Web Application Security Guide
This guide attempts to provide a comprehensive overview of web application security. Common web application security issues and methods how to prevent them are explained. Web server and operating system security are not covered. The guide is intended mainly for web application developers, but can also provide useful information for web application reviewers.
The checklist gives a short summary containing only the individual guidelines. It is recommended to take the time and read the full version, where the guidelines are explained in detail, especially if any questions arise.
Most web application developers probably (hopefully) already know some or even most of the points mentioned in this guide. However, there will probably be something new for every developer. Remember, as a developer it is your responsibility to develop your application securely, and a single mistake may be enough to allow an attack.
- Miscellaneous points
- File inclusion and disclosure
- File upload vulnerabilities
- SQL injection
- Cross-site scripting (XSS)
- XML and internal data escaping
- XML, JSON and general API security
- (Un)trusted input
- Cross-site request forgery (CSRF)
- Insecure data transfer
- Session fixation
- Session stealing
- Truncation attacks, trimming attacks
- Password security
- Comparison issues
- PHP-specific issues
- Prefetching and Spiders
- Special files
- SSL, TLS and HTTPS basics
- Further reading
The print version provides the entire book on a single page.