Web Application Defender’s Cookbook is a consolidation of tutorials called recipes. They are designed to facilitate the expedient mitigation of the most critical vulnerabilities and attack methods that cyber criminals use today. Whether you’re mitigating a denial-of-service attack on your e-commerce application, responding to a fraud incident on your banking application, or protecting users of a newly deployed social networking application, this book gives you creative solutions to these challenges. This book shows you how to be as pragmatic as possible when performing remediation. Although each recipe includes adequate background information so that you understand how the web application attack or vulnerability works, theory is kept to a minimum. The recipes’ main intent is to provide step-by-step countermeasures you can use to thwart malicious activity within your web applications.
I obtained the information in this book through years of protecting government, educational, and commercial web sites from a wide range of adversaries who used an even wider array of attack methods. Because web attack methods employ multiple levels of complexity and sophistication, so do the remediation recipes presented in this book. All the recipes, however, have a foundation in the following skill sets and topics (listed in order of relevance):
Although the recipes in this book include the key elements of many web application attacks, this book is not meant as a comprehensive guide for describing web application weaknesses, attacks, or secure web application development. Numerous other books and public resources help developers secure their web applications.
Quite simply, the goal of this book is to make your web applications more difficult to hack. Web applications—or any software, for that matter—will never be completely secure and free from defects. It is only a matter of time before a determined attacker will find some vulnerability or misconfiguration to exploit and compromise either your site or one of its users. You should take a moment to come to terms with this truth before progressing. Many people wrongly assume that hiring “smart” developers or deploying commercial security products will magically make their sites “hacker proof.” Sadly, this is not reality. A more realistic goal for web application security is to gain visibility into your web transactions and to make your web applications more hacker resistant. If you can force any would-be attackers to spend a significant amount of time probing your site, looking for vulnerabilities, you will widen the window of opportunity for operational security personnel to initiate proper response methods.
This book arms you with information that will help you increase your web applications’ resistance to attacks. You will be able to perform the following critical web application security situational awareness tasks:
The target audience for this book is web application defenders. The term defender in this book refers to anyone who is charged with protecting live web applications from attacks. These people did not create the web application, but they are responsible for administering the application on the live network. Web application defenders are one of the three main communities who contribute to the overall security posture of web applications; the other two are builders and breakers. Builders are the development teams who are responsible for the actual source code and functionality of the web application. They are the initial creators of the application and are responsible for future enhancements and maintenance. Breakers, on the other hand, are the information security teams who assess applications by reviewing source code and attacking live web applications. All three communities contribute to the overall security of web applications, but this book is solely focused on helping defenders with their appointed tasks.
This book is organized as a set of recipes that solve specific web application security problems. Many of the recipes are self-contained, meaning that the vulnerability or attack is presented and a solution is outlined that mitigates the entire attack surface. Other recipes, however, individually address only a portion of the larger problem, so it may be necessary to implement multiple recipes together to fully reduce the risks involved.
From the highest conceptual view, this book is organized into three logical parts:
The order of these parts is based on the logical flow and dependencies of each topic. If you are initially deploying a new web application, we recommend that you read this book from start to finish. On the other hand, if you already have web applications deployed in production, you can easily jump directly to a recipe that addresses your specific concern. When appropriate, cross-references to other chapters, recipes, or external resources are provided. The following sections describe each part and its chapters.
This book begins with the concept of preparing your web application platform for the attacks that will eventually occur. You should complete the recipes in this part either right before or right after you put a new application into production.
After the web application is live on the production network and is exposed to real users, the recipes in this part will come into play. All of these recipes deal with analyzing web transactions for malicious activity.
After you have identified malicious behavior within your web application, the next logical question is what do you want to do about it. The final part of this book highlights how to best utilize the different response options at your disposal.
This book demonstrates hands-on techniques you can use to prevent web application attacks. Keep in mind that, because you are a web application defender, your tool set is not the same as the one available to the web application developer. Your main tool is the web application platform itself, such as the Apache web server or Microsoft’s Internet Information Services (IIS) web server. Unfortunately, effective mitigation of web application vulnerabilities and attacks relies on advanced logic and analysis capabilities that are not normally present in standard web server software. To achieve the defensive capabilities outlined in this book, you need to add software to the web server itself, as a loadable module or filter.
The recipes in this book use the open source web application firewall (WAF) module called ModSecurity [1], which is available for the Apache, Microsoft IIS, and Nginx web server platforms. You have other options for achieving basic input filtering for your web application, but no other defensive module has the same level of advanced capabilities as ModSecurity. These capabilities include the robust rules language, data modification, content injection, and even a Lua application programming interface (API), which facilitates custom logic and integration with other tools. By the end of this book, I am confident you will agree that ModSecurity is an outstanding tool for web application defense. Nevertheless, we include appropriate pointers and references to other tools that may provide similar functionality.
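To give a concrete sense of what those capabilities look like in practice, the following is an added illustration (it is not a recipe from the book, nor ModSecurity project code) of a minimal ModSecurity 2.x configuration fragment for Apache. It shows one rule written in the rules language, one rule delegated to a Lua script, and one rule that uses content injection. The rule ids 900001 through 900003 and the script path /etc/modsecurity/ua-check.lua are placeholders chosen for this example.

```apache
# Added example, not from the book: a minimal ModSecurity 2.x fragment showing
# the rules language, the Lua API and content injection side by side.
# Rule ids and the Lua script path are placeholders for this illustration.
SecRuleEngine On
# ARGS covers POST bodies only when request body access is enabled.
SecRequestBodyAccess On

# Rules language: inspect every request argument (query string and body) in
# phase 2 and block an obvious script-tag probe with a 403.
SecRule ARGS "@rx (?i)<script" \
    "id:900001,phase:2,deny,status:403,log,msg:'Script tag in request argument'"

# Lua API: hand the request to a script. Its main() function returns a string
# to signal a match (the actions below then fire) or nil to let it through.
SecRuleScript /etc/modsecurity/ua-check.lua \
    "id:900002,phase:2,deny,status:403,log,msg:'Lua rule matched'"

# Content injection: the append action requires SecContentInjection. Phase 3
# runs after response headers are known, so only HTML responses are touched.
SecContentInjection On
SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/html" \
    "id:900003,phase:3,pass,nolog,append:'<!-- response inspected -->'"
```

Each SecRule names a variable collection to inspect, an operator to apply to it, and a comma-separated action list; every rule needs a unique id. The Lua script referenced by SecRuleScript is expected to define a main() function that reads request data through the m.getvar() API and returns either a string (match) or nil (no match); its contents are left to the reader since the placeholder path is only illustrative.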
Although the recipes use ModSecurity, the underlying detection techniques may certainly be adapted for use within applications that use other tools or libraries. For instance, the OWASP AppSensor [2] project (to which I am a contributor) includes Java code examples that implement many of the same concepts presented in this book.
The target web applications that you will protect throughout this book are taken from the OWASP Broken Web Application (OWASP BWA) project [3]. The virtual machine image available for download provides a large number of intentionally broken web applications used for testing and learning about web application attacks and vulnerabilities. It also provides older releases of real-world applications (such as WordPress) that contain real, known flaws. If you want to follow along with the recipes in the book and practice hands-on with implementing the protection mechanisms, download the virtual machine image.
[2] https://www.owasp.org/index.php/Category:OWASP_AppSensor_Project
[3] http://code.google.com/p/owaspbwa/
To help you get the most out of this book and to keep track of the information contained in the recipes, we use several conventions throughout the book.
We use a monofont type with no highlighting for most code examples.
We use bold to emphasize code that is particularly important in the present context or to show changes from a previous code snippet.
As you work through the examples in this book, you may choose either to type in all the code manually or to use the source code files that accompany the book. All the source code used in this book is available for download at www.wiley.com/go/webappdefenderscookbook.
You can also search for the book at www.wiley.com.