Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Andrew Hoffman, 2024

Table of Contents of the Book

  • Preface
  • Changes from the First Edition
  • Prerequisite Knowledge and Learning Goals
  • Why Are Examples in JavaScript?
  • Why Teach Concepts Instead of Tools?
  • Suggested Background
  • Minimum Required Skills
  • Who Benefits Most from Reading This Book?
  • Software Engineers and Web Application Developers
  • General Learning Goals
  • Security Engineers, Pen Testers, and Bug Bounty Hunters
  • How Is This Book Organized?
  • Recon
  • Offense
  • Defense
  • Language and Terminology
  • Summary
  • Conventions Used in This Book
  • O’Reilly Online Learning
  • How to Contact Us
  • Acknowledgments
  • 1. The History of Software Security
  • The Origins of Hacking
  • The Enigma Machine, Circa 1930
  • Automated Enigma Code Cracking, Circa 1940
  • Telephone “Phreaking,” Circa 1950
  • Anti-Phreaking Technology, Circa 1960
  • The Origins of Computer Hacking, Circa 1980
  • The Rise of the World Wide Web, Circa 2000
  • Hackers in the Modern Era, Circa 2015+
  • Summary
  • I. Recon
  • 2. Introduction to Web Application Reconnaissance
  • Information Gathering
  • Web Application Mapping
  • Summary
  • 3. The Structure of a Modern Web Application
  • Modern Versus Legacy Web Applications
  • REST APIs
  • JavaScript Object Notation
  • JavaScript
  • Variables and Scope
  • Functions
  • Context
  • Prototypal Inheritance
  • Asynchrony
  • Browser DOM
  • SPA Frameworks
  • Authentication and Authorization Systems
  • Authentication
  • Authorization
  • Web Servers
  • Server-Side Databases
  • Client-Side Data Stores
  • GraphQL
  • Version Control Systems
  • CDN/Cache
  • Summary
  • 4. Finding Subdomains
  • Multiple Applications per Domain
  • The Browser’s Built-In Network Analysis Tools
  • Taking Advantage of Public Records
  • Search Engine Caches
  • Accidental Archives
  • Social Snapshots
  • Zone Transfer Attacks
  • Brute Forcing Subdomains
  • Dictionary Attacks
  • Summary
  • 5. API Analysis
  • Endpoint Discovery
  • Authentication Mechanisms
  • Endpoint Shapes
  • Common Shapes
  • Application-Specific Shapes
  • Summary
  • 6. Identifying Third-Party Dependencies
  • Detecting Client-Side Frameworks
  • Detecting SPA Frameworks
  • Detecting JavaScript Libraries
  • Detecting CSS Libraries
  • Detecting Server-Side Frameworks
  • Header Detection
  • Default Error Messages and 404 Pages
  • Database Detection
  • Summary
  • 7. Identifying Weak Points in Application Architecture
  • Secure Versus Insecure Architecture Signals
  • Multiple Layers of Security
  • Adoption and Reinvention
  • Summary
  • 8. Part I Summary
  • II. Offense
  • 9. Introduction to Hacking Web Applications
  • The Hacker’s Mindset
  • Applied Recon
  • 10. Cross-Site Scripting
  • XSS Discovery and Exploitation
  • Stored XSS
  • Reflected XSS
  • DOM-Based XSS
  • Mutation-Based XSS
  • Bypassing Filters
  • Self-Closing HTML Tags
  • Protocol-Relative URLs
  • Malformed Tags
  • Encoding Escapes
  • Polyglot Payloads
  • XSS Sinks and Sources
  • Summary
  • 11. Cross-Site Request Forgery
  • Query Parameter Tampering
  • Alternate GET Payloads
  • CSRF Against POST Endpoints
  • Bypassing CSRF Defenses
  • Header Validation
  • Token Pools
  • Weak Tokens
  • Content Types
  • Regex Filter Bypasses
  • Iframe Payloads
  • AJAX Payloads
  • Zero Interaction Forms
  • Summary
  • 12. XML External Entity
  • XXE Fundamentals
  • Direct XXE
  • Indirect XXE
  • Out-of-Band Data Exfiltration
  • Account Takeover Workflow
  • Obtaining System User Data
  • Obtaining Password Hashes
  • Cracking Password Hashes
  • SSH Remote Login
  • Summary
  • 13. Injection
  • SQL Injection
  • Code Injection
  • Command Injection
  • Injection Data Exfiltration Techniques
  • Data Exfiltration Fundamentals
  • In-Band Data Exfiltration
  • Out-of-Band Data Exfiltration
  • Inferential Data Exfiltration
  • Bypassing Common Defenses
  • Summary
  • 14. Denial of Service
  • Regex DoS
  • Logical DoS Vulnerabilities
  • Distributed DoS
  • Advanced DoS
  • YoYo Attacks
  • Compression Attacks
  • Proxy-Based DoS
  • Summary
  • 15. Attacking Data and Objects
  • Mass Assignment
  • Insecure Direct Object Reference
  • Serialization Attacks
  • Web Serialization Explained
  • Attacking Weak Serialization
  • Summary
  • 16. Client-Side Attacks
  • Methods of Attacking a Browser Client
  • Client-Targeted Attacks
  • Client-Specific Attacks
  • Advantages of Client-Side Attacks
  • Prototype Pollution Attacks
  • Understanding Prototype Pollution
  • Attacking with Prototype Pollution
  • Prototype Pollution Archetypes
  • Clickjacking Attacks
  • Camera and Microphone Exploit
  • Creating Clickjacking Exploits
  • Tabnabbing and Reverse Tabnabbing
  • Traditional Tabnabbing
  • Reverse Tabnabbing
  • Summary
  • 17. Exploiting Third-Party Dependencies
  • Methods of Integration
  • Branches and Forks
  • Self-Hosted Application Integrations
  • Source Code Integration
  • Package Managers
  • JavaScript
  • Java
  • Other Languages
  • Common Vulnerabilities and Exposures Database
  • Summary
  • 18. Business Logic Vulnerabilities
  • Custom Math Vulnerabilities
  • Programmed Side Effects
  • Quasi-Cash Attacks
  • Vulnerable Standards and Conventions
  • Exploiting Business Logic Vulnerabilities
  • Summary
  • 19. Part II Summary
  • III. Defense
  • 20. Securing Modern Web Applications
  • Defensive Software Architecture
  • Comprehensive Code Reviews
  • Vulnerability Discovery
  • Vulnerability Analysis
  • Vulnerability Management
  • Regression Testing
  • Mitigation Strategies
  • Applied Recon and Offense Techniques
  • Summary
  • 21. Secure Application Architecture
  • Analyzing Feature Requirements
  • Authentication and Authorization
  • Secure Sockets Layer and Transport Layer Security
  • Secure Credentials
  • Hashing Credentials
  • MFA
  • PII and Financial Data
  • Search Engines
  • Zero Trust Architecture
  • The History of Zero Trust
  • Implicit Versus Explicit Trust
  • Authentication and Authorization
  • Summary
  • 22. Secure Application Configuration
  • Content Security Policy
  • Implementing CSP
  • CSP Structure
  • Important Directives
  • CSP Sources and Source Lists
  • Strict CSP
  • Example Secure CSP Policy
  • Cross-Origin Resource Sharing
  • Types of CORS Requests
  • Simple CORS Requests
  • Preflighted CORS Requests
  • Implementing CORS
  • Headers
  • Strict Transport Security
  • Cross-Origin-Opener Policy (COOP)
  • Cross-Origin-Resource-Policy (CORP)
  • Headers with Security Implications
  • Legacy Security Headers
  • Cookies
  • Creating and Securing Cookies
  • Testing Cookies
  • Framing and Sandboxing
  • Traditional Iframe
  • Web Workers
  • Subresource Integrity
  • Shadow Realms
  • Summary
  • 23. Secure User Experience
  • Information Disclosures and Enumeration
  • Information Disclosures
  • Enumeration
  • Secure User Experience Best Practices
  • Summary
  • 24. Threat Modeling Applications
  • Designing an Effective Threat Model
  • Threat Modeling by Example
  • Logic Design
  • Technical Design
  • Threat Identification (Threat Actors)
  • Threat Identification (Attack Vectors)
  • Identifying Mitigations
  • Delta Identification
  • Summary
  • 25. Reviewing Code for Security
  • How to Start a Code Review
  • Archetypical Vulnerabilities Versus Business Logic Vulnerabilities
  • Where to Start a Security Review
  • Secure-Coding Anti-Patterns
  • Blocklists
  • Boilerplate Code
  • Trust-by-Default
  • Client/Server Separation
  • Summary
  • 26. Vulnerability Discovery
  • Security Automation
  • Static Analysis
  • Dynamic Analysis
  • Vulnerability Regression Testing
  • Responsible Disclosure Programs
  • Bug Bounty Programs
  • Third-Party Penetration Testing
  • Summary
  • 27. Vulnerability Management
  • Reproducing Vulnerabilities
  • Ranking Vulnerability Severity
  • Common Vulnerability Scoring System
  • CVSS: Base Scoring
  • CVSS: Temporal Scoring
  • CVSS: Environmental Scoring
  • Advanced Vulnerability Scoring
  • Beyond Triage and Scoring
  • Summary
  • 28. Defending Against XSS Attacks
  • Anti-XSS Coding Best Practices
  • Sanitizing User Input
  • DOMParser Sink
  • SVG Sink
  • Blob Sink
  • Sanitizing Hyperlinks
  • HTML Entity Encoding
  • CSS XSS
  • Content Security Policy for XSS Prevention
  • Script Source
  • Unsafe Eval and Unsafe Inline
  • Implementing a CSP
  • Summary
  • 29. Defending Against CSRF Attacks
  • Header Verification
  • CSRF Tokens
  • Anti-CSRF Coding Best Practices
  • Stateless GET Requests
  • Application-Wide CSRF Mitigation
  • Summary
  • 30. Defending Against XXE
  • Evaluating Other Data Formats
  • Advanced XXE Risks
  • Summary
  • 31. Defending Against Injection
  • Mitigating SQL Injection
  • Detecting SQL Injection
  • Prepared Statements
  • Database-Specific Defenses
  • Generic Injection Defenses
  • Potential Injection Targets
  • Principle of Least Authority
  • Allowlisting Commands
  • Summary
  • 32. Defending Against DoS
  • Protecting Against Regex DoS
  • Protecting Against Logical DoS
  • Protecting Against DDoS
  • Summary
  • 33. Defending Data and Objects
  • Defending Against Mass Assignment
  • Validation and Allowlisting
  • Data Transfer Objects
  • Defending Against IDOR
  • Defending Against Serialization Attacks
  • Summary
  • 34. Defense Against Client-Side Attacks
  • Defending Against Prototype Pollution
  • Key Sanitization
  • Prototype Freezing
  • Null Prototypes
  • Defending Against Clickjacking
  • Frame Ancestors
  • Framebusting
  • Defending Against Tabnabbing
  • Cross-Origin-Opener Policy
  • Link Blockers
  • Isolation Policies
  • Summary
  • 35. Securing Third-Party Dependencies
  • Evaluating Dependency Trees
  • Modeling a Dependency Tree
  • Dependency Trees in the Real World
  • Automated Evaluation
  • Secure Integration Techniques
  • Separation of Concerns
  • Secure Package Management
  • Summary
  • 36. Mitigating Business Logic Vulnerabilities
  • Architecture-Level Mitigations
  • Statistical Modeling
  • Modeling Inputs
  • Modeling Actions
  • Model Development
  • Model Analysis
  • Summary
  • 37. Part III Summary
  • Conclusion
  • The History of Software Security
  • Recon
  • Offense
  • Defense
  • More to Learn
  • Index
  • About the Author