Chapter Six · The Application Under Attack

Web Application Security

app.meridian.example is the internet-facing crown jewel, and this is the chapter where the intruder tries hardest. Each topic takes one OWASP-class flaw, shows it exploited against the app in the Meridian lab, then builds the fix in Sam's code. It assumes HTTP and TLS from earlier and goes straight at the application layer.

8 topics

Almost every web vulnerability has one root cause: the application trusts something it should not — input from the browser, an ID in a URL, a token's own claims. This chapter is eight instances of that single idea, each a named OWASP category, each shown as an exploit against app.meridian.example and then closed in Sam's code. Where Chapter 5 was the attacker reaching the app, this is the attacker inside it.

The four defenses recur on every page: validate input, encode output, authenticate every request, and authorize every object. The chapter ends by assembling all eight flaws into the OWASP Top 10 — the map you can carry to any web application, including the parts not deep-dived here.

Most web flaws are one idea — the app trusts what it should not
Trusting input
→ injection, XSS · validate and encode
Trusting the request
→ IDOR, CSRF, SSRF · authorize every object
Trusting the session
→ auth flaws · regenerate, expire, protect

Topics in This Chapter

Topic 30
The Web Attack Surface
Every parameter, header, cookie, and upload is attacker-controllable, and the client is never trusted. The four defenses — validate input, encode output, authenticate, authorize — that the whole chapter instantiates.
Attack Surface
Topic 31
Injection: SQL and Command
When user input is mixed into a command so its data becomes code. SQL injection can dump the whole database; the one durable fix is parameterized queries — separate code from data, never concatenate.
Injection
Topic 32
Cross-Site Scripting (XSS)
Injection into the browser: attacker input reflected into a page runs as the site's own JavaScript, stealing sessions or acting as the user. Output encoding is the fix; CSP is the backstop.
XSS
Topic 33
CSRF and SSRF
Two request-forgery flaws that share a name and nothing else. CSRF tricks the user's browser into an unwanted request; SSRF tricks the server into one — often reaching cloud metadata for credentials.
CSRF / SSRF
Topic 34
Broken Access Control and IDOR
The most common serious web flaw: the app authenticates you, then fails to check whether you may access this resource. IDOR — change an ID in a URL and see someone else's data.
Access Control
Topic 35
Authentication and Session Flaws
Even with good hashing and MFA, the login and session machinery has its own failures: credential stuffing, session fixation, tokens that don't expire, and recovery weaker than the login it protects.
Auth Flaws
Topic 36
Security Headers and Defenses
A handful of HTTP response headers instruct the browser to enforce protections the server can't alone — forcing HTTPS, restricting scripts, controlling framing. Cheap defense in depth, if set precisely.
Headers
Topic 37
The OWASP Top 10 as a Map
The industry's shared list of the most critical web risks — the map this chapter has been filling in. What it is, what it isn't, and how to carry it to any web app including the parts not deep-dived here.
OWASP Top 10