
Book Description

The world has changed. Today, every time you make a site live, you’re opening it up to attack.

A first-time developer can easily be discouraged by the difficulties involved with properly securing a website. But have hope: an army of security researchers is out there discovering, documenting, and fixing security flaws. Thankfully, the tools you’ll need to secure your site are freely available and generally easy to use.

Web Security for Developers will teach you how your websites are vulnerable to attack and how to protect them. Each chapter breaks down a major security vulnerability and explores a real-world attack, coupled with plenty of code to show you both the vulnerability and the fix. You’ll learn how to:

• Protect against SQL injection attacks, malicious JavaScript, and cross-site request forgery
• Add authentication and shape access control to protect accounts
• Lock down user accounts to prevent attacks that rely on guessing passwords, stealing sessions, or escalating privileges
• Implement encryption
• Manage vulnerabilities in legacy code
• Prevent information leaks that disclose vulnerabilities
• Mitigate advanced attacks like malvertising and denial-of-service

As you get stronger at identifying and fixing vulnerabilities, you’ll learn to deploy disciplined, secure code and become a better programmer along the way.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Authors
  5. BRIEF CONTENTS
  6. CONTENTS IN DETAIL
  7. ACKNOWLEDGMENTS
  8. INTRODUCTION
    1. About This Book
    2. Who Should Read This Book
    3. A Brief History of the Internet
    4. What’s in This Book
  9. 1 LET’S HACK A WEBSITE
    1. Software Exploits and the Dark Web
    2. How to Hack a Website
  10. Part I: The Basics
  11. 2 HOW THE INTERNET WORKS
    1. The Internet Protocol Suite
    2. Application Layer Protocols
    3. Stateful Connections
    4. Encryption
    5. Summary
  12. 3 HOW BROWSERS WORK
    1. Web Page Rendering
    2. JavaScript
    3. Before and After Rendering: Everything Else the Browser Does
    4. Summary
  13. 4 HOW WEB SERVERS WORK
    1. Static and Dynamic Resources
    2. Static Resources
    3. Dynamic Resources
    4. Summary
  14. 5 HOW PROGRAMMERS WORK
    1. Phase 1: Design and Analysis
    2. Phase 2: Writing Code
    3. Phase 3: Pre-Release Testing
    4. Phase 4: The Release Process
    5. Phase 5: Post-Release Testing and Observation
    6. Dependency Management
    7. Summary
  15. Part II: The Threats
  16. 6 INJECTION ATTACKS
    1. SQL Injection
    2. Command Injection
    3. Remote Code Execution
    4. File Upload Vulnerabilities
    5. Summary
  17. 7 CROSS-SITE SCRIPTING ATTACKS
    1. Stored Cross-Site Scripting Attacks
    2. Reflected Cross-Site Scripting Attacks
    3. DOM-Based Cross-Site Scripting Attacks
    4. Summary
  18. 8 CROSS-SITE REQUEST FORGERY ATTACKS
    1. Anatomy of a CSRF Attack
    2. Mitigation 1: Follow REST Principles
    3. Mitigation 2: Implement Anti-CSRF Cookies
    4. Mitigation 3: Use the SameSite Cookie Attribute
    5. Bonus Mitigation: Require Reauthentication for Sensitive Actions
    6. Summary
  19. 9 COMPROMISING AUTHENTICATION
    1. Implementing Authentication
    2. Mitigation 1: Use Third-Party Authentication
    3. Mitigation 2: Integrate with Single Sign-On
    4. Mitigation 3: Secure Your Own Authentication System
    5. Summary
  20. 10 SESSION HIJACKING
    1. How Sessions Work
    2. How Attackers Hijack Sessions
    3. Summary
  21. 11 PERMISSIONS
    1. Privilege Escalation
    2. Access Control
    3. Directory Traversal
    4. Summary
  22. 12 INFORMATION LEAKS
    1. Mitigation 1: Disable Telltale Server Headers
    2. Mitigation 2: Use Clean URLs
    3. Mitigation 3: Use Generic Cookie Parameters
    4. Mitigation 4: Disable Client-Side Error Reporting
    5. Mitigation 5: Minify or Obfuscate Your JavaScript Files
    6. Mitigation 6: Sanitize Your Client-Side Files
    7. Stay on Top of Security Advisories
    8. Summary
  23. 13 ENCRYPTION
    1. Encryption in the Internet Protocol
    2. Enabling HTTPS
    3. Attacking HTTP (and HTTPS)
    4. Summary
  24. 14 THIRD-PARTY CODE
    1. Securing Dependencies
    2. Securing Configuration
    3. Securing the Services That You Use
    4. Services as an Attack Vector
    5. Summary
  25. 15 XML ATTACKS
    1. The Uses of XML
    2. Validating XML
    3. XML Bombs
    4. XML External Entity Attacks
    5. Securing Your XML Parser
    6. Other Considerations
    7. Summary
  26. 16 DON’T BE AN ACCESSORY
    1. Email Fraud
    2. Disguising Malicious Links in Email
    3. Clickjacking
    4. Server-Side Request Forgery
    5. Botnets
    6. Summary
  27. 17 DENIAL-OF-SERVICE ATTACKS
    1. Denial-of-Service Attack Types
    2. Denial-of-Service Attack Mitigation
    3. Summary
  28. 18 SUMMING UP
  29. INDEX