP StructureImportant DirectivesCSP Sources and Source ListsStrict CSPExample Secure CSP PolicyCross-Origin Resource SharingTypes of CORS RequestsSimple CORS RequestsPreflighted CORS RequestsImplementing CORSHeadersStrict Transport SecurityCross-Origin-Opener Policy (COOP)Cross-Origin-Resource-Policy (CORP)Headers with Security ImplicationsLegacy Security HeadersCookiesCreating and Securing CookiesTesting CookiesFraming and SandboxingTraditional IframeWeb WorkersSubresource IntegrityShadow RealmsSummary
Information Disclosures and EnumerationInformation DisclosuresEnumerationSecure User Experience Best PracticesSummary
Designing an Effective Threat ModelThreat Modeling by ExampleLogic DesignTechnical DesignThreat Identification (Threat Actors)Threat Identification (Attack Vectors)Identifying MitigationsDelta IdentificationSummary
How to Start a Code ReviewArchetypical Vulnerabilities Versus Business Logic VulnerabilitiesWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlocklistsBoilerplate CodeTrust-by-DefaultClient/Server SeparationSummary
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSS XSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
Header VerificationCSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
Evaluating Other Data FormatsAdvanced XXE RisksSummary
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityAllowlisting CommandsSummary
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSSummary
Defending Against Mass AssignmentValidation and AllowlistingData Transfer ObjectsDefending Against IDORDefending Against Serialization AttacksSummary
Defending Against Prototype PollutionKey SanitizationPrototype FreezingNull PrototypesDefending Against ClickjackingFrame AncestorsFramebustingDefending Against TabnabbingCross-Origin-Opener PolicyLink BlockersIsolation PoliciesSummary
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
Architecture-Level MitigationsStatistical ModelingModeling InputsModeling ActionsModel DevelopmentModel AnalysisSummary
The History of Software SecurityReconOffenseDefenseMore to Learn

Content preview from Web Application Security, 2nd Edition

Chapter 27. Vulnerability Management

Part of any good SSDL process is a well-defined pipeline for obtaining, triaging, and resolving vulnerabilities found in a web application. We covered methods of discovering vulnerabilities in Chapter 26, and prior to that we covered methods of integrating SSDL into your architecture and development phases to reduce the number of outstanding vulnerabilities found.

Vulnerabilities in a large application will be found in all of these phases, from the architecture phase to production code. Vulnerabilities noted in the architecture phase can be defensively coded against, and countermeasures can be developed before any code is written. Vulnerabilities found any time after the architecture phase need to be properly managed so they can eventually be fixed and any affected environment patched with the fix. This is where a vulnerability management pipeline comes into play.

Reproducing Vulnerabilities

After a vulnerability report, the first step to manage it should be reproducing the vulnerability in a production-like environment. This has multiple benefits. First off, it allows you to determine if the vulnerability is indeed a vulnerability. Sometimes user-defined configuration errors can look like a vulnerability. For example, a user “accidentally” makes an image on your photo-hosting app “public” when they usually set their photos to “private.”

To reproduce vulnerabilities efficiently, you need to establish a staging environment that mimics your ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098143923Errata Page

Web Application Security, 2nd Edition

by Andrew Hoffman

Chapter 27. Vulnerability Management

Reproducing Vulnerabilities

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Grokking Web Application Security