book

Web Application Security

Name: Web Application Security
Author: Andrew Hoffman
ISBN: 9781492053118

by Andrew Hoffman

March 2020

Intermediate to advanced

327 pages

8h 1m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Prerequisite Knowledge and Learning GoalsSuggested BackgroundMinimum Required SkillsWho Benefits Most from Reading This Book?Software Engineers and Web Application DevelopersGeneral Learning GoalsSecurity Engineers, Pen Testers, and Bug Bounty HuntersHow Is This Book Organized?ReconOffenseDefenseLanguage and TerminologySummaryConventions Used in This BookO’Reilly Online LearningHow to Contact Us
1. The History of Software Security
The Origins of HackingThe Enigma Machine, Circa 1930Automated Enigma Code Cracking, Circa 1940Introducing the “Bombe”Telephone “Phreaking,” Circa 1950Anti-Phreaking Technology, Circa 1960The Origins of Computer Hacking, Circa 1980The Rise of the World Wide Web, Circa 2000Hackers in the Modern Era, Circa 2015+Summary
I. Recon
2. Introduction to Web Application Reconnaissance
Information GatheringWeb Application MappingSummary
3. The Structure of a Modern Web Application
Modern Versus Legacy Web ApplicationsREST APIsJavaScript Object NotationJavaScriptVariables and ScopeFunctionsContextPrototypal InheritanceAsynchronyBrowser DOMSPA FrameworksAuthentication and Authorization SystemsAuthenticationAuthorizationWeb ServersServer-Side DatabasesClient-Side Data StoresSummary
4. Finding Subdomains
Multiple Applications per DomainThe Browser’s Built-In Network Analysis ToolsTaking Advantage of Public RecordsSearch Engine CachesAccidental ArchivesSocial SnapshotsZone Transfer AttacksBrute Forcing SubdomainsDictionary AttacksSummary
5. API Analysis
Endpoint DiscoveryAuthentication MechanismsEndpoint ShapesCommon ShapesApplication-Specific ShapesSummary
6. Identifying Third-Party Dependencies
Detecting Client-Side FrameworksDetecting SPA FrameworksDetecting JavaScript LibrariesDetecting CSS LibrariesDetecting Server-Side FrameworksHeader DetectionDefault Error Messages and 404 PagesDatabase DetectionSummary
7. Identifying Weak Points in Application Architecture
Secure Versus Insecure Architecture SignalsMultiple Layers of SecurityAdoption and ReinventionSummary
8. Part I Summary

II. Offense
9. Introduction to Hacking Web Applications
The Hacker’s MindsetApplied Recon
10. Cross-Site Scripting (XSS)
XSS Discovery and ExploitationStored XSSReflected XSSDOM-Based XSSMutation-Based XSSSummary
11. Cross-Site Request Forgery (CSRF)
Query Parameter TamperingAlternate GET PayloadsCSRF Against POST EndpointsSummary
12. XML External Entity (XXE)
Direct XXEIndirect XXESummary
13. Injection
SQL InjectionCode InjectionCommand InjectionSummary
14. Denial of Service (DoS)
regex DoS (ReDoS)Logical DoS VulnerabilitiesDistributed DoSSummary
15. Exploiting Third-Party Dependencies
Methods of IntegrationBranches and ForksSelf-Hosted Application IntegrationsSource Code IntegrationPackage ManagersJavaScriptJavaOther LanguagesCommon Vulnerabilities and Exposures DatabaseSummary
16. Part II Summary
III. Defense
17. Securing Modern Web Applications
Defensive Software ArchitectureComprehensive Code ReviewsVulnerability DiscoveryVulnerability AnalysisVulnerability ManagementRegression TestingMitigation StrategiesApplied Recon and Offense Techniques
18. Secure Application Architecture
Analyzing Feature RequirementsAuthentication and AuthorizationSecure Sockets Layer and Transport Layer SecuritySecure CredentialsHashing Credentials2FAPII and Financial DataSearchingSummary
19. Reviewing Code for Security
How to Start a Code ReviewArchetypical Vulnerabilities Versus Custom Logic BugsWhere to Start a Security ReviewSecure-Coding Anti-PatternsBlacklistsBoilerplate CodeTrust-By-Default Anti-PatternClient/Server SeparationSummary
20. Vulnerability Discovery
Security AutomationStatic AnalysisDynamic AnalysisVulnerability Regression TestingResponsible Disclosure ProgramsBug Bounty ProgramsThird-Party Penetration TestingSummary
21. Vulnerability Management
Reproducing VulnerabilitiesRanking Vulnerability SeverityCommon Vulnerability Scoring SystemCVSS: Base ScoringCVSS: Temporal ScoringCVSS: Environmental ScoringAdvanced Vulnerability ScoringBeyond Triage and ScoringSummary
22. Defending Against XSS Attacks
Anti-XSS Coding Best PracticesSanitizing User InputDOMParser SinkSVG SinkBlob SinkSanitizing HyperlinksHTML Entity EncodingCSSContent Security Policy for XSS PreventionScript SourceUnsafe Eval and Unsafe InlineImplementing a CSPSummary
23. Defending Against CSRF Attacks
Header VerificationCSRF TokensStateless CSRF TokensAnti-CRSF Coding Best PracticesStateless GET RequestsApplication-Wide CSRF MitigationSummary
24. Defending Against XXE
Evaluating Other Data FormatsAdvanced XXE RisksSummary
25. Defending Against Injection
Mitigating SQL InjectionDetecting SQL InjectionPrepared StatementsDatabase-Specific DefensesGeneric Injection DefensesPotential Injection TargetsPrinciple of Least AuthorityWhitelisting CommandsSummary
26. Defending Against DoS
Protecting Against Regex DoSProtecting Against Logical DoSProtecting Against DDoSDDoS MitigationSummary
27. Securing Third-Party Dependencies
Evaluating Dependency TreesModeling a Dependency TreeDependency Trees in the Real WorldAutomated EvaluationSecure Integration TechniquesSeparation of ConcernsSecure Package ManagementSummary
28. Part III Summary
The History of Software SecurityWeb Application ReconnaissanceOffenseDefense
29. Conclusion
Index

Content preview from Web Application Security

Chapter 2. Introduction to Web Application Reconnaissance

Web application reconnaissance refers to the explorative data-gathering phase that generally occurs prior to hacking a web application. Web application reconnaissance is typically performed by hackers, pen testers, or bug bounty hunters, but can also be an effective way for security engineers to find weakly secured mechanisms in a web application and patch them before a malicious actor find them. Reconnaissance (recon) skills by themselves do not have significant value, but become increasingly valuable when coupled with offensive hacking knowledge and defensive security engineering experience.

Information Gathering

We already know that recon is all about building a deep understanding of an application before attempting to hack it. We also know that recon is an essential part of a good hacker’s toolkit. But so far, our knowledge regarding recon stops about there. So let’s brainstorm some more technical reasons as to why recon is important.

Warning

Many of the recon techniques presented in the following chapters are useful for mapping applications, but also could get your IP flagged, potentially resulting in application bans or even legal action.

Most recon techniques should only be performed against applications you own, or have written permission to test.

Recon can be accomplished in many ways. Sometimes simply navigating through a web application and taking note of network requests will be all that you need to become ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781492053101Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design