https://systemoverlord.com/tags/web-security.htmlRecent content in Web Security on System OverlordHugoen-usdavid@systemoverlord.com (David Tomaschik)david@systemoverlord.com (David Tomaschik)Fri, 10 Jul 2020 00:00:00 +0000https://systemoverlord.com/2020/07/10/comparing-3-great-web-security-books.htmlFri, 10 Jul 2020 00:00:00 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2020/07/10/comparing-3-great-web-security-books.html<p>I thought about using a clickbait title like &ldquo;Is this the best web security book?&rdquo;, but I just couldn&rsquo;t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won&rsquo;t declare any single book &ldquo;the best&rdquo; because that&rsquo;s too subjective. Best depends on where you&rsquo;re coming from and what you&rsquo;re trying to achieve.</p> <p>The 3 books I&rsquo;m taking a look at are:</p> <ul> <li><a href="https://amzn.to/2ZUg4bK">Real-World Bug Hunting: A Field Guide to Web Hacking</a></li> <li><a href="https://amzn.to/2ZVZojX">The Web Application Hacker&rsquo;s Handbook: Finding and Exploiting Security Flaws</a></li> <li><a href="https://amzn.to/2W5KQ05">The Tangled Web: A Guide to Securing Modern Web Applications</a></li> </ul>https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.htmlWed, 24 Aug 2016 00:00:00 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2016/08/24/posting-json-with-an-html-form.html<p>A coworker and I were looking at an application today that, like so many other modern web applications, offers a RESTful API with JSON being used for serialization of requests/responses. She noted that the application didn&rsquo;t include any sort of CSRF token and didn&rsquo;t seem to use any of the headers (X-Requested-With, Referer, Origin, etc.) as a &ldquo;poor man&rsquo;s CSRF token&rdquo;, but since it was posting JSON, was it really vulnerable to CSRF? <strong>Yes, yes, definitely yes!</strong></p>