Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Best resources on webapp security?
165 points by zipfle on Aug 8, 2015 | hide | past | favorite | 42 comments
TLDR; What are your favorite resources for how to build a secure webapp?

I've been looking to learn how to secure web apps more systematically. Just thinngs that (should be) well-understood by now--logins, customer data security, how to take payments with or without storing credit card info (even if that's just using a third-party processor). I've found the OWASP site, which seems poorly maintained and terribly organized, and a bunch of books that focus on how to pentest existing apps. The books that focus systematically on security, like Security Engineering, are extremely general and don't explicitly cover the webapp use case.

OWASP is good especially the top 10:


Troy Hunt has some good advice on his blog and a site for checking for issues:



OWASP is a massively disorganized, vendor-driven, volunteer (read: soapbox-as-a-service) organization littered with half-completed, abandoned projects. That said, there are a small few that are "ok".

I like using ASVS as a checklist when doing a webapp pentest:


The OWASP testing guide is an incredibly verbose walkthrough for finding most types of web vulns:


Some of the cheat sheets are ok, but many are littered with incorrect and incomplete info, so take them with a grain of salt:


All that said, I think that most (all?) professional web security testers use Burp Suite and have a copy of The Web Application Hacker's Handbook (2nd) on their desk. The book's authors wrote an on-demand assault course to help learn the concepts in the book and it is pretty decent. About $200 and you'll get most of the way through it. A few people I've known that went through it gave it good reviews.


I think the second book most web security testers have on their desk is The Tangled Web by Michal Zalewski (of afl-fuzz and ratproxy fame). If you have a chance, reading the ratproxy source can be an informative way to learn how a web scanner is built and about the vulns it can find:



Finally, the last and probably best way to learn web security is to play in a CTF. These are time-compressed challenges that last 24-72 hours where teams of competitors hack purposefully vulnerable applications to score points. Here's a calendar of upcoming competitions and a little guide I wrote about them:



EDIT: Ah, I realize I wrote this from the perspective of learning to break web applications and included few development resources. While some of that knowledge is generic (password storage, for instance), much of that knowledge is framework-specific. For example, see the Rails security guide and brakeman:



With respect to the comment Some of the cheat sheets are ok, the very best of them is the XSS material contributed by rsnake.

The Web App Hacker's Handbook is the gold standard for web security books.

The Tangled Web is a good primer on browser security, which is a deeper topic.

The OWASP Top 10 is worth knowing because it's a widely recognized metric, but OWASP itself is not an especially great resource.

To add some color to this great suggestion - The Web Application Hacker's Handbook is a better resource for learning to break web applications than for learning to build them properly. It will teach you every about almost every vulnerability that can be classified and how to find it.

The Tangled Web is better for learning the underlying causes of various issues presented in the former book and for learning how to prevent them. It has excellent, practical checklists at the end of every chapter for anyone building an application.

Understanding how to hack something is (arguably the most) important knowledge for a securing that something. If you don't know how it can break, how can you fix it?

If you don't know that something can break, it's hard to get it right. But I have many colleagues who've never exploited a buffer overflow, but who still do a fine job of counting their bytes. High code quality and coding patterns that reduce mistakes are really important; knowing a little about exploitation is useful to judge impact and to design anti-exploit defenses, but don't overestimate the impact - defenders' time is often better spent elsewhere. (Of course, hacking is sexy.)

(I write high-security software. )

He doesn't disagree with you; he's a professional pentester.

The Web Application Hacker's Handbook does get quite some bad reviews though on Amazon. The book seems to rely on the commercial offerings of the author, like the Blurp software and online material for which he charges by the hour.

Ignore those reviews. In reality, Burp is to web application security what Photoshop is to graphic design. There are alternatives, and people do use them, but if they do it's because they already know how to do the job.

Burp is the industry standard. It's also a criminally underrated dev tool. If you're getting paid to build web applications, you should own a license.

I think the reviews are off the mark, as you can go a substantial distance with the free version of burp, and none of the material strictly depends on burp--any intercepting proxy will do.

Similarly, the online stuff is totally optional, and none of the master WAHH crafstmen I know have needed that in the slightest.

It is pretty clear in reading those reviews that a person can, with no investment of time or effort, write bad reviews about anything.

It takes effort and energy to get the most out of WAHH, and you can do it without spending an additional dime.

Thanks for clearing that up!

The online material is a virtual lab where you can test out the things you learn in the book by breaking actual web applications. Technical books on niche subjects rarely leave the authors rolling in money, so it would be pretty silly to expect the labs to be free.

If you are too cheap to spend $7 an hour, you can set up a vulnerable VM and accomplish the same thing for free.

We told Matasano candidates to do this, and how to do it and what to run, and it seemed to work pretty well for people.

In addition to Web App Hacker's Handbook, I would like to recommend "Gray Hat Hacking The Ethical Handbook" (3rd or 4th Ed.) Focuses on the attack and defense in equal light.

There is a good list in an answer on Stack Exchange about this, maybe you can find something there - http://programmers.stackexchange.com/questions/46716/what-te...

This seems like the best answer here. Everyone else is coming at it from a pentesting perspective, where this is actually has a developer perspective, which is far more useful for someone actually building an application.

We have a curated list here, which has all you want to know and then some:


Our blog also have a bunch of posts about building secure web applications in PHP:


I hope either one helps.

It's easy to tunnel-vision into the security of your own code and forget that everything you depend on must also be secure. This could span from your framework's cookie signing to the version of OpenSSL you're using on the server to the access controls of your VPS.

Unattended upgrades are a good start for your OS-managed dependencies, but make sure to keep up with your app-managed dependencies. You could setup a continuous-integration thing that runs your tests against the latest minor versions of all of your dependencies and upgrades when deemed safe, though you need excellent test coverage to get away with it.

Anyone know of great resources for managing your deployments and dependencies? Something other than "here's how we use docker."

Related plug: There is https://appcanary.com/ which is a dependency vulnerability alerting service (disclaimer: I'm friends with the founders, swell folks who genuinely care about improving the safety of code everywhere). Many vulnerability databases are public, but keeping track of things—especially across platforms and database providers—is really painful.

Skimmed the responses, and I don't think anyone has said this, so...

Write a web app. Find the least friendly, most bare bones server in whatever your favorite language is (sinatra, flask, gin-gonic). Write as much of the MVC stuff as you can yourself. You will unintentionally implement at least one of the OWASP top 10 bugs. Maybe try to intentionally implement as many of them as you can.

So far the most educational coding I've done is writing a web proxy and a web router. Pentesting forced me to look at most parts of an HTTP request... rewriting headers, implementing session stores and (trying to) handle SSL has all been painfully educational.

This. For me, the "aha" moment of web security was when I completely understood HTTP. Once you understand the protocol itself, and start realizing things like "cookies are a hack, because they are just another header" and "why do we need SNI".

The second most common issue I see is XSS vectors, and for that, you just have to get down and learn about all the features (and edge cases) that javascript/HTML5 has. For instance, things like not storing sensitive data in localStorage.

Or that some applications write their own cookie handlers (which are injectable). Or that some frameworks don't handle the request header properly. Or that you'll sometimes see custom headers that you can donk with.

Being clever at XSS/CSRF is what forced me to learn javascript in the first place. Also worth writing your own instead of using existing stuff like jquery.

The top 10 is way too high level to be of any use, but the cheatsheets are actually not bad: https://www.owasp.org/index.php/XSS_Prevention_Cheatsheet (end of the page)

And if you don't read the cheatsheets there's something to be said for using a framework that implements most of the stuff by default. For example web2py tends to secure by default for the owasp stuff: http://www.web2py.com/book/default/chapter/01#Security

Personally I think I'm too dumb to implement all that stuff by hand without screwing something up.

I think as a bare minimum, you should choose a web application that has a well documented guide covering security and make sure you read it and understand it. Django and rails both have well organized documentation around this topic. Most of the attacks are relevant to any web app, but how you deal with it is framework specific:



If you're using django, there's a chapter in the Two-scoops of django 1.6 book that covers django security. Have you looked into framework specific resources? If you're using one of the big ones, this may be the most practical place to start.

Nikto, and other free web app vulnerability scanners can be good for both learning and practical use in the real world (albeit not much more useful than low-hanging fruit). http://sectools.org/tag/web-scanners/

Also if you're using django, give django.nV ( https://github.com/nVisium/django.nV ) a try:

"a purposefully vulnerable Django application. comes with a series of writeups for the vulnerabilities we've added to the code. Each tutorial comes with a description of the vuln, a hint to where to find it, and then the exact bug and how it could be remedied."

"You can access these tutorials within the app at http://localhost:8000/taskManager/tutorials/, or by clicking on the 'Tutorials' link in the top-right of the web interface."

SANS is a good resource for training material about security. They have a number of courses for "defenders" and "builders" including web security (e.g., DEV522: Defending Web Applications Security Essentials: https://www.sans.org/ondemand/course/defending-web-applicati... ). It's not free though :-)

Check out the AppSec conference videos (https://www.owasp.org/index.php/Category:OWASP_Video). You can find useful talks for "defenders" and "builders" there. For example, one of the first videos on their Vimeo channel (https://vimeo.com/appsecusa) is a talk by Douglas Crockford about securing JavaScript.

One of the biggest problems with the security information out there is that it's mostly geared towards "breakers" (and to a lesser degree "defenders"), but to change the state of security we need more (quality) information for "builders", so they can build more secure apps...

By the way, if you are a web app builder and you care about security learn and use CSP (Content Security Policy). CSP is one of the most effective ways to deal with the XSS attacks. Here's a place to get started: https://developer.mozilla.org/en-US/docs/Web/Security/CSP/In...

The tangled web[1] / browser security handbook[2] are worth reading.

[1] https://www.nostarch.com/tangledweb.htm

[2] https://code.google.com/p/browsersec/wiki/Main

The Art of Software Security Assessment is a gold standard in infosec that goes well beyond simply web applications, but it does cover those, as well.

Definitely read that to get a holistic image.

I noticed the same, but then i found the Steve Gibson Security Now podcast https://www.grc.com/securitynow.htm

The episode archive has a whole course on security,with a focus on the web

I'd say 10 or so false claims over 10 years is not really that bad. I've talked to security experts who enjoy the show. It is more for entertainment and industry news, I think people who compile lists like the above linked are trying way too hard and makes me wonder why they hate Gibson so much.

Would I hire him to do pentesting on my app? No.

Would I enjoy listening to him talk on a podcast about security related topics. Sure, I do.

I would skip the Steve Gibson stuff altogether.

Webapp security is important, but server security is in my opinion the most difficult thing to get right, ie how to configure a server properly in the era of apps pushed directly on VPS , IAAS , containers and co . Any resources about the matter appreciated.

I feel a huge part of this is "culture".

If a junior developer logs an issue stating "I'm concerned that this function could lead to SQL injection", what is the reaction?

In most companies I've seen, the answer is a senior developer saying either "show me an exploit or accept that you're wrong". If the attitude was instead to say "I disagree about exploitability, but the fact there's a question there is a code smell regardless so send a PR", a lot of vulnerabilities would go away.

I'm not a security expert at all, but I was wondering if Google Gruyere[0] was a worthwhile resource/training exercise...

[0] https://google-gruyere.appspot.com/

Maybe, if you can allow it and you care enough for security , the best thing is to use a framework designed for security like Scala lift.

That way, everything is built in.

Don't forget that if you are aiming for security knowing what's going on under the hood it's a must.

Knowledge comes before tooling (IMO).

The OWASP Development Guide 2.0.1 is from 2005, but it's still relevant: https://www.owasp.org/index.php/Projects/OWASP_Development_G...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact