Author: Dafydd Stuttard & Marcus Pinto
Reviewer(s): OM NARAYAN, JAYESH MHATRE

Helpful links: Course&Book

Chapter 1: Web Application (In)security

Web-based application security has become an essential element for almost every web application developed today reason being they are the favorite targets among attackers. For all concerned, the stakes are high: for businesses that derive increasing revenue from Internet commerce, for users who trust web applications with sensitive information, and for criminals who can make big money by stealing payment details or compromising bank accounts. Reputation plays a critical role. Few people want to do business with an insecure website, so few organizations want to disclose details about their own security vulnerabilities or breaches. Hence, it is not a trivial task to obtain reliable information about the state of web application security today.

Book is essentially splitted in three sections:

• Vulnerability - XSS,CSRF,Dos.
• Attacks - Tools based- Burpsuite,
• Mitigation Techniques - Input Sanitization, Firewalls,IDS,IPS.

Chapter 2: Core Defense Mechanisms

This chapter deals with a various defense mechanism that can be applied in a web application. Since, the fundamental security problem with web applications — that all user input is untrusted — gives rise to a number of security mechanisms that applications use to defend themselves against attack. Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation vary greatly. The defense mechanisms employed by web applications comprise the following core elements:

• Handling user access to the application’s data and functionality to prevent users from gaining unauthorized access.
• Handling user input to the application’s functions to prevent malformed input from causing undesirable behavior.
• Managing the application itself by enabling administrators to monitor its activities and confi gure its functionality.

Chapter 3: Web Application Technologies

The chapter includes a myriad of web application technologies used across the world. It deals primarily with the underlying protocols and various methods supported in it -post, get, head, delete to name a few. The chapter covers support of various web application frameworks along with language support for each of them.

Chapter 4: Mapping the Application

This chapter describes the first exercise you need to perform when targeting a new application — gathering as much information as possible to map its attack surface and formulate your plan of attack. This process includes exploring and probing the application to catalog all its content and functionality, identifying all the entry points for user input, and discovering the technologies in use.

Chapter 5: Bypassing Client-Side Controls

This chapter covers the first area of actual vulnerability, which arises when an application relies on controls implemented on the client side for its security. This approach normally is flawed, because any client-side controls can, of course, be circumvented. The two main ways in which applications make themselves vulnerable are by transmitting data via the client on the assumption that it will not be modified, and by relying on client-side checks on user input. This chapter describes a range of interesting technologies, including lightweight controls implemented within HTML, HTTP, and JavaScript, and more heavyweight controls using Java applets, ActiveX controls, Silverlight, and Flash objects.

Chapter 6: Attacking Authentication

This chapter first describes various authentication mechanism like HTML forms-based authentication, Multifactor mechanisms, such as those combining passwords and physical, Client SSL certificates and/or smart cards, HTTP basic and digest authentication, Windows-integrated authentication using NTLM or Kerberos, Authentication services. Further, it explains the various flaws in Authentication mechanism.

• Bad Passwords
• Brute-Forcible Login
• Verbose Failure Messages
• Vulnerable Transmission of Credentials
• Password Change Functionality
• Forgotten Password Functionality
• User Impersonation Functionality
• Incomplete Validation of Credentials
• Nonunique Usernames

Chapter 7: Attacking Session Management

“Attacking Session Management,” examines the mechanism by which most applications supplement the stateless HTTP protocol with the concept of different requests. This mechanism is a key target when you are attacking a web application because if you can break it, you can effectively bypass the login and masquerade as other users without knowing their credentials.

Chapter 8: Attacking Access Controls

This chapter deals with categories of access controls which can be implemented in Web Based Application and how such access control can be vulnerable and exploited and further provides solution to mitigate such attacks. These are some of the access control mechanism which can be exploited if it is not implemented securely.

• Completely Unprotected Functionality
• Direct Access to Methods
• Identifier-Based Functions
• Platform Misconfiguration

Below are the various defense mechanism which can be deployed to mitigate potential attacks.

• Using central application to check user access control.
• Driving access control decision from user's session.
• A multilayer priviledged model.
• Role based access control

Chapter 9 and 10: Attacking Datastores and Back-End components

This chapter discusses potential attack surface with datastores like SQL databases,XML-Based repositories,LDAP directories, and servies like SOAP and SMTP. The vulnerability in web application can allow to perform sql-injection,injection in xml also known as xpath injection, LDAP injection which can reveal insensitive data. There are numerous approaches to mitigate these attacks and the most important and generic one is to sanitize user input and place a validation mechanism both on client and server.

Chapter 11: Attacking Application Logic

This chapter deals with various application logic flaws which can be exploited to gain unathorise access. Missing null checks, failing to check size of input, improper exception and error handling can be categorise as application logic flaw. Sometimes inherent assumption can led to a logical or functional flaw. Chapter states few secure coding practice but that can't be considerd as silver bullet to mitigate. Few of the secure coding practice are.

• Ensuring application’s design to be clearly documented in sufficient detail for an outsider to understand every assumption the designer made.
• Mandating all source code to be clearly commented to be readble and easily understandable for any person.

Chapter 12: Attacking Users: Cross-Site Scripting

This chapter discusses the most prevalent attack in web applications. These attacks are featured as the top 10 OWASP vulnerability in Web Server. It explains about XSS and its various types in details and mitigation techniques for each of them. Below are the various types of XSS.

• Stored XSS
• Reflected XSS
• DOM-based XSS
• Cross Site Request Forgery

It mentions various mitigation techniques but again there is no silver bullet. The best practices to mitigate these potential attacks are.

• Input Sanitization and Validation
• Implementing Web Application Firewalls
• Client side input encoding
• Whitelisting User Input Characters.

Chapter 13: Attacking Users: Other Techniques

This chapter deals with other types of techniques followed by hackers to destroy a web application. The author explains each of the technique in-depth and also discusses the precautions to be taken for mitigating the risk. For example:

• UI Redress
• Capturing data cross-domain
• HTTP header injection
• Session fixation
• Client-side SQL Injection
• Open redirection

The chapter also covers the implementation of such attacks on different browser extensions and the changes brought by HTML5. The chapter concludes with explanation on attacks that do not depend on the vulnerabilities of any web application, but the ones that can be delivered by other user(attacker) or any other malicious/compromised website.

Chapter 14: Automating Customized Attacks

This chapter talks about the hurdles in automation and how we can overcome them. Most of the applications make use of session-handling mechanisms that terminate compromised sessions. This chapter deals with customized attacks, how we can tailor the attack to application's behavior. Situations in which customized automation techniques can be employed:

• Enumerating identifiers
• Harvesting data
• Web application fuzzing

The author also describes how to automate the attacks and make them more faster, easier and effective and thus overcome the laborious manual attacks. The chapter concludes with explaining the vulnerabilities in CAPTCHA control and tools and techniques to mitigate them.

Chapter 15: Exploiting Information Disclosure

As the name suggests, this chapter examines different ways in which an application leaks information when attacked. The author describes how we should monitor the application to get further sources of information disclosure by using the attacks explained in this book. The chapter explains how we can get a deeper understanding of the application behavior and functioning by exploiting information disclosure. Different types of sources to get information:

• Script error messages
• Stack traces
• Informative debug messages
• Server and database messages
• Enginnering informative error messages

There are new sections in this book that gives detailed explanation on XSS in error messages.

Chapter 16: Attacking Native Compiled Applications

This chapter focuses on the vulnerabilities and setbacks that occur in applications written in native code languages such as C and C++. Some of these include:

• Buffer overflow vulnerabilities
• Off by one vulnerabilities
• Integer vulnerabilities
• Format String vulnerabilities

And ways to detect them:

• Send long strings of data to an identified target and monitor.
• Avoid passing integer values as parameters within the strings or cookies.
• Submit data containing different format specifiers and monitor.

The author explains the vulnerabilities mentioned above in a detailed manner giving real-world examples.

Chapter 17: Attacking Application Architecture

This chapter focuses on the vulnerabilities that the attacker can exploit related to the architecture of the application. Many application developers fail to differentiate the architecture layers of web application which enables an attacker to find a defect in one of the component of the application and hence the entire environment is compromised. The author also explains the precautions to be taken for securing the architecture:

• Minimize trust relationships.
• Segregate different components.
• Apply defense in depth.

The chapter concludes with the detailed explanation of the threats that arise in shared hosting environments i.e Cloud-based architectures. And the ways to prevent those threats:

• Secure Customer access
• Segregate customer functionality
• Segregate components in a shared application

Chapter 18: Attacking the Application Server

This chapter deals with attacking the web-server and application server rather than attacking application. It intially enumerates possible attack avenues from server infrastrcture standpoint and then provides mitigation techniques for each of them. They are broadly categorised as below.

• Vulnerable Server Configuration
• Default Credentials.
• Default Content.
• Debug Functionality.
• Directory Listings.
• The Application Server as a Proxy.
• Misconfigured Virtual Hosting.
• Securing Web Server Configuration
• Changing default credentials and removing any unrequired default accounts.
• Blocking public access to administrative interfaces by ACLs on the required paths within root or by restrciting access to nonstandard ports.
• Removing unnecessary default content and functionality. Tools like Nikto can be used as secondary check to ensure cleanup.
• Disable directory listing whereever possible.
• Disbaling all other methods than GET and POST.
• Ensure Webserver is not configured as a proxy and if is harden its security to allow connections only to legitimate host and port.
• If web server supports virtual hosting,security hardening applied must be enforced on the default host.
• Vulnerable Server Software
• Application Framework Flaws.
• Memory Management Vulnerabilities.
• Encoding and Canonicalization.
• Securing Web Server Software
• Choosing Software with a Good Track Record.
• Readily applying vendor patches.
• Performing Security Hardening.
• Using defense-in-depth strategy.
• Enforcing Web Application Firewall.

Chapter 19: Finding Vulnerabilities in Source Code

This chapter focussed towards finding vulnerability in source code of web application. It enumerates some methods for code review to maximize effectiveness in discovering vulnerbaility in source code.

• Black-Box and White-Box testing approach
• A three fold approach
• Tracing user input from entry points to application and reviewing code responsible for reviewing.
• Searching codebase for vulnerable instances pattern and reviewing further to determine its presence.
• Performing line by line code review of risky code to detect presence of security vulnerability.

It mentions that the vulnerability exists in programming technique, rather than the actual APIs and syntax. It enlist signature of some of common vulnerability.

• Cross-Site Scripting
• SQL Injection
• Path Traversal
• Arbitrary Redirection
• OS Command Injection
• Backdoor Passwords

It further enlist various langauage specific potentially dangerous APIs which can result in malicious code execution depending on user supplied input. Finally, the solution to above problem will be a source code review which can help to find atleast low hanging fruits but again this technique is not a silver bullet.

Chapter 20: A Web Application Hacker’s Toolkit

This chapter actually is a overview of all the tools that are explained in the book. The author talks about various scenarios in which we can use these tools and also explains key features to get the best out of them. This chapter also talks about the ways in which an automated tool can assist in finding application vulnerabilities. Also explains the tools given below that the security testers use:

• Burp Suite
• WebScarab
• Paros
• Zed Attack Proxy
• Fiddler
• Andiparos
• CAT
• Charles

The chapter concludes with detailed explanation on Web application scanners, fuzzers and spiders.

Chapter 21: A Web Application Hacker’s Methodology

This chapter is an overview or summary of the procedures and techniques explained in this book. This chapter provides a general guidelines/checklist and work plan to carry an attack against a web application. And the author also explains the precautions or steps to be taken to avoid such attacks:

• Map the Application’s Content
• Analyze the Application
• Test Client-Side Controls
• Test the Authentication Mechanism
• Test the Session Management Mechanism
• Test Access Controls
• Test for Input-Based Vulnerabilities
• Test for Function-Specific Input Vulnerabilities
• Test for Logic Flaws
• Test for Shared Hosting Vulnerabilities
• Test for Application Server Vulnerabilities
• Follow Up Any Information Leakage