Contents
1 Welcome to the Wide World of Web Application Security
Misplaced Priorities and the Need for a New Focus
Network Security versus Application Security: The Parable of the Wizard and the Magic Fruit Trees
#2. Cross-Site Scripting (XSS)
#3. Broken Authentication and Session Management
#4. Insecure Direct Object References
#5. Cross-Site Request Forgery
#7. Insecure Cryptographic Storage
#8. Failure to Restrict URL Access
#9. Insufficient Transport Layer Protection
#10. Unvalidated Redirects and Forwards
Secure Features, Not Just Security Features
Attack Surface Reduction Rules of Thumb
Classifying and Prioritizing Threats
Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
PART II Web Application Security Principles
Two-Factor and Three-Factor Authentication
Web Application Authentication
Password-Based Authentication Systems
Securing Password-Based Authentication
The Importance of Password Complexity
Secure Authentication Best Practices
When and Where to Perform Authentication
Securing Web Authentication Mechanisms
Detailed Authorization Check Process
Custom Authorization Mechanisms
Web Authorization Best Practices
Session Management Fundamentals
Why Do We Need Session Management?
Jetty: Session Predictability in the Real World
Securing Web Application Session Management
Session Management Best Practices
5 Browser Security Principles: The Same-Origin Policy
Defining the Same-Origin Policy
An Important Distinction: Client-Side vs. Server-Side
A World Without the Same-Origin Policy
Exceptions to the Same-Origin Policy
iframes and JavaScript document.domain
Adobe Flash Player Cross-Domain Policy File
XMLHttpRequest (Ajax) and Cross-Origin Resource Sharing
Final Thoughts on the Same-Origin Policy
6 Browser Security Principles: Cross-Site Scripting and Cross-Site Request Forgery
Cross-Site Scripting Explained
Another Variation: HTML Injection
XSS Defense: Using a Reduced Markup Language
XSS Defense-in-Depth: HttpOnly
XSS Defense-in-Depth: Content Security Policy (CSP)
Final Thoughts on Cross-Site Scripting
Cross-Site Request Forgery Explained
HTTP GET and the Concept of Safe Methods
Ineffective CSRF Defense: Relying on POST
Ineffective CSRF Defense: Checking the Referer Header
Ineffective CSRF Defense: URL Rewriting
Better CSRF Defense: Shared Secrets
Better CSRF Defense: Double-Submitted Cookies
Final Thoughts on Cross-Site Request Forgery
7 Database Security Principles
Structured Query Language (SQL) Injection
SQL Injection Effects and Confidentiality-Integrity-Availability
The Dangers of Detailed Errors
Blind SQL Injection: No Errors Required
Solving the Problem: Validating Input
Solving the Problem: Escaping Input
Separate Accounts for Separate Roles
The Stored-Procedures-Only Approach: Reducing Permissions Even Further
SQL Injection in Stored Procedures
Insecure Direct Object References
No Technical Knowledge Required
Insecure Direct Object References and Confidentiality-Integrity-Availability
Solving the Problem: Pre- or Post-Request Authorization Checks
Final Thoughts on Insecure Direct Object References
Keeping Your Source Code Secret
Static Content and Dynamic Content
Interpreted versus Compiled Code
Keep Secrets Out of Static Files
Exposing Sensitive Functionality
Forceful Browsing and Insecure Direct Object References
Redirect Workflow Manipulation
More Directory Traversal Vulnerabilities
PART III Secure Development and Deployment
9 Secure Development Methodologies
The Penetrate-and-Patch Approach
The Holistic Approach to Application Security
Security Incident Response Planning
Industry Standard Secure Development Methodologies and Maturity Models
The Microsoft Security Development Lifecycle (SDL)
OWASP Comprehensive Lightweight Application Security Process (CLASP)
The Software Assurance Maturity Model (SAMM)
The Building Security In Maturity Model (BSIMM)
Conclusions on Secure Development Methodologies and Maturity Models
Epilogue The Wizard, the Giant, and the Magic Fruit Trees: A Happy Ending