• 1-800-526-8630U.S. (TOLL FREE)
  • 1-917-300-0470EAST COAST U.S.
  • +353-1-416-8900REST OF WORLD
Web Application Defender's Cookbook. Battling Hackers and Protecting Users - Product Image

Web Application Defender's Cookbook. Battling Hackers and Protecting Users

  • ID: 2246152
  • December 2012
  • 552 Pages
  • John Wiley and Sons Ltd

Defending your web applications against hackers and attackers

The top-selling book Web Application Hacker's Handbook showed how attackers and hackers identify and attack vulnerable live web applications. This new Web Application Defender's Cookbook is the perfect counterpoint to that book: it shows you how to defend. Authored by a highly credentialed defensive security expert, this new book details defensive security methods and can be used as courseware for training network security personnel, web server administrators, and security consultants.

Each "recipe" shows you a way to detect and defend against malicious behavior and provides working code examples for the ModSecurity web application firewall module. Topics include identifying vulnerabilities, setting hacker traps, defending different access points, enforcing application flows, and much more.

- Provides practical tactics for detecting web attacks and malicious behavior and defending against them
- Written by a preeminent authority on web application firewall technology and web application defense tactics 
- Offers a series of "recipes" that include working code examples for the open-source ModSecurity web application firewall module

Find the tools, techniques, and expert information you need to detect and respond to web application attacks with Web Application Defender's Cookbook: Battling Hackers and Protecting Users.

Foreword xix

Introduction xxiii

I Preparing the Battle Space 1

1 Application Fortification 7

Recipe 1-1: Real-time Application Profiling 7

Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens 15

Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS) 19

Recipe 1-4: Integrating Intrusion Detection System Signatures 33

Recipe 1-5: Using Bayesian Attack Payload Detection 38

Recipe 1-6: Enable Full HTTP Audit Logging 48

Recipe 1-7: Logging Only Relevant Transactions 52

Recipe 1-8: Ignoring Requests for Static Content 53

Recipe 1-9: Obscuring Sensitive Data in Logs 54

Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog 58

Recipe 1-11: Using the ModSecurity AuditConsole 60

2 Vulnerability Identification and Remediation 67

Recipe 2-1: Passive Vulnerability Identification 70

Recipe 2-2: Active Vulnerability Identification 79

Recipe 2-3: Manual Scan Result Conversion 88

Recipe 2-4: Automated Scan Result Conversion 92

Recipe 2-5: Real-time Resource Assessments and Virtual Patching 99

3 Poisoned Pawns (Hacker Traps) 115

Recipe 3-1: Adding Honeypot Ports 116

Recipe 3-2: Adding Fake robots.txt Disallow Entries 118

Recipe 3-3: Adding Fake HTML Comments 123

Recipe 3-4: Adding Fake Hidden Form Fields 128

Recipe 3-5: Adding Fake Cookies 131

II Asymmetric Warfare 137

4 Reputation and Third-Party Correlation 139

Recipe 4-1: Analyzing the Client’s Geographic Location Data 141

Recipe 4-2: Identifying Suspicious Open Proxy Usage?@147

Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL) 150

Recipe 4-4: Running Your Own RBL 157

Recipe 4-5: Detecting Malicious Links 160

5 Request Data Analysis 171

Recipe 5-1: Request Body Access 172

Recipe 5-2: Identifying Malformed Request Bodies 178

Recipe 5-3: Normalizing Unicode 182

Recipe 5-4: Identifying Use of Multiple Encodings 186

Recipe 5-5: Identifying Encoding Anomalies 189

Recipe 5-6: Detecting Request Method Anomalies 193

Recipe 5-7: Detecting Invalid URI Data 197

Recipe 5-8: Detecting Request Header Anomalies 200

Recipe 5-9: Detecting Additional Parameters 209

Recipe 5-10: Detecting Missing Parameters 212

Recipe 5-11: Detecting Duplicate Parameter Names 214

Recipe 5-12: Detecting Parameter Payload Size Anomalies 216

Recipe 5-13: Detecting Parameter Character Class Anomalies 219

6 Response Data Analysis 223

Recipe 6-1: Detecting Response Header Anomalies 224

Recipe 6-2: Detecting Response Header Information Leakages 234

Recipe 6-3: Response Body Access 238

Recipe 6-4: Detecting Page Title Changes 240

Recipe 6-5: Detecting Page Size Deviations 243

Recipe 6-6: Detecting Dynamic Content Changes 246

Recipe 6-7: Detecting Source Code Leakages 249

Recipe 6-8: Detecting Technical Data Leakages 253

Recipe 6-9: Detecting Abnormal Response Time Intervals 256

Recipe 6-10: Detecting Sensitive User Data Leakages 259

Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts 262

7 Defending Authentication 265

Recipe 7-1: Detecting the Submission of Common/Default Usernames 266

Recipe 7-2: Detecting the Submission of Multiple Usernames 269

Recipe 7-3: Detecting Failed Authentication Attempts 272

Recipe 7-4: Detecting a High Rate of Authentication Attempts 274

Recipe 7-5: Normalizing Authentication Failure Details 280

Recipe 7-6: Enforcing Password Complexity 283

Recipe 7-7: Correlating Usernames with SessionIDs 286

8 Defending Session State 291

Recipe 8-1: Detecting Invalid Cookies 291

Recipe 8-2: Detecting Cookie Tampering 297

Recipe 8-3: Enforcing Session Timeouts 302

Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime 307

Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions 314

9 Preventing Application Attacks 323

Recipe 9-1: Blocking Non-ASCII Characters 323

Recipe 9-2: Preventing Path-Traversal Attacks 327

Recipe 9-3: Preventing Forceful Browsing Attacks 330

Recipe 9-4: Preventing SQL Injection Attacks 332

Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks 336

Recipe 9-6: Preventing OS Commanding Attacks 340

Recipe 9-7: Preventing HTTP Request Smuggling Attacks 342

Recipe 9-8: Preventing HTTP Response Splitting Attacks 345

Recipe 9-9: Preventing XML Attacks 347

10 Preventing Client Attacks 353

Recipe 10-1: Implementing Content Security Policy (CSP) 353

Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks 362

Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks 371

Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks 377

Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks 381

11 Defending File Uploads 387

Recipe 11-1: Detecting Large File Sizes 387

Recipe 11-2: Detecting a Large Number of Files 389

Recipe 11-3: Inspecting File Attachments for Malware 390

12 Enforcing Access Rate and Application Flows 395

Recipe 12-1: Detecting High Application Access Rates 395

Recipe 12-2: Detecting Request/Response Delay Attacks 405

Recipe 12-3: Identifying Inter-Request Time Delay Anomalies 411

Recipe 12-4: Identifying Request Flow Anomalies 413

Recipe 12-5: Identifying a Significant Increase in Resource Usage 414

III Tactical Response 419

13 Passive Response Actions 421

Recipe 13-1: Tracking Anomaly Scores 421

Recipe 13-2: Trap and Trace Audit Logging 427

Recipe 13-3: Issuing E-mail Alerts 428

Recipe 13-4: Data Sharing with Request Header Tagging 436

14 Active Response Actions 441

Recipe 14-1: Using Redirection to Error Pages 442

Recipe 14-2: Dropping Connections 445

Recipe 14-3: Blocking the Client Source Address 447

Recipe 14-4: Restricting Geolocation Access Through Defense Condition

(DefCon) Level Changes 452

Recipe 14-5: Forcing Transaction Delays 455

Recipe 14-6: Spoofing Successful Attacks 462

Recipe 14-7: Proxying Traffic to Honeypots 468

Recipe 14-8: Forcing an Application Logout 471

Recipe 14-9: Temporarily Locking Account Access 476

15 Intrusive Response Actions 479

Recipe 15-1: JavaScript Cookie Testing 479

Recipe 15-2: Validating Users with CAPTCHA Testing 481

Recipe 15-3: Hooking Malicious Clients with BeEF 485

Index 495

RYAN BARNETT is a Lead Security Researcher in Trustwave's SpiderLabs Team, an advanced security team focused on penetration testing, incident response, and application security. He is the ModSecurity web application firewall project lead, a SANS Institute certified instructor, and a frequent speaker at industry conferences.

Note: Product cover images may vary from those shown

RELATED PRODUCTS

Our Clients

Our clients' logos