Web Security for Developers: Real Threats, Practical Defense

Malcolm McDonald, 2020

Table of Contents of the Book

  • Cover Page
  • Title Page
  • Copyright Page
  • About the Authors
  • BRIEF CONTENTS
  • CONTENTS IN DETAIL
  • ACKNOWLEDGMENTS
  • INTRODUCTION
  • About This Book
  • Who Should Read This Book
  • A Brief History of the Internet
  • What’s in This Book
  • 1 LET’S HACK A WEBSITE
  • Software Exploits and the Dark Web
  • How to Hack a Website
  • Part I: The Basics
  • 2 HOW THE INTERNET WORKS
  • The Internet Protocol Suite
  • Application Layer Protocols
  • Stateful Connections
  • Encryption
  • Summary
  • 3 HOW BROWSERS WORK
  • Web Page Rendering
  • JavaScript
  • Before and After Rendering: Everything Else the Browser Does
  • Summary
  • 4 HOW WEB SERVERS WORK
  • Static and Dynamic Resources
  • Static Resources
  • Dynamic Resources
  • Summary
  • 5 HOW PROGRAMMERS WORK
  • Phase 1: Design and Analysis
  • Phase 2: Writing Code
  • Phase 3: Pre-Release Testing
  • Phase 4: The Release Process
  • Phase 5: Post-Release Testing and Observation
  • Dependency Management
  • Summary
  • Part II: The Threats
  • 6 INJECTION ATTACKS
  • SQL Injection
  • Command Injection
  • Remote Code Execution
  • File Upload Vulnerabilities
  • Summary
  • 7 CROSS-SITE SCRIPTING ATTACKS
  • Stored Cross-Site Scripting Attacks
  • Reflected Cross-Site Scripting Attacks
  • DOM-Based Cross-Site Scripting Attacks
  • Summary
  • 8 CROSS-SITE REQUEST FORGERY ATTACKS
  • Anatomy of a CSRF Attack
  • Mitigation 1: Follow REST Principles
  • Mitigation 2: Implement Anti-CSRF Cookies
  • Mitigation 3: Use the SameSite Cookie Attribute
  • Bonus Mitigation: Require Reauthentication for Sensitive Actions
  • Summary
  • 9 COMPROMISING AUTHENTICATION
  • Implementing Authentication
  • Mitigation 1: Use Third-Party Authentication
  • Mitigation 2: Integrate with Single Sign-On
  • Mitigation 3: Secure Your Own Authentication System
  • Summary
  • 10 SESSION HIJACKING
  • How Sessions Work
  • How Attackers Hijack Sessions
  • Summary
  • 11 PERMISSIONS
  • Privilege Escalation
  • Access Control
  • Directory Traversal
  • Summary
  • 12 INFORMATION LEAKS
  • Mitigation 1: Disable Telltale Server Headers
  • Mitigation 2: Use Clean URLs
  • Mitigation 3: Use Generic Cookie Parameters
  • Mitigation 4: Disable Client-Side Error Reporting
  • Mitigation 5: Minify or Obfuscate Your JavaScript Files
  • Mitigation 6: Sanitize Your Client-Side Files
  • Stay on Top of Security Advisories
  • Summary
  • 13 ENCRYPTION
  • Encryption in the Internet Protocol
  • Enabling HTTPS
  • Attacking HTTP (and HTTPS)
  • Summary
  • 14 THIRD-PARTY CODE
  • Securing Dependencies
  • Securing Configuration
  • Securing the Services That You Use
  • Services as an Attack Vector
  • Summary
  • 15 XML ATTACKS
  • The Uses of XML
  • Validating XML
  • XML Bombs
  • XML External Entity Attacks
  • Securing Your XML Parser
  • Other Considerations
  • Summary
  • 16 DON’T BE AN ACCESSORY
  • Email Fraud
  • Disguising Malicious Links in Email
  • Clickjacking
  • Server-Side Request Forgery
  • Botnets
  • Summary
  • 17 DENIAL-OF-SERVICE ATTACKS
  • Denial-of-Service Attack Types
  • Denial-of-Service Attack Mitigation
  • Summary
  • 18 SUMMING UP
  • INDEX