Web Application Security

In the first edition of this critically acclaimed book, Andrew Hoffman defined the three pillars of application security: reconnaissance, offense, and defense. In this revised and updated second edition, he examines dozens of related topics, from the latest types of attacks and mitigations to threat modeling, the secure software development lifecycle (SSDL/SDLC), and more. Hoffman, senior staff security engineer at Ripple, also covers exploits and mitigations for several additional web application technologies, such as GraphQL, cloud-based deployments, content delivery networks (CDNs), and server-side rendering (SSR).

Following the curriculum of the first edition, this second edition is split into three distinct pillars, each comprising a separate skill set:

Pillar 1: Recon. Learn techniques for mapping and documenting web applications remotely, including procedures for working with web applications.

Pillar 2: Offense. Explore methods for attacking web applications using a number of highly effective exploits that have been proven by the best hackers in the world. These skills are valuable when used alongside the skills from Pillar 3.

Pillar 3: Defense. Build on the skills acquired in the first two parts to construct effective and long-lived mitigations for each of the attacks described in Pillar 2.

Author(s): Andrew Hoffman
Edition: 2
Publisher: O'Reilly Media
Year: 2023

Language: English

Preface
Changes from the First Edition
Prerequisite Knowledge and Learning Goals
Why Are Examples in JavaScript?
Why Teach Concepts Instead of Tools?
Suggested Background
Minimum Required Skills
Who Benefits Most from Reading This Book?
Software Engineers and Web Application Developers
General Learning Goals
Security Engineers, Pen Testers, and Bug Bounty Hunters
How Is This Book Organized?
Recon
Offense
Defense
Language and Terminology
Summary
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
1. The History of Software Security
The Origins of Hacking
The Enigma Machine, Circa 1930
Automated Enigma Code Cracking, Circa 1940
Telephone “Phreaking,” Circa 1950
Anti-Phreaking Technology, Circa 1960
The Origins of Computer Hacking, Circa 1980
The Rise of the World Wide Web, Circa 2000
Hackers in the Modern Era, Circa 2015+
Summary
I. Recon
2. Introduction to Web Application Reconnaissance
Information Gathering
Web Application Mapping
Summary
3. The Structure of a Modern Web Application
Modern Versus Legacy Web Applications
REST APIs
JavaScript Object Notation
JavaScript
Variables and Scope
Functions
Context
Prototypal Inheritance
Asynchrony
Browser DOM
SPA Frameworks
Authentication and Authorization Systems
Authentication
Authorization
Web Servers
Server-Side Databases
Client-Side Data Stores
GraphQL
Version Control Systems
CDN/Cache
Summary
4. Finding Subdomains
Multiple Applications per Domain
The Browser’s Built-In Network Analysis Tools
Taking Advantage of Public Records
Search Engine Caches
Accidental Archives
Social Snapshots
Zone Transfer Attacks
Brute Forcing Subdomains
Dictionary Attacks
Summary
5. API Analysis
Endpoint Discovery
Authentication Mechanisms
Endpoint Shapes
Common Shapes
Application-Specific Shapes
Summary
6. Identifying Third-Party Dependencies
Detecting Client-Side Frameworks
Detecting SPA Frameworks
Detecting JavaScript Libraries
Detecting CSS Libraries
Detecting Server-Side Frameworks
Header Detection
Default Error Messages and 404 Pages
Database Detection
Summary
7. Identifying Weak Points in Application Architecture
Secure Versus Insecure Architecture Signals
Multiple Layers of Security
Adoption and Reinvention
Summary
8. Part I Summary
II. Offense
9. Introduction to Hacking Web Applications
The Hacker’s Mindset
Applied Recon
10. Cross-Site Scripting
XSS Discovery and Exploitation
Stored XSS
Reflected XSS
DOM-Based XSS
Mutation-Based XSS
Bypassing Filters
Self-Closing HTML Tags
Protocol-Relative URLs
Malformed Tags
Encoding Escapes
Polyglot Payloads
XSS Sinks and Sources
Summary
11. Cross-Site Request Forgery
Query Parameter Tampering
Alternate GET Payloads
CSRF Against POST Endpoints
Bypassing CSRF Defenses
Header Validation
Token Pools
Weak Tokens
Content Types
Regex Filter Bypasses
Iframe Payloads
AJAX Payloads
Zero Interaction Forms
Summary
12. XML External Entity
XXE Fundamentals
Direct XXE
Indirect XXE
Out-of-Band Data Exfiltration
Account Takeover Workflow
Obtaining System User Data
Obtaining Password Hashes
Cracking Password Hashes
SSH Remote Login
Summary
13. Injection
SQL Injection
Code Injection
Command Injection
Injection Data Exfiltration Techniques
Data Exfiltration Fundamentals
In-Band Data Exfiltration
Out-of-Band Data Exfiltration
Inferential Data Exfiltration
Bypassing Common Defenses
Summary
14. Denial of Service
Regex DoS
Logical DoS Vulnerabilities
Distributed DoS
Advanced DoS
YoYo Attacks
Compression Attacks
Proxy-Based DoS
Summary
15. Attacking Data and Objects
Mass Assignment
Insecure Direct Object Reference
Serialization Attacks
Web Serialization Explained
Attacking Weak Serialization
Summary
16. Client-Side Attacks
Methods of Attacking a Browser Client
Client-Targeted Attacks
Client-Specific Attacks
Advantages of Client-Side Attacks
Prototype Pollution Attacks
Understanding Prototype Pollution
Attacking with Prototype Pollution
Prototype Pollution Archetypes
Clickjacking Attacks
Camera and Microphone Exploit
Creating Clickjacking Exploits
Tabnabbing and Reverse Tabnabbing
Traditional Tabnabbing
Reverse Tabnabbing
Summary
17. Exploiting Third-Party Dependencies
Methods of Integration
Branches and Forks
Self-Hosted Application Integrations
Source Code Integration
Package Managers
JavaScript
Java
Other Languages
Common Vulnerabilities and Exposures Database
Summary
18. Business Logic Vulnerabilities
Custom Math Vulnerabilities
Programmed Side Effects
Quasi-Cash Attacks
Vulnerable Standards and Conventions
Exploiting Business Logic Vulnerabilities
Summary
19. Part II Summary
III. Defense
20. Securing Modern Web Applications
Defensive Software Architecture
Comprehensive Code Reviews
Vulnerability Discovery
Vulnerability Analysis
Vulnerability Management
Regression Testing
Mitigation Strategies
Applied Recon and Offense Techniques
Summary
21. Secure Application Architecture
Analyzing Feature Requirements
Authentication and Authorization
Secure Sockets Layer and Transport Layer Security
Secure Credentials
Hashing Credentials
MFA
PII and Financial Data
Search Engines
Zero Trust Architecture
The History of Zero Trust
Implicit Versus Explicit Trust
Authentication and Authorization
Summary
22. Secure Application Configuration
Content Security Policy
Implementing CSP
CSP Structure
Important Directives
CSP Sources and Source Lists
Strict CSP
Example Secure CSP Policy
Cross-Origin Resource Sharing
Types of CORS Requests
Simple CORS Requests
Preflighted CORS Requests
Implementing CORS
Headers
Strict Transport Security
Cross-Origin-Opener Policy (COOP)
Cross-Origin-Resource-Policy (CORP)
Headers with Security Implications
Legacy Security Headers
Cookies
Creating and Securing Cookies
Testing Cookies
Framing and Sandboxing
Traditional Iframe
Web Workers
Subresource Integrity
Shadow Realms
Summary
23. Secure User Experience
Information Disclosures and Enumeration
Information Disclosures
Enumeration
Secure User Experience Best Practices
Summary
24. Threat Modeling Applications
Designing an Effective Threat Model
Threat Modeling by Example
Logic Design
Technical Design
Threat Identification (Threat Actors)
Threat Identification (Attack Vectors)
Identifying Mitigations
Delta Identification
Summary
25. Reviewing Code for Security
How to Start a Code Review
Archetypical Vulnerabilities Versus Business Logic Vulnerabilities
Where to Start a Security Review
Secure-Coding Anti-Patterns
Blocklists
Boilerplate Code
Trust-by-Default
Client/Server Separation
Summary
26. Vulnerability Discovery
Security Automation
Static Analysis
Dynamic Analysis
Vulnerability Regression Testing
Responsible Disclosure Programs
Bug Bounty Programs
Third-Party Penetration Testing
Summary
27. Vulnerability Management
Reproducing Vulnerabilities
Ranking Vulnerability Severity
Common Vulnerability Scoring System
CVSS: Base Scoring
CVSS: Temporal Scoring
CVSS: Environmental Scoring
Advanced Vulnerability Scoring
Beyond Triage and Scoring
Summary
28. Defending Against XSS Attacks
Anti-XSS Coding Best Practices
Sanitizing User Input
DOMParser Sink
SVG Sink
Blob Sink
Sanitizing Hyperlinks
HTML Entity Encoding
CSS XSS
Content Security Policy for XSS Prevention
Script Source
Unsafe Eval and Unsafe Inline
Implementing a CSP
Summary
29. Defending Against CSRF Attacks
Header Verification
CSRF Tokens
Anti-CSRF Coding Best Practices
Stateless GET Requests
Application-Wide CSRF Mitigation
Summary
30. Defending Against XXE
Evaluating Other Data Formats
Advanced XXE Risks
Summary
31. Defending Against Injection
Mitigating SQL Injection
Detecting SQL Injection
Prepared Statements
Database-Specific Defenses
Generic Injection Defenses
Potential Injection Targets
Principle of Least Authority
Allowlisting Commands
Summary
32. Defending Against DoS
Protecting Against Regex DoS
Protecting Against Logical DoS
Protecting Against DDoS
Summary
33. Defending Data and Objects
Defending Against Mass Assignment
Validation and Allowlisting
Data Transfer Objects
Defending Against IDOR
Defending Against Serialization Attacks
Summary
34. Defense Against Client-Side Attacks
Defending Against Prototype Pollution
Key Sanitization
Prototype Freezing
Null Prototypes
Defending Against Clickjacking
Frame Ancestors
Framebusting
Defending Against Tabnabbing
Cross-Origin-Opener Policy
Link Blockers
Isolation Policies
Summary
35. Securing Third-Party Dependencies
Evaluating Dependency Trees
Modeling a Dependency Tree
Dependency Trees in the Real World
Automated Evaluation
Secure Integration Techniques
Separation of Concerns
Secure Package Management
Summary
36. Mitigating Business Logic Vulnerabilities
Architecture-Level Mitigations
Statistical Modeling
Modeling Inputs
Modeling Actions
Model Development
Model Analysis
Summary
37. Part III Summary
Conclusion
The History of Software Security
Recon
Offense
Defense
More to Learn
Index
About the Author