Web Application Defender's Cookbook: Battling Hackers and Protecting Users

Book Description

Defending your web applications against hackers and attackers

The top-selling book Web Application Hacker's Handbook showed how attackers and hackers identify and attack vulnerable live web applications. This new Web Application Defender's Cookbook is the perfect counterpoint to that book: it shows you how to defend. Authored by a highly credentialed defensive security expert, this new book details defensive security methods and can be used as courseware for training network security personnel, web server administrators, and security consultants.

Each "recipe" shows you a way to detect and defend against malicious behavior and provides working code examples for the ModSecurity web application firewall module. Topics include identifying vulnerabilities, setting hacker traps, defending different access points, enforcing application flows, and much more.

  • Provides practical tactics for detecting web attacks and malicious behavior and defending against them

  • Written by a preeminent authority on web application firewall technology and web application defense tactics

  • Offers a series of "recipes" that include working code examples for the open-source ModSecurity web application firewall module

Find the tools, techniques, and expert information you need to detect and respond to web application attacks with Web Application Defender's Cookbook: Battling Hackers and Protecting Users.

Table of Contents

  1. Cover
  2. Titlepage
  3. Foreword
  4. Introduction
  5. Part I: Preparing the Battle Space
    1. Chapter 1: Application Fortification
      1. Recipe 1-1: Real-time Application Profiling
      2. Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens
      3. Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS)
      4. Recipe 1-4: Integrating Intrusion Detection System Signatures
      5. Recipe 1-5: Using Bayesian Attack Payload Detection
      6. HTTP Audit Logging
      7. Recipe 1-6: Enable Full HTTP Audit Logging
      8. Recipe 1-7: Logging Only Relevant Transactions
      9. Recipe 1-8: Ignoring Requests for Static Content
      10. Recipe 1-9: Obscuring Sensitive Data in Logs
      11. Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog
      12. Recipe 1-11: Using the ModSecurity AuditConsole
    2. Chapter 2: Vulnerability Identification and Remediation
      1. Internally Developed Applications
      2. Externally Developed Applications
      3. Virtual Patching
      4. Recipe 2-1: Passive Vulnerability Identification
      5. Active Vulnerability Identification
      6. Recipe 2-2: Active Vulnerability Identification
      7. Manual Vulnerability Remediation
      8. Recipe 2-3: Manual Scan Result Conversion
      9. Recipe 2-4: Automated Scan Result Conversion
      10. Recipe 2-5: Real-time Resource Assessments and Virtual Patching
    3. Chapter 3: Poisoned Pawns (Hacker Traps)
      1. Honeytrap Concepts
      2. Recipe 3-1: Adding Honeypot Ports
      3. Recipe 3-2: Adding Fake robots.txt Disallow Entries
      4. Recipe 3-3: Adding Fake HTML Comments
      5. Recipe 3-4: Adding Fake Hidden Form Fields
      6. Recipe 3-5: Adding Fake Cookies
  6. Part II: Asymmetric Warfare
    1. Chapter 4: Reputation and Third-Party Correlation
      1. Suspicious Source Identification
      2. Recipe 4-1: Analyzing the Client's Geographic Location Data
      3. Recipe 4-2: Identifying Suspicious Open Proxy Usage
      4. Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL)
      5. Recipe 4-4: Running Your Own RBL
      6. Recipe 4-5: Detecting Malicious Links
    2. Chapter 5: Request Data Analysis
      1. Request Data Acquisition
      2. Recipe 5-1: Request Body Access
      3. Recipe 5-2: Identifying Malformed Request Bodies
      4. Recipe 5-3: Normalizing Unicode
      5. Recipe 5-4: Identifying Use of Multiple Encodings
      6. Recipe 5-5: Identifying Encoding Anomalies
      7. Input Validation Anomalies
      8. Recipe 5-6: Detecting Request Method Anomalies
      9. Recipe 5-7: Detecting Invalid URI Data
      10. Recipe 5-8: Detecting Request Header Anomalies
      11. Recipe 5-9: Detecting Additional Parameters
      12. Recipe 5-10: Detecting Missing Parameters
      13. Recipe 5-11: Detecting Duplicate Parameter Names
      14. Recipe 5-12: Detecting Parameter Payload Size Anomalies
      15. Recipe 5-13: Detecting Parameter Character Class Anomalies
    3. Chapter 6: Response Data Analysis
      1. Recipe 6-1: Detecting Response Header Anomalies
      2. Recipe 6-2: Detecting Response Header Information Leakages
      3. Recipe 6-3: Response Body Access
      4. Recipe 6-4: Detecting Page Title Changes
      5. Recipe 6-5: Detecting Page Size Deviations
      6. Recipe 6-6: Detecting Dynamic Content Changes
      7. Recipe 6-7: Detecting Source Code Leakages
      8. Recipe 6-8: Detecting Technical Data Leakages
      9. Recipe 6-9: Detecting Abnormal Response Time Intervals
      10. Recipe 6-10: Detecting Sensitive User Data Leakages
      11. Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts
    4. Chapter 7: Defending Authentication
      1. Recipe 7-1: Detecting Response Header Anomalies
      2. Recipe 7-2: Detecting the Submission of Multiple Usernames
      3. Recipe 7-3: Detecting Failed Authentication Attempts
      4. Recipe 7-4: Detecting a High Rate of Authentication Attempts
      5. Recipe 7-5: Normalizing Authentication Failure Details
      6. Recipe 7-6: Enforcing Password Complexity
      7. Recipe 7-7: Correlating Usernames with SessionIDs
    5. Chapter 8: Defending Session State
      1. Recipe 8-1: Detecting Invalid Cookies
      2. Recipe 8-2: Detecting Cookie Tampering
      3. Recipe 8-3: Enforcing Session Timeouts
      4. Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime
      5. Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions
    6. Chapter 9: Preventing Application Attacks
      1. Recipe 9-1: Blocking Non-ASCII Characters
      2. Recipe 9-2: Preventing Path-Traversal Attacks
      3. Recipe 9-3: Preventing Forceful Browsing Attacks
      4. Recipe 9-4: Preventing SQL Injection Attacks
      5. Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks
      6. Recipe 9-6: Preventing OS Commanding Attacks
      7. Recipe 9-7: Preventing HTTP Request Smuggling Attacks
      8. Recipe 9-8: Preventing HTTP Response Splitting Attacks
      9. Recipe 9-9: Preventing XML Attacks
    7. Chapter 10: Preventing Client Attacks
      1. Recipe 10-1: Implementing Content Security Policy (CSP)
      2. Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks
      3. Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks
      4. Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks
      5. Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks
    8. Chapter 11: Defending File Uploads
      1. Recipe 11-1: Detecting Large File Sizes
      2. Recipe 11-2: Detecting a Large Number of Files
      3. Recipe 11-3: Inspecting File Attachments for Malware
    9. Chapter 12: Enforcing Access Rate and Application Flows
      1. Recipe 12-1: Detecting High Application Access Rates
      2. Recipe 12-2: Detecting Request/Response Delay Attacks
      3. Recipe 12-3: Identifying Inter-Request Time Delay Anomalies
      4. Recipe 12-4: Identifying Request Flow Anomalies
      5. Recipe 12-5: Identifying a Significant Increase in Resource Usage
  7. Part III: Tactical Response
    1. Chapter 13: Passive Response Actions
      1. Recipe 13-1: Tracking Anomaly Scores
      2. Recipe 13-2: Trap and Trace Audit Logging
      3. Recipe 13-3: Issuing E-mail Alerts
      4. Recipe 13-4: Data Sharing with Request Header Tagging
    2. Chapter 14: Active Response Actions
      1. Recipe 14-1: Using Redirection to Error Pages
      2. Recipe 14-2: Dropping Connections
      3. Recipe 14-3: Blocking the Client Source Address
      4. Recipe 14-4: Restricting Geolocation Access Through Defense Condition (DefCon) Level Changes
      5. Recipe 14-5: Forcing Transaction Delays
      6. Recipe 14-6: Spoofing Successful Attacks
      7. Recipe 14-7: Proxying Traffic to Honeypots
      8. Recipe 14-8: Forcing an Application Logout
      9. Recipe 14-9: Temporarily Locking Account Access
    3. Chapter 15: Intrusive Response Actions
      1. Recipe 15-1: JavaScript Cookie Testing
      2. Recipe 15-2: Validating Users with CAPTCHA Testing
      3. Recipe 15-3: Hooking Malicious Clients with BeEF