book

Web Application Security, 2nd Edition

by Andrew Hoffman

January 2024

Intermediate to advanced

444 pages

11h 10m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Changes from the First EditionPrerequisite Knowledge and Learning GoalsWhy Are Examples in JavaScript?Why Teach Concepts Instead of Tools?Suggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
Information GatheringWeb Application MappingSummary
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresGraphQLVersion Control SystemsCDN/CacheSummary
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary

The Hacker’s MindsetApplied Recon
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSBypassing FiltersSelf-Closing HTML TagsProtocol-Relative URLsMalformed TagsEncoding EscapesPolyglot PayloadsXSS Sinks and SourcesSummary
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsBypassing CSRF DefensesHeader ValidationToken PoolsWeak TokensContent TypesRegex Filter BypassesIframe PayloadsAJAX PayloadsZero Interaction FormsSummary
XXE FundamentalsDirect XXEIndirect XXEOut-of-Band Data ExfiltrationAccount Takeover WorkflowObtaining System User DataObtaining Password HashesCracking Password HashesSSH Remote LoginSummary
SQL InjectionCode InjectionCommand InjectionInjection Data Exfiltration TechniquesData Exfiltration FundamentalsIn-Band Data ExfiltrationOut-of-Band Data ExfiltrationInferential Data ExfiltrationBypassing Common DefensesSummary
Regex DoSLogical DoS VulnerabilitiesDistributed DoSAdvanced DoSYoYo AttacksCompression AttacksProxy-Based DoSSummary
Mass AssignmentInsecure Direct Object ReferenceSerialization AttacksWeb Serialization ExplainedAttacking Weak SerializationSummary
Methods of Attacking a Browser ClientClient-Targeted AttacksClient-Specific AttacksAdvantages of Client-Side AttacksPrototype Pollution AttacksUnderstanding Prototype PollutionAttacking with Prototype PollutionPrototype Pollution ArchetypesClickjacking AttacksCamera and Microphone ExploitCreating Clickjacking ExploitsTabnabbing and Reverse TabnabbingTraditional TabnabbingReverse TabnabbingSummary
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
Custom Math VulnerabilitiesProgrammed Side EffectsQuasi-Cash AttacksVulnerable Standards and ConventionsExploiting Business Logic VulnerabilitiesSummary
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense TechniquesSummary
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing CredentialsMFAPII and Financial DataSearch EnginesZero Trust ArchitectureThe History of Zero TrustImplicit Versus Explicit TrustAuthentication and AuthorizationSummary
Content Security PolicyImplementing CSPCSP StructureImportant DirectivesCSP Sources and Source ListsStrict CSPExample Secure CSP PolicyCross-Origin Resource SharingTypes of CORS RequestsSimple CORS RequestsPreflighted CORS RequestsImplementing CORSHeadersStrict Transport SecurityCross-Origin-Opener Policy (COOP)Cross-Origin-Resource-Policy (CORP)Headers with Security ImplicationsLegacy Security HeadersCookiesCreating and Securing CookiesTesting CookiesFraming and SandboxingTraditional IframeWeb WorkersSubresource IntegrityShadow RealmsSummary
Information Disclosures and EnumerationInformation DisclosuresEnumerationSecure User Experience Best PracticesSummary
Designing an Effective Threat ModelThreat Modeling by ExampleLogic DesignTechnical DesignThreat Identification (Threat Actors)Threat Identification (Attack Vectors)Identifying MitigationsDelta IdentificationSummary
How to Start a Code ReviewArchetypical Vulnerabilities Versus Business Logic VulnerabilitiesWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlocklistsBoilerplate CodeTrust-by-DefaultClient/Server SeparationSummary
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSS XSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
Header VerificationCSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
Evaluating Other Data FormatsAdvanced XXE RisksSummary
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityAllowlisting CommandsSummary
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSSummary
Defending Against Mass AssignmentValidation and AllowlistingData Transfer ObjectsDefending Against IDORDefending Against Serialization AttacksSummary
Defending Against Prototype PollutionKey SanitizationPrototype FreezingNull PrototypesDefending Against ClickjackingFrame AncestorsFramebustingDefending Against TabnabbingCross-Origin-Opener PolicyLink BlockersIsolation PoliciesSummary
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
Architecture-Level MitigationsStatistical ModelingModeling InputsModeling ActionsModel DevelopmentModel AnalysisSummary
The History of Software SecurityReconOffenseDefenseMore to Learn

Content preview from Web Application Security, 2nd Edition

Preface

Welcome to Web Application Security: Exploitation and Countermeasures for Modern Web Applications. In this preface, we will discuss the book’s content and who this book is for, including the skill sets required to make the most of the technical content in the following chapters. Reading the preface will help you understand if this book is for you.

Changes from the First Edition

You will find a significant number of changes when comparing this book to its prior first edition. There are over one hundred pages of new content, but beyond that there are dozens of edited pages.

The first edition was primarily focused at the entry- and mid-level engineer, but feedback often requested more advanced content from which you could continue down a particular learning path for each chapter. Most chapters now have advanced content offered, and as such my hope is that senior security professionals will now benefit more from reading this book.

Additionally, the book has had a significant amount of updates to incorporate recent technologies. I felt it imperative to add example cases and code for securing and attacking new but common forms of technology in web applications, for example GraphQL and NoSQL databases.

The second edition has significant swaths of new security content including content covering the latest and most popular web application technologies. It also has been modified to include more advanced content per chapter and to incorporate dozens, if not hundreds, of reader and ...