Table of Contents

Foreword  xix
Introduction  xxiii

Part I  Preparing the Battle Space  1

  Chapter 1  Application Fortification  7
    Recipe 1-1   Real-time Application Profiling  7
    Recipe 1-2   Preventing Data Manipulation with Cryptographic Hash Tokens  15
    Recipe 1-3   Installing the OWASP ModSecurity Core Rule Set (CRS)  19
    Recipe 1-4   Integrating Intrusion Detection System Signatures  33
    Recipe 1-5   Using Bayesian Attack Payload Detection  38
    Recipe 1-6   Enable Full HTTP Audit Logging  48
    Recipe 1-7   Logging Only Relevant Transactions  52
    Recipe 1-8   Ignoring Requests for Static Content  53
    Recipe 1-9   Obscuring Sensitive Data in Logs  54
    Recipe 1-10  Sending Alerts to a Central Log Host Using Syslog  58
    Recipe 1-11  Using the ModSecurity AuditConsole  60

  Chapter 2  Vulnerability Identification and Remediation  67
    Recipe 2-1   Passive Vulnerability Identification  70
    Recipe 2-2   Active Vulnerability Identification  79
    Recipe 2-3   Manual Scan Result Conversion  88
    Recipe 2-4   Automated Scan Result Conversion  92
    Recipe 2-5   Real-time Resource Assessments and Virtual Patching  99

  Chapter 3  Poisoned Pawns (Hacker Traps)  115
    Recipe 3-1   Adding Honeypot Ports  116
    Recipe 3-2   Adding Fake robots.txt Disallow Entries  118
    Recipe 3-3   Adding Fake HTML Comments  123
    Recipe 3-4   Adding Fake Hidden Form Fields  128
    Recipe 3-5   Adding Fake Cookies  131

Part II  Asymmetric Warfare  137

  Chapter 4  Reputation and Third-Party Correlation  139
    Recipe 4-1   Analyzing the Client's Geographic Location Data  141
    Recipe 4-2   Identifying Suspicious Open Proxy Usage  147
    Recipe 4-3   Utilizing Real-time Blacklist Lookups (RBL)  150
    Recipe 4-4   Running Your Own RBL  157
    Recipe 4-5   Detecting Malicious Links  160

  Chapter 5  Request Data Analysis  171
    Recipe 5-1   Request Body Access  172
    Recipe 5-2   Identifying Malformed Request Bodies  178
    Recipe 5-3   Normalizing Unicode  182
    Recipe 5-4   Identifying Use of Multiple Encodings  186
    Recipe 5-5   Identifying Encoding Anomalies  189
    Recipe 5-6   Detecting Request Method Anomalies  193
    Recipe 5-7   Detecting Invalid URI Data  197
    Recipe 5-8   Detecting Request Header Anomalies  200
    Recipe 5-9   Detecting Additional Parameters  209
    Recipe 5-10  Detecting Missing Parameters  212
    Recipe 5-11  Detecting Duplicate Parameter Names  214
    Recipe 5-12  Detecting Parameter Payload Size Anomalies  216
    Recipe 5-13  Detecting Parameter Character Class Anomalies  219

  Chapter 6  Response Data Analysis  223
    Recipe 6-1   Detecting Response Header Anomalies  224
    Recipe 6-2   Detecting Response Header Information Leakages  234
    Recipe 6-3   Response Body Access  238
    Recipe 6-4   Detecting Page Title Changes  240
    Recipe 6-5   Detecting Page Size Deviations  243
    Recipe 6-6   Detecting Dynamic Content Changes  246
    Recipe 6-7   Detecting Source Code Leakages  249
    Recipe 6-8   Detecting Technical Data Leakages  253
    Recipe 6-9   Detecting Abnormal Response Time Intervals  256
    Recipe 6-10  Detecting Sensitive User Data Leakages  259
    Recipe 6-11  Detecting Trojan, Backdoor, and Webshell Access Attempts  262

  Chapter 7  Defending Authentication  265
    Recipe 7-1   Detecting the Submission of Common/Default Usernames  266
    Recipe 7-2   Detecting the Submission of Multiple Usernames  269
    Recipe 7-3   Detecting Failed Authentication Attempts  272
    Recipe 7-4   Detecting a High Rate of Authentication Attempts  274
    Recipe 7-5   Normalizing Authentication Failure Details  280
    Recipe 7-6   Enforcing Password Complexity  283
    Recipe 7-7   Correlating Usernames with SessionIDs  286

  Chapter 8  Defending Session State  291
    Recipe 8-1   Detecting Invalid Cookies  291
    Recipe 8-2   Detecting Cookie Tampering  297
    Recipe 8-3   Enforcing Session Timeouts  302
    Recipe 8-4   Detecting Client Source Location Changes During Session Lifetime  307
    Recipe 8-5   Detecting Browser Fingerprint Changes During Sessions  314

  Chapter 9  Preventing Application Attacks  323
    Recipe 9-1   Blocking Non-ASCII Characters  323
    Recipe 9-2   Preventing Path-Traversal Attacks  327
    Recipe 9-3   Preventing Forceful Browsing Attacks  330
    Recipe 9-4   Preventing SQL Injection Attacks  332
    Recipe 9-5   Preventing Remote File Inclusion (RFI) Attacks  336
    Recipe 9-6   Preventing OS Commanding Attacks  340
    Recipe 9-7   Preventing HTTP Request Smuggling Attacks  342
    Recipe 9-8   Preventing HTTP Response Splitting Attacks  345
    Recipe 9-9   Preventing XML Attacks  347

  Chapter 10  Preventing Client Attacks  353
    Recipe 10-1  Implementing Content Security Policy (CSP)  353
    Recipe 10-2  Preventing Cross-Site Scripting (XSS) Attacks  362
    Recipe 10-3  Preventing Cross-Site Request Forgery (CSRF) Attacks  371
    Recipe 10-4  Preventing UI Redressing (Clickjacking) Attacks  377
    Recipe 10-5  Detecting Banking Trojan (Man-in-the-Browser) Attacks  381

  Chapter 11  Defending File Uploads  387
    Recipe 11-1  Detecting Large File Sizes  387
    Recipe 11-2  Detecting a Large Number of Files  389
    Recipe 11-3  Inspecting File Attachments for Malware  390

  Chapter 12  Enforcing Access Rate and Application Flows  395
    Recipe 12-1  Detecting High Application Access Rates  395
    Recipe 12-2  Detecting Request/Response Delay Attacks  405
    Recipe 12-3  Identifying Inter-Request Time Delay Anomalies  411
    Recipe 12-4  Identifying Request Flow Anomalies  413
    Recipe 12-5  Identifying a Significant Increase in Resource Usage  414

Part III  Tactical Response  419

  Chapter 13  Passive Response Actions  421
    Recipe 13-1  Tracking Anomaly Scores  421
    Recipe 13-2  Trap and Trace Audit Logging  427
    Recipe 13-3  Issuing E-mail Alerts  428
    Recipe 13-4  Data Sharing with Request Header Tagging  436

  Chapter 14  Active Response Actions  441
    Recipe 14-1  Using Redirection to Error Pages  442
    Recipe 14-2  Dropping Connections  445
    Recipe 14-3  Blocking the Client Source Address  447
    Recipe 14-4  Restricting Geolocation Access Through Defense Condition (DefCon) Level Changes  452
    Recipe 14-5  Forcing Transaction Delays  455
    Recipe 14-6  Spoofing Successful Attacks  462
    Recipe 14-7  Proxying Traffic to Honeypots  468
    Recipe 14-8  Forcing an Application Logout  471
    Recipe 14-9  Temporarily Locking Account Access  476

  Chapter 15  Intrusive Response Actions  479
    Recipe 15-1  JavaScript Cookie Testing  479
    Recipe 15-2  Validating Users with CAPTCHA Testing  481
    Recipe 15-3  Hooking Malicious Clients with BeEF  485

Index  495