Web Application Hardening Assessment
by @quochungto
Systematically assess a web application's defensive security posture across input validation, information disclosure, application architecture, and server co...
clawhub install bookforge-web-application-hardening-assessmentπ About This Skill
name: web-application-hardening-assessment description: | Systematically assess a web application's defensive security posture across input validation, information disclosure, application architecture, and server configuration. Use this skill whenever: evaluating the quality of an application's input handling strategy and whether it correctly applies whitelist vs blacklist vs sanitization approaches; assessing whether boundary validation is implemented at each trust boundary (not only the perimeter); checking whether multistep validation and canonicalization ordering are implemented safely; auditing error handling to determine whether verbose error messages, stack traces, debug output, or database banners are exposed to clients; assessing whether server and service banners are suppressed and whether HTML source comments have been removed; evaluating tiered application architecture for trust-boundary segregation weaknesses, dangerous inter-tier trust relationships, and least-privilege violations; assessing shared hosting or cloud environments for customer isolation deficiencies; auditing application server configuration for default credentials, default content, directory listing exposure, dangerous HTTP methods (WebDAV PUT/DELETE), misconfigured proxy functionality, virtual hosting security gaps, and web application firewall effectiveness; performing a pre-deployment security hardening review; conducting a security architecture review or threat modeling session; reviewing a web application penetration test scope for defensive control gaps. Covers core defense mechanisms (Ch2), information leakage prevention (Ch15), architecture security (Ch17), and application server hardening (Ch18). Maps to CWE-20 (Improper Input Validation), CWE-209 (Information Exposure Through Error Message), CWE-16 (Configuration), CWE-284 (Improper Access Control), CWE-693 (Protection Mechanism Failure). version: 1.0.0 homepage: https://github.com/bookforge-ai/bookforge-skills/tree/main/books/web-application-hackers-handbook/skills/web-application-hardening-assessment metadata: {"openclaw":{"emoji":"π","homepage":"https://github.com/bookforge-ai/bookforge-skills"}} status: draft depends-on: [] source-books: - id: web-application-hackers-handbook title: "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws" authors: ["Dafydd Stuttard", "Marcus Pinto"] edition: 2 chapters: [2, 15, 17, 18] pages: "53-72, 651-666, 683-703, 705-735" tags: [input-validation, boundary-validation, canonicalization, error-handling, information-disclosure, application-architecture, tiered-architecture, shared-hosting, server-hardening, default-credentials, directory-listing, webdav, web-application-firewall, defense-in-depth, owasp, appsec, cwe-20, cwe-209, cwe-16] execution: tier: 2 mode: hybrid inputs: - type: codebase description: "Application source code β input validation logic, error handlers, framework configuration files β primary for white-box review" - type: document description: "HTTP traffic captures, Burp Suite logs, server configuration files, architecture diagrams β primary for black-box and config audit modes" tools-required: [Read, Grep, Write] tools-optional: [Bash, WebFetch] mcps-required: [] environment: "Run inside a project codebase for white-box review, or with HTTP traffic logs and server config for black-box / configuration assessment. Authorized testing context required." discovery: goal: "Assess the application's defensive posture across four domains β input validation strategy, information disclosure controls, application architecture security, and server hardening β and produce a structured findings report with severity, evidence, and countermeasures" tasks: - "Classify the application's input handling approach for each input type and assess its adequacy" - "Verify boundary validation is performed at each trust boundary, not only the perimeter" - "Test canonicalization ordering β ensure decode-before-validate is applied and no re-encoding after validation" - "Assess error handling for verbose messages, stack traces, debug output, and service banners" - "Audit server configuration for default credentials, default content, directory listings, dangerous methods, proxy misconfiguration, and virtual hosting gaps" - "Evaluate tiered architecture for trust-boundary weaknesses, inter-tier trust abuse risks, and shared hosting isolation" - "Assess web application firewall presence, effectiveness, and bypass susceptibility" - "Document all findings with CWE mapping, severity, and specific countermeasures" audience: roles: ["penetration-tester", "application-security-engineer", "security-minded-developer", "security-architect", "devops-engineer"] experience: "intermediate-to-advanced β assumes familiarity with HTTP, web proxies (Burp Suite or equivalent), server administration basics, and common vulnerability classes" triggers: - "Pre-deployment security hardening review of a web application" - "Penetration test scope includes defense mechanism quality assessment" - "Security architecture review or threat modeling session" - "Post-incident assessment to understand why existing defenses failed" - "Code review targeting input validation and error handling quality" - "Server configuration audit for a newly deployed or migrated application" not_for: - "Testing specific injection vulnerabilities (SQL injection, command injection) β use the injection assessment skill" - "Authentication mechanism testing β use the authentication security assessment skill" - "Access control and session management testing β use the dedicated skills for those domains" - "Client-side attack surface (XSS, CSRF) β use the client-side attack testing skill"
Web Application Hardening Assessment
When to Use
You have authorized access to a web application (source code, server configuration, HTTP traffic, or a combination) and need to assess the quality of its defensive security controls β not to find specific exploit payloads, but to evaluate whether the defenses themselves are sound.
This skill applies when:
The foundational insight from Stuttard and Pinto: Virtually all web applications use the same categories of defense mechanisms. The security difference between applications is not which mechanisms are present, but how well they are implemented. Assessing defensive quality requires understanding what the correct implementation looks like and systematically testing against that standard β not waiting to discover exploitable output.
Four assessment domains, each targeting a different layer of defense: 1. Input handling strategy β Is the correct approach being applied to each input type? Is boundary validation in place at every trust crossing? 2. Information disclosure β What does the application reveal about its internals through errors, headers, comments, and published data? 3. Application architecture security β Do tier boundaries enforce their own controls, or do they trust other tiers blindly? 4. Application server hardening β Has the server platform been hardened against its default configuration weaknesses?
Authorized testing only. This skill is for security professionals with explicit written authorization to assess the target application and server.
Context and Input Gathering
Required Context (must have β ask if missing)
Observable Context (gather from environment)
Server:, X-Powered-By:, X-AspNet-Version:, X-Generator: headers that reveal technology stack and version; presence of Strict-Transport-Security, Content-Security-Policy, X-Frame-Options
If unavailable: note that header analysis requires HTTP accessweb.config, httpd.conf, nginx.conf, web.xml, php.ini, .htaccess, appsettings.json
If unavailable: defer to behavioral testing for configuration weaknessesDefault Assumptions
Process
Step 1: Classify the Input Handling Strategy for Each Input Type
ACTION: For each category of user-supplied input the application processes, determine which of the five input handling approaches is being applied. The five approaches are:
1. Reject Known Bad (blacklist) β blocks a list of known-malicious strings or patterns; allows everything else 2. Accept Known Good (whitelist) β defines the set of permitted characters, length, format; blocks everything else 3. Sanitization β transforms input to a safe form (HTML encoding, escaping metacharacters) before use 4. Safe Data Handling β uses inherently safe processing APIs that eliminate the vulnerability class (parameterized queries for SQL, subprocess arrays for OS commands) 5. Semantic Checks β validates business logic authorization (does the submitted account ID belong to the authenticated user?)
WHY: The choice of approach has a direct bearing on how easily the defense can be bypassed. Blacklists are systematically bypassable through encoding, case variation, comment insertion, and null byte injection β a blacklist of SELECT can be bypassed with SeLeCt, SELECT/**/, or %00SELECT. Whitelisting is the strongest defense where feasible. Safe data handling (parameterized queries) eliminates entire vulnerability classes regardless of input content. Understanding which approach is in use for each input type reveals which inputs are inadequately defended and why.
AGENT: EXECUTES β Grep source code for input validation logic, regex patterns, filtering functions, and database query construction. Identify the approach applied to each input category.
For each identified input category, document:
Red flags:
exec(), system(), shell_exec(), subprocess.call(shell=True) receiving user-controlled valuesreplace() on attack strings (stripping, not blocking) rather than rejectionStep 2: Verify Boundary Validation at Each Trust Boundary
ACTION: Map all trust boundaries in the application β points where data crosses from one component to another where the receiving component applies different security assumptions. Common trust boundaries: browser-to-server, server-to-database, server-to-SOAP/REST back-end service, server-to-OS command execution, server-to-email sending (SMTP), server-to-LDAP, server-to-cache layer. For each boundary, verify that input validation appropriate to the receiving component's vulnerabilities is applied at that boundary.
WHY: The simple picture of input validation β clean at the perimeter, trust internally β is fundamentally inadequate. Consider a login flow: the application receives the username, validates basic character set (step 1), performs a SQL query to check credentials (step 2), passes account data to a SOAP service to retrieve profile (step 3), renders the account page in HTML (step 4). Each step is a trust boundary. SQL injection defenses must be applied before step 2. XML metacharacter encoding must be applied before step 3. HTML encoding must be applied before step 4. Perimeter validation alone cannot protect all boundaries simultaneously, because conflicting encoding requirements make a single pass impossible: HTML-encoding prevents XSS but does not prevent SQL injection; SQL escaping does not prevent SMTP header injection.
AGENT: EXECUTES β Trace the data flow of key user inputs through the application. For each processing stage, verify that the appropriate validation or encoding for the receiving component is applied immediately before that component receives the data.
Boundary-specific validation requirements to check: | Boundary | Required Defense | |---|---| | Server β SQL database | Parameterized queries or stored procedures (not escaping alone) | | Server β HTML output | HTML entity encoding of all user data in output | | Server β SOAP/XML service | XML metacharacter encoding of user data before XML construction | | Server β OS command | Avoid passing user data to OS commands; if unavoidable, use exec array form, not shell string | | Server β email (SMTP) | Strip or reject CR/LF in any field used in SMTP headers | | Server β file system path | Canonicalize path, validate against allowed base directory, reject traversal sequences | | Server β LDAP | Escape LDAP special characters; prefer LDAP API calls over raw filter construction |
Finding: Any trust boundary where validation appropriate to the receiving component is absent or insufficient constitutes a boundary validation gap.
Step 3: Assess Multistep Validation and Canonicalization Ordering
ACTION: Identify all input validation logic that performs multiple sequential operations on user input (for example: strip , then strip javascript:, then output). Also identify all points where the application decodes or canonicalizes user input. Verify that the ordering rule is satisfied: decode/canonicalize first, then validate, never re-encode after validation.
Test for these specific failure patterns:
is stripped once, the input ipt> will produce after one pass../ then ..\ β the input ..../ after first pass becomes ../, bypassing the second check%27 (URL-encoded apostrophe) at the application but then URL-decoding the value before passing it to the database β the decoded ' reaches the databaseWHY: Multistep validation introduces ordering dependencies that attackers can exploit. An application that strips a blocked expression once can be fed a nested version that reconstitutes itself after stripping. An application that applies filters before canonicalization can be fed encoded versions of blocked characters. The safe ordering is: perform all decoding and canonicalization first, so that validation sees the final processed form of the input, not an intermediate form that subsequent processing will transform further.
AGENT: EXECUTES β Read input validation functions for iterative or sequential sanitization logic. Check whether canonicalization (URL decoding, HTML decoding, Unicode normalization) is applied before or after filter checks.
Test with (black-box):
ipt>alert(1) ipt> (tests non-recursive stripping)%2527 β after first URL decode β %27 β after second β ' (tests validate-before-decode ordering)%3cscript%3e for where only literal form is blockedStep 4: Assess Error Handling and Information Disclosure via Error Messages
ACTION: Systematically probe the application to trigger error conditions and analyze what information is returned. For each functional area, submit: values of the wrong type, values of unexpected length, missing required parameters, values that reference nonexistent resources, and known attack strings for the technologies in use (SQL single-quote for database errors, ../../ for path traversal, ${7*7} for template injection).
For each error response, check for disclosure of:
WHY: Verbose error messages give an attacker a detailed map of the application's internals at no cost. A stack trace identifies the exact framework version (enabling known-CVE attacks), the database technology (enabling SQL injection tuning), the file system layout (enabling path traversal), and which component generated the error (enabling targeted exploitation). A database error message containing the partial SQL query allows an attacker to reconstruct the full query and craft a precise injection. This information gathering step is a standard part of every targeted attack, not a vulnerability in isolation β but it dramatically accelerates every other attack that follows.
AGENT: EXECUTES (response analysis and source code review of exception handling) β HANDOFF TO HUMAN for interactive error triggering via proxy.
In source code, look for:
DEBUG=True, customErrors mode="Off", display_errors=On)phpinfo() pages or equivalent diagnostic endpoints left accessibleScan raw HTTP responses for error keywords: error, exception, illegal, invalid, fail, stack, access, directory, file, not found, varchar, ODBC, SQL, SELECT β matches in responses that are not expected to contain these words indicate information disclosure.
Step 5: Assess Information Disclosure in Published Content and Headers
ACTION: Examine the following disclosure surfaces in the live application:
HTTP response headers:
Server: header β reveals web server product and versionX-Powered-By: β reveals framework, language, versionX-AspNet-Version:, X-Generator:, X-Runtime: β framework specificsHTML source of all application pages:
Sensitive data published to authorized users:
WHY: Server banners enable automated and manual fingerprinting of the exact product version, directly mapping to the CVE database. Developers frequently leave HTML comments containing information gathered during development β database schema notes, access control bypass hints, environment variable names, or even temporary hardcoded credentials. Pre-populating password fields means the existing password is transmitted in cleartext to the browser on every page load, even if the user never interacts with it β it is visible in the page source and in any browser extension or corporate proxy that logs traffic.
AGENT: EXECUTES β Read all page source files and response captures. Grep for comment markers (. Finding: test payment card data embedded in production HTML comment.
3. Countermeasures: Configure customErrors mode="On" in web.config with generic error page redirect; suppress Server: header via URLScan/IIS Lockdown; remove all HTML comments from production deployment pipeline.
Output: 5 information disclosure findings (1 Critical for session key exposure, 2 High for stack trace + SQL error, 2 Medium for version banners and payment card in comment).
References
License
This skill is licensed under CC-BY-SA-4.0. Source: BookForge β The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard, Marcus Pinto.
Related BookForge Skills
This skill is standalone. Browse more BookForge skills: bookforge-skills
β‘ When to Use
π‘ Examples
Scenario: Pre-deployment hardening review of a financial services portal
Trigger: "Before we go live next month, we need a security review of the server configuration and input handling across the application."
Process:
1. Step 1 (input handling classification): Review database query construction β 3 of 12 query-building functions use string concatenation with user parameters rather than parameterized queries. Classified as Approach 1 (Reject Known Bad) in two cases (blacklisting single-quote) and no validation in the third. Findings: 2 High (blacklist-only SQL), 1 Critical (no validation on admin query).
2. Step 2 (boundary validation): Trace username from login form through: (a) HTML login page rendering β username HTML-encoded before output, compliant; (b) SQL query for credential check β parameterized, compliant; (c) SOAP service call for profile data β username interpolated directly into XML payload, no XML metacharacter encoding, finding: XML injection risk at SOAP boundary.
3. Step 4 (error handling): Trigger a database error by submitting a type-mismatch value. Response contains full stack trace including Oracle JDBC connection string with hostname and credentials: jdbc:oracle:thin:apps/appspassword@db-prod-01.internal:1521/PROD. Critical finding: credential disclosure in error message.
4. Step 6 (server config): Apache Tomcat detected. Access /manager/html β returns 401 with authentication prompt. Test credentials tomcat/tomcat β authentication succeeds. WAR file deployment interface accessible with default credentials. Critical finding.
5. Step 7 (directory listings): 4 of 11 directories return Apache directory indexes. One exposed directory contains backup_2023-11-01.sql.gz β database backup file downloadable without authentication.
Output: 2 Critical, 4 High, 3 Medium findings across all four domains.
Scenario: Architecture security review of a multi-tenant SaaS application
Trigger: "We host multiple enterprise clients on the same platform. A security consultant flagged concerns about tenant isolation. Can you do a full architecture review?"
Process:
1. Step 9 (tiered architecture): Review database connection configuration β a single database account app_user with GRANT ALL PRIVILEGES is used for all operations. All tenants' data in the same schema with tenant_id discrimination in queries. SQL injection in any query can access any tenant's data. Finding: High β insufficient database-level tenant isolation.
2. Step 10 (shared hosting): Review OS account configuration β all tenant application containers run as www-data. Path traversal in any tenant application could read other tenants' uploaded files, which are all accessible to www-data. Finding: High β insufficient OS-level filesystem isolation.
3. Step 11 (WAF): WAF is present (detected via custom cookie X-WAF-Token). Test: submitting ' OR 1=1-- in query string is blocked. Same payload in JSON POST body passes through. Finding: Medium β WAF does not inspect JSON request bodies.
4. Step 2 (boundary validation): Multi-tenant SOAP endpoint receives tenant-supplied data that is interpolated into XML without encoding. One tenant could inject XML to interfere with another tenant's SOAP requests.
Output: Architecture recommendations include separate database accounts per tenant with row-level security, per-tenant OS accounts with restricted filesystem access, and WAF configuration update for JSON body inspection.
Scenario: Error handling and information disclosure audit of an e-commerce application
Trigger: "We're getting strange error pages appearing on our site during our pen test engagement. Can you review our error handling posture?"
Process:
1. Step 4 (error handling): Systematically inject type-mismatch values into each parameter category. Three findings: (a) product ID parameter returns Oracle SQL state and partial query text on invalid input; (b) order search by date returns ASP.NET stack trace revealing .NET version 4.5.2 and full file path; (c) admin user endpoint triggers custom debug message dumping session variables including SessionKey value.
2. Step 5 (header/comment disclosure): Server header reveals Microsoft-IIS/8.5. HTML source of checkout page contains commented-out block: . Finding: test payment card data embedded in production HTML comment.
3. Countermeasures: Configure customErrors mode="On" in web.config with generic error page redirect; suppress Server: header via URLScan/IIS Lockdown; remove all HTML comments from production deployment pipeline.
Output: 5 information disclosure findings (1 Critical for session key exposure, 2 High for stack trace + SQL error, 2 Medium for version banners and payment card in comment).