WEB SECURITY FOR DEVELOPERS
Real Threats, Practical Defense
by Malcolm McDonald
San Francisco
WEB SECURITY FOR DEVELOPERS. Copyright 2020 by Malcolm McDonald.
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN-10: 1-59327-994-9
ISBN-13: 978-1-5932-7994-3
Publisher: William Pollock
Executive Editor: Barbara Yien
Production Manager: Laurel Chun
Production Editors: Katrina Taylor and Meg Sneeringer
Cover Illustration: Gina Redman
Interior Design: Octopod Studios
Project Editor: Dapinder Dosanjh
Developmental Editor: Athabasca Witschi
Technical Reviewer: Cliff Janzen
Copyeditor: Sharon Wilkey
Compositor: Danielle Foster
Proofreader: James Fraleigh
Indexer: BIM Creatives, LLC
For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900;
www.nostarch.com
Library of Congress Cataloging-in-Publication Data
Names: McDonald, Malcolm, author.
Title: Web security for developers / Malcolm McDonald.
Description: San Francisco : No Starch Press, Inc., [2020] | Includes index.
Identifiers: LCCN 2020006695 (print) | LCCN 2020006696 (ebook) | ISBN 9781593279943 (paperback) | ISBN 1593279949 (paperback) | ISBN 9781593279950 (ebook)
Subjects: LCSH: Hacking. | Computer networks--Security measures.
Classification: LCC TK5105.59 .M4833 2020 (print) | LCC TK5105.59 (ebook) | DDC 005.8/7--dc23
LC record available at https://lccn.loc.gov/2020006695
LC ebook record available at https://lccn.loc.gov/2020006696
No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
To my wife Monica, who put up with being ignored on weekends while I wrote this book, and my cat Haggis, who contributed content by walking over my keyboard periodically
About the Author
Malcolm McDonald is the creator of hacksplaining.com, one of the most popular security training resources for web development on the internet. He has spent two decades writing code for financial firms and start-ups, and drew on his experience as a team lead to produce straightforward, easy-to-grasp tutorials about security vulnerabilities and how to protect against them. He lives in Oakland, CA with his wife and cat.
About the Technical Reviewer
Since the early days of Commodore PET and VIC-20, technology has been a constant companion (and sometimes an obsession!) to Cliff Janzen. Cliff is grateful to have had the opportunity to work with and learn from some of the best people in the industry, including Malcolm and the fine people at No Starch. Cliff spends a majority of the work day managing and mentoring a great team of security professionals, but strives to stay technically relevant by tackling everything from security policy reviews to penetration testing. He feels lucky to have a career that is also his favorite hobby and a wife who supports him.
BRIEF CONTENTS
CONTENTS IN DETAIL
1 LET'S HACK A WEBSITE
2 HOW THE INTERNET WORKS
3 HOW BROWSERS WORK
4 HOW WEB SERVERS WORK
5 HOW PROGRAMMERS WORK
6 INJECTION ATTACKS
7 CROSS-SITE SCRIPTING ATTACKS
8 CROSS-SITE REQUEST FORGERY ATTACKS
9 COMPROMISING AUTHENTICATION
10 SESSION HIJACKING
11 PERMISSIONS
12 INFORMATION LEAKS
13 ENCRYPTION
14 THIRD-PARTY CODE
15 XML ATTACKS
16 DON'T BE AN ACCESSORY
17 DENIAL-OF-SERVICE ATTACKS
18 SUMMING UP
ACKNOWLEDGMENTS
I would like to thank all the folks at No Starch Press who massaged my words into some sort of readable form: Katrina, Laurel, Barbara, Dapinder, Meg, Liz, Matthew, Annie, Jan, Tyler, and Bill. Thanks to my colleagues Dmitri, Adrian, Dan, JJ, Pallavi, Mariam, Rachel, Meredith, Zo, and Charlotte for constantly asking "is it done yet?" Thanks to Hilary for proofreading the first chapter! Thanks to Robert Abela at NetSparker for setting up the website sponsorship. I'm grateful to all those who pointed out typos on the website, you are the real heroes: Vinney, Jeremy, Cornel, Johannes, Devui, Connor, Ronans, Heath, Trung, Derek, Stuart, Tim, Jason, Scott, Daniel, Lanhowe, Bojan, Cody, Pravin, Gaurang, Adrik, Roman, Markus, Tommy, Daria, David, T, Alli, Cry0genic, Omar, Zeb, Sergey, Evans, and Marc. Thanks to my Mum and Dad for finally recognizing that, yes, I have a real job now that I have written a book, and I don't just "do stuff with computers." And thanks to my brothers Scott and Ali, who are sadly not published authors, despite all their fancy PhDs and such. Finally, one last thanks to my wife Monica, who has been extraordinarily patient and supportive throughout the writing of the book. And thanks to Haggis for mostly staying away from the keyboard and only occasionally puking on the couch.
INTRODUCTION
The web is a wild place. It's easy to get the impression that the internet was designed very deliberately by experts and that everything works as it does for a good reason. In fact, the evolution of the internet has been rapid and haphazard, and the things we do on the network today go well beyond what the original inventors imagined.
As a result, securing your website can seem like a daunting proposition. Websites are a unique type of software that is available to millions of users immediately upon release, including an active and motivated community of hackers. Big companies routinely suffer security failures, and new data breaches are announced every week. How is a lone web developer supposed to protect themselves in the face of this?
About This Book
The big secret of web security is that the number of web vulnerabilities is actually rather small (coincidentally, about the right size to fit in a single book), and these vulnerabilities don't change much from year to year. This book will teach you