INDEX
Page numbers followed by an italicized f or t refer to figures and tables respectively.
Symbols and Numbers
: (colon character), 82
/ (path separator character), 109
; (semicolon character), 52
' (single quote character), 51–53
10 Minute Mail, 86
401 status code (in HTTP), 82
A
aspects of, 104
common oversights, 108
defined, 104
models for
access control lists, 105
ownership-based access control, 106
role-based access control, 105–106
whitelists and blacklists, 105
testing, 107
access control lists (ACLs), 105
access tokens, 139
Active Directory, 137
ActiveX, xxi
administrative frontends, securing, 138
ad platforms, 142
Advanced Encryption Standard (AES), 121, 138
Advanced Research Projects Agency Network (ARPANET), 7
Airbrake, 44
Amazon
denial-of-service attacks, 163
one-click purchases, 76
Amazon CloudFront, 26
Amazon Elastic Compute Cloud (EC2), 41
Amazon Machine Images (AMIs), 62
Amazon Simple Storage Service (S3), 62, 140
Amazon Web Services (AWS), 105, 137, 168
Elastic Beanstalk, 41
Marketplace, 62
AMIs (Amazon Machine Images), 62
amplified attacks, 165
Ansible, 42
antivirus software
mitigating file upload vulnerability attacks, 63
protection against botnets, 160
Apache web servers, 53, 114, 125
disabling open directory listings, 137
disabling URL rewriting, 100
injection attacks, 132
application firewalls, 166
application layer attacks, 165
application programming interface (API) keys, 139
ARPANET (Advanced Research Projects Agency Network), 7
asymmetric encryption algorithms, 119
authentication
databases and, 29
defined, 81
implementing
basic authentication scheme, 82
digest authentication scheme, 82
HTTP-native authentication, 82–83, 83f
non-native authentication, 83
mitigation options
secure authentication system, 85–92
third-party authentication, 84
Authorization header, 82
AVG, 132
AWS. See Amazon Web Services (AWS)
B
Bachus-Naur Form (BNF), 147
Base64 algorithm, 82
bind parameters
object-relational mapping, 54
parameterized statements, 52–53
Bitly, 156
black hat hackers, 2
blacklists, 105
blind SQL injection attacks, 56
BNF (Bachus-Naur Form), 147
branching code, 38
brittleness, 39
browsers
cookies, 20
Domain Name System, 20
HTTP Secure, 20
security certificates, 20
web page rendering pipeline, 15–19
brute-force attacks, 100
bug trackers (issue-tracking software), 36
bundler-audit tool, 136
C
C#
build process, 42
overview of, 33
vulnerabilities, 33
C++, 33
Cache-Control header, 13
canonical name (CNAME) records, 9
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), 91–92, 92f, 158
Cascading Style Sheets (CSS)
build process, 43
in HTTP responses, 13
pre-processors, 43
selectors, 17
stylesheets, 17
styling rules, 17
use in clickjacking attacks, 158
CDNs. See content delivery networks (CDNs)
Center for Internet Security (CIS), 62
centralized version control systems, 37
Centrify, 84
CEO fraud, 154
CERN (European Organization for Nuclear Research), xx–xxi
certificate authorities, 117, 122–125
certificate signing requests (CSRs), 123–124
CGI (Common Gateway Interface), xxii
Chef, 42
chroot command, 58
CIS (Center for Internet Security), 62
Cisco, 128
cleartext storage, 88
click fraud, 160
client-server architecture, 49
client-side error reporting, 115
Clojure, 32
cloud-based storage
subdomain takeovers, 140
use in mitigating file upload vulnerability attacks, 62
CLR (Common Language Runtime), 33
CMSs. See content management systems (CMSs)
CNAME (canonical name) records, 9
code writing phase (in the software development lifecycle)
branching and merging code, 38
pushing changes to repository, 37
source control (version control), 37
colon character (:), 82
Comcast, 128
command injection attacks
defined, 56
escaping control characters, 57–58
file upload vulnerability and, 61
Common Gateway Interface (CGI), xxii
Common Language Runtime (CLR), 33
Comodo, 122
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), 91–92, 92f, 158
CONNECT requests (in TCP), 11t
consistent behavior
eventual consistency of NoSQL databases, 30
SQL databases, 29
containerization, 42
content delivery networks (CDNs), 26
distributed denial-of-service protect systems, 167
mitigating file upload vulnerability attacks, 62, 170
subdomain takeovers, 140
content management systems (CMSs)
defined, 26
mitigating file upload vulnerability attacks, 62, 170
plug-ins, 26
content security policies, 69–70, 110–111
Content-Security-Policy header, 69, 158–159, 172
Content-Type header, 13, 59, 63
continuous integration servers, 39
control characters
cookies, 171
defined, 13
generic cookie parameters, 114
implementing and securing a logout function, 90–91
SameSite cookie attribute, 78–79
vulnerabilities of, 13
cookie theft
cross-site request forgery (CSRF) attacks, 98–99
cross-site scripting (XSS) attacks, 97–98
man-in-the-middle attacks, 98
cracking password lists, 89
CREATE statements (in SQL), 55
cross-site request forgery (CSRF; XSRF) attacks
anatomy of, 76
defined, 75
mitigation options
requiring reauthentication for sensitive actions, 78–79
SameSite cookie attribute, 78–79
cross-site scripting (XSS) attacks, xxi, 19
defined, 65
DOM-based
defined, 71
escaping dynamic content, 73
defined, 70
escaping dynamic content, 71
stored
content security policies, 69–70
escaping control characters, 67–69
cryptographic hash algorithms and functions, 88–89, 119
cryptography, 117
CSRF attacks. See cross-site request forgery (CSRF) attacks
CSRs (certificate signing requests), 123–124
CSS. See Cascading Style Sheets (CSS)
D
database administrators (DBAs), 43
database drivers, 51
database migration scripts, 43
databases
authentication and, 29
for building dynamic web pages, 28–30
NoSQL, 30
origin of, 28
stored cross-site scripting attacks, 66
data definition language (DDL), 55
data manipulation language (DML), 55
data packets, 8
DBAs (database administrators), 43
DDL (data definition language), 55
DDoS (distributed denial-of-service) attacks, 165, 167
dedicated configuration stores, 137
default credentials, disabling, 137
defense in depth approach, 61
blind and nonblind SQL injection, 55–56
defined, 55
principle of least privilege, 55
defer attribute, 19
DELETE requests (in SQL), 11, 76–77
DELETE statements (in SQL), 50–51, 55
denial-of-service (DoS) attacks
mitigation options
firewalls, 166
intrusion prevention systems, 166
protection services, 167
types of
application layer attacks, 165
distributed denial-of-service attacks, 165
Internet Control Message Protocol (ICMP) attacks, 164
reflected and amplified attacks, 165
Transmission Control Protocol (TCP) attacks, 164
unintentional denial-of-service attacks, 166
dependencies, 171
build process, 42
defined, 45
deploying new versions quickly, 134
organizing dependencies
dependency management tools, 132–133
operating system patches, 133–134
subresource integrity checks, 134
security advisories
blogs, 135
mailing lists, 135
official advisories, 135
social media, 135
software tools, 136
timely upgrades, 136
vulnerability of, 45
dependency-check tool, 136
dependency management, 45, 132–133
dependency trees, 133
deserialization
defined, 59
disabling code-execution during, 59–60
design and analysis phase, 36
DevOps (developer operations) tools, 41–42
DigiCert, 122
digital certificates (public-key certificates)
certificate authorities, 122–123
defined, 122
installing
configuring web server to use HTTPS, 126
HTTP Strict Transport Security policies, 127
redirecting HTTP traffic to HTTPS, 126–127
web servers vs. application servers, 125–126
obtaining
certificate signing requests, 123–124
domain verification, 124
expiring certificates, 124
extended validation certificates, 124
paying for certificates, 125
revoking certificates, 124
self-signed certificates, 124–125
TLS handshakes, 121
directories, 109
directory traversal attacks, xxii, 108–112
anatomy of, 109–110, 109f–110f
defined, 108
filepaths and relative filepaths, 108–109
mitigation options, 171
indirect file references, 111
sanitizing file references, 111–112
web servers, 110
display names, 85
distinguished names (DNs), 123
distributed caches
defined, 30
injection attacks, 53
microservices, 30
publish-subscribe channels, 31
queues, 30
vulnerabilities of, 31
distributed denial-of-service (DDoS) attacks, 165, 167
distributed version control systems, 37
Django, 125
DKIM (DomainKeys Identified Mail), 155–156, 172
DML (data manipulation language), 55
DNS. See Domain Name System (DNS)
DNs (distinguished names), 123
DNS poisoning, 9
Docker Swarm, 42
Document Object Model (DOM)
defined, 16
DOM-based cross-site scripting attacks, 71–73
DOM nodes, 17
DOM tree, 17
HTML tags and, 17
document type definition (DTD) files, 147–150
DomainKeys Identified Mail (DKIM), 155–156, 172
domain name servers, 9
Domain Name System (DNS)
caching behavior, 9
canonical name records, 9
DNS poisoning, 9
domain verification, 124
Internet Protocol suite layers, 10f
mail exchange records, 9
purpose of, 9
registration of, 9
rendering pipeline, 20
subdomain takeovers, 140
validating email addresses, 86
domain registrars, 9
domain verification, 124
DOM-based cross-site scripting attacks
defined, 71
escaping dynamic content, 73
doppelganger domains, 154
DoS attacks. See denial-of-service (DoS) attacks
downgrade attacks, 128
DROP command and statements (in SQL), 52, 55
DTD (document type definition) files, 147–150
dynamic resources
defined, 24
templates, 28
web programming languages, 31–34
E
EC2 (Amazon Elastic Compute Cloud), 41
Eich, Brendan, xxi
Electronic Frontier Foundation, 125
Elliptic Curve Diffie-Hellman Exchange (ECDHE), 121
email addresses
requiring for authentication, 85
spoofing, 153
email fraud
avoiding
DomainKeys Identified Mail, 155–156, 172
Sender Policy Framework, 155–156, 171
email address spoofing, 153
phishing, 154
spam, 154
spearphishing, 154
email verification links, 86
embargoing resources, 108
Embedded Ruby (ERB) templates, 68
encoded separator characters, 111
encryption, 171
algorithms
asymmetric, 119
defined, 118
symmetric, 119
encrypting session cookies, 96
exploiting unencrypted communication
government agencies, 129
Internet service providers, 128–129
Wi-Fi hotspots, 128
wireless routers, 128
of configuration information, 138
handshakes, 14
HTTPS, 14
defined, 118
digital certificates, 117, 122–123
installing certificates, 125–127
obtaining certificates, 123–125
in the Internet Protocol
encryption algorithms, 118–119
message authentication codes, 120
Transport Layer Security (TLS), 14
entity encodings (in HTML), 67–68, 68t
enumeration of users
error messages, 91
password-reset screen, 91
timing attacks, 91
environmental variables, 137
ERB (Embedded Ruby) templates, 68
error reporting
defined, 44
escapeshellarg function (in PHP), 58
escaping control characters
in dynamic content from HTTP requests, 70
in dynamic content from URI fragments, 73
in SQL, 53
European Organization for Nuclear Research (CERN), xx–xxi
EV (extended validation) certificates, 124
exploits
defined, 1
white hat vs. black hat hackers, 2
zero-day exploits, 2
exploit scripts, 59
extended validation (EV) certificates, 124
Extensible Markup Language (XML)
defined, 145
document type definition files, 147–148
external entity attacks, 149–150
server-side request forgery attacks, 159
uses for, 146
Extensible Messaging and Presence Protocol (XMPP)
defined, 10
Internet Protocol suite layers, 10f
external entity declarations, 149–150
F
Facebook, xxii
likejacking, 158
React framework, 34
user permissions failure, 103–104
File Transfer Protocol (FTP)
defined, 10
Internet Protocol suite layers, 10f
file upload vulnerability attacks
defined, 60
file upload functions, defined, 60
mitigation options, 61–63, 170
ensuring uploaded files cannot be executed, 62
hosting files on secure system, 62
running antivirus software, 63
validating content of uploaded files, 63
firewalls, 166
Flask, 125
foreign keys (in SQL), 29
four eyes principle, 38
FTP. See File Transfer Protocol (FTP)
fully qualified domain names (FQDNs), 123
G
Galois/Counter Mode (GCM), 121
GET requests (in HTTP), 11, 49–50
cross-site request forgery attacks, 76–77
rendering pipeline, 20
SameSite attribute settings for cookies, 99
GitHub OAuth, 84
government snooping, 129
HTTP requests, 70
reCAPTCHA widget, 92
returning dynamic resources, 27
Google AdX, 142
Google Analytics, 26, 140–141, 168
Google App Engine, 41
Google Apps, 70
cipher suites, 121
V8 JavaScript engine, 32
Google Hacking Database, 136
Google OAuth, 84
Google Safe Browsing API, 158
government agencies, snooping by, 129
gzip algorithm, 25
H
Hacker News, 135
hacking
black hat hackers, 2
exploits, defined, 1
white hat hackers, 2
zero-day exploits, 2
hardening servers, 62
hashes, 171
digest authentication scheme, 82
hashing passwords, 88, 119–120
headers
HEAD requests (in HTTP), 11t
Heartbleed bug, 132
Heartland Payment Systems, 50
horizontal escalation, 104
HSTS (HTTP Strict Transport Security) policies, 126–127
HTML. See HyperText Markup Language (HTML)
HTTP. See HyperText Transfer Protocol (HTTP)
HTTP 404 Not Found error, 13
authentication, 82
command injection attacks, 56–58
CONNECT requests, 11t
cross-site request forgery attacks, 76
defined, 10
DELETE requests, 11
elements of
body, 10
universal resource locators, 10–11
exploit scripts, 59
file upload vulnerability attacks, 60, 63
GET requests, 11
HEAD requests, 11t
logging, 44
OPTIONS requests, 11t
PATCH requests, 11
POST requests, 11
privilege escalation, 104
PUT requests, 11
reflected cross-site scripting attacks, 70–71
server-side request forgery attacks, 159–160
static resources, 24
TRACE requests, 11t
use in SQL injection attacks, 51–52
HTTP responses
authentication, 82
defined, 10
disabling telltale headers, 114
elements of
status messages, 12
example of, 12
HTML, 13
monitoring, 44
returning dynamic resources, 27
returning static resources, 25
static resources, 24
HTTP Secure (HTTPS), 14
cookie theft, 98
defined, 118
digital certificates
defined, 122
redirecting HTTP traffic to, 126–127
rendering pipeline, 20
terminating, 126
vulnerabilities avoided by using, 128–129
HTTP sessions
cross-site scripting attacks, 65
defined, 13
implementing
opening, 94
tracking, 13
vulnerability of, 13
HTTP Strict Transport Security (HSTS) policies, 126–127
hug of death, 166
HyperText Markup Language (HTML)
dynamic page creation, xxii
origin of, xxi
HyperText Transfer Protocol (HTTP)
defined, 10
encryption, 14
HTTP requests
CONNECT requests, 11t
defined, 10
DELETE requests, 11
elements of, 10
GET requests, 11
HEAD requests, 11t
OPTIONS requests, 11t
PATCH requests, 11
POST requests, 11
PUT requests, 11
TRACE requests, 11t
HTTP responses
defined, 10
elements of, 12
example of, 12
HTML, 13
status messages, 12
Internet Protocol suite layers, 10f
origin of, xxi
purpose of, 10
redirecting traffic to HTTPS, 126–127
rendering pipeline, 20
stateful connections, 13
user agents, 10
vulnerabilities of
government agencies, 129
Internet service providers, 128–129
Wi-Fi hotspots, 128
wireless routers, 128
I
IaaS (Infrastructure as a Service), 41, 168
ICANN (Internet Corporation for Assigned Names and Numbers), 8
ICMP (Internet Control Message Protocol) attacks, 164
identity and access management (IAM) system, 105
images (configuration scripts), 42
indirection, 111
infinite scrolling, 72
information leaks, 171
disabling client-side error reporting, 115
disabling telltale Server headers, 114
minifying or obfuscating JavaScript files, 115
sanitizing client-side files, 116
use generic cookie parameters, 114
using clean URLs, 114
security advisories, 116
zero-day vulnerabilities, 112
Infrastructure as a Service (IaaS), 41, 168
injection attacks, xxii
anticipating, 170
client-server vulnerabilities, 49–50
command injection attacks
defined, 56
escaping control characters, 57–58
defined, 49
file upload vulnerability attacks
defined, 60
ensuring uploaded files cannot be executed, 62
hosting files on secure system, 62
running antivirus software, 63
validating content of uploaded files, 63
remote code execution attacks
anatomy of, 59
defined, 59
disabling code-execution during deserialization, 59–60
SQL injection attacks
object-relational mapping, 54–55
parameterized statements, 52–53
INSERT statements (in SQL), 50–51, 55
integration testing, 39
internal entity declarations, 148
internet, history of, xx–xxiii
Internet Control Message Protocol (ICMP) attacks, 164
Internet Corporation for Assigned Names and Numbers (ICANN), 8
Internet Protocol (IP)
encryption algorithms, 118–119
message authentication codes, 120
Internet Protocol (IP) addresses
allotment of, 8
defined, 8
IP version 4 (IPv4) syntax, 8–9
IP version 6 (IPv6) syntax, 9
rendering pipeline, 20
Internet Protocol suite
Domain Name System, 9
HyperText Transfer Protocol, 10–13
encryption, 14
stateful connections, 13
Internet Protocol addresses, 8–9
Transmission Control Protocol, 8
User Datagram Protocol, 8
Internet service providers (ISPs), 8, 128–129
Intrusion prevention systems (IPSs), 166
IP. See Internet Protocol (IP); Internet Protocol (IP) addresses
IP version 4 (IPv4) syntax, 8–9, 10f
IP version 6 (IPv6) syntax, 9, 10f
ISPs (Internet service providers), 8, 128–129
issue-tracking software (bug trackers), 36
J
Java
application servers, 125
build process, 42
command injection attacks, 56
dependency checker, 136
overview of, 32
securing XML parsers, 151
JavaScript
Comcast advertisements in HTTP traffic, 128
cookie theft, 97
cross-site request forgery attacks, 77–78
cross-site scripting attacks, 65–73
defined, 18
in HTTP responses, 13
<iframe> tags, 142
inline, preventing execution of, 69
Node.js, 32
obfuscating files, 115
origin of, xxi
password complexity ratings, 88
V8 JavaScript engine, 32
vulnerability of, 19
JavaScript Object Notation (JSON)
NoSQL databases, 30
session state, 96
XML vs., 146
JavaScript XML (JSX) files, 34
Java Servlet Specification, 99
Java Virtual Machine (JVM), 32–33
job queues, 167
JSESSIONID cookie, 114
JSON. See JavaScript Object Notation (JSON)
JSX (JavaScript XML) files, 34
JVM (Java Virtual Machine), 32–33
K
key-exchange algorithm, 121
key-value storage, 30
Kotlin, 33
Krebs, Brian, 135
Kubernetes, 42
L
Lightweight Directory Access Protocol (LDAP), 53
likejacking, 158
LinkedIn, 84
Linksys, 128
Linux, xiv
chroot command, 58
filepaths, 108
file permissions, 62
filesystem, 105
restricting web server-accessible directories, 152
wireless routers, 128
Lisp, 32
M
MACs (message authentication codes), 120
Mailchimp, 156
mail exchange (MX) records, 9, 86
Mailgun, 156
Mailinator, 86
malvertising, 141
man-in-the-middle attacks, 14
cookie theft, 98
by government agencies, 129
unsecured TCP conversations, 118
Wi-Fi hotspots, 128
wireless routers, 128
merge conflicts, 38
merging code, 38
message authentication codes (MACs), 120
Metasploit framework, 3–4, 3f, 52, 114
<meta> tags, 69
methods (verbs) in HTTP, 10–11
MFA. See multifactor authentication (MFA)
microframeworks, 31
microservices
defined, 30
distributed caches, 30
publish-subscribe channels, 31
queues, 30
Microsoft
dedicated configuration store, 137
operating system patches, 135
third-party authentication, 84
Microsoft Active Directory, 105–106
Microsoft Azure, 41
Microsoft Internet Explorer, xiii
Microsoft Windows, xiii
minifying JavaScript files, 42–43, 115
MODIFY statements (in SQL), 55
MongoDB, 53
monitoring, 44
Mono project, 33
Mosaic, xiii
Mozilla Firefox, xiii
Mozilla Foundation, 125
multifactor authentication (MFA)
third-party authentication, 84
MX (mail exchange) records, 9, 86
N
National Center for Supercomputing Applications, xiii
National Security Agency (NSA), 129
.NET, 33
dependency checker, 136
securing XML parsers, 151
Netflix
denial-of-service attacks, 163
technology blog, 168
Netgear, 128
Node Package Manager (NPM), 136
nonblind SQL injection attacks, 55
npm audit command, 136
NSA (National Security Agency), 129
O
OAuth (open authentication) standard, 84, 158
obfuscating JavaScript files, 115
object-relational mapping (ORM), 54–55
offloading static content, 167
Okta, 84
OneLogin, 84
open authentication (OAuth) standard, 84, 158
open directory listings, disabling, 137
OpenID standard, 84
open redirects, 153, 156–157, 172
OpenSSL, 132
Open Web Application Security Project (OWASP), 136
operating system patches, 133–134
OPTIONS requests (in HTTP), 11t
Oracle VirtualBox, 3
ORM (object-relational mapping), 54–55
os module (in Python), 62
OWASP (Open Web Application Security Project), 136
ownership-based access control, 106
P
PaaS (Platform as a Service), 41
padding input data, 119
parameterized statements, 52–53
password-reset links, 87
password-reset screens, 91
passwords. See also authentication
commonly used, 84
cracking password lists, 89
securely storing
salting hashes, 89
password-strength-calculator library, 88
PATCH requests (in HTTP), 11
path separator character (/), 109
Perl, 28
access control
access control lists, 105
aspects of, 104
common oversights, 108
defined, 104
ownership-based access control, 106
role-based access control, 105–106
testing, 107
whitelists and blacklists, 105
directory traversal
absolute filepaths vs. relative filepaths, 108–109
defined, 108
privilege escalation, 104
Petrobras, 129
phishing, 154
PHP, xiv
command injection attacks, 56–58
file upload vulnerability attacks, 60–61
overview of, 32
vulnerability of, 32
ping floods, 164
ping of death attacks, 164
Platform as a Service (PaaS), 41
post-release activities
monitoring, 44
penetration testing, 44
POST requests (in HTTP), 11, 50
authentication, 83
cross-site request forgery attacks, 76–77
rendering pipeline, 20
R-U-Dead-Yet? attack, 165
pre-production environments. See test environments
primary keys (in SQL), 29
principle of least privilege, 55, 58, 152, 173
privilege escalation, 104
public-key certificates. See digital certificates
public-key cryptography, 119, 139
pull requests, 38
Puma, 125
Puppet, 42
PUT requests (in HTTP), 11, 76–77
Python
application servers, 125
command injection attacks, 56, 58
mitigating file upload vulnerability attacks, 62
permissions, 106
securing XML parsers, 151
Python Software Foundation, 135
Q
quality assurance (QA), 39
quality assurance environments. See test environments
R
rainbow tables, 89
random number generation, 100
raw function (in Ruby), 68
RBAC (role-based access control), 105–106
reauthentication, requiring for sensitive actions, 79
reCAPTCHA widget, 92
reflected attacks, 165
reflected cross-site scripting attacks
defined, 70
escaping dynamic content, 71
regression testing, 135
regular expression (regex), 111
relational databases
consistent behavior, 29
data integrity constraints, 29
defined, 29
foreign keys, 29
primary keys, 29
transactional behavior, 29
vulnerability of, 30
release process
database migration scripts, 43
defined, 40
Infrastructure as a Service, 41
pushing changes vs. releasing changes, 37
reliability of, 40
revertibility of, 41
remote code execution attacks
anatomy of, 59
defined, 59
disabling code-execution during deserialization, 59–60
rendering blink, 72
rendering pipeline
Acid3 test, 18
replay attacks, 139
Representational State Transfer (REST), 76–77
Rivest-Shamir-Adleman (RSA) algorithm, 121
role-based access control (RBAC), 105–106
Rollbar, 44
rolling back releases, 41
root privilege, 104
RSA (Rivest-Shamir-Adleman) algorithm, 121
Ruby and Ruby on Rails, 111, 125
client-side error reporting, 115
client-side sessions, 96
command injection attacks, 56, 58
database migration scripts, 43
dependency checker, 136
overview of, 31
securing XML parsers, 151
RubyGems package manager, 31
R-U-Dead-Yet? (RUDY) attack, 165
S
S3 (Amazon Simple Storage Service), 62, 140
salting hashes, 171
same-origin policy, 78
SameSite cookie attribute, 78–79, 98–99
SAML (Security Assertion Markup Language), 85
sanitizing client-side files, 116
sanitizing file references, 111
Sass, 43
schemaless databases, 30
Schneier, Bruce, 135
reflected cross-site scripting attacks, 70
stored cross-site scripting attacks, 66–67, 69
subresource integrity checks, 134
SCSS, 43
SDKs. See software development kits (SDKs)
SDLC. See Software Development Life Cycle (SDLC)
secure authentication system
banning disposable email accounts, 86, 87f
implementing and securing logout function, 90–91
preventing user enumeration
error messages, 91
password-reset screen, 91
timing attacks, 91
requiring complex passwords, 87–88
requiring multifactor authentication, 89–90, 90f
requiring usernames, email addresses, or both, 85
securely storing passwords
salting hashes, 89
securing password resets, 87
validating email addresses, 85–86
Secure Hash Algorithm (SHA-256), 121
Secure keyword, 98
Security Assertion Markup Language (SAML), 85
security certificates, 20
security through obscurity, 108
seeds, 100
segregation of test and production environments, 39
SELECT statements (in SQL), 50–51, 53, 55
self-signed certificates, 124–125
semicolon character (;), 52
Sender Policy Framework (SPF), 155–156, 172
sequence numbers, 8
serialization, 59
serialization libraries, 59–60
Server header (in HTTP responses), 114, 171
server-side request forgery (SSRF) attacks, 150, 154, 159–160
generic cookie parameters, 114
session hijacking
defined, 93
opening sessions, 94
weak session IDs, 100
session identifiers (session IDs)
taking advantage of weak, 100
TLS handshakes, 121
Set-Cookie header, 13, 20, 77–78, 90–91, 95–98, 171
SHA-256 (Secure Hash Algorithm), 121
SharkLasers, 87f
Simple Mail Transport Protocol (SMTP), 154–155
defined, 10
Internet Protocol suite layers, 10f
single-page apps, 72
single quote character ('), 51–53
Slowloris attack, 165
smoke testing. See post-release testing
SMTP. See Simple Mail Transfer Protocol (SMTP)
Snowden, Edward, 129
social media
likejacking, 158
logout function, 90
ownership-based access control, 106
posting links to external URLs, 158
SameSite attribute settings for cookies, 99
security advisories, 135
third-party authentication, 84
software development kits (SDKs)
avoiding server-side request forgery attacks, 160
defined, 31
Software Development Life Cycle (SDLC)
code writing
branching and merging code, 38
pushing changes to repository, 37
source control, 37
defined, 36
design and analysis, 36
post-release testing and observation, 43–45
monitoring, 44
penetration testing, 44
pre-release testing
continuous integration servers, 39
coverage, 39
manual testing, 38
unit testing, 39
database migration scripts, 43
Infrastructure as a Service, 41
Platform as a Service, 41
source control (version control)
defined, 37
distributed vs. centralized, 37
pull requests, 38
Space Jam website, 24
spam email and filters, 105, 154, 160
spearphishing, 154
SPF (Sender Policy Framework), 155–156, 172
Splunk, 45
Spotify, 163
SQL. See Structured Query Language (SQL)
SQL injection attacks
defined, 50
mitigation options
object-relational mapping, 54–55
parameterized statements, 52–53
SSRF (server-side request forgery) attacks, 150, 154, 159–160
Stack Overflow, 138
staging environments. See test environments
Stanford University, 7
stateful connections, 13
static resources
content delivery networks, 26
content management systems, 26, 27f
defined, 24
status messages, 12
stored cross-site scripting attacks
content security policies, 69–70
escaping control characters, 67–69
Stripe, 138
Structured Query Language (SQL)
styling rules and information (in CSS)
build process, 43
defined, 16
subresource integrity checks, 134
symmetric encryption algorithms, 119
SYN floods, 164
system() function (in PHP), 58
T
TCP. See Transmission Control Protocol (TCP)
templates, xiv
dynamic resources, 28
stored cross-site scripting attacks, 68–69
test coverage, 39
test environments (staging, pre-production, or quality assurance environments)
close resemblance to production environment, 39–40
defined, 39
hardening, 138
scrubbed data for, 40
segregation production environment and, 40
testing
integration testing, 39
regression testing, 135
third-party authentication, 84
third-party code
securing configuration, 136–138
disabling default credentials, 137
disabling open directory listings, 137
hardening test environments, 138
protecting configuration information, 137–138
securing administrative frontends, 138
securing dependencies, 132–136, 171
deploying new versions quickly, 134
organizing dependencies, 132–134
staying alert to security issues, 135–136
timely upgrades, 136
protecting API keys, 139
securing third-party content, 140
securing webhooks, 139
third-party services risks, 140–143, 171
avoiding malware delivery, 141–142
malvertising, 141
reputable ad platforms, 142
reviewing and reporting suspicious ads, 143
tailoring ad preferences, 143
time-to-live (TTL) variable, 9
timing attacks, 91
TinyLetter, 156
TLS. See Transport Layer Security (TLS)
Tornado, 125
Tornado web server, 78
Torvalds, Linus, 37
TRACE requests (in HTTP), 11t
transactional behavior, 29
Transmission Control Protocol (TCP)
application layer protocols and, 9, 10f
checksums, 8
data packets, 8
denial-of-service attacks, 164
man-in-the-middle attacks, 118
origin of, 8
purpose of, 8
receipts, 8
rendering pipeline, 20
sequence numbers, 8
transpiling, 34
Transport Layer Security (TLS)
cipher suites, 121
HTTP Secure, 14
message authentication codes, 120
TTL (time-to-live) variable, 9
Tumblr, 84
U
UDP. See User Datagram Protocol
UglifyJS utility, 115
Unicorn, 125
unintentional denial-of-service attacks, 166
unit testing, 170
access control, 107
brittleness, 39
continuous integration servers, 39
defined, 39
test coverage, 39
universal resource locators (URLs)
clean, 114
open redirects, 157
relative vs. absolute, 157
URL-shortening services, 156
UPDATE statements (in SQL), 50–51, 55
URLs. See universal resource locators
User-Agent header (in HTTP requests), 10–11, 50
User Datagram Protocol (UDP), 8
denial-of-service attacks, 165
Internet Protocol suite layers, 10f
V
V8 JavaScript engine, 32
verbs (methods) in HTTP, 10–11
version control. See source control
version numbers, 133
vertical escalation, 104
violation reports, 70
VirtualBox, 3
virtual containers, 3
VPNFilter, 128
Vue.js, 72
W
web components specification, 141
webhooks, 139
webmasters, xiv
web page rendering
Acid3 test, 18
web programming languages
C#, 33
Node.js, 32
PHP, 32
Ruby on Rails, 31
web servers, xiv
defined, 23
directory traversal, 110
defined, 24
templates, 28
web programming languages, 31–34
installing certificates
application servers vs., 125–126
configuring web server to use HTTPS, 126
remote code execution attacks, 59–60
static resources
content delivery networks, 26
content management systems, 26, 27f
defined, 24
web shells
file upload vulnerability attacks, 60–61
privilege escalation, 104
where function (in ActiveRecord), 54
whitelists, 105
Wi-Fi hotspots, 128
wireless routers, 128
worms, 76
WWW-Authenticate header, 82
X
XML. See Extensible Markup Language (XML)
XML requests, 59
XML Schema Definition (XSD) files, 147
XMPP. See Extensible Messaging and Presence Protocol (XMPP)
XSRF attacks. See cross-site request forgery (XSRF) attacks
XSS attacks. See cross-site scripting (XSS) attacks
Y
Z
Zendesk, 26
zip bombs, 165