“Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together.” This quote is from the back cover of “The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski (Book’s website, Amazon) and I think that the quote pretty well summarizes the content of the book.
The book goes through the different pieces of the web application stack, describing the basics of each piece and the various peculiarities related to them, quirks in different browsers, etc. Zalewski does a pretty good job covering these, although a couple of times I would gladly have read a more concrete example of how a certain vulnerability could be exposed.
The book is recommended reading for a 101 (and a bit more) on the internals of the Web and web applications and their security aspects.
Some links related to the topic:
- Browser Security Handbook – In a way, this project precedes The Tangled Web book
- HTML5 Security Cheat sheet – Good resource on potential (HTML5 related) attack vectors.
- See also https://github.com/cure53/H5SC
- The Open Web Application Security Project – Organization focused on improving the security of software
- OWASP Top 10 – Collection of the most critical web application security flaws
- XSS Prevention Cheat Sheet
- XSS Filter Evasion Cheat Sheet
- …
- There are also some deliberately insecure applications created for teaching web application security:
  - WebGoat Project (deliberately insecure Java EE application)
  - HacmeBank (.NET application)
  - Mutillidae
- Kali Linux – advertising itself as “the most advanced and versatile penetration testing distribution ever created”
Books to deepen the understanding of (web application) security could include the following:
- Browser Hacker’s Handbook
- Penetration testing by Georgia Weidman
- Hacking, 2nd Edition by Jon Erickson (somewhat old, published 2008)
- The Art of Deception by Kevin Mitnick (human elements related to (computer) security)
If somebody happens to read this and has link/book recommendations, please share!