Exploitation and Countermeasures for Modern Web Applications
Andrew Hoffman
In the first edition of this critically acclaimed book, Andrew Hoffman defined the three pillars of application security: reconnaissance, offense, and defense. In this revised and updated second edition, he examines dozens of related topics, from the latest types of attacks and mitigations to threat modeling, the secure software development lifecycle (SSDL/SDLC), and more.
Hoffman, senior staff security engineer at Ripple, also provides information regarding exploits and mitigations for several additional web application technologies such as GraphQL, cloud-based deployments, content delivery networks (CDN) and server-side rendering (SSR). Following the curriculum from the first book, this second edition is split into three distinct pillars comprising three separate skill sets:
Table of Contents
Chapter 1. The History of Software Security
Part I. Recon
Chapter 2. Introduction to Web Application Reconnaissance
Chapter 3. The Structure of a Modern Web Application
Chapter 4. Finding Subdomains
Chapter 5. API Analysis
Chapter 6. Identifying Third-Party Dependencies
Chapter 7. Identifying Weak Points in Application Architecture
Chapter 8. Part I Summary
Part II. Offense
Chapter 9. Introduction to Hacking Web Applications
Chapter 10. Cross-Site Scripting
Chapter 11. Cross-Site Request Forgery
Chapter 12. XML External Entity
Chapter 13. Injection
Chapter 14. Denial of Service
Chapter 15. Attacking Data and Objects
Chapter 16. Client-Side Attacks
Chapter 17. Exploiting Third-Party Dependencies
Chapter 18. Business Logic Vulnerabilities
Chapter 19. Part II Summary
Part III. Defense
Chapter 20. Securing Modern Web Applications
Chapter 21. Secure Application Architecture
Chapter 22. Secure Application Configuration
Chapter 23. Secure User Experience
Chapter 24. Threat Modeling Applications
Chapter 25. Reviewing Code for Security
Chapter 26. Vulnerability Discovery
Chapter 27. Vulnerability Management
Chapter 28. Defending Against XSS Attacks
Chapter 29. Defending Against CSRF Attacks
Chapter 30. Defending Against XXE
Chapter 31. Defending Against Injection
Chapter 32. Defending Against DoS
Chapter 33. Defending Data and Objects
Chapter 34. Defense Against Client-Side Attacks
Chapter 35. Securing Third-Party Dependencies
Chapter 36. Mitigating Business Logic Vulnerabilities
Chapter 37. Part III Summary
Changes from the First Edition
You will find a significant number of changes when comparing this book to its prior first edition. There are over one hundred pages of new content, but beyond that there are dozens of edited pages.
The first edition was primarily focused on the entry- and mid-level engineer, but feedback often requested more advanced content from which you could continue down a particular learning path for each chapter. Most chapters now offer advanced content, and as such my hope is that senior security professionals will now benefit more from reading this book.
Additionally, the book has been updated significantly to incorporate recent technologies. I felt it imperative to add example cases and code for securing and attacking new but common forms of technology in web applications, for example GraphQL and NoSQL databases.
The second edition contains significant swaths of new security content, including coverage of the latest and most popular web application technologies. It has also been modified to include more advanced content per chapter and to incorporate dozens, if not hundreds, of reader and editor suggestions and requests within its pages.
I hope you find this book well organized and enjoyable to read, and that once you have finished it, you walk away with new knowledge and perspectives that enhance your information security skill set.
Prerequisite Knowledge and Learning Goals
This is a book that will not only aid you in learning how to defend your web application against hackers, but will also walk you through the steps hackers take in order to investigate and break into a web application.
Throughout this book we will discuss many techniques that hackers are using today to break into web applications hosted by corporations, governments, and occasionally even hobbyists. Following sufficient investigation into the previously mentioned techniques, we begin a discussion on how to secure web applications against these hackers.
In doing so you will discover brand-new ways of thinking about application architecture. You will also learn how to integrate security best practices into an engineering organization. Finally, we will evaluate a number of techniques for defending against the most common and dangerous types of attacks that occur against web applications today.
After completing Web Application Security, you will have the required knowledge to perform recon techniques against applications you do not have code-level access to. You will also be able to identify threat vectors and vulnerabilities in web applications and craft payloads designed to compromise application data, interrupt execution flow, or interfere with the intended function of a web application.
With these skills in hand, and the knowledge gained from the final section on securing web applications, you will be able to identify risky areas of a web application’s codebase and understand how to write code to defend against attacks that would otherwise leave your application and its users at risk.
Minimum Required Skills
In this book, an “intermediary-level background in software engineering” implies the following:
These skills represent the minimum criteria for successfully following the examples in this book. Any experience you have beyond these bullet points is a plus and will make this book that much easier for you to consume and derive educational value from.
Andrew Hoffman is a senior staff security engineer at Ripple. His expertise is in deep DOM and JavaScript security vulnerabilities. He has worked with every major browser vendor, as well as with TC39 and the Web Hypertext Application Technology Working Group (WHATWG), the organizations responsible for the upcoming version of JavaScript and the browser DOM spec.
Really an awesome book, I have read it many, many times.