Application Security Manual
Start Here

Last updated 1 year ago

This manual dives into the world of application security vulnerabilities and explores how they can be identified, understood, and mitigated through practical code examples.

There are many excellent resources available for learning application security, but I found that few of them teach through coding examples. In my opinion, understanding why code is vulnerable is the most effective way to learn about vulnerabilities; after all, application vulnerabilities exist because of how code is implemented in the first place. There is also the added benefit of learning how to fix the vulnerable code.

The manual starts by presenting a vulnerable scenario and displaying some simple code that contains a security flaw. The vulnerability is then explained in detail, highlighting how an attacker could exploit it to compromise the application or gain unauthorized access to sensitive data. Next, each guide provides step-by-step instructions and secure coding practices that can be applied to fix the vulnerability.

A Semgrep rule template is included for each vulnerable scenario. Semgrep is a static code analysis tool that helps identify potential security issues in codebases. The provided rules serve as a starting point for detecting and preventing vulnerabilities in your own projects. These rules can be edited for your specific use cases and then integrated into development workflows to catch security flaws early in the SDLC.

Additional sections have been added that cover topics like threat modeling, SSDLC concepts and other application security best practices. These sections are designed to help put the techniques from the code security sections into practice.

It's important to note that while this manual focuses on learning through coding scenarios, it is not an exhaustive list of all application security vulnerabilities. There are many other excellent resources available that cover additional vulnerabilities, security best practices, and theoretical concepts.
