Grokking Web Application Security

Author: McDonald Malcolm
Release date: 2024
Publisher: Manning Publications Co.
Number of pages: 336
File size: 20.7 MB
File type: PDF
Added by: codelibs

Grokking Web Application Security....1

brief contents....6

contents....8

foreword....14

preface....16

acknowledgments....18

about this book....20

about the author....22

Part 1 ....24

1 Know your enemy....26

Figuring out how hackers attack you (and why)....27

Surviving the fallout from getting hacked....31

Determining how paranoid you should be....32

Knowing where to start protecting yourself....34

Summary....36

2 Browser security....38

The parts of a browser....39

The JavaScript sandbox....40

Disk access....51

Cookies....54

Cross-site tracking....60

Summary....62

3 Encryption....64

The principles of encryption....65

Encryption keys....65

Encryption in transit....68

Encryption at rest....73

Integrity checking....77

Summary....79

4 Web server security....80

Validating input....81

Escaping output....88

Handling resources....98

Representation State Transfer (REST)....100

Defense in depth....101

The principle of least privilege....103

Summary....104

5 Security as a process....106

Using the four-eyes principle....107

Applying the principle of least privilege to processes....109

Automating everything you can....110

Not reinventing the wheel....111

Keeping audit trails....112

Writing code securely....114

Using tools to protect yourself....122

Owning your mistakes....126

Summary....127

Part 2 ....130

6 Browser vulnerabilities....132

Cross-site scripting....133

Cross-site request forgery....143

Clickjacking....151

Cross-site script inclusion....154

Summary....157

7 Network vulnerabilities....158

Monster-in-the-middle vulnerabilities....159

Misdirection vulnerabilities....165

Certificate compromise....176

Stolen keys....179

Summary....180

8 Authentication vulnerabilities....182

Brute-force attacks....183

Single sign-on....184

Strengthening your authentication....189

Multifactor authentication....193

Biometrics....195

Storing credentials....197

User enumeration....201

Summary....208

9 Session vulnerabilities....210

How sessions work....211

Session hijacking....216

Session tampering....220

Summary....221

10 Authorization vulnerabilities....222

Modeling authorization....224

Designing authorization....226

Implementing access control....226

Testing authorization....236

Spotting common authorization flaws....238

Summary....240

11 Payload vulnerabilities....242

Deserialization attacks....243

XML vulnerabilities....250

File upload vulnerabilities....256

Path traversal....261

Mass assignment....263

Summary....265

12 Injection vulnerabilities....266

Remote code execution....267

SQL injection....273

NoSQL injection....280

LDAP injection....282

Command injection....284

CRLF injection....286

Regex injection....288

Summary....290

13 Vulnerabilities in third-party code....292

Dependencies....295

Farther down the stack....300

Information leakage....301

Insecure configuration....305

Summary....307

14 Being an unwitting accomplice....308

Server-side request forgery....309

Email spoofing....313

Open redirects....315

Summary....317

15 What to do when you get hacked....318

Knowing when you’ve been hacked....319

Stopping an attack in progress....319

Figuring out what went wrong....321

Preventing the attack from happening again....322

Communicating details about the incident to users....322

Deescalating future attacks....323

Summary....324

index....326

Symbols....326

A....326

B....327

C....327

D....328

E....329

F....329

G....329

H....329

I....330

J....330

K....331

L....331

M....331

N....331

O....331

P....332

Q....332

R....332

S....333

T....334

U....334

V....335

W....335

X....335

Y....335

Z....335

Application security is a front-burner concern for web developers. Whether working on the UI with a frontend framework or building out the server side, it’s up to you to understand the threats and know exactly how to keep the black hats from getting the upper hand.

Grokking Web Application Security covers everything a working developer needs to know about securing applications in the browser and on the server. The tested techniques apply to any stack and are illustrated with concrete examples plucked from author Malcolm McDonald’s extensive career. You’ll discover must-implement security principles and even learn the fascinating tools and techniques the bad guys use to crack systems.

What's inside

  • A security-first development process
  • Encryption in web applications
  • Supply-chain and API attacks
  • What to do when a hacker gets in

About the reader

For readers who understand basic web application design and technologies.
