Defending your web applications against hackers and attackers The top-selling book Web Application Hacker's Handbook showed how attackers and hackers identify and attack vulnerable live web applications. This new Web Application Defender's Cookbook is the perfect counterpoint to that book: it shows you how to defend. Authored by a highly credentialed defensive security expert, this new book details defensive security methods and can be used as courseware for training network security personnel, web server administrators, and security consultants. Each "recipe" shows you a way to detect and defend against malicious behavior and provides working code examples for the ModSecurity web application firewall module. Topics include identifying vulnerabilities, setting hacker traps, defending different access points, enforcing application flows, and much more. Provides practical tactics for detecting web attacks and malicious behavior and defending against them Written by a preeminent authority on web application firewall technology and web application defense tactics  Offers a series of "recipes" that include working code examples for the open-source ModSecurity web application firewall module Find the tools, techniques, and expert information you need to detect and respond to web application attacks with Web Application Defender's Cookbook: Battling Hackers and Protecting Users.

Table of Contents:
Foreword xix Introduction xxiii I Preparing the Battle Space 1 1 Application Fortification 7 Recipe 1-1: Real-time Application Profiling 7 Recipe 1-2: Preventing Data Manipulation with Cryptographic Hash Tokens 15 Recipe 1-3: Installing the OWASP ModSecurity Core Rule Set (CRS) 19 Recipe 1-4: Integrating Intrusion Detection System Signatures 33 Recipe 1-5: Using Bayesian Attack Payload Detection 38 Recipe 1-6: Enable Full HTTP Audit Logging 48 Recipe 1-7: Logging Only Relevant Transactions 52 Recipe 1-8: Ignoring Requests for Static Content 53 Recipe 1-9: Obscuring Sensitive Data in Logs 54 Recipe 1-10: Sending Alerts to a Central Log Host Using Syslog 58 Recipe 1-11: Using the ModSecurity AuditConsole 60 2 Vulnerability Identification and Remediation 67 Recipe 2-1: Passive Vulnerability Identification 70 Recipe 2-2: Active Vulnerability Identification 79 Recipe 2-3: Manual Scan Result Conversion 88 Recipe 2-4: Automated Scan Result Conversion 92 Recipe 2-5: Real-time Resource Assessments and Virtual Patching 99 3 Poisoned Pawns (Hacker Traps) 115 Recipe 3-1: Adding Honeypot Ports 116 Recipe 3-2: Adding Fake robots txt Disallow Entries 118 Recipe 3-3: Adding Fake HTML Comments 123 Recipe 3-4: Adding Fake Hidden Form Fields 128 Recipe 3-5: Adding Fake Cookies 131 II Asymmetric Warfare 137 4 Reputation and Third-Party Correlation 139 Recipe 4-1: Analyzing the Client’s Geographic Location Data 141 Recipe 4-2: Identifying Suspicious Open Proxy Usage 147 Recipe 4-3: Utilizing Real-time Blacklist Lookups (RBL) 150 Recipe 4-4: Running Your Own RBL 157 Recipe 4-5: Detecting Malicious Links 160 5 Request Data Analysis 171 Recipe 5-1: Request Body Access 172 Recipe 5-2: Identifying Malformed Request Bodies 178 Recipe 5-3: Normalizing Unicode 182 Recipe 5-4: Identifying Use of Multiple Encodings 186 Recipe 5-5: Identifying Encoding Anomalies 189 Recipe 5-6: Detecting Request Method Anomalies 193 Recipe 5-7: Detecting Invalid URI Data 197 Recipe 5-8: Detecting Request Header Anomalies 200 Recipe 5-9: Detecting Additional Parameters 209 Recipe 5-10: Detecting Missing Parameters 212 Recipe 5-11: Detecting Duplicate Parameter Names 214 Recipe 5-12: Detecting Parameter Payload Size Anomalies 216 Recipe 5-13: Detecting Parameter Character Class Anomalies 219 6 Response Data Analysis 223 Recipe 6-1: Detecting Response Header Anomalies 224 Recipe 6-2: Detecting Response Header Information Leakages 234 Recipe 6-3: Response Body Access 238 Recipe 6-4: Detecting Page Title Changes 240 Recipe 6-5: Detecting Page Size Deviations 243 Recipe 6-6: Detecting Dynamic Content Changes 246 Recipe 6-7: Detecting Source Code Leakages 249 Recipe 6-8: Detecting Technical Data Leakages 253 Recipe 6-9: Detecting Abnormal Response Time Intervals 256 Recipe 6-10: Detecting Sensitive User Data Leakages 259 Recipe 6-11: Detecting Trojan, Backdoor, and Webshell Access Attempts 262 7 Defending Authentication 265 Recipe 7-1: Detecting the Submission of Common/Default Usernames 266 Recipe 7-2: Detecting the Submission of Multiple Usernames 269 Recipe 7-3: Detecting Failed Authentication Attempts 272 Recipe 7-4: Detecting a High Rate of Authentication Attempts 274 Recipe 7-5: Normalizing Authentication Failure Details 280 Recipe 7-6: Enforcing Password Complexity 283 Recipe 7-7: Correlating Usernames with SessionIDs 286 8 Defending Session State 291 Recipe 8-1: Detecting Invalid Cookies 291 Recipe 8-2: Detecting Cookie Tampering 297 Recipe 8-3: Enforcing Session Timeouts 302 Recipe 8-4: Detecting Client Source Location Changes During Session Lifetime 307 Recipe 8-5: Detecting Browser Fingerprint Changes During Sessions 314 9 Preventing Application Attacks 323 Recipe 9-1: Blocking Non-ASCII Characters 323 Recipe 9-2: Preventing Path-Traversal Attacks 327 Recipe 9-3: Preventing Forceful Browsing Attacks 330 Recipe 9-4: Preventing SQL Injection Attacks 332 Recipe 9-5: Preventing Remote File Inclusion (RFI) Attacks 336 Recipe 9-6: Preventing OS Commanding Attacks 340 Recipe 9-7: Preventing HTTP Request Smuggling Attacks 342 Recipe 9-8: Preventing HTTP Response Splitting Attacks 345 Recipe 9-9: Preventing XML Attacks 347 10 Preventing Client Attacks 353 Recipe 10-1: Implementing Content Security Policy (CSP) 353 Recipe 10-2: Preventing Cross-Site Scripting (XSS) Attacks 362 Recipe 10-3: Preventing Cross-Site Request Forgery (CSRF) Attacks 371 Recipe 10-4: Preventing UI Redressing (Clickjacking) Attacks 377 Recipe 10-5: Detecting Banking Trojan (Man-in-the-Browser) Attacks 381 11 Defending File Uploads 387 Recipe 11-1: Detecting Large File Sizes 387 Recipe 11-2: Detecting a Large Number of Files 389 Recipe 11-3: Inspecting File Attachments for Malware 390 12 Enforcing Access Rate and Application Flows 395 Recipe 12-1: Detecting High Application Access Rates 395 Recipe 12-2: Detecting Request/Response Delay Attacks 405 Recipe 12-3: Identifying Inter-Request Time Delay Anomalies 411 Recipe 12-4: Identifying Request Flow Anomalies 413 Recipe 12-5: Identifying a Significant Increase in Resource Usage 414 III Tactical Response 419 13 Passive Response Actions 421 Recipe 13-1: Tracking Anomaly Scores 421 Recipe 13-2: Trap and Trace Audit Logging 427 Recipe 13-3: Issuing E‐mail Alerts 428 Recipe 13-4: Data Sharing with Request Header Tagging 436 14 Active Response Actions 441 Recipe 14-1: Using Redirection to Error Pages 442 Recipe 14-2: Dropping Connections 445 Recipe 14-3: Blocking the Client Source Address 447 Recipe 14-4: Restricting Geolocation Access Through Defense Condition (DefCon) Level Changes 452 Recipe 14-5: Forcing Transaction Delays 455 Recipe 14-6: Spoofing Successful Attacks 462 Recipe 14-7: Proxying Traffic to Honeypots 468 Recipe 14-8: Forcing an Application Logout 471 Recipe 14-9: Temporarily Locking Account Access 476 15 Intrusive Response Actions 479 Recipe 15-1: JavaScript Cookie Testing 479 Recipe 15-2: Validating Users with CAPTCHA Testing 481 Recipe 15-3: Hooking Malicious Clients with BeEF 485 Index 495