Secure Web Application Development: A Hands-On Guide with Python and Django

Cyberattacks are becoming more commonplace, and the Open Web Application Security Project (OWASP) estimates that 94% of sites have flaws in their access control alone. Attacks evolve to work around new defenses, and defenses must evolve to remain effective. Developers need to understand the fundamentals of attacks and defenses in order to comprehend new techniques as they become available. This book teaches you how to write secure web applications.
The focus is on how attackers compromise applications, together with a broad arsenal of defenses. This will enable you to pick appropriate techniques to close vulnerabilities while still providing users with the functionality they need.

Topics covered include:

  • A framework for deciding what needs to be protected and how strongly
  • Configuring services such as databases and web servers
  • Safe use of HTTP methods (GET, POST, etc.), cookies, and HTTPS
  • Safe REST APIs
  • Server-side attacks and defenses such as injection and cross-site scripting
  • Client-side attacks and defenses such as cross-site request forgery
  • Security techniques such as CORS, CSP
  • Password management, authentication and authorization, including OAuth2
  • Best practices for dangerous operations such as password change and reset
  • Use of third-party components and supply chain security (Git, CI/CD, etc.)

What You'll Learn
  • Review the defenses that can be used to prevent attacks
  • Model risks to better understand what to defend and how
  • Choose appropriate techniques to defend against attacks
  • Implement defenses in Python/Django applications

Who This Book Is For

  • Developers who already know how to build web applications but need to know more about security
  • Non-professional software engineers, such as scientists, who must develop web tools and want to make their algorithms available to a wider audience
  • Engineers and managers who are responsible for their product/company technical security policy

Author(s): Matthew Baker
Edition: 1
Publisher: Apress
Year: 2022

Language: English
Pages: 483

Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Chapter 1: Introduction
1.1 About This Book
1.2 Who This Book Is For
1.3 Types of Attack
Server-Side Attacks
Client-Side Attacks
1.4 Defense in Depth
1.5 Conventions Used in This Book
1.6 How This Book Is Organized
Chapter 2: The Hands-On Environment
2.1 Introducing the Hands-On Environment
2.2 Installing a Virtualization Back End (Mac with M1)
Install Docker Desktop
Install Xcode and Docker Mac Net Connect
2.3 Installing a Virtualization Back End (All Other Platforms)
Install VirtualBox
2.4 Install Other Dependencies (All Platforms)
Install Vagrant
Install Web Browsers
Install HTTP Toolkit
Install Windows Terminal (Optional)
Install a Text Editor (Optional)
2.5 Downloading and Building the VMs
Running Applications in Vagrant
Building the Vagrant VM
2.6 Directory Structure
2.7 Using the Hands-On Environment
Using the Vagrant VMs
The Web Server
The Database
MailCatcher
Changing the Code
Starting from Scratch
2.8 The Linux Command Line
Command-Line Input
Navigating the Filesystem
Linux Permissions
Set UserID and GroupID Flags
Permissions in Vagrant
Becoming a Different User
Environment Variables
Text Editors
Starting and Stopping Processes
Clearing the Terminal
Exiting Bash
2.9 Summary
Chapter 3: Threat Modelling
3.1 What Is Threat Modelling?
3.2 Asset-Based Threat Modelling
Assets
Threats
Threat Actors
3.3 STRIDE
3.4 Data-Flow Threat Modelling
Data-Flow Diagrams
Trust Boundaries
3.5 Responding to Threats
3.6 Attack Vectors
3.7 Attack Surfaces
3.8 Summary
Chapter 4: Transport and Encryption
4.1 The Hypertext Transfer Protocol
Requests and Responses
Request Methods
Response Codes
4.2 Symmetric and Public Key Cryptography
Types of Encryption
Symmetric-Key Algorithms
Public-Key Encryption Algorithms
Hashing
Base64 Encoding
Digital Signatures
Key Exchange
4.3 Authentication and Certificates
Proving Authenticity
Types of Certificates
Popular Authentication Authorities
4.4 HTTPS
TLS Version 1.2
Perfect Forward Secrecy
TLS Version 1.3
4.5 Summary
Chapter 5: Installing and Configuring Services
5.1 Designing the Service Architecture
5.2 Web Application Frameworks
5.3 Man-in-the-Middle Attacks
Defending Against Man-in-the-Middle Attacks
Session Hijacking Attacks
5.4 Denial-of-Service Attacks
The Slowloris Attack
Consuming Back-End Resources
5.5 Setting Up HTTPS
HTTPS with Let’s Encrypt
Creating a Self-Signed Certificate
Browser Requirements for Self-Signed Certificates
Permanent Redirects
5.6 Reverse Proxies and Tunnels
Reverse Proxies
SSH Tunnels
5.7 Server Configuration
Hiding Service Details
Host Firewalls
TCP Wrappers
Using a Host Firewall and TCP Wrappers Together
Hiding Errors
Custom 404 and 500 Pages
Default Passwords
5.8 Database Configuration
Database Password Management
Access to the Database Host and Port
Postgres Configuration
Web-Based Administration Consoles
5.9 Securing the Filesystem
The Web Server’s Public Path
Code Directories
Upload Directories
Django Static Directories
Secrets
5.10 Summary
Chapter 6: APIs and Endpoints
6.1 URLs
6.2 REST APIs
GET Requests
POST Requests
PUT Requests
PATCH Requests
DELETE Requests
REST APIs in Django
6.3 Unit Testing Permissions
6.4 Deserialization Attacks
XML Attacks
Function Calls and Creation
Defending Against Deserialization Attacks
6.5 Summary
Chapter 7: Cookies and User Input
7.1 Types of User Input
7.2 Cookies
The Expires and Max-Age Attributes
Domain and Path
The Secure and HttpOnly Attributes
The SameSite Cookie Setting
Session ID Cookies
Session IDs and the SameSite Setting
7.3 Injection Attacks
7.4 SQL Injection
Schema Discovery
Finding SQL Injection Vulnerabilities
Defending Against SQL Injection
7.5 Command Injection
Back Doors
Defending Against Command Injection
Combining SQL and Command Injection
7.6 Server-Side Request Forgery
Defending Against Server-Side Request Forgery
7.7 Cross-Site Scripting (XSS)
Reflected XSS
Stored XSS
DOM-Based XSS
Defending Against Cross-Site Scripting
HTML Injection
7.8 Content Sniffing
7.9 Summary
Chapter 8: Cross-Site Requests
8.1 Cross-Origin Resource Sharing (CORS)
CORS and Credentials
Setting CORS Headers
8.2 Cross-Site Request Forgery (CSRF)
CSRF Tokens
CSRF Tokens in Django
CSRF Attacks
CSRF and CORS
CSRF and Cookie Security
CSRF Summary
8.3 Clickjacking and Frame Security
8.4 Content Security Policy (CSP)
Inline Scripts and Styles
CSP Reporting
CSP in Django
Nonces in Django
8.5 Subresource Integrity (SRI)
8.6 Summary
Chapter 9: Password Management
9.1 Storing Passwords
Brute-Force Attacks
Rainbow Table Attacks
Salted Hashes
HMAC and PBKDF2 Password Security
9.2 Password Policies
9.3 Password Reset
Password Reset in Django
9.4 Passwords and Source Code Control
9.5 Summary
Chapter 10: Authentication and Authorization
10.1 Authentication vs. Authorization
10.2 Username and Password Authentication
HTTP Authentication
Basic Authentication
Digest Authentication
Limitations of HTTP Authentication
Form-Based Authentication
Form-Based Authentication in Django
Adding Authentication to URLs in Django
Disadvantages of Form-Based Authentication
10.3 One-Time Passwords
HMAC-Based One-Time Passwords
Time-Based One-Time Passwords
Sending OTPs via SMS
Google Authenticator
Installing the Secret Key
10.4 Authentication with Public-Key Cryptography
Registration
Authentication
10.5 Biometric Authentication
Biometric Authentication with WebAuthn
10.6 Role-Based Authorization
Role-Based Authorization in Django
Using Django Permissions
10.7 JSON Web Tokens (JWTs)
Storing and Transmitting JWTs
Revoking JWTs
10.8 API Keys
Sending API Keys
API Keys in Django
10.9 Summary
Chapter 11: OAuth2
11.1 OAuth2 Terminology
11.2 Authorization Code Flow
Attacks Prevented by the Authorization Code Flow
Omitting the Authorization Code
Authorization Code Redirect URI Manipulation
Cross-Site Request Forgery
Other Attacks
Authorization Code Flow in Django
11.3 Implicit Flow
11.4 Authorization Code with PKCE Flow
11.5 Password Flow
11.6 Client Credentials Flow
11.7 Device Flow
11.8 Refresh Token Flow
11.9 OpenID Connect
OIDC Authorization Code Flow
OIDC in Django
11.10 Summary
Chapter 12: Logging and Monitoring
12.1 Logging, Aggregating, and Analytics
12.2 The ELK Stack
Loading Log Files with Logstash
12.3 Creating Custom Log Files
12.4 Creating Alerts for Security Events
12.5 Summary
Chapter 13: Third-Party and Supply Chain Security
13.1 Staff Member Security
OSINT Threats to Staff Members
Example 1
Example 2
Example 3
Defenses Against OSINT Attacks
13.2 Third-Party Code
Back-End Dependencies
Front-End Dependencies
13.3 Supply Chain Security
The in-toto Framework
Using SLSA and in-toto
13.4 Summary
Chapter 14: Further Resources
14.1 Vulnerability Databases
14.2 News and Alerts Sites
14.3 The OWASP Top Ten
Broken Access Control
Cryptographic Failures
Injection
Insecure Design
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
14.4 Summary
Bibliography
Index