WingNews logo WingNews GitHub [2]
top | item 10027055

Ask HN: Best resources on webapp security?

165 points| zipfle | 10 years ago | reply

TLDR; What are your favorite resources for how to build a secure webapp?

I've been looking to learn how to secure web apps more systematically. Just thinngs that (should be) well-understood by now--logins, customer data security, how to take payments with or without storing credit card info (even if that's just using a third-party processor). I've found the OWASP site, which seems poorly maintained and terribly organized, and a bunch of books that focus on how to pentest existing apps. The books that focus systematically on security, like Security Engineering, are extremely general and don't explicitly cover the webapp use case.

42 comments

order
[+] jsingleton|10 years ago|reply
OWASP is good especially the top 10:

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

Troy Hunt has some good advice on his blog and a site for checking for issues:

http://www.troyhunt.com/

https://asafaweb.com/

[+] dguido|10 years ago|reply
OWASP is a massively disorganized, vendor-driven, volunteer (read: soapbox-as-a-service) organization littered with half-completed, abandoned projects. That said, there are a small few that are "ok".

I like using ASVS as a checklist when doing a webapp pentest:

https://www.owasp.org/index.php/Category:OWASP_Application_S...

The OWASP testing guide is an incredibly verbose walkthrough for finding most types of web vulns:

https://www.owasp.org/index.php/Category:OWASP_Testing_Proje...

Some of the cheat sheets are ok, but many are littered with incorrect and incomplete info, so take them with a grain of salt:

https://www.owasp.org/index.php/Cheat_Sheets

All that said, I think that most (all?) professional web security testers use Burp Suite and have a copy of The Web Application Hacker's Handbook (2nd) on their desk. The book's authors wrote an on-demand assault course to help learn the concepts in the book and it is pretty decent. About $200 and you'll get most of the way through it. A few people I've known that went through it gave it good reviews.

http://mdsec.net/

I think the second book most web security testers have on their desk is The Tangled Web by Michal Zalewski (of afl-fuzz and ratproxy fame). If you have a chance, reading the ratproxy source can be an informative way to learn how a web scanner is built and about the vulns it can find:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/...

https://code.google.com/p/ratproxy/

Finally, the last and probably best way to learn web security is to play in a CTF. These are time-compressed challenges that last 24-72 hours where teams of competitors hack purposefully vulnerable applications to score points. Here's a calendar of upcoming competitions and a little guide I wrote about them:

https://ctftime.org/calendar/

https://trailofbits.github.io/ctf/

EDIT: Ah, I realize I wrote this from the perspective of learning to break web applications and included few development resources. While some of that knowledge is generic (password storage, for instance), much of that knowledge is framework-specific. For example, see the Rails security guide and brakeman:

http://guides.rubyonrails.org/security.html

http://brakemanscanner.org/

[+] tptacek|10 years ago|reply
The Web App Hacker's Handbook is the gold standard for web security books.

The Tangled Web is a good primer on browser security, which is a deeper topic.

The OWASP Top 10 is worth knowing because it's a widely recognized metric, but OWASP itself is not an especially great resource.

[+] dsacco|10 years ago|reply
To add some color to this great suggestion - The Web Application Hacker's Handbook is a better resource for learning to break web applications than for learning to build them properly. It will teach you every about almost every vulnerability that can be classified and how to find it.

The Tangled Web is better for learning the underlying causes of various issues presented in the former book and for learning how to prevent them. It has excellent, practical checklists at the end of every chapter for anyone building an application.

[+] exceptione|10 years ago|reply
The Web Application Hacker's Handbook does get quite some bad reviews though on Amazon. The book seems to rely on the commercial offerings of the author, like the Blurp software and online material for which he charges by the hour.
[+] jradd|10 years ago|reply
In addition to Web App Hacker's Handbook, I would like to recommend "Gray Hat Hacking The Ethical Handbook" (3rd or 4th Ed.) Focuses on the attack and defense in equal light.
[+] hising|10 years ago|reply
There is a good list in an answer on Stack Exchange about this, maybe you can find something there - http://programmers.stackexchange.com/questions/46716/what-te...
[+] jeffreyrogers|10 years ago|reply
This seems like the best answer here. Everyone else is coming at it from a pentesting perspective, where this is actually has a developer perspective, which is far more useful for someone actually building an application.
[+] shazow|10 years ago|reply
It's easy to tunnel-vision into the security of your own code and forget that everything you depend on must also be secure. This could span from your framework's cookie signing to the version of OpenSSL you're using on the server to the access controls of your VPS.

Unattended upgrades are a good start for your OS-managed dependencies, but make sure to keep up with your app-managed dependencies. You could setup a continuous-integration thing that runs your tests against the latest minor versions of all of your dependencies and upgrades when deemed safe, though you need excellent test coverage to get away with it.

Anyone know of great resources for managing your deployments and dependencies? Something other than "here's how we use docker."

Related plug: There is https://appcanary.com/ which is a dependency vulnerability alerting service (disclaimer: I'm friends with the founders, swell folks who genuinely care about improving the safety of code everywhere). Many vulnerability databases are public, but keeping track of things—especially across platforms and database providers—is really painful.

[+] elptacek|10 years ago|reply
Skimmed the responses, and I don't think anyone has said this, so...

Write a web app. Find the least friendly, most bare bones server in whatever your favorite language is (sinatra, flask, gin-gonic). Write as much of the MVC stuff as you can yourself. You will unintentionally implement at least one of the OWASP top 10 bugs. Maybe try to intentionally implement as many of them as you can.

So far the most educational coding I've done is writing a web proxy and a web router. Pentesting forced me to look at most parts of an HTTP request... rewriting headers, implementing session stores and (trying to) handle SSL has all been painfully educational.

[+] captn3m0|10 years ago|reply
This. For me, the "aha" moment of web security was when I completely understood HTTP. Once you understand the protocol itself, and start realizing things like "cookies are a hack, because they are just another header" and "why do we need SNI".

The second most common issue I see is XSS vectors, and for that, you just have to get down and learn about all the features (and edge cases) that javascript/HTML5 has. For instance, things like not storing sensitive data in localStorage.

[+] neuroo|10 years ago|reply
The top 10 is way too high level to be of any use, but the cheatsheets are actually not bad: https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet (end of the page)
[+] tim333|10 years ago|reply
And if you don't read the cheatsheets there's something to be said for using a framework that implements most of the stuff by default. For example web2py tends to secure by default for the owasp stuff: http://www.web2py.com/book/default/chapter/01#Security

Personally I think I'm too dumb to implement all that stuff by hand without screwing something up.

[+] bsmartt|10 years ago|reply
If you're using django, there's a chapter in the Two-scoops of django 1.6 book that covers django security. Have you looked into framework specific resources? If you're using one of the big ones, this may be the most practical place to start.

Nikto, and other free web app vulnerability scanners can be good for both learning and practical use in the real world (albeit not much more useful than low-hanging fruit). http://sectools.org/tag/web-scanners/

[+] ronjouch|10 years ago|reply
Also if you're using django, give django.nV ( https://github.com/nVisium/django.nV ) a try:

"a purposefully vulnerable Django application. comes with a series of writeups for the vulnerabilities we've added to the code. Each tutorial comes with a description of the vuln, a hint to where to find it, and then the exact bug and how it could be remedied."

"You can access these tutorials within the app at http://localhost:8000/taskManager/tutorials/, or by clicking on the 'Tutorials' link in the top-right of the web interface."

[+] kylequest|10 years ago|reply
SANS is a good resource for training material about security. They have a number of courses for "defenders" and "builders" including web security (e.g., DEV522: Defending Web Applications Security Essentials: https://www.sans.org/ondemand/course/defending-web-applicati... ). It's not free though :-)

Check out the AppSec conference videos (https://www.owasp.org/index.php/Category:OWASP_Video). You can find useful talks for "defenders" and "builders" there. For example, one of the first videos on their Vimeo channel (https://vimeo.com/appsecusa) is a talk by Douglas Crockford about securing JavaScript.

One of the biggest problems with the security information out there is that it's mostly geared towards "breakers" (and to a lesser degree "defenders"), but to change the state of security we need more (quality) information for "builders", so they can build more secure apps...

By the way, if you are a web app builder and you care about security learn and use CSP (Content Security Policy). CSP is one of the most effective ways to deal with the XSS attacks. Here's a place to get started: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/In...

[+] vezzy-fnord|10 years ago|reply
The Art of Software Security Assessment is a gold standard in infosec that goes well beyond simply web applications, but it does cover those, as well.

Definitely read that to get a holistic image.

[+] aikah|10 years ago|reply
Webapp security is important, but server security is in my opinion the most difficult thing to get right, ie how to configure a server properly in the era of apps pushed directly on VPS , IAAS , containers and co . Any resources about the matter appreciated.
[+] technion|10 years ago|reply
I feel a huge part of this is "culture".

If a junior developer logs an issue stating "I'm concerned that this function could lead to SQL injection", what is the reaction?

In most companies I've seen, the answer is a senior developer saying either "show me an exploit or accept that you're wrong". If the attitude was instead to say "I disagree about exploitability, but the fact there's a question there is a code smell regardless so send a PR", a lot of vulnerabilities would go away.

[+] minthd|10 years ago|reply
Maybe, if you can allow it and you care enough for security , the best thing is to use a framework designed for security like Scala lift.

That way, everything is built in.

[+] talles|10 years ago|reply
Don't forget that if you are aiming for security knowing what's going on under the hood it's a must.

Knowledge comes before tooling (IMO).