100 Web Application Defense Techniques from the ‘Web Application Defender’s Cookbook’
The article presents a comprehensive list of one hundred practical web‑application defense techniques—ranging from HTTP request analysis and ModSecurity rule creation to honeypot deployment and automated threat intelligence—drawn from the under‑appreciated book “Web Application Defender’s Cookbook.”
This article introduces the book Web Application Defender's Cookbook, a practical guide for using ModSecurity to protect web applications. Although the book targets ModSecurity, the 100 techniques it describes are valuable for any web security professional.
Techniques 1‑10 cover real‑time HTTP request feature analysis, hash‑token validation, installing OWASP ModSecurity CRS, converting Snort rules to ModSecurity, applying Bayesian classification, and configuring detailed HTTP audit logs (full, partial, or static‑resource‑excluded). They also discuss redacting sensitive data in logs and forwarding server warnings to a central SIEM.
Techniques 11‑20 introduce tools such as AuditConsole, passive vulnerability identification via OSVDB, active scanning with Arachni (including manual and automated rule generation), real‑time scanner invocation, and various honeypot strategies (fake ports, robots.txt, 401 responses, HTML comments, hidden form fields, and fake cookies).
Techniques 21‑30 focus on IP reputation services (MaxMind, RBL, custom RBL, URIBL), selective request‑body parsing, protocol‑compliance checks, Unicode normalization, multi‑encoding detection, and abnormal HTTP method whitelisting.
Techniques 31‑40 address RFC‑compliant URI validation, header anomalies, parameter‑based attacks (extra, missing, duplicate, length, type), and response‑header hygiene (removing server signatures, limiting 5xx ratios, preventing malicious redirects).
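As an added illustration (not code from the book or the article) of the parameter-based checks listed above, the Python function below validates a request's query string against a constructed per-endpoint profile and flags extra, missing, duplicate, over-long and wrongly-typed parameters; the PROFILE table and the "/login" endpoint are assumptions for the example.

```python
from urllib.parse import parse_qsl

# Constructed per-endpoint parameter profile (an assumption for this example):
# for each resource, the parameters it accepts, whether each is required,
# its maximum length, and a coarse type class.
PROFILE = {
    "/login": {
        "user": {"required": True, "max_len": 64, "type": "alnum"},
        "pass": {"required": True, "max_len": 128, "type": "any"},
        "remember": {"required": False, "max_len": 1, "type": "digit"},
    }
}


def value_matches_type(value, kind):
    """Coarse type check used by the profile ('digit', 'alnum' or 'any')."""
    if kind == "digit":
        return value.isdigit()
    if kind == "alnum":
        return value.isalnum()
    return True


def parameter_anomalies(path, query):
    """Return a list of anomaly tags for the query string sent to `path`.

    Tags are 'extra:<name>', 'missing:<name>', 'duplicate:<name>',
    'length:<name>' and 'type:<name>', in the order they are detected.
    """
    profile = PROFILE.get(path)
    if profile is None:
        return ["unknown-resource"]
    # keep_blank_values=True so that 'user=' still counts as a supplied parameter
    pairs = parse_qsl(query, keep_blank_values=True)
    seen = set()
    anomalies = []
    for name, value in pairs:
        if name in seen:
            anomalies.append(f"duplicate:{name}")
        seen.add(name)
        spec = profile.get(name)
        if spec is None:
            anomalies.append(f"extra:{name}")
            continue
        if len(value) > spec["max_len"]:
            anomalies.append(f"length:{name}")
        if not value_matches_type(value, spec["type"]):
            anomalies.append(f"type:{name}")
    for name, spec in profile.items():
        if spec["required"] and name not in seen:
            anomalies.append(f"missing:{name}")
    return anomalies
```

An empty list means the request matches the profile; in a WAF these tags would feed the rule-scoring described later rather than block on their own.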
Techniques 41‑50 discuss selective response‑body parsing, detecting page‑tampering (title changes, size anomalies, injected scripts such as <script>alert(document.cookie);</script>), source‑code leaks (e.g., CVE‑201201823), information leakage, abnormal response times (e.g., time‑based SQL injection), and identifying webshell or backdoor connection attempts.
Techniques 51‑60 cover login‑related monitoring: common‑account brute‑force, credential‑spraying, failed and high‑frequency attempts, uniform failure messages, password‑complexity enforcement, session‑based anomaly detection, and suspicious cookie values.
Techniques 61‑70 include GEO‑IP changes, fingerprint shifts, non‑ASCII characters, directory traversal, abnormal resource access, SQL‑injection defenses (keyword filtering, semantic analysis, Bayesian classification), remote file inclusion detection, OS command execution checks, HTTP request smuggling, response splitting, and XML attacks.
Techniques 71‑80 present CSP policies, XSS mitigation (keyword filters, X‑XSS‑PROTECTION, sandbox), CSRF token validation, clickjacking defenses (X‑Frame‑Options, frame‑busting JavaScript), MITM protection via response‑body MD5, upload size/quantity limits, virus scanning with ClamAV, and HTTP DDoS detection (including tools like LOIC, HOIC, Slowloris).
Techniques 81‑90 describe Slowloris detection, CSRF timing analysis, request‑order anomalies, graph‑based anomaly detection, resource‑specific traffic spikes, collaborative rule scoring, dynamic WAF audit activation, email alerts, sharing WAF events via request headers, custom block pages, and cutting off attacker connections.
Techniques 91‑100 involve IP‑blacklist blocking, GEO‑based tiered defense, response‑time throttling, deceptive success pages, honeypot redirection, forced logout on session anomalies, temporary account lockout, JavaScript‑injected cookies for traffic mitigation, CAPTCHA challenges for bots, and integrating the BeEF framework for malicious request analysis.
The article concludes that web security is an integrated, multi‑layered discipline requiring coordinated use of firewalls, IDS/IPS, vulnerability databases, honeypots, scanners, and analytics, and that combining imperfect defenses often yields a stronger overall posture.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.