Skip to content
FREE SHIPPING ON ALL DOMESTIC ORDERS $35+
FREE SHIPPING ON ALL US ORDERS $35+
Web Security for Developers: Real Threats, Practical Defense - Paperback | Diverse Reads

Web Security for Developers: Real Threats, Practical Defense

Availability:
Only 1 left!
Save 13% Save 13%
$29.95
$29.95 - $29.95
$29.95
$25.99
$25.99 - $25.99
$25.99
Website security made easy. This book covers the most common ways websites get hacked and how web developers can defend themselves.

The world has changed. Today, every time you make a site live, you're opening it up to attack.

A first-time developer can easily be discouraged by the difficulties involved with properly securing a website. But have hope: an army of security researchers is out there discovering, documenting, and fixing security flaws. Thankfully, the tools you'll need to secure your site are freely available and generally easy to use.

Web Security for Developers will teach you how your websites are vulnerable to attack and how to protect them. Each chapter breaks down a major security vulnerability and explores a real-world attack, coupled with plenty of code to show you both the vulnerability and the fix.

You'll learn how to:
  • Protect against SQL injection attacks, malicious JavaScript, and cross-site request forgery
  • Add authentication and shape access control to protect accounts
  • Lock down user accounts to prevent attacks that rely on guessing passwords, stealing sessions,
  • or escalating privileges
  • Implement encryption
  • Manage vulnerabilities in legacy code
  • Prevent information leaks that disclose vulnerabilities
  • Mitigate advanced attacks like malvertising and denial-of-service

    • As you get stronger at identifying and fixing vulnerabilities, you'll learn to deploy disciplined, secure code and become a better programmer along the way.

    ISBN-13: 9781593279943

    Media Type: Paperback

    Publisher: No Starch Press

    Publication Date: 06-19-2020

    Pages: 216

    Product Dimensions: 7.00(w) x 9.10(h) x 0.70(d)

    Malcolm McDonald has been programming for over 20 years. McDonald is the creator of www.hacksplaining.com, an online training program for web developers.

    Table of Contents

    Acknowledgments xvii

    Introduction xix

    About This Book xx

    Who Should Read This Book xx

    A Brief History of the Internet xx

    Scripting in the Browser xxi

    A New Challenger Enters the Arena xxi

    Machines for Writing HTML xxii

    A Series of Tubes xxii

    What to Worry About First xxiii

    What's in This Book xxiii

    1 Let's Hack a Website 1

    Software Exploits and the Dark Web 1

    How to Hack a Website 3

    Part I The Basics 5

    2 How the Internet Works 7

    The Internet Protocol Suite 7

    Internet Protocol Addresses 8

    The Domain Name System 9

    Application Layer Protocols 9

    HyperText Transfer Protocol 10

    Stateful Connections 13

    Encryption 14

    Summary 14

    3 How Browsers Work 15

    Web Page Rendering 15

    The Rendering Pipeline: An Overview 16

    The Document Object Model 17

    Styling Information 17

    JavaScript 18

    Before and After Rendering: Everything Else the Browser Does 20

    Summary 20

    4 How Web Servers Work 23

    Static and Dynamic Resources 24

    Static Resources 24

    URL Resolution 24

    Content Delivery Networks 26

    Content Management Systems 26

    Dynamic Resources 27

    Templates 28

    Databases 28

    Distributed Caches 30

    Web Programming Languages 31

    Summary 34

    5 How Programmers Work 35

    Phase 1 Design and Analysis 36

    Phase 2 Writing Code 37

    Distributed vs. Centralized Version Control 37

    Branching and Merging Code 38

    Phase 3 Pre-Release Testing 38

    Coverage and Continuous Integration 39

    Test Environments 39

    Phase 4 The Release Process 40

    Options for Standardized Deployment During Releases 41

    The Build Process 42

    Database Migration Scripts 43

    Phase 5 Post-Release Testing and Observation 43

    Penetration Testing 44

    Monitoring, Logging, and Error Reporting 44

    Dependency Management 45

    Summary 45

    Part II The Threats 47

    6 Injection Attacks 49

    SQL Injection 50

    What Is SQL? 50

    Anatomy of a SQL Injection Attack 51

    Mitigation 1 Use Parameterized Statements 52

    Mitigation 2 Use Object-Relational Mapping 54

    Bonus Mitigation: Use Defense in Depth 55

    Command Injection 56

    Anatomy of a Command Injection Attack 56

    Mitigation: Escape Control Characters 57

    Remote Code Execution 59

    Anatomy of a Remote Code Execution Attack 59

    Mitigation: Disable Code Execution During Deserialization 59

    File Upload Vulnerabilities 60

    Anatomy of a File Upload Attack 60

    Mitigations 61

    Summary 63

    7 Cross-Site Scripting Attacks 65

    Stored Cross-Site Scripting Attacks 66

    Mitigation 1 Escape HTML Characters 67

    Mitigation 2 Implement a Content Security Policy 69

    Reflected Cross-Site Scripting Attacks 70

    Mitigation: Escape Dynamic Content from HTTP Requests 71

    DOM-Based Cross-Site Scripting Attacks 71

    Mitigation: Escaping Dynamic Content from URI Fragments 73

    Summary 73

    8 Cross-Site Request Forgery Attacks 75

    Anatomy of a CSRF Attack 76

    Mitigation 1 Follow REST Principles 76

    Mitigation 2 Implement Anti-CSRF Cookies 77

    Mitigation 3 Use the SameSite Cookie Attribute 78

    Bonus Mitigation: Require Reauthentication for Sensitive Actions 79

    Summary 79

    9 Compromising Authentication 81

    Implementing Authentication 82

    HTTP-Native Authentication 82

    Non-Native Authentication 83

    Brute-Force Attacks 83

    Mitigation 1 Use Third-Party Authentication 84

    Mitigation 2 Integrate with Single Sign-On 84

    Mitigation 3 Secure Your Own Authentication System 85

    Requiring Usernames, Email Address, or Both 85

    Requiring Complex Passwords 87

    Securely Storing Passwords 88

    Requiring Multifactor Authentication 89

    Implementing and Securing the Logout Function 90

    Preventing User Enumeration 91

    Summary 92

    10 Session Hijacking 93

    How Sessions Work 94

    Server-Side Sessions 94

    Client-Side Sessions 96

    How Attackers Hijack Sessions 97

    Cookie Theft 97

    Session Fixation 99

    Taking Advantage of Weak Session IDs 100

    Summary 100

    11 Permissions 103

    Privilege Escalation 104

    Access Control 104

    Designing an Authorization Model 105

    Implementing Access Control 106

    Testing Access Control 107

    Adding Audit Trails 107

    Avoiding Common Oversights 108

    Directory Traversal 108

    Filepaths and Relative Filepaths 108

    Anatomy of a Directory Traversal Attack 109

    Mitigation 1 Trust Your Web Server 110

    Mitigation 2 Use a Hosting Service 110

    Mitigation 3 Use Indirect File References 111

    Mitigation 4 Sanitize File References 111

    Summary 112

    12 Information Leaks 113

    Mitigation 1 Disable Telltale Server Headers 114

    Mitigation 2 Use Clean URLs 114

    Mitigation 3 Use Generic Cookie Parameters 114

    Mitigation 4 Disable Client-Side Error Reporting 115

    Mitigation 5 Minify or Obfuscate Your JavaScript Files 115

    Mitigation 6 Sanitize Your Client-Side Files 116

    Stay on Top of Security Advisories 116

    Summary 116

    13 Encryption 117

    Encryption in the Internet Protocol 118

    Encryption Algorithms, Hashing, and Message Authentication Codes 118

    The TLS Handshake 120

    Enabling HTTPS 122

    Digital Certificates 122

    Obtaining a Digital Certificate 123

    Installing a Digital Certificate 125

    Attacking HTTP (and HTTPS) 127

    Wireless Routers 128

    Wi-Fi Hotspots 128

    Internet Service Providers 128

    Government Agencies 129

    Summary 129

    14 Third-Party Code 131

    Securing Dependencies 132

    Know What Code You Are Running 132

    Be Able to Deploy New Versions Quickly 134

    Stay Alert to Security Issues 135

    Know When to Upgrade 136

    Securing Configuration 136

    Disable Default Credentials 137

    Disable Open Directory Listings 137

    Protect Your Configuration Information 137

    Harden Test Environments 138

    Secure Administrative Frontends 138

    Securing the Services That You Use 138

    Protect Your API Keys 139

    Secure Your Webhooks 139

    Secure Content Served by Third Parties 140

    Services as an Attack Vector 140

    Be Wary of Malvertising 141

    Avoid Malware Delivery 141

    Use a Reputable Ad Platform 142

    Use SafeFrame 142

    Tailor Your Ad Preferences 143

    Review and Report Suspicious Ads 143

    Summary 143

    15 XML Attacks 145

    The Uses of XML 146

    Validating XML 147

    Document Type Definitions 147

    XML Bombs 148

    XML External Entity Attacks 149

    How Hackers Exploit External Entities 150

    Securing Your XML Parser 150

    Python 151

    Ruby 151

    Node.js 151

    Java 151

    .NET 151

    Other Considerations 152

    Summary 152

    16 Don't be an Accessory 153

    Email Fraud 154

    Implement the Sender Policy Framework 155

    Implement DomainKeys Identified Mail 155

    Securing Your Email: Practical Steps 156

    Disguising Malicious Links in Email 156

    Open Redirects 157

    Preventing Open Redirects 157

    Other Considerations 158

    Clickjacking 158

    Preventing Ciickjacking 158

    Server-Side Request Forgery 159

    Protecting Against Server-Side Forgery 160

    Botnets 160

    Protecting Against Malware Infection 160

    Summary 161

    17 Denial-of-Service Attacks 163

    Denial-of-Service Attack Types 164

    Internet Control Message Protocol Attacks 164

    Transmission Control Protocol Attacks 164

    Application Layer Attacks 165

    Reflected and Amplified Attacks 165

    Distributed Denial-of-Service Attacks 165

    Unintentional Denial-of-Service Attacks 166

    Denial-of-Service Attack Mitigation 166

    Firewalls and Intrusion Prevention Systems 166

    Distributed Denial-of-Service Protection Services 167

    Building for Scale 167

    Summary 168

    18 Summing Up 169

    Index 173