Further Reading: Web Application Security

Annotated resources for going deeper on the web's most durable attacks and their defenses. Each entry is tagged with the learning path it best serves — 🏗️ Engineer, 🛡️ SOC, 📜 Cert, 📋 GRC — and tiered for source confidence (Tier 1 = canonical or primary source; Tier 2 = secondary material attributed to a named author or vendor). Start with the OWASP cheat sheets and the Web Security Academy; they are the fastest path from this chapter to working competence.


Standards & primary documentation (Tier 1)

  • OWASP Top 10 (current edition). owasp.org/Top10. 🏗️🛡️📜📋 — The industry's reference list of the most critical web application risks, with prevention guidance per category. This chapter operationalizes its Injection category (which, since the 2021 edition, also covers XSS), Server-Side Request Forgery, and Identification and Authentication Failures; CSRF has had no category of its own since 2017 and is mapped (as CWE-352) under Broken Access Control. Read those entries alongside §13.2–§13.5. Read this first if you read nothing else.

  • OWASP Cheat Sheet Series. cheatsheetseries.owasp.org. 🏗️📜 — Concise, authoritative, copy-pasteable defensive guidance. The ones that map directly to this chapter: SQL Injection Prevention, Query Parameterization, Cross Site Scripting Prevention, DOM based XSS Prevention, Content Security Policy, Cross-Site Request Forgery Prevention, Server Side Request Forgery Prevention, and Session Management. These are the single best reference for the exact fix in each section.

  • OWASP Application Security Verification Standard (ASVS). owasp.org/www-project-application-security-verification-standard. 🏗️📋📜 — A structured catalog of web-app security requirements at three rigor levels. Use it to turn this chapter's controls into a testable checklist and to scope a code review or pen test (it underpins Case Study 1's review structure). Introduced in Chapter 12; the input-validation, output-encoding, session, and access-control chapters are most relevant here.

  • OWASP Core Rule Set (CRS). coreruleset.org. 🛡️🏗️ — The open, widely used rule set for the ModSecurity engine and compatible WAFs (e.g., Coraza), and the basis of many commercial managed rule sets. Reading its rules teaches you what a WAF actually matches on for injection and XSS: mostly regular expressions over decoded request arguments, headers, and bodies, each adding to a per-request anomaly score that is compared against a blocking threshold, with stricter and noisier rules enabled only at higher paranoia levels. That scoring model is invaluable for §13.6 detection work and is the key to understanding WAF false positives.

  • MDN Web Docs — Content Security Policy, Same-origin policy, HTTP cookies (SameSite, HttpOnly, Secure). developer.mozilla.org. 🏗️ — The authoritative, browser-accurate reference for the browser-layer controls in §13.3–§13.5. When you need to know exactly how a CSP directive or cookie attribute behaves, this is the source of truth.

  • NIST SP 800-53 (Rev. 5), control families SI (System and Information Integrity) and SC (System and Communications Protection). 🏗️📋 — Maps this chapter's web controls to a formal control catalog: input validation is SI-10 (Information Input Validation), error handling is SI-11, output filtering is SI-15, and the WAF/edge layer is SC-7 (Boundary Protection). Useful for GRC and for connecting engineering fixes to compliance evidence (the Case Study 1 PCI mapping idea, formalized).

  • PCI DSS v4.0, Requirement 6. 🏗️📋📜 — The payment-card mandate for secure development and for protecting public-facing web applications; Requirement 6.4 expects an automated technical solution, typically a WAF or equivalent, that continually detects and prevents web-based attacks. Directly relevant to Meridian; this is the regulatory floor (Theme 5) that the chapter's controls satisfy.
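
To make the CRS entry above concrete, here is an added example (written for this page; it is not CRS or ModSecurity code) of the match-and-score model a WAF applies, run over a handful of constructed request lines. The regexes are deliberately simplified stand-ins for real CRS rules, the paranoia levels and scores attached to them are illustrative assumptions, and the request lines are made up; the one value taken from CRS is its default inbound anomaly threshold of 5.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative patterns in the spirit of what CRS matches on.  They are
# simplified stand-ins, NOT the real CRS regexes, which are longer, hardened
# against evasions, and grouped by paranoia level (PL1 to PL4).
# Each tuple: (rule name, paranoia level, anomaly score, compiled pattern)
RULES = [
    ("sqli-union-select", 1, 5, re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I)),
    ("sqli-tautology",    1, 5, re.compile(r"['\"]\s*(?:or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("sqli-comment-tail", 2, 3, re.compile(r"(?:--|#|/\*)\s*$")),
    ("xss-script-tag",    1, 5, re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", 1, 5, re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("xss-js-uri",        1, 5, re.compile(r"javascript\s*:", re.I)),
    ("xss-any-html-tag",  3, 2, re.compile(r"<\s*/?[a-z][a-z0-9]*[\s>/]", re.I)),
]

# CRS's default inbound anomaly threshold: one "critical" (score 5) hit blocks.
INBOUND_THRESHOLD = 5

# Constructed request lines (the request field of an access log), not real traffic.
SAMPLE_REQUESTS = [
    "GET /products?id=1 HTTP/1.1",
    "GET /products?id=1'%20OR%20'1'%3D'1 HTTP/1.1",
    "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1",
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "GET /search?q=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1",
    "GET /search?q=union+select+committee+minutes HTTP/1.1",   # benign search that looks like SQLi
    "POST /comment?body=I+%3Cb%3Elove%3C/b%3E+this HTTP/1.1",  # benign markup in a comment
]


def request_args(request_line):
    """Decoded (name, value) query arguments of a request line, which is
    roughly the ARGS target a WAF evaluates after URL-decoding."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def score_request(request_line, paranoia_level=1):
    """Run every rule at or below the configured paranoia level over every
    argument value and sum the anomaly scores of the rules that fire.
    Returns the total, whether it reaches the blocking threshold, and the hits."""
    hits = []
    for arg_name, value in request_args(request_line):
        for rule, level, score, pattern in RULES:
            if level <= paranoia_level and pattern.search(value):
                hits.append((rule, arg_name, score))
    total = sum(score for _, _, score in hits)
    return {"score": total, "blocked": total >= INBOUND_THRESHOLD, "hits": hits}


if __name__ == "__main__":
    for level in (1, 3):
        print(f"--- paranoia level {level} ---")
        for line in SAMPLE_REQUESTS:
            result = score_request(line, level)
            verdict = "BLOCK" if result["blocked"] else "allow"
            print(f"{verdict:5} score={result['score']:2}  {line}")
```

The search for "union select committee minutes" is scored as SQL injection at paranoia level 1 and blocked outright, which is exactly the kind of false positive a SOC handles with a targeted exclusion for that parameter rather than by disabling the rule; the `<b>` in the comment only registers at paranoia level 3 and, on its own, stays below the threshold, so it is logged but not blocked.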


Free online — interactive & deep (Tier 1/2)

  • PortSwigger Web Security Academy. portswigger.net/web-security. 🏗️🛡️📜 — Free, hands-on, and excellent: structured labs on SQL injection, XSS (all three types), CSRF, SSRF, and more, with rigorous explanatory material. The best single way to internalize this chapter, with one caveat: it teaches attack techniques in order to build defensive intuition, so practice only in its sandbox and carry the defensive lessons back (this is a defensive course). Tier 1 for technical accuracy. (Engineer/SOC: do the injection, XSS, CSRF, and SSRF tracks.)

  • OWASP Juice Shop and OWASP WebGoat. owasp.org. 🏗️🛡️ — Deliberately vulnerable applications you run in your own lab to practice finding and (in WebGoat's lessons) fixing web vulnerabilities safely and legally. The right place to do the "Your Turn" exercises from both case studies. Authorization: your own instance only — never point these techniques at systems you do not control.

  • Google CSP Evaluator. csp-evaluator.withgoogle.com. 🏗️🛡️ — Paste a Content-Security-Policy and it flags weaknesses: 'unsafe-inline' in script-src without a nonce or hash, wildcard or scheme-only sources such as https: and data:, a missing object-src or base-uri, and allowlisted hosts known to serve JSONP endpoints or AngularJS builds that bypass the policy. A fast way to check that the strict CSP from §13.3 is actually strict, i.e. that script execution is gated by nonces or hashes plus 'strict-dynamic' rather than by a host allowlist; use it on Exercise 18's answer.

  • MITRE CWE — the Common Weakness Enumeration. cwe.mitre.org. 🏗️📜 — The taxonomy of software weakness types (introduced in Chapter 12). The entries this chapter maps to: CWE-89 (SQL Injection), CWE-79 (XSS), CWE-352 (CSRF), CWE-918 (SSRF), CWE-384 (Session Fixation), CWE-78 (OS Command Injection). Use CWE IDs to speak precisely about a finding's class in reviews and tickets.
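
Added example of the kind of checks the CSP Evaluator entry above describes, as a small offline linter run over constructed policies (this is code written for this page, not the Evaluator's own, and it reproduces only the generic checks, not its list of known bypass hosts). The severity labels and the sample policies are assumptions made here; the weak policy is the allowlist style the Evaluator warns about, the strict one is the nonce plus 'strict-dynamic' pattern it recommends.

```python
import re

SEVERITY_RANK = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
NONCE_OR_HASH = re.compile(r"^'(?:nonce-|sha(?:256|384|512)-)[A-Za-z0-9+/=_-]+'$")
SCHEME_ONLY = re.compile(r"^(?:https?|data|blob|filesystem):$", re.I)

# Constructed sample policies (assumptions for this example, not from any real site).
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' https://cdn.example.com *.analytics.example; "
               "img-src *")
STRICT_POLICY = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
                 "object-src 'none'; base-uri 'none'")


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [sources]}.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins over later duplicates."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src when absent; document
    directives such as base-uri do not (the caller handles those)."""
    return policy.get(directive, policy.get("default-src"))


def lint_csp(header):
    """Return (severity, directive, message) findings for a CSP header:
    'unsafe-inline' without a nonce/hash, 'unsafe-eval', broad or scheme-only
    script sources, host allowlists without 'strict-dynamic', and a missing
    or permissive object-src / base-uri."""
    policy = parse_csp(header)
    findings = []

    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("HIGH", "script-src", "neither script-src nor default-src is set: scripts may load from anywhere"))
    else:
        lowered = [s.lower() for s in script]
        nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in script)  # nonces are case-sensitive
        strict_dynamic = "'strict-dynamic'" in lowered

        if "'unsafe-inline'" in lowered:
            if nonce_or_hash:
                findings.append(("INFO", "script-src", "'unsafe-inline' is ignored by browsers that honour the nonce/hash; it only serves as a CSP1 fallback"))
            else:
                findings.append(("HIGH", "script-src", "'unsafe-inline' lets any injected inline script run, so the policy does not mitigate XSS"))
        if "'unsafe-eval'" in lowered:
            findings.append(("MEDIUM", "script-src", "'unsafe-eval' lets eval() and new Function() run attacker-controlled strings"))

        broad = [s for s in lowered if s == "*" or SCHEME_ONLY.match(s)]
        hosts = [s for s in lowered if not s.startswith("'") and s not in broad]
        if strict_dynamic:
            if hosts or broad:
                findings.append(("INFO", "script-src", "host and scheme sources are ignored by CSP3 browsers once 'strict-dynamic' is present; they serve older browsers only"))
        else:
            if broad:
                findings.append(("HIGH", "script-src", f"broad sources {broad} allow scripts from any matching origin (data: in particular is a known XSS vector)"))
            if hosts:
                findings.append(("MEDIUM", "script-src", f"host allowlist {hosts} without 'strict-dynamic': a JSONP endpoint or AngularJS copy on any listed host bypasses the policy; prefer nonces plus 'strict-dynamic'"))

    obj = effective_sources(policy, "object-src")
    if obj is None:
        findings.append(("HIGH", "object-src", "missing: plugin content can be loaded from anywhere; set object-src 'none'"))
    elif [s.lower() for s in obj] != ["'none'"]:
        findings.append(("MEDIUM", "object-src", "should be 'none' unless plugins are genuinely required"))

    if "base-uri" not in policy:  # base-uri has no default-src fallback
        findings.append(("MEDIUM", "base-uri", "missing: an injected <base> tag can redirect relative script URLs to an attacker host; set base-uri 'none' or 'self'"))

    return findings


def worst_severity(findings):
    """Overall verdict: the highest severity among the findings, or 'OK'."""
    if not findings:
        return "OK"
    return max((f[0] for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        findings = lint_csp(header)
        print(f"{label}: {worst_severity(findings)}")
        for severity, directive, message in findings:
            print(f"  [{severity}] {directive}: {message}")
```

Note the nuance on the strict policy: it still carries 'unsafe-inline' and https:, but because a nonce and 'strict-dynamic' are present, CSP3 browsers ignore both, and the linter downgrades them to informational rather than flagging them as the same weakness they would be in the allowlist policy.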


Books (Tier 1/2)

  • Stuttard, D. & Pinto, M., The Web Application Hacker's Handbook (2nd ed.). 🏗️🛡️ — The classic deep treatment of how web attacks work. It is an offensive reference; read it the way this book reads attacks — to understand the mechanism well enough to defend, then apply the fixes from the OWASP cheat sheets. Tier 1 for technical depth, older but foundational.

  • Zalewski, M., The Tangled Web: A Guide to Securing Modern Web Applications (No Starch Press). 🏗️ — A browser-security-model deep dive (origins, cookies, content sniffing, the same-origin policy). The best explanation of why the browser-layer controls in §13.3–§13.4 work the way they do. Tier 1.

  • Chapple, M. & Seidl, D., CompTIA Security+ Study Guide; Harris, S. & Maymí, F., CISSP All-in-One Exam Guide. 📜 — Both cover web application attacks and secure development at the level the exams test. Pair the relevant chapters with this chapter's key-takeaways.md crosswalk. Tier 1.


Talks & ongoing sources (Tier 2)

  • OWASP Global AppSec / local OWASP chapter talks (many on YouTube). 🏗️🛡️ — Recorded conference talks on web defense, CSP rollouts at scale, WAF tuning, and real breach retrospectives. A good way to see how large organizations actually deploy the controls in this chapter. Attribution varies by talk (Tier 2).

  • Vendor WAF & web-security engineering blogs (e.g., Cloudflare, major cloud providers). 🛡️🏗️ — Useful, current writeups on web-attack trends and WAF detection — read critically (vendor perspective; Tier 2), and always trace claims back to the Tier-1 primary sources above.


Suggested reading order

  1. OWASP Top 10 entries for injection (which covers XSS), SSRF, identification and authentication failures, and broken access control (where CSRF now sits) — to frame the risks (all paths).
  2. OWASP Cheat Sheets for each fix in §13.2–§13.5 — the exact secure pattern (Engineer/Cert).
  3. PortSwigger Web Security Academy labs — to do it, defensively, in a sandbox (Engineer/SOC).
  4. OWASP CRS + your WAF's docs + the §13.6 detections — for the SOC's edge-and-logs layer (SOC).
  5. ASVS / PCI-DSS Req. 6 / NIST 800-53 SI & SC — to turn controls into a standard and audit evidence (GRC), connecting forward to Chapters 28 (compliance) and 31 (pipeline gates).