Title: Web Application Security: Exploitation and Countermeasures for Modern Web Applications, 2nd Edition (Final) Author: Andrew Hoffman Publisher: O’Reilly Media, Inc. Year: 2024 Pages: 444 Language: English Format: pdf (true) Size: 14.2 MB
In the first edition of this critically acclaimed book, Andrew Hoffman defined the three pillars of application security: reconnaissance, offense, and defense. In this revised and updated second edition, he examines dozens of related topics, from the latest types of attacks and mitigations to threat modeling, the secure software development lifecycle (SSDL/SDLC), and more.
Hoffman, senior staff security engineer at Ripple, also provides information regarding exploits and mitigations for several additional web application technologies such as GraphQL, cloud-based deployments, content delivery networks (CDN) and server-side rendering (SSR). Following the curriculum from the first book, this second edition is split into three distinct pillars comprising three separate skill sets.
Pillar 1: Recon—Learn techniques for mapping and documenting web applications remotely, including procedures for working with web applications.
Pillar 2: Offense—Explore methods for attacking web applications using a number of highly effective exploits that have been proven by the best hackers in the world. These skills are valuable when used alongside the skills from Pillar 3.
Pillar 3: Defense—Build on skills acquired in the first two parts to construct effective and long-lived mitigations for each of the attacks described in Pillar 2.
Most modern web applications you will run into either make use of RESTful APIs or a REST-like API that serves JSON. It is becoming increasingly rare to encounter SOAP APIs and XML outside of specific enterprise apps that maintain such rigid design for legacy compatibility. Understanding the structure of REST APIs is important as you attempt to reverse engineer a web application’s API layer. Mastering the basic fundamentals of REST APIs will give you an advantage, as you will find that many APIs you wish to investigate follow REST architecture—but additionally, many tools you may wish to use or integrate your workflow with will be exposed via REST APIs.
Because modern web applications require a lot of client/server communication (for the downstream exchange of data and upstream requests in the form of HTTP verbs), it is not feasible to send data in ad hoc formats. The in-transit format of the data must be standardized. JSON is one potential solution to this problem. JSON is an open standard (not proprietary) file format that meets a number of interesting requirements:
• It is very lightweight (reduces network bandwidth).
• It requires very little parsing (reduces server/client hardware load).
• It is easily human readable.
• It is hierarchical (can represent complex relationships between data).
• JSON objects are represented very similarly to JavaScript objects, making consumption of JSON and building new JSON objects quite easy in the browser.
All major browsers today support the parsing of JSON natively (and fast!), which, in addition to the preceding bullet points, makes JSON a great format for transmitting data between a stateless server and a web browser.
JavaScript is a dynamic programming language that was originally designed for use in internet browsers. JavaScript is not only a programming language but also the sole programming language for client-side scripting in web browsers. JavaScript is now used in many applications, from mobile to the internet of things, or IoT. Many code examples throughout this book are written in JavaScript. When possible, the backend code examples are written using a JavaScript syntax as well so that no time is wasted in context switching. I’ll try to keep the JavaScript as clean and simple as possible, but I may use some constructs that JavaScript supports that are not as popular (or well known) in other languages. JavaScript is a unique language as development is tied to the growth of the browser and its partner, the Document Object Model (DOM).