Author: Dafydd Stuttard & Marcus Pinto
Reviewer(s): OM NARAYAN, JAYESH MHATRE

Helpful links: Course & Book

Chapter 1: Web Application (In)security

Web application security has become an essential element of almost every web application developed today, because web applications are favourite targets for attackers. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. Reputation plays a critical role: few people want to do business with an insecure website, so few organizations want to disclose details about their own security vulnerabilities or breaches. Hence it is not a trivial task to obtain reliable information about the state of web application security today.

The book is essentially split into three sections:

Chapter 2: Core Defense Mechanisms

This chapter deals with the various defense mechanisms that can be applied in a web application. The fundamental security problem with web applications — that all user input is untrusted — gives rise to a number of security mechanisms that applications use to defend themselves against attack. Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation vary greatly. The defense mechanisms employed by web applications comprise the following core elements:

Chapter 3: Web Application Technologies

This chapter surveys the many web application technologies in use today. It deals primarily with the underlying HTTP protocol and the request methods it supports (POST, GET, HEAD and DELETE, to name a few), and it covers the various web application frameworks along with the language support for each of them.

Chapter 4: Mapping the Application

This chapter describes the first exercise you need to perform when targeting a new application — gathering as much information as possible to map its attack surface and formulate your plan of attack. This process includes exploring and probing the application to catalog all its content and functionality, identifying all the entry points for user input, and discovering the technologies in use.

Chapter 5: Bypassing Client-Side Controls

This chapter covers the first area of actual vulnerability, which arises when an application relies on controls implemented on the client side for its security. This approach normally is flawed, because any client-side controls can, of course, be circumvented. The two main ways in which applications make themselves vulnerable are by transmitting data via the client on the assumption that it will not be modified, and by relying on client-side checks on user input. This chapter describes a range of interesting technologies, including lightweight controls implemented within HTML, HTTP, and JavaScript, and more heavyweight controls using Java applets, ActiveX controls, Silverlight, and Flash objects.
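The second of the two failure modes above, trusting data that merely passed through the client, is easiest to see in code. The following Python snippet is an added example, not code from the book: it contrasts an order handler that multiplies a hidden price field sent back by the browser with one that ignores the client's price, looks the price up by product id, and re-checks the quantity on the server. The catalogue, the field names and both request dictionaries are constructed for the example.

```python
"""Order-total handling that contrasts trusting client-transmitted data with
re-validating everything on the server. The catalogue, field names and
request dictionaries are constructed for this example."""
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}
MAX_QTY = 10  # the limit a client-side JavaScript check might also enforce


def total_trusting_client(form: dict) -> Decimal:
    """Vulnerable: multiplies a hidden 'price' field the browser sent back by a
    quantity the server assumes was already range-checked by JavaScript."""
    return Decimal(form["price"]) * int(form["qty"])


def total_server_validated(form: dict) -> Decimal:
    """Hardened: the client-supplied price is ignored entirely; the price is
    looked up by product id and the quantity is re-checked on the server.
    Raises ValueError for any request that fails validation."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown product")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"quantity must be between 1 and {MAX_QTY}")
    return CATALOGUE[sku] * qty


# Constructed request as submitted by an unmodified browser.
HONEST = {"sku": "SKU-100", "price": "49.99", "qty": "2"}
# Constructed request with the hidden price rewritten and the quantity
# outside the range the client-side check would have allowed.
TAMPERED = {"sku": "SKU-200", "price": "0.01", "qty": "100"}

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED))
    try:
        total_server_validated(TAMPERED)
    except ValueError as err:
        print("server-validated handler rejected the request:", err)
```

The lesson generalizes beyond prices: any value the server needs (price, role, account id, discount) must come from server-side state keyed by an identifier, and any limit the client enforces must be enforced again on the server.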

Chapter 6: Attacking Authentication

This chapter first describes the various authentication mechanisms: HTML forms-based authentication; multifactor mechanisms, such as those combining passwords and physical tokens; client SSL certificates and/or smart cards; HTTP basic and digest authentication; Windows-integrated authentication using NTLM or Kerberos; and authentication services. It then explains the various flaws found in authentication mechanisms.

Chapter 7: Attacking Session Management

This chapter examines the mechanism by which most applications supplement the stateless HTTP protocol with the concept of a session that links a user's different requests. This mechanism is a key target when attacking a web application, because if you can break it, you can effectively bypass the login and masquerade as other users without knowing their credentials.
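Whether the session mechanism can be broken comes down to how the token is made and where the user identity is kept. The Python below is an added example, not code from the book: it places a structured, decodable token (base64 of the username and a counter) beside a store that hands out opaque 256-bit random tokens and keeps the identity only in a server-side map with expiry and explicit logout. The store class, the lifetime and the sample users are constructed for the example.

```python
"""Server-side session handling: a structured, guessable token beside an
opaque random token with server-side state and expiry. The store, the
lifetime and the sample users are constructed for this example."""
import base64
import secrets
import time

SESSION_LIFETIME = 15 * 60  # seconds of inactivity before a session expires


def weak_token(username: str, counter: int) -> str:
    """Vulnerable: the token is just base64 of 'user:counter'. Anyone holding
    one token learns the format, can decode it, and can predict neighbours."""
    return base64.urlsafe_b64encode(f"{username}:{counter}".encode()).decode()


def decode_weak_token(token: str) -> tuple[str, int]:
    """Shows why weak_token offers no secrecy: its content is recoverable."""
    user, counter = base64.urlsafe_b64decode(token).decode().split(":")
    return user, int(counter)


class SessionStore:
    """Hardened: tokens are 256 bits from a CSPRNG and carry no meaning; the
    user identity lives only in this server-side map, with expiry."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry is testable
        self._sessions: dict[str, tuple[str, float]] = {}

    def create(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes, URL-safe text
        self._sessions[token] = (username, self._now() + SESSION_LIFETIME)
        return token

    def user_for(self, token: str):
        """Return the user bound to the token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            del self._sessions[token]  # expired sessions are purged
            return None
        # Sliding expiry: activity extends the session.
        self._sessions[token] = (username, self._now() + SESSION_LIFETIME)
        return username

    def destroy(self, token: str) -> None:
        """Logout: invalidate the token server-side, not just in the cookie."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print("opaque token:", token, "->", store.user_for(token))
    print("weak token decodes to:", decode_weak_token(weak_token("alice", 41)))
```

In a real deployment the token is carried in a cookie flagged Secure and HttpOnly, and the store would be shared (for example a database or cache) rather than a per-process dictionary; the properties that matter are unchanged: unpredictable, meaningless tokens, server-side binding to the user, and expiry plus server-side invalidation on logout.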

Chapter 8: Attacking Access Controls

This chapter deals with the categories of access controls that can be implemented in a web application, how such controls can be vulnerable and exploited, and the solutions that mitigate such attacks. The following access control mechanisms can be exploited if they are not implemented securely:

Below are the various defense mechanisms that can be deployed to mitigate such attacks:

Chapters 9 and 10: Attacking Data Stores and Back-End Components

These chapters discuss the potential attack surface presented by data stores such as SQL databases, XML-based repositories and LDAP directories, and by back-end services such as SOAP and SMTP. Vulnerabilities in a web application can allow SQL injection, XML-based injection such as XPath injection, and LDAP injection, any of which can reveal sensitive data. There are numerous approaches to mitigating these attacks; the most important and generic one is to sanitize user input and to enforce validation on the server as well as on the client.

Chapter 11: Attacking Application Logic

This chapter deals with the various application logic flaws that can be exploited to gain unauthorized access. Missing null checks, failing to check the size of input, and improper exception and error handling can all be categorized as application logic flaws. Sometimes an inherent assumption made by the developers leads to a logical or functional flaw. The chapter states a few secure coding practices, but these cannot be considered a silver bullet. A few of the secure coding practices are:

Chapter 12: Attacking Users: Cross-Site Scripting

This chapter discusses the most prevalent attack against web applications. Cross-site scripting features in the OWASP Top 10 list of web vulnerabilities. The chapter explains XSS and its various types in detail, together with mitigation techniques for each of them. Below are the various types of XSS:

It mentions various mitigation techniques, but again there is no silver bullet. The best practices for mitigating these attacks are:
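The practice that does the most work is output encoding chosen for the context the data lands in. The Python below is an added example, not code from the book: it reflects a search term into a page fragment verbatim (the vulnerable case), then encodes the same term correctly for HTML element content, for a quoted HTML attribute, and for a JavaScript string inside an inline script, where HTML entity encoding would be the wrong tool. The page fragments and the sample input are constructed for the example.

```python
"""Reflected output in three contexts: raw interpolation (vulnerable) beside
context-appropriate encoding for HTML text, an HTML attribute and a JavaScript
string. The page fragments and sample input are constructed for this example."""
import html
import json


def render_vulnerable(term: str) -> str:
    """Vulnerable: the search term is copied into the HTML response verbatim."""
    return f"<p>Results for: {term}</p>"


def render_html_text(term: str) -> str:
    """Safe in element content: < > & " ' become entities."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attribute(term: str) -> str:
    """Safe inside a quoted attribute: quote=True also encodes the quotes that
    would otherwise terminate the attribute value."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def render_js_string(term: str) -> str:
    """Safe inside an inline script: JSON-encode, then hex-escape angle
    brackets so the HTML parser cannot see a closing </script> in the data."""
    encoded = json.dumps(term).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var query = {encoded};</script>"


# Constructed input containing markup, of the kind a crafted link would carry.
SAMPLE = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))
    print(render_html_text(SAMPLE))
    print(render_attribute(SAMPLE))
    print(render_js_string(SAMPLE))
```

The same input is harmless in all three encoded contexts and live in the vulnerable one; what changes is not the data but the encoder matched to where it is inserted. Templating engines that auto-escape handle the HTML cases, but the JavaScript context still needs the JSON-plus-hex-escape treatment, which is why the example carries it separately.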

Chapter 13: Attacking Users: Other Techniques

This chapter deals with other techniques that attackers use against a web application and its users. The author explains each technique in depth and also discusses the precautions to be taken to mitigate the risk. For example:

The chapter also covers the implementation of such attacks through different browser extensions and the changes brought by HTML5. It concludes with an explanation of attacks that do not depend on vulnerabilities in any particular web application, but can be delivered by another user (the attacker) or by a malicious or compromised website.

Chapter 14: Automating Customized Attacks

This chapter talks about the hurdles to automation and how they can be overcome. Most applications make use of session-handling mechanisms that terminate compromised sessions. The chapter deals with customized attacks and how an attack can be tailored to the application's behaviour. Situations in which customized automation techniques can be employed:

The author also describes how to automate attacks so that they become faster, easier and more effective than laborious manual work. The chapter concludes by explaining the vulnerabilities in CAPTCHA controls and the tools and techniques to mitigate them.

Chapter 15: Exploiting Information Disclosure

As the name suggests, this chapter examines the different ways in which an application leaks information when attacked. The author describes how to monitor the application for further sources of information disclosure while carrying out the attacks explained in this book, and how exploiting information disclosure gives a deeper understanding of the application's behaviour and functioning. The different sources of information are:

There are new sections in this book that give a detailed explanation of XSS in error messages.

Chapter 16: Attacking Native Compiled Applications

This chapter focuses on the vulnerabilities that occur in applications written in native-code languages such as C and C++. Some of these include:

And ways to detect them:

The author explains the vulnerabilities mentioned above in detail, giving real-world examples.

Chapter 17: Attacking Application Architecture

This chapter focuses on the vulnerabilities an attacker can exploit in the architecture of the application. Many application developers fail to separate the architectural tiers of a web application, which enables an attacker who finds a defect in one component to compromise the entire environment. The author also explains the precautions to be taken to secure the architecture:

The chapter concludes with a detailed explanation of the threats that arise in shared hosting environments, i.e. cloud-based architectures, and the ways to prevent those threats:

Chapter 18: Attacking the Application Server

This chapter deals with attacking the web server and application server rather than the application itself. It initially enumerates the possible attack avenues from the server-infrastructure standpoint and then provides mitigation techniques for each of them. They are broadly categorized as below:

Chapter 19: Finding Vulnerabilities in Source Code

This chapter focuses on finding vulnerabilities in the source code of a web application. It enumerates some code-review methods that maximize effectiveness in discovering vulnerabilities in source code.

It notes that a vulnerability lies in the programming technique rather than in the actual APIs and syntax, and it lists the signatures of some common vulnerabilities.

It further lists various language-specific, potentially dangerous APIs that can result in malicious code execution depending on user-supplied input. Finally, the solution to the above problem is a source code review, which can help find at least the low-hanging fruit, but again this technique is not a silver bullet.

Chapter 20: A Web Application Hacker’s Toolkit

This chapter is actually an overview of all the tools explained in the book. The author talks about the various scenarios in which these tools can be used and explains the key features that get the best out of them. The chapter also discusses the ways in which an automated tool can assist in finding application vulnerabilities, and it explains the tools listed below that security testers use:

The chapter concludes with a detailed explanation of web application scanners, fuzzers and spiders.

Chapter 21: A Web Application Hacker’s Methodology

This chapter is an overview or summary of the procedures and techniques explained in the book. It provides general guidelines, a checklist and a work plan for carrying out an attack against a web application, and the author also explains the precautions or steps to be taken to avoid such attacks: