book

Web Application Security, 2nd Edition

by Andrew Hoffman

January 2024

Intermediate to advanced

444 pages

11h 10m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Changes from the First EditionPrerequisite Knowledge and Learning GoalsWhy Are Examples in JavaScript?Why Teach Concepts Instead of Tools?Suggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
Information GatheringWeb Application MappingSummary
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresGraphQLVersion Control SystemsCDN/CacheSummary
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary

The Hacker’s MindsetApplied Recon
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSBypassing FiltersSelf-Closing HTML TagsProtocol-Relative URLsMalformed TagsEncoding EscapesPolyglot PayloadsXSS Sinks and SourcesSummary
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsBypassing CSRF DefensesHeader ValidationToken PoolsWeak TokensContent TypesRegex Filter BypassesIframe PayloadsAJAX PayloadsZero Interaction FormsSummary
XXE FundamentalsDirect XXEIndirect XXEOut-of-Band Data ExfiltrationAccount Takeover WorkflowObtaining System User DataObtaining Password HashesCracking Password HashesSSH Remote LoginSummary
SQL InjectionCode InjectionCommand InjectionInjection Data Exfiltration TechniquesData Exfiltration FundamentalsIn-Band Data ExfiltrationOut-of-Band Data ExfiltrationInferential Data ExfiltrationBypassing Common DefensesSummary
Regex DoSLogical DoS VulnerabilitiesDistributed DoSAdvanced DoSYoYo AttacksCompression AttacksProxy-Based DoSSummary
Mass AssignmentInsecure Direct Object ReferenceSerialization AttacksWeb Serialization ExplainedAttacking Weak SerializationSummary
Methods of Attacking a Browser ClientClient-Targeted AttacksClient-Specific AttacksAdvantages of Client-Side AttacksPrototype Pollution AttacksUnderstanding Prototype PollutionAttacking with Prototype PollutionPrototype Pollution ArchetypesClickjacking AttacksCamera and Microphone ExploitCreating Clickjacking ExploitsTabnabbing and Reverse TabnabbingTraditional TabnabbingReverse TabnabbingSummary
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
Custom Math VulnerabilitiesProgrammed Side EffectsQuasi-Cash AttacksVulnerable Standards and ConventionsExploiting Business Logic VulnerabilitiesSummary
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense TechniquesSummary
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing CredentialsMFAPII and Financial DataSearch EnginesZero Trust ArchitectureThe History of Zero TrustImplicit Versus Explicit TrustAuthentication and AuthorizationSummary
Content Security PolicyImplementing CSPCSP StructureImportant DirectivesCSP Sources and Source ListsStrict CSPExample Secure CSP PolicyCross-Origin Resource SharingTypes of CORS RequestsSimple CORS RequestsPreflighted CORS RequestsImplementing CORSHeadersStrict Transport SecurityCross-Origin-Opener Policy (COOP)Cross-Origin-Resource-Policy (CORP)Headers with Security ImplicationsLegacy Security HeadersCookiesCreating and Securing CookiesTesting CookiesFraming and SandboxingTraditional IframeWeb WorkersSubresource IntegrityShadow RealmsSummary
Information Disclosures and EnumerationInformation DisclosuresEnumerationSecure User Experience Best PracticesSummary
Designing an Effective Threat ModelThreat Modeling by ExampleLogic DesignTechnical DesignThreat Identification (Threat Actors)Threat Identification (Attack Vectors)Identifying MitigationsDelta IdentificationSummary
How to Start a Code ReviewArchetypical Vulnerabilities Versus Business Logic VulnerabilitiesWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlocklistsBoilerplate CodeTrust-by-DefaultClient/Server SeparationSummary
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSS XSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
Header VerificationCSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
Evaluating Other Data FormatsAdvanced XXE RisksSummary
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityAllowlisting CommandsSummary
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSSummary
Defending Against Mass AssignmentValidation and AllowlistingData Transfer ObjectsDefending Against IDORDefending Against Serialization AttacksSummary
Defending Against Prototype PollutionKey SanitizationPrototype FreezingNull PrototypesDefending Against ClickjackingFrame AncestorsFramebustingDefending Against TabnabbingCross-Origin-Opener PolicyLink BlockersIsolation PoliciesSummary
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
Architecture-Level MitigationsStatistical ModelingModeling InputsModeling ActionsModel DevelopmentModel AnalysisSummary
The History of Software SecurityReconOffenseDefenseMore to Learn

Content preview from Web Application Security, 2nd Edition

About the Author

Andrew Hoffman is a senior staff security engineer at Ripple where he is the technical leader for the product security organization.

Previously, Andrew has held roles in both software engineering and application security at companies like Coinbase and Salesforce. Andrew holds deep expertise in the field of web application security as for many years he focused primarily on security concerns of the browser, JavaScript, NodeJS, and surrounding ecosystems. During this time he researched complex and exotic forms of Cross-Site Scripting (XSS), browser sandbox escapes, and security mechanisms to mitigate and reduce the frequency of these issues.

In addition to having worked directly with every major browser vendor, Andrew has contributed to a number of global security initiatives, including working with ECMA International/TC39 (maintainers of the JavaScript programming language) on next-gen JavaScript security features like Shadow Realms.

In addition to his technical skills, Andrew is a natural security leader. He has designed entire application security programs for multiple companies, scaled teams from one to dozens of employees, and successfully managed multiple security personnel on groundbreaking initiatives like the world’s first crypto debit card (Coinbase Card) and the most used commercial UI framework (Lightning Web Components).

If you want to get in contact with Andrew, he is best reached via LinkedIn and offers technical consulting on a limited basis each ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098143923Errata Page

Web Application Security, 2nd Edition

by Andrew Hoffman

About the Author

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Grokking Web Application Security