Well, Chapter 5 really misses a reference to the same origin policy.
So after reading section Synchronizer Token
Pattern in Chapter 5, one can come up with the question:
Suppose we have site vulnerable.com that renders a form after a GET request and submits the form with a POST request, and that we should CSRF protect the POST.
If the malicious site evil.com can send requests to vulnerable.com with session riding, why does it not issue beforehand a GET to render the form, harvest the CSRF token, and then submit the POST.
The answer to this is that the Same Origin policy forbids evil.com to access content from vulnerable.com.
But one cannot just comeup with this answer, if the same origin policy has not been introduced in the book.
Also, I think it is too late to introduce the Same Origin Policy so late in the chapter, when we already discuss solutions.
In the CSRF attack you ride the user session to issue requests from evil.com to vulnerable.com but you cannot see the results of these requests, due to the Same Origin Policy.
The same origin policy is kindof part of the definition of CSRF, so I think that the authors should first mention the Same Origin Policy when they introduce CSRF .
Then. in the discussion of Synchronizer Token Pattern later in the same chapter, they should analyze the above scenario and make another reference to the Same Origin Policy.
And they should make a reference to the OWASP CSRF Guard Project, it is THE flagship project afterall!!!
Finally to close Chapter 5, the authors should review the Stateless CSRF Defense section.
In their coverage of the double submit cookie solution, they write that the csrf cookie should be HttpOnly.
However, I am quoting wikipedia's CSRF entry, "The CSRF token cookie must not have httpOnly flag, as it is intended to be read by the JavaScript by design"
and from the CSRF Prevention_Cheat_Sheet, "An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy".
It is the Same Origin policy that does it and not having the cookie HttpOnly. In fact the cookie should not be httpOnly(view DWR, AngularJS...)
The authors should rewrite this section, correct the cookie, and again make a Reference to the Same Origin Policy and also to popular Javascript frameworks.
Btw, when they discuss who uses this method, they speak about stateless webservices and applications that want to keep nothing in their httpSession,
and they dont speak about popular Javascript frameworks, which make heavy use of the technique. This is kind of weird...
Finally in chapter 7, section Defence in Depth, the authors present the "Insecure Direct Object Reference" Attack as a special case of SQL injection.
Specifically, a case of SQL injection where the injected part is in the "order by clause".
However, the "Insecure Direct Object Reference" Attack is something different and is not necessarily restricted to SQL databases.
Failing to describe the problem properly they also fail to present proper solutions, like the ESAPI RandomAccessReferenceMap class.
The authors should just rewrite this from scratch, it is totally wrong.
I have made a much larget post, and I am afraid I just said the same things again.
Also, I probably sound too strict but the book was great
it was by far my best read for 2014