Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Hoffman, Andrew

  • Publisher: O'Reilly
  • Publication date: 2024-02-27
  • List price: $2,290
  • Sale price: 95% of list, $2,176
  • VIP price: 90% of list, $2,061
  • Language: English
  • Pages: 441
  • Binding: Quality Paper - also called trade paper
  • ISBN: 1098143930
  • ISBN-13: 9781098143930
  • Related category: Information Security
  • Ships immediately (stock = 1)

Product description

In the first edition of this critically acclaimed book, Andrew Hoffman defined the three pillars of application security: reconnaissance, offense, and defense. In this revised and updated second edition, he examines dozens of related topics, from the latest types of attacks and mitigations to threat modeling, the secure software development lifecycle (SSDL/SDLC), and more.

Hoffman, senior staff security engineer at Ripple, also provides information regarding exploits and mitigations for several additional web application technologies such as GraphQL, cloud-based deployments, content delivery networks (CDN) and server-side rendering (SSR). Following the curriculum from the first book, this second edition is split into three distinct pillars comprising three separate skill sets:

  • Pillar 1: Recon: Learn techniques for mapping and documenting web applications remotely, including procedures for working with web applications.
  • Pillar 2: Offense: Explore methods for attacking web applications using a number of highly effective exploits that have been proven by the best hackers in the world. These skills are valuable when used alongside the skills from Pillar 3.
  • Pillar 3: Defense: Build on skills acquired in the first two parts to construct effective and long-lived mitigations for each of the attacks described in Pillar 2.
