现代Web应用安全攻防：霍夫曼的深度解析（2024年英文版）

59 浏览量更新于2024-06-17 收藏 14.16MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"Web应用程序安全：现代Web应用程序的利用和对策（2024年，英文版）" 在《Web应用程序安全：现代Web应用程序的利用和对策》第二版中，作者安德鲁·霍夫曼深入探讨了现代Web应用程序的安全挑战。这本书是针对IT安全专业人士、开发人员以及对网络安全感兴趣的个人的一份宝贵资源。霍夫曼，作为Ripple的高级安全工程师，以其丰富的经验，详细阐述了如何应对不断演变的网络安全威胁。本书分为三个核心支柱：侦察、攻击和防御，每个支柱都涵盖了不同的技能集。 1. 侦察：这一部分旨在教会读者如何远程映射和记录Web应用程序，揭示其工作原理。这包括学习使用各种工具和技术来发现潜在的安全弱点，例如漏洞扫描、指纹识别和Web应用程序渗透测试的基本技巧。 2. 攻击：这部分详述了各种高效的Web应用攻击方法，这些方法已被世界顶级黑客实践证明有效。它涵盖了许多常见的安全漏洞，如SQL注入、跨站脚本（XSS）、跨站请求伪造（CSRF）等，并解释了如何利用这些漏洞进行攻击。 3. 防御：在前两个支柱的基础上，霍夫曼探讨了如何构建有效的长期缓解策略来抵御第二支柱中提到的各种攻击。这涉及到安全编码实践、安全软件开发生命周期（SSDL/SDLC）的集成，以及如何实施零信任架构来提高整体安全性。书中还涉及了其他新兴技术的漏洞利用和缓解，如GraphQL的应用安全、云环境中的安全部署、内容交付网络(CDN)的保护以及服务器端渲染(SSR)的安全考虑。此外，霍夫曼讨论了威胁建模的重要性，这是一种用于预测和预防攻击的策略，以及如何将其融入开发过程。通过实例和实战案例，霍夫曼的书不仅为技术背景的读者提供了深度的技术细节，同时也确保非技术背景的读者能够理解并应用其中的概念。无论你是负责保护Web应用程序的企业安全团队成员，还是致力于开发更安全产品的开发者，这本书都将提供宝贵的指导和见解。这本书对于那些希望提升自己在Web应用程序安全领域的专业水平的人来说，无疑是一本不可或缺的参考书。通过阅读，读者将能够更好地理解和应对当前及未来的网络安全威胁，从而为他们的组织提供更强的安全保障。

资源详情

资源推荐

33. Defending Data and Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Defending Against Mass Assignment 359

Validation and Allowlisting 360

Data Transfer Objects 360

Defending Against IDOR 360

Defending Against Serialization Attacks 361

Summary 361

34. Defense Against Client-Side Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Defending Against Prototype Pollution 363

Key Sanitization 364

Prototype Freezing 365

Null Prototypes 365

Defending Against Clickjacking 366

Frame Ancestors 366

Framebusting 367

Defending Against Tabnabbing 368

Cross-Origin-Opener Policy 368

Link Blockers 368

Isolation Policies 369

Summary 370

35.

Securing Third-Party Dependencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Evaluating Dependency Trees 371

Modeling a Dependency Tree 372

Dependency Trees in the Real World 373

Automated Evaluation 373

Secure Integration Techniques 373

Separation of Concerns 374

Secure Package Management 374

Summary 375

36.

Mitigating Business Logic Vulnerabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Architecture-Level Mitigations 377

Statistical Modeling 379

Modeling Inputs 379

Modeling Actions 380

Model Development 380

Model Analysis 381

Summary 382

xiv | Table of Contents

Prerequisite Knowledge and Learning Goals

This is a book that will not only aid you in learning how to defend your web applica‐

tion against hackers, but will also walk you through the steps hackers take in order to

investigate and break into a web application.

Throughout this book we will discuss many techniques that hackers are using today

to break into web applications hosted by corporations, governments, and occasionally

even hobbyists. Following sufficient investigation into the previously mentioned tech‐

niques, we begin a discussion on how to secure web applications against these

hackers.

In doing so you will discover brand-new ways of thinking about application architec‐

ture. You will also learn how to integrate security best practices into an engineering

organization. Finally, we will evaluate a number of techniques for defending against

the most common and dangerous types of attacks that occur against web applications

today.

After completing Web Application Security, you will have the required knowledge to

perform recon techniques against applications you do not have code-level access to.

You will also be able to identify threat vectors and vulnerabilities in web applications

and craft payloads designed to compromise application data, interrupt execution

flow, or interfere with the intended function of a web application.

With these skills in hand, and the knowledge gained from the final section on secur‐

ing web applications, you will be able to identify risky areas of a web application’s

codebase and understand how to write code to defend against attacks that would

otherwise leave your application and its users at risk.

The content in this book ramps up progressively, so if you choose

to skip ahead and find you are missing essential prerequisite infor‐

mation, just go back a few chapters to catch up. Any topics that are

not defined as a prerequisite in this preface should not be presen‐

ted in the book without prior explanation.

Why Are Examples in JavaScript?

The majority of code samples in this book are written in JavaScript, which is atypical

for software security–related books. You may wonder why I chose this when planning

the book.

All good security engineers must understand JavaScript because it is the only pro‐

gramming language that can be run on the client inside of a web browser at this point

in time. Therefore, I decided it would be better to present most of the server-side

examples in JavaScript, given the client-side examples have to be in JavaScript.

xviii | Preface

剩余443页未读，继续阅读

辰火流光

粉丝: 936
资源: 10

现代Web应用安全攻防：霍夫曼的深度解析（2024年英文版）

现代Web应用安全指南

Web应用安全的发展和未来.pdf

Web应用安全：Web应用现状.pptx

web应用程序安全技术研究国内外动态

云计算应用程序和web应用程序

web应用程序是什么

将MATLAB程序转换为Web应用程序

Web 应用程序如何与应用程序池相关联

delphi开发web应用程序

Java应用程序和web应用程序的区别

web应用程序的安全防范措施有哪些

嵌入式 web应用 程序

asp.net搭建web应用基础

java web应用程序

Web应用程序和普通应用程序的区别是什么

web应用程序开发优势

web应用程序测试_Web应用程序的功能测试

Web应用程序进行渗透测试的共同目标

web之困-现代web应用安全指南下载

什么是web应用程序

最新资源

嵌入式 web应用程序