
Ask HN: Best resources on webapp security? - zipfle
TLDR; What are your favorite resources for how to build a secure webapp?<p>I&#x27;ve been looking to learn how to secure web apps more systematically. Just thinngs that (should be) well-understood by now--logins, customer data security, how to take payments with or without storing credit card info (even if that&#x27;s just using a third-party processor). I&#x27;ve found the OWASP site, which seems poorly maintained and terribly organized, and a bunch of books that focus on how to pentest existing apps. The books that focus systematically on security, like Security Engineering, are extremely general and don&#x27;t explicitly cover the webapp use case.
======
jsingleton
OWASP is good especially the top 10:

[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

Troy Hunt has some good advice on his blog and a site for checking for issues:

[http://www.troyhunt.com/](http://www.troyhunt.com/)

[https://asafaweb.com/](https://asafaweb.com/)

~~~
dguido
OWASP is a massively disorganized, vendor-driven, volunteer (read: soapbox-as-
a-service) organization littered with half-completed, abandoned projects. That
said, there are a small few that are "ok".

I like using ASVS as a checklist when doing a webapp pentest:

[https://www.owasp.org/index.php/Category:OWASP_Application_S...](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)

The OWASP testing guide is an incredibly verbose walkthrough for finding most
types of web vulns:

[https://www.owasp.org/index.php/Category:OWASP_Testing_Proje...](https://www.owasp.org/index.php/Category:OWASP_Testing_Project)

Some of the cheat sheets are ok, but many are littered with incorrect and
incomplete info, so take them with a grain of salt:

[https://www.owasp.org/index.php/Cheat_Sheets](https://www.owasp.org/index.php/Cheat_Sheets)

All that said, I think that most (all?) professional web security testers use
Burp Suite and have a copy of The Web Application Hacker's Handbook (2nd) on
their desk. The book's authors wrote an on-demand assault course to help learn
the concepts in the book and it is pretty decent. About $200 and you'll get
most of the way through it. A few people I've known that went through it gave
it good reviews.

[http://mdsec.net/](http://mdsec.net/)

I think the second book most web security testers have on their desk is The
Tangled Web by Michal Zalewski (of afl-fuzz and ratproxy fame). If you have a
chance, reading the ratproxy source can be an informative way to learn how a
web scanner is built and about the vulns it can find:

[http://www.amazon.com/The-Tangled-Web-Securing-
Applications/...](http://www.amazon.com/The-Tangled-Web-Securing-
Applications/dp/1593273886/)

[https://code.google.com/p/ratproxy/](https://code.google.com/p/ratproxy/)

Finally, the last and probably best way to learn web security is to play in a
CTF. These are time-compressed challenges that last 24-72 hours where teams of
competitors hack purposefully vulnerable applications to score points. Here's
a calendar of upcoming competitions and a little guide I wrote about them:

[https://ctftime.org/calendar/](https://ctftime.org/calendar/)

[https://trailofbits.github.io/ctf/](https://trailofbits.github.io/ctf/)

EDIT: Ah, I realize I wrote this from the perspective of learning to break web
applications and included few development resources. While some of that
knowledge is generic (password storage, for instance), much of that knowledge
is framework-specific. For example, see the Rails security guide and brakeman:

[http://guides.rubyonrails.org/security.html](http://guides.rubyonrails.org/security.html)

[http://brakemanscanner.org/](http://brakemanscanner.org/)

~~~
wglb
With respect to the comment _Some of the cheat sheets are ok_ , the very best
of them is the XSS material contributed by rsnake.

------
tptacek
The Web App Hacker's Handbook is the gold standard for web security books.

The Tangled Web is a good primer on browser security, which is a deeper topic.

The OWASP Top 10 is worth knowing because it's a widely recognized metric, but
OWASP itself is not an especially great resource.

~~~
exceptione
The Web Application Hacker's Handbook does get quite some bad reviews though
on Amazon. The book seems to rely on the commercial offerings of the author,
like the Blurp software and online material for which he charges by the hour.

~~~
wglb
I think the reviews are off the mark, as you can go a substantial distance
with the free version of burp, and none of the material strictly depends on
burp--any intercepting proxy will do.

Similarly, the online stuff is totally optional, and none of the master WAHH
crafstmen I know have needed that in the slightest.

It is pretty clear in reading those reviews that a person can, with no
investment of time or effort, write bad reviews about anything.

It takes effort and energy to get the most out of WAHH, and you can do it
without spending an additional dime.

~~~
exceptione
Thanks for clearing that up!

------
hising
There is a good list in an answer on Stack Exchange about this, maybe you can
find something there -
[http://programmers.stackexchange.com/questions/46716/what-
te...](http://programmers.stackexchange.com/questions/46716/what-technical-
details-should-a-programmer-of-a-web-application-consider-before)

~~~
jeffreyrogers
This seems like the best answer here. Everyone else is coming at it from a
pentesting perspective, where this is actually has a developer perspective,
which is far more useful for someone actually building an application.

------
sarciszewski
We have a curated list here, which has all you want to know and then some:

[https://github.com/paragonie/awesome-
appsec](https://github.com/paragonie/awesome-appsec)

Our blog also have a bunch of posts about building secure web applications in
PHP:

[https://paragonie.com/blog/category/security-
engineering](https://paragonie.com/blog/category/security-engineering)

I hope either one helps.

------
shazow
It's easy to tunnel-vision into the security of your own code and forget that
everything you depend on must also be secure. This could span from your
framework's cookie signing to the version of OpenSSL you're using on the
server to the access controls of your VPS.

Unattended upgrades are a good start for your OS-managed dependencies, but
make sure to keep up with your app-managed dependencies. You could setup a
continuous-integration thing that runs your tests against the latest minor
versions of all of your dependencies and upgrades when deemed safe, though you
need excellent test coverage to get away with it.

Anyone know of great resources for managing your deployments and dependencies?
Something other than "here's how we use docker."

Related plug: There is [https://appcanary.com/](https://appcanary.com/) which
is a dependency vulnerability alerting service (disclaimer: I'm friends with
the founders, swell folks who genuinely care about improving the safety of
code everywhere). Many vulnerability databases are public, but keeping track
of things—especially across platforms and database providers—is really
painful.

------
elptacek
Skimmed the responses, and I don't think anyone has said this, so...

Write a web app. Find the least friendly, most bare bones server in whatever
your favorite language is (sinatra, flask, gin-gonic). Write as much of the
MVC stuff as you can yourself. You will unintentionally implement at least one
of the OWASP top 10 bugs. Maybe try to intentionally implement as many of them
as you can.

So far the most educational coding I've done is writing a web proxy and a web
router. Pentesting forced me to look at most parts of an HTTP request...
rewriting headers, implementing session stores and (trying to) handle SSL has
all been painfully educational.

~~~
captn3m0
This. For me, the "aha" moment of web security was when I completely
understood HTTP. Once you understand the protocol itself, and start realizing
things like "cookies are a hack, because they are just another header" and
"why do we need SNI".

The second most common issue I see is XSS vectors, and for that, you just have
to get down and learn about all the features (and edge cases) that
javascript/HTML5 has. For instance, things like not storing sensitive data in
localStorage.

~~~
elptacek
Or that some applications write their own cookie handlers (which are
injectable). Or that some frameworks don't handle the request header properly.
Or that you'll sometimes see custom headers that you can donk with.

Being clever at XSS/CSRF is what forced me to learn javascript in the first
place. Also worth writing your own instead of using existing stuff like
jquery.

------
neuroo
The top 10 is way too high level to be of any use, but the cheatsheets are
actually not bad:
[https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet](https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet)
(end of the page)

~~~
tim333
And if you don't read the cheatsheets there's something to be said for using a
framework that implements most of the stuff by default. For example web2py
tends to secure by default for the owasp stuff:
[http://www.web2py.com/book/default/chapter/01#Security](http://www.web2py.com/book/default/chapter/01#Security)

Personally I think I'm too dumb to implement all that stuff by hand without
screwing something up.

------
po
I think as a bare minimum, you should choose a web application that has a well
documented guide covering security and make sure you read it and understand
it. Django and rails both have well organized documentation around this topic.
Most of the attacks are relevant to any web app, but how you deal with it is
framework specific:

[https://docs.djangoproject.com/en/1.8/topics/security/](https://docs.djangoproject.com/en/1.8/topics/security/)

[http://guides.rubyonrails.org/security.html](http://guides.rubyonrails.org/security.html)

------
bsmartt
If you're using django, there's a chapter in the Two-scoops of django 1.6 book
that covers django security. Have you looked into framework specific
resources? If you're using one of the big ones, this may be the most practical
place to start.

Nikto, and other free web app vulnerability scanners can be good for both
learning and practical use in the real world (albeit not much more useful than
low-hanging fruit). [http://sectools.org/tag/web-
scanners/](http://sectools.org/tag/web-scanners/)

~~~
ronjouch
Also if you're using django, give django.nV (
[https://github.com/nVisium/django.nV](https://github.com/nVisium/django.nV) )
a try:

 _" a purposefully vulnerable Django application. comes with a series of
writeups for the vulnerabilities we've added to the code. Each tutorial comes
with a description of the vuln, a hint to where to find it, and then the exact
bug and how it could be remedied."_

 _" You can access these tutorials within the app at
[http://localhost:8000/taskManager/tutorials/](http://localhost:8000/taskManager/tutorials/),
or by clicking on the 'Tutorials' link in the top-right of the web
interface."_

------
kylequest
SANS is a good resource for training material about security. They have a
number of courses for "defenders" and "builders" including web security (e.g.,
DEV522: Defending Web Applications Security Essentials:
[https://www.sans.org/ondemand/course/defending-web-
applicati...](https://www.sans.org/ondemand/course/defending-web-applications-
security-essentials) ). It's not free though :-)

Check out the AppSec conference videos
([https://www.owasp.org/index.php/Category:OWASP_Video](https://www.owasp.org/index.php/Category:OWASP_Video)).
You can find useful talks for "defenders" and "builders" there. For example,
one of the first videos on their Vimeo channel
([https://vimeo.com/appsecusa](https://vimeo.com/appsecusa)) is a talk by
Douglas Crockford about securing JavaScript.

One of the biggest problems with the security information out there is that
it's mostly geared towards "breakers" (and to a lesser degree "defenders"),
but to change the state of security we need more (quality) information for
"builders", so they can build more secure apps...

By the way, if you are a web app builder and you care about security learn and
use CSP (Content Security Policy). CSP is one of the most effective ways to
deal with the XSS attacks. Here's a place to get started:
[https://developer.mozilla.org/en-
US/docs/Web/Security/CSP/In...](https://developer.mozilla.org/en-
US/docs/Web/Security/CSP/Introducing_Content_Security_Policy)

------
amenghra
The tangled web[1] / browser security handbook[2] are worth reading.

[1]
[https://www.nostarch.com/tangledweb.htm](https://www.nostarch.com/tangledweb.htm)

[2]
[https://code.google.com/p/browsersec/wiki/Main](https://code.google.com/p/browsersec/wiki/Main)

------
vezzy-fnord
_The Art of Software Security Assessment_ is a gold standard in infosec that
goes well beyond simply web applications, but it does cover those, as well.

Definitely read that to get a holistic image.

------
xpto123
I noticed the same, but then i found the Steve Gibson Security Now podcast
[https://www.grc.com/securitynow.htm](https://www.grc.com/securitynow.htm)

The episode archive has a whole course on security,with a focus on the web

~~~
snowpolar
At your own risks.

[http://attrition.org/errata/charlatan/steve_gibson/](http://attrition.org/errata/charlatan/steve_gibson/)

~~~
LocalPCGuy
I'd say 10 or so false claims over 10 years is not really that bad. I've
talked to security experts who enjoy the show. It is more for entertainment
and industry news, I think people who compile lists like the above linked are
trying way too hard and makes me wonder why they hate Gibson so much.

Would I hire him to do pentesting on my app? No.

Would I enjoy listening to him talk on a podcast about security related
topics. Sure, I do.

------
aikah
Webapp security is important, but server security is in my opinion the most
difficult thing to get right, ie how to configure a server properly in the era
of apps pushed directly on VPS , IAAS , containers and co . Any resources
about the matter appreciated.

------
technion
I feel a huge part of this is "culture".

If a junior developer logs an issue stating "I'm concerned that this function
could lead to SQL injection", what is the reaction?

In most companies I've seen, the answer is a senior developer saying either
"show me an exploit or accept that you're wrong". If the attitude was instead
to say "I disagree about exploitability, but the fact there's a question there
is a code smell regardless so send a PR", a lot of vulnerabilities would go
away.

------
michaelmior
[https://github.com/sbilly/awesome-
security](https://github.com/sbilly/awesome-security)

------
brokencup
I'm not a security expert at all, but I was wondering if Google Gruyere[0] was
a worthwhile resource/training exercise...

[0] [https://google-gruyere.appspot.com/](https://google-gruyere.appspot.com/)

------
elchief
[http://security.stackexchange.com/questions/tagged/web-
appli...](http://security.stackexchange.com/questions/tagged/web-
application?sort=votes)

------
minthd
Maybe, if you can allow it and you care enough for security , the best thing
is to use a framework designed for security like Scala lift.

That way, everything is built in.

~~~
talles
Don't forget that if you are aiming for security knowing what's going on under
the hood it's a must.

 _Knowledge_ comes before _tooling_ (IMO).

------
stefantalpalaru
The OWASP Development Guide 2.0.1 is from 2005, but it's still relevant:
[https://www.owasp.org/index.php/Projects/OWASP_Development_G...](https://www.owasp.org/index.php/Projects/OWASP_Development_Guide/Releases/Guide_2.0)

