“The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto.
The book was written already in 2008 but points out many, still to date, common security risks that every developer should know about. Security is for most either a developers a nightmare – it is my job but I have clue – or either an afterthought – this is not my job.
The book covers many ways your custom build website is at risk, some examples
- Mapping the application: the structure of URI’s and parameters gives away a lot of information.
- Bypassing client controls: the back-end should never assume a safe front-end.
- Authentication: weak passwords.
- Session management: the need for state introduces risks around the tokens to identify sessions.
- Injecting code: the well known SQL injection issues.
- Exploiting path traversal: elevating your rights as a user.
- Application logic issues: parameterized query strings or clear text parameters that control certain business limits can easily be spoofed.
- Information disclosure: errors that are too verbose.