Defending your web applications against hackers and attackers
The top-selling book Web Application Hacker’s Handbook showed how attackers and hackers identify and attack vulnerable live web applications. This new Web Application Defender’s Cookbook is the perfect counterpoint to that book: it shows you how to defend. Authored by a highly credentialed defensive security expert, this new book details defensive security methods and can be used as courseware for training network security personnel, web server administrators, and security consultants.
Each ‘recipe’ shows you a way to detect and defend against malicious behavior and provides working code examples for the ModSecurity web application firewall module. Topics include identifying vulnerabilities, setting hacker traps, defending different access points, enforcing application flows, and much more.
- Provides practical tactics for detecting web attacks and malicious behavior and defending against them
- Written by a preeminent authority on web application firewall technology and web application defense tactics
- Offers a series of ‘recipes’ that include working code examples for the open-source ModSecurity web application firewall module
Find the tools, techniques, and expert information you need to detect and respond to web application attacks with Web Application Defender’s Cookbook: Battling Hackers and Protecting Users.
Table of Contents
Foreword xix
Introduction xxiii
I Preparing the Battle Space 1
1 Application Fortification 7
Recipe 1-1: Real-time Application Profiling 7
Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens 15
Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS) 19
Recipe 1-4: Integrating Intrusion Detection System Signatures 33
Recipe 1-5: Using Bayesian Attack Payload Detection 38
Recipe 1-6: Enable Full HTTP Audit Logging 48
Recipe 1-7: Logging Only Relevant Transactions 52
Recipe 1-8: Ignoring Requests for Static Content 53
Recipe 1-9: Obscuring Sensitive Data in Logs 54
Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog 58
Recipe 1-11: Using the ModSecurity Audit Console 60
2 Vulnerability Identification and Remediation 67
Recipe 2-1: Passive Vulnerability Identification 70
Recipe 2-2: Active Vulnerability Identification 79
Recipe 2-3: Manual Scan Result Conversion 88
Recipe 2-4: Automated Scan Result Conversion 92
Recipe 2-5: Real-time Resource Assessments and Virtual Patching 99
3 Poisoned Pawns (Hacker Traps) 115
Recipe 3-1: Adding Honeypot Ports 116
Recipe 3-2: Adding Fake robots.txt Disallow Entries 118
Recipe 3-3: Adding Fake HTML Comments 123
Recipe 3-4: Adding Fake Hidden Form Fields 128
Recipe 3-5: Adding Fake Cookies 131
II Asymmetric Warfare 137
4 Reputation and Third-Party Correlation 139
Recipe 4-1: Analyzing the Client’s Geographic Location Data 141
Recipe 4-2: Identifying Suspicious Open Proxy Usage 147
Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL) 150
Recipe 4-4: Running Your Own RBL 157
Recipe 4-5: Detecting Malicious Links 160
5 Request Data Analysis 171
Recipe 5-1: Request Body Access 172
Recipe 5-2: Identifying Malformed Request Bodies 178
Recipe 5-3: Normalizing Unicode 182
Recipe 5-4: Identifying Use of Multiple Encodings 186
Recipe 5-5: Identifying Encoding Anomalies 189
Recipe 5-6: Detecting Request Method Anomalies 193
Recipe 5-7: Detecting Invalid URI Data 197
Recipe 5-8: Detecting Request Header Anomalies 200
Recipe 5-9: Detecting Additional Parameters 209
Recipe 5-10: Detecting Missing Parameters 212
Recipe 5-11: Detecting Duplicate Parameter Names 214
Recipe 5-12: Detecting Parameter Payload Size Anomalies 216
Recipe 5-13: Detecting Parameter Character Class Anomalies 219
6 Response Data Analysis 223
Recipe 6-1: Detecting Response Header Anomalies 224
Recipe 6-2: Detecting Response Header Information Leakages 234
Recipe 6-3: Response Body Access 238
Recipe 6-4: Detecting Page Title Changes 240
Recipe 6-5: Detecting Page Size Deviations 243
Recipe 6-6: Detecting Dynamic Content Changes 246
Recipe 6-7: Detecting Source Code Leakages 249
Recipe 6-8: Detecting Technical Data Leakages 253
Recipe 6-9: Detecting Abnormal Response Time Intervals 256
Recipe 6-10: Detecting Sensitive User Data Leakages 259
Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts 262
7 Defending Authentication 265
Recipe 7-1: Detecting the Submission of Common/Default Usernames 266
Recipe 7-2: Detecting the Submission of Multiple Usernames 269
Recipe 7-3: Detecting Failed Authentication Attempts 272
Recipe 7-4: Detecting a High Rate of Authentication Attempts 274
Recipe 7-5: Normalizing Authentication Failure Details 280
Recipe 7-6: Enforcing Password Complexity 283
Recipe 7-7: Correlating Usernames with Session IDs 286
8 Defending Session State 291
Recipe 8-1: Detecting Invalid Cookies 291
Recipe 8-2: Detecting Cookie Tampering 297
Recipe 8-3: Enforcing Session Timeouts 302
Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime 307
Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions 314
9 Preventing Application Attacks 323
Recipe 9-1: Blocking Non-ASCII Characters 323
Recipe 9-2: Preventing Path-Traversal Attacks 327
Recipe 9-3: Preventing Forceful Browsing Attacks 330
Recipe 9-4: Preventing SQL Injection Attacks 332
Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks 336
Recipe 9-6: Preventing OS Commanding Attacks 340
Recipe 9-7: Preventing HTTP Request Smuggling Attacks 342
Recipe 9-8: Preventing HTTP Response Splitting Attacks 345
Recipe 9-9: Preventing XML Attacks 347
10 Preventing Client Attacks 353
Recipe 10-1: Implementing Content Security Policy (CSP) 353
Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks 362
Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks 371
Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks 377
Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks 381
11 Defending File Uploads 387
Recipe 11-1: Detecting Large File Sizes 387
Recipe 11-2: Detecting a Large Number of Files 389
Recipe 11-3: Inspecting File Attachments for Malware 390
12 Enforcing Access Rate and Application Flows 395
Recipe 12-1: Detecting High Application Access Rates 395
Recipe 12-2: Detecting Request/Response Delay Attacks 405
Recipe 12-3: Identifying Inter-Request Time Delay Anomalies 411
Recipe 12-4: Identifying Request Flow Anomalies 413
Recipe 12-5: Identifying a Significant Increase in Resource Usage 414
III Tactical Response 419
13 Passive Response Actions 421
Recipe 13-1: Tracking Anomaly Scores 421
Recipe 13-2: Trap and Trace Audit Logging 427
Recipe 13-3: Issuing E-mail Alerts 428
Recipe 13-4: Data Sharing with Request Header Tagging 436
14 Active Response Actions 441
Recipe 14-1: Using Redirection to Error Pages 442
Recipe 14-2: Dropping Connections 445
Recipe 14-3: Blocking the Client Source Address 447
Recipe 14-4: Restricting Geolocation Access Through Defense Condition (Def Con) Level Changes 452
Recipe 14-5: Forcing Transaction Delays 455
Recipe 14-6: Spoofing Successful Attacks 462
Recipe 14-7: Proxying Traffic to Honeypots 468
Recipe 14-8: Forcing an Application Logout 471
Recipe 14-9: Temporarily Locking Account Access 476
15 Intrusive Response Actions 479
Recipe 15-1: JavaScript Cookie Testing 479
Recipe 15-2: Validating Users with CAPTCHA Testing 481
Recipe 15-3: Hooking Malicious Clients with BeEF 485
Index 495
About the Author
RYAN BARNETT is a Lead Security Researcher in Trustwave’s SpiderLabs team, an advanced security team focused on penetration testing, incident response, and application security. He is the ModSecurity web application firewall project lead, a SANS Institute certified instructor, and a frequent speaker at industry conferences.