Web Application Security 2nd Edition (Early Release) Andrew Hoffman
Web Application Security
SECOND EDITION
Exploitation and Countermeasures for Modern Web Applications
With Early Release ebooks, you get books in their earliest form—the
author’s raw and unedited content as they write—so you can take
advantage of these technologies long before the official release of
these titles.
Andrew Hoffman
Revision History for the Early Release
2023-01-30: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098143930 for
release details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc.
Web Application Security, the cover image, and related trade dress
are trademarks of O’Reilly Media, Inc.
The views expressed in this work are those of the author and do not
represent the publisher’s views. While the publisher and the author
have used good faith efforts to ensure that the information and
instructions contained in this work are accurate, the publisher and
the author disclaim all responsibility for errors or omissions,
including without limitation responsibility for damages resulting from
the use of or reliance on this work. Use of the information and
instructions contained in this work is at your own risk. If any code
samples or other technology this work contains or describes is
subject to open source licenses or the intellectual property rights of
others, it is your responsibility to ensure that your use thereof
complies with such licenses and/or rights.
978-1-098-14393-0
Chapter 1. Secure Application
Configuration
A NOTE FOR EARLY RELEASE READERS
This will be the 19th chapter of the final book. Please note that the
GitHub repo will be made active later on.
If you have comments about how we might improve the content
and/or examples in this book, or if you notice missing material within
this chapter, please reach out to the editor at [email protected].
One component of successfully delivering a secure web application
to your customers is to ensure the web application you are delivering
is configured in a way that makes use of built-in browser security
mechanisms.
Web applications today are built on a multitude of languages,
frameworks and technologies. However, because the sole method of
delivery for a web application is still the browser, learning how to
make use of the built-in security mechanisms implemented by the
browser is essential to a good security posture.
In this chapter we will evaluate and discuss several security
technologies implemented by the web browser, and you will learn
how to configure them correctly to maximise the security of your
web application.
Content Security Policy
Content Security Policy (CSP) is one of the browser’s primary
security mechanisms for protecting against the most common forms
of cyberattacks involving a browser client.
It is capable of preventing cross-site scripting (XSS), data injection,
phishing, framing and redirect attacks if implemented correctly.
In order to provide a clean developer experience without breaking
the internet, CSP was designed to be implemented by developers
with a significant amount of configuration options. Because of this, a
strong CSP policy differs drastically from a weak CSP policy. It is in
fact possible to run a fully functioning website without any CSP
policy whatsoever, leading to the browser implementing no
mitigations against common attacks.
Let’s take a deeper look into CSP policies from an implementation
perspective, so you can learn how to properly configure a CSP policy
on your web application in order to allow the browser to implement
security mechanisms on behalf of your users.
Implementing CSP
CSP can be implemented on a web application via one of two
methods.
The most common method is to have your server return a
Content-Security-Policy header with every request. Note that
the X-Content-Security-Policy and X-Webkit-CSP headers
are deprecated and should no longer be used to implement a CSP
policy.
Alternatively, you may implement a CSP policy by including a meta
tag in the <HEAD></HEAD> of every HTML page. Such a meta tag
would look as follows:
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src data:" />
CSP Structure
Regardless of the implementation you choose, the method of
configuring your CSP policy is roughly the same. A CSP policy is
comprised of directives which are separated by semicolons (;).
After each directive you may include a configuration option
corresponding with that directive, which will then be implemented by
the browser.
An example directive would be script-src scripts.mega-bank.com
which would permit the website to only execute
JavaScript scripts that are sourced from the provided origin
scripts.mega-bank.com. All other scripts would throw a CSP
error in the browser console.
Important Directives
The list of directives supported by CSP varies slightly by browser and
expands periodically as browsers update and adhere to the latest
version of the CSP specifications. Currently the CSP specification is
maintained by the World Wide Web Consortium (W3C) non-profit
organization which maintains a variety of web standards.
Some of the most important directives to be aware of from a
security perspective are as follows:
1. default-src this is a fallback for other directives, allow-listing
sources from which images, scripts, CSS stylesheets and other
resources can be loaded. Defining this directive prevents your
website from being able to execute unintended scripts,
reducing XSS risk significantly.
2. sandbox when configured, creates a sandbox on page-load
that prevents resources from being able to create pop-ups,
execute scripts or interact with browser plugins.
3. frame-ancestors defines which webpages may embed the
current webpage. Setting this to 'none' is often the most
secure option, as it prevents other websites from clickjacking by
placing user interface elements in front of the current webpage
and tricking users into clicking on them.
4. eval and inline script functionalities are blocked by
default simply by having any CSP policy implemented. This is a
huge win as both of these script execution methods are popular
attack vectors for XSS attacks. These protections, however, may be
disabled with 'unsafe-inline' and 'unsafe-eval'.
5. report-uri allows you to define an endpoint to which CSP
errors are reported for logging.
CSP Sources and Source Lists
Directives in a CSP policy that end with -src take an input known
as a source list . A source list is a whitespace separated list of
origins and CSP-specific configuration values. These source lists are
used to tell the directive how to operate once loaded into the
browser.
Several of these source list values are unique to CSP, and it’s important to
understand how they function.
1. * wildcard operator. Allows any URL except blob and file.
For example, img-src * would allow images from any web-based
origin but not from the local filesystem.
2. 'none' prevents any source from loading. It is important to
note that a CSP policy including 'none' after a directive must have NO
other sources or the CSP policy will fail to load. For example
img-src 'none' is valid but img-src 'none'
images.mega-bank.com is not valid.
3. data: allows the loading of base64 encoded images. For
example img-src data: .
4. https: allows loads provided the resources in the source list
all implement https. For example img-src https: mega-bank.com .
5. 'self' refers to the current origin of the loaded page. If a
webpage loads to test.mega-bank.com/123 then any images
available from test.mega-bank.com/* will be capable of
loading provided the CSP policy is set to img-src 'self'.
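The structure and source-list rules above can be checked mechanically before a policy ships. The following is an added example, not code from the book: a small parser and linter whose function names, finding codes and sample policies are constructed for illustration. The check for directives ignored in a meta tag comes from the CSP specification rather than from this chapter.

```javascript
'use strict';

// Directives the CSP specification ignores when the policy arrives in a
// <meta http-equiv> tag instead of a response header (not covered in the text).
const META_IGNORED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Split a policy into a Map of directive name -> list of source expressions.
// Directives are separated by semicolons, sources by whitespace.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers keep the first occurrence of a repeated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return findings as "code:directive" strings. The codes are this example's own.
function lintCsp(policy, { fromMeta = false } = {}) {
  const directives = parseCsp(policy);
  const findings = [];
  const add = (code, directive) => findings.push(`${code}:${directive}`);

  for (const [name, sources] of directives) {
    // "default-src: 'self'" is header syntax leaking into the policy body;
    // the browser sees an unknown directive called "default-src:".
    if (name.endsWith(':')) add('colon-in-name', name);
    if (fromMeta && META_IGNORED.has(name)) add('ignored-in-meta', name);
    if (!name.endsWith('-src')) continue;

    // 'none' must stand alone in its source list.
    if (sources.includes("'none'") && sources.length > 1) {
      add('none-with-other-sources', name);
    }
    if (sources.includes('*')) add('wildcard', name);

    if (name === 'script-src' || name === 'default-src') {
      // Browsers ignore 'unsafe-inline' when a nonce or hash is present,
      // so it is only reported when nothing stricter overrides it.
      const strict = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
      if (sources.includes("'unsafe-inline'") && !strict) add('unsafe-inline', name);
      if (sources.includes("'unsafe-eval'")) add('unsafe-eval', name);
    }
  }
  if (!directives.has('default-src')) add('missing', 'default-src');
  if (!directives.has('frame-ancestors')) add('missing', 'frame-ancestors');
  return findings;
}

// Constructed sample policies.
const WEAK_POLICY =
  "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "img-src 'none' images.mega-bank.com";
const STARTER_POLICY =
  "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; " +
  "frame-ancestors 'none'; img-src data: https:; " +
  'report-uri https://reporting.example';

console.log(lintCsp(WEAK_POLICY));
console.log(lintCsp(STARTER_POLICY));
console.log(lintCsp(STARTER_POLICY, { fromMeta: true }));
```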
Strict CSP
Sometimes you are building a more complex web application and
require the capacity to load inline script, but want to avoid the
pitfalls of enabling inline script to all scripts as it is one of the most
common XSS attack vectors.
With CSP, it is possible to enable inline scripts securely with a little
bit of effort. This form of CSP configuration is often called strict
CSP as it provides additional security rules to scripts that run in the
browser to protect against XSS, but does not limit functionality.
There are two methods of implementing a strict-CSP policy. The
first method is a hash-based strict CSP, and the second is a
nonce-based strict CSP.
Both of these methods require that common XSS sinks implement
either a randomized nonce or a SHA256 hash which will be verified
prior to each script execution.
A simple nonce-based strict-CSP implementation looks as follows:
Content-Security-Policy:
script-src 'nonce-{RANDOM}' 'strict-dynamic';
When the CSP policy is set to 'strict-dynamic' with 'nonce-{RANDOM}'
the browser will enforce that inline scripts provide a new
attribute, nonce. In order to adhere, inline scripts will look as
follows:
<script src="..." nonce="123">alert()</script>
The nonce value is created at runtime, and each of your scripts is
loaded in with the correct nonce value. Prior to script execution,
the browser checks to ensure the nonce in the script attribute
matches the pre-defined value. If true, the script execution
continues (dynamic scripts loaded from the top-level script with
correct nonce may also load). If false, script execution fails and a
CSP error is thrown in the console.
The hash-based approach operates similarly, but instead of using
randomized nonces, makes use of SHA256 hashes. In the hash case,
a hash of every single inline script is added to the CSP directive
script-src source list. When an inline script attempts to execute,
it is hashed and compared against the source list. If it fails to meet
that check, an error is thrown in the console and the script fails to
execute.
Nonce-based strict CSP is ideal for scenarios where every webpage is
rendered on the server, allowing the new nonces to be created on
every page load.
Hash-based CSP is better for applications that need to be cached
(e.g. make use of a content delivery network / CDN) as the collision
rate for SHA256 hashes is so low that the probability of two scripts
colliding (a malicious script creating the same hash as a non-
malicious script) is somewhere in the ballpark of 1/43,000,000,000.
Because CDNs and caches often last quite a while, a hacker could
craft an inline script payload matching the current nonce - but it’s
extremely unlikely they could craft an inline script payload that
hashes identically to a non-malicious script in the same page.
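Both strict-CSP variants described above can be generated server-side with Node's built-in crypto module. This is an added example, not code from the book: the function names are hypothetical, the inline script text is a constructed sample, and browserAllows is a simplified model of the browser's check rather than its real algorithm.

```javascript
'use strict';
const crypto = require('node:crypto');

// Nonce strategy: 128 bits from the CSPRNG, base64-encoded, generated once
// per response. Reusing a nonce across responses defeats its purpose.
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Hash strategy: SHA-256 over the exact text between <script> and </script>,
// base64-encoded and quoted as a CSP source expression.
function hashSource(inlineScript) {
  const digest = crypto
    .createHash('sha256')
    .update(inlineScript, 'utf8')
    .digest('base64');
  return `'sha256-${digest}'`;
}

// Build the header value and markup for a server-rendered page.
// inlineScript is assumed to be trusted, developer-authored code.
function nonceBasedPage(inlineScript) {
  const nonce = newNonce();
  return {
    nonce,
    header: `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    html: `<script nonce="${nonce}">${inlineScript}</script>`,
  };
}

// Build the header value and markup for a cacheable page. The header never
// changes unless the script text changes, so it can sit behind a CDN.
function hashBasedPage(inlineScripts) {
  const sources = inlineScripts.map(hashSource);
  return {
    header: `script-src ${sources.join(' ')} 'strict-dynamic'`,
    html: inlineScripts.map((s) => `<script>${s}</script>`).join('\n'),
  };
}

// Simplified model of the browser's decision for one inline script:
// allow it if its nonce attribute matches a 'nonce-...' source, or if the
// hash of its body appears in the source list.
function browserAllows(header, { nonce = null, body = '' }) {
  const sources = header.replace(/^script-src\s+/, '').split(/\s+/);
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) return true;
  return sources.includes(hashSource(body));
}

// Constructed sample: one legitimate inline script and one injected script.
const legit = 'initDashboard();';
const injected = 'alert(document.domain)';

const noncePage = nonceBasedPage(legit);
console.log(noncePage.header);
console.log(browserAllows(noncePage.header, { nonce: noncePage.nonce, body: legit })); // true
console.log(browserAllows(noncePage.header, { body: injected }));                      // false
console.log(browserAllows(noncePage.header, { nonce: '123', body: injected }));        // false

const hashPage = hashBasedPage([legit]);
console.log(hashPage.header);
console.log(browserAllows(hashPage.header, { body: legit }));       // true
console.log(browserAllows(hashPage.header, { body: legit + ' ' })); // false: one byte differs
```

The last line shows the operational cost of the hash strategy: any change to an inline script, including whitespace introduced by a minifier or template engine, requires the header to be regenerated.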
Example Secure CSP Policy
The following is a secure-by-default CSP policy which can be used as
a starter policy prior to further customizations.
It provides an example implementation of the nonce strategy for
strict-CSP on script sources, blocks frame-ancestors to prevent
clickjacking attacks, enforces HTTPS on images while allowing
base64 image loads, presents a reporting URI for CSP errors and
provides a default 'self' as a fall-back for source lists.
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-jgoj23j2o3j2oij26jk2nkn26kj';
frame-ancestors 'none';
img-src data: https:;
report-uri https://reporting.megabank.com
Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) is a browser-implemented
security mechanism that is often confused with CSP.
While CSP allows a developer to choose which scripts are allowed to
be executed in the browser, CORS is capable of blocking scripts at an
earlier phase prior to the script ever reaching the JavaScript
execution context in the browser.
CORS is important in part because two of the primary methods of
performing network requests within JavaScript (the only
browser-supported programming language) are fetch and
XMLHttpRequest. Both of these APIs respect a concept called the
same-origin policy (SOP), which stipulates that a web
application should only be able to make network calls within its own
(same) origin unless defined in a CORS policy.
The Project Gutenberg eBook of The American
Missionary — Volume 33, No. 09, September,
1879
This ebook is for the use of anyone anywhere in the United
States and most other parts of the world at no cost and with
almost no restrictions whatsoever. You may copy it, give it away
or re-use it under the terms of the Project Gutenberg License
included with this ebook or online at www.gutenberg.org. If you
are not located in the United States, you will have to check the
laws of the country where you are located before using this
eBook.
Title: The American Missionary — Volume 33, No. 09,
September, 1879
Author: Various
Release date: March 25, 2017 [eBook #54429]
Most recently updated: October 23, 2024
Language: English
Credits: Produced by KarenD, Joshua Hutchinson and the Online
Distributed Proofreading Team at http://www.pgdp.net
(This file was produced from images generously made available
by Cornell University Digital Collections)
*** START OF THE PROJECT GUTENBERG EBOOK THE AMERICAN
MISSIONARY — VOLUME 33, NO. 09, SEPTEMBER, 1879 ***
Vol. XXXIII. No. 9.
THE
AMERICAN MISSIONARY.
“To the Poor the Gospel is Preached.”
SEPTEMBER, 1879.
CONTENTS:
Forward: Rev. Eli Corwin
EDITORIAL.
Paragraphs
Literature of our Southern Work
The Tenth Commandment
Winding up a Horse
Items from the Field
General Notes
THE FREEDMEN.
Winning by Passive Virtue: Rev. J. E. Roy, D. D.
Georgia, Woodville—Dying Scenes—Pressing Work
Georgia, Cypress Slash—A New Field
Alabama, Montgomery—Swayne School
Tennessee, Memphis—Le Moyne School—Conversations
Tennessee—A Colored Girl’s Experience as a Teacher
Mississippi—Letter from a Tougaloo Student
AFRICA.
Mendi Mission—Religious Progress at Avery—Travels into the Interior—The Heathen—The Country
THE CHINESE.
False Brethren: Rev. W. C. Pond
CHILDREN’S PAGE.
Children’s Influence
RECEIPTS
Constitution
Work, Statistics, Wants, &c.
NEW YORK.
Published by the American Missionary Association,
Rooms, 56 Reade Street.
Price, 50 Cents a Year, in advance.
American Missionary Association,
56 READE STREET, N. Y.
PRESIDENT.
Hon. E. S. TOBEY, Boston.
VICE-PRESIDENTS.
Hon. F. D. Parish, Ohio.
Hon. E. D. Holton, Wis.
Hon. William Claflin, Mass.
Rev. Stephen Thurston, D. D., Me.
Rev. Samuel Harris, D. D., Ct.
Wm. C. Chapin, Esq., R. I.
Rev. W. T. Eustis, D. D., Mass.
Hon. A. C. Barstow, R. I.
Rev. Thatcher Thayer, D. D., R. I.
Rev. Ray Palmer, D. D., N. Y.
Rev. J. M. Sturtevant, D. D., Ill.
Rev. W. W. Patton, D. D., D. C.
Hon. Seymour Straight, La.
Horace Hallock, Esq., Mich.
Rev. Cyrus W. Wallace, D. D., N. H.
Rev. Edward Hawes, Ct.
Douglas Putnam, Esq., Ohio.
Hon. Thaddeus Fairbanks, Vt.
Samuel D. Porter, Esq., N. Y.
Rev. M. M. G. Dana, D. D., Minn.
Rev. H. W. Beecher, N. Y.
Gen. O. O. Howard, Oregon.
Rev. G. F. Magoun, D. D., Iowa.
Col. C. G. Hammond, Ill.
Edward Spaulding, M. D., N. H.
David Ripley, Esq., N. J.
Rev. Wm. M. Barbour, D. D., Ct.
Rev. W. L. Gage, Ct.
A. S. Hatch, Esq., N.
Rev. J. H. Fairchild, D. D., Ohio.
Rev. H. A. Stimson, Minn.
Rev. J. W. Strong, D. D., Minn.
Rev. George Thacher, LL. D., Iowa.
Rev. A. L. Stone, D. D., California.
Rev. G. H. Atkinson, D. D., Oregon.
Rev. J. E. Rankin, D. D., D. C.
Rev. A. L. Chapin, D. D., Wis.
S. D. Smith, Esq., Mass.
Peter Smith, Esq., Mass.
Dea. John C. Whitin, Mass.
Rev. Wm. Patton, D. D., Ct.
Hon. J. B. Grinnell, Iowa.
Rev. Wm. T. Carr, Ct.
Rev. Horace Winslow, Ct.
Sir Peter Coats, Scotland.
Rev. Henry Allon, D. D., London, Eng.
Wm. E. Whiting, Esq., N. Y.
J. M. Pinkerton, Esq., Mass.
Rev. F. A. Noble, D. D., Ct.
Daniel Hand, Esq., Ct.
A. L. Williston, Esq., Mass.
Rev. A. F. Beard, D. D., N. Y.
Frederick Billings, Esq., Vt.
Joseph Carpenter, Esq., R. I.
CORRESPONDING SECRETARY.
Rev. M. E. STRIEBY, D. D., 56 Reade Street, N. Y.
DISTRICT SECRETARIES.
Rev. C. L. WOODWORTH, Boston.
Rev. G. D. PIKE, New York.
Rev. JAS. POWELL, Chicago.
EDGAR KETCHUM, Esq., Treasurer, N. Y.
H. W. HUBBARD, Esq., Assistant Treasurer, N. Y.
Rev. M. E. STRIEBY, Recording Secretary.
EXECUTIVE COMMITTEE.
Alonzo S. Ball,
A. S. Barnes,
Edward Beecher,
Geo. M. Boynton,
Wm. B. Brown,
Clinton B. Fisk,
Addison P. Foster,
E. A. Graves,
S. B. Halliday,
Sam’l Holmes,
S. S. Jocelyn,
Andrew Lester,
Chas. L. Mead,
John H. Washburn,
G. B. Willcox.
COMMUNICATIONS
relating to the business of the Association may be addressed to either of the
Secretaries as above; letters for the Editor of the “American Missionary” to Rev.
Geo. M. Boynton, at the New York Office.
DONATIONS AND SUBSCRIPTIONS
should be sent to H. W. Hubbard, Ass’t Treasurer, No. 56 Reade Street, New York,
or when more convenient, to either of the Branch Offices, 21 Congregational
House, Boston. Mass., or 112 West Washington Street, Chicago, Ill.
A payment of thirty dollars at one time constitutes a Life Member.
Correspondents are specially requested to place at the head of each letter the
name of their Post Office, and the County and State in which it is located.
THE
AMERICAN MISSIONARY.
Vol. XXXIII. SEPTEMBER, 1879.
No. 9.
American Missionary Association.
FORWARD!
Dedicated to the American Missionary Association, by the Author,
REV. ELI CORWIN, D.D., JACKSONVILLE, ILLS.
Strike, valiant warrior, strike!
Be foremost in the fight,
And wield the battle-axe of truth
With all a giant’s might;
He ventures in no doubtful cause
Who champions the right.
Build for the ages, build!
Lay the foundations strong,
Through all the circling centuries
Of wretchedness and wrong;
The tribute of the after times
May to this age belong.
Work, then, with courage, work!
He labors not in vain,
Who, leaning on the Mighty Arm,
Counts every loss a gain;
Since we may reach the glory goal
Through pilgrimage of pain.
Pray, weary watcher, pray!
Upon the promise rest;
Faith seems to see a rising sun
Sink in the darkening west;
And, in the morrow’s prophecy,
Is comforted and blest.
We take from the columns of the Christian Intelligencer, the organ of
the Reformed (Dutch) Church, the ingenious and suggestive article
by Dr. Chamberlain, entitled “Winding up a Horse.” We are sure it
will be read.
There is good sound sense in the very practical contribution on
Children’s Influence in Missions, or rather on interesting children in
the work of Missions, on the Children’s page. The heart which is
interested intelligently in such work in its youth will never be likely to
grow too busy or too old to follow the progress of the years, and the
hand which has learned early to drop its pennies into the Lord’s
treasury will hardly be found clenched upon its dollars in riper years.
Next month brings us around to another Annual Meeting. Our
financial year ends with the last day of this month (September). Our
books will be closed then for the year, and our balance will be struck.
This is our reminder to all, either churches or individuals, who have
intended to contribute to our work during the current year. Let your
gifts be sent in speedily and as liberally as the Lord may have
prospered you. Every cent received during the next thirty days helps
this year’s showing. Do not let us go back of the standard
maintained during the last three years! Our ambition is to report
expenses all met and debt all gone.
The report that the yellow fever has returned to Memphis has long
before this reached the ears of our friends. We hope that the evil will
not be so great as it was last year, and yet its immediate effect upon
our work has been more suddenly felt than then. The people flee
more eagerly from a scourge the severity of which they hold in
horror enhanced by the recent memory of its infliction. The church
at Memphis is scattered; pastor and people have left it; a faithful
janitor is caring for its and the school property. The church at
Chattanooga, too, has been largely deserted, and its attendants
have fled to the mountains. Of course this is but a temporary
interruption. The three or four hundred dollars which was sent to us
last year for the relief of the colored sufferers accomplished an
amount of physical relief, and indirectly of spiritual good, almost
beyond belief. We shall be glad to superintend the disbursement of
any like moneys which may be sent to relieve the poorest of the
poor in this their special distress.
“Oh, how great is Thy goodness, which Thou hast laid up for
them that fear Thee; which Thou hast wrought for them that
trust in Thee, before the sons of men!”
As a father lays up for his children against a future need, so the
psalmist felt that the Heavenly Parent had done for those that fear
Him; so, in sight of the sons of men had He wrought such goodness
for them. It is a great thing to realize the daily dispensing of such
divine favor, but a greater to learn that Infinite Love has gone before
to treasure up the riches of goodness. It was a marvel of blessing
that God wrought before the sons of men in all the world for the
American children of bondage in their emancipation. But more than
this: He had laid up beforehand treasures of Christian anti-slavery
sentiment and charity, to be disbursed among them in the lines of
educational and Christianizing processes, and, with divine
forethought, He had prepared a system for the administration of this
relief. Distinguished among other provisions of this kind were the
rise and the preparatory training in principle and method of the
American Missionary Association. We know not which the more to
admire, the wisdom or the goodness of such fore-ordaining. It is the
privilege of its constituency to be the almoners of such bounty.
THE LITERATURE OF OUR SOUTHERN WORK.
It makes no pretension. It has been a growth from nothing. And yet
it is worthy of mention. The Southern Workman, the organ of
Hampton Institute, is a monthly, well filled with matter historical,
scientific and newsy, and well adapted to interest the Freedmen and
their friends, as also the civilized Indians and their friends. The
Hampton Health Tracts, in a series of a half dozen, treat of the great
essentials of health and of physiology. It was a happy hit to give the
late children of bondage these first lessons in civilization. This list of
tractates has also not a little of instruction for many people who pass
among the enlightened class. The Fisk Expositor is an occasional
issue that gathers up the history and progress of that University,
which the Jubilee Singers have done so much to endow and to make
famous. The Southern Sentinel is a monthly, published at Talladega
College, and designed, as is the Southern Workman, to interest the
colored people in all matters pertaining to education, agriculture and
mechanic arts. On both, the work of type-setting and printing is all
done by the colored students, who have learned the process while in
school, and who make this their means of support, besides the
acquiring of a trade that will secure them a respectable livelihood.
The young women make capital compositors. In both of these
offices not a little of job work is also done. The mechanical work
upon the American Missionary was for a time done by the office at
Hampton. The Straight University at New Orleans has also its
occasional medium of communication with its constituency.
Eight chartered institutions issue their annual catalogues, which
compare favorably with the current literature of the kind. It seems
not a little strange, in these annual reports of schools among our
fellow-citizens, the late slaves, to come across not only the lists of
the Faculties and the long roll of students, but also the several
departments, normal, scientific, classical, medical, legal and
theological. Then of the six General Associations for our Southern
churches, four have issued their annual “Minutes.” Those of the
original one, the Central South, furnish quite a compendium of our
church work. Those of Alabama are rich in records of discussions
upon vital themes and of missionary activities. Those of Louisiana
glow with revival reminiscences. The first of Georgia makes a
dignified document that gives promise of not a little of church
activity. Texas and North Carolina will soon come on to the dignity of
printing the Minutes of their Associations.
THE TENTH COMMANDMENT.
During the last few days, how to avoid breaking the tenth
commandment has been a practical question for me.
It has been my privilege to visit the College and Agricultural School
at Amherst, and their sister institutions at Northampton and South
Hadley, if they can be called institutions when the students are
absent.
As I strolled about the Amherst College grounds and buildings, and
noticed its concrete walls and shaven lawns, with their trimmed
edges that said to the grass, “Thus far and no farther;” and looked
upon the Gymnasium, Walker Hall, and College Chapel, of solid
granite and beautiful sandstone, with their numerous gables, towers
and turrets; and walked about the Museum building, crowded with
many rare and costly specimens, representing thousands upon
thousands of dollars and years upon years of skilled and patient
labor; and then strolled about the pleasant village, and saw the
beauty and elegance and comfort of the professors’ residences:
then, as I went into the field, and saw in the centre of a farm of 500
acres of level, fertile land, the Agricultural College buildings of brick
and stone, erected for service, but not lacking in adornment; the
extensive and beautiful conservatory, the fine barn and cattle, and
various “new and improved” agricultural implements; then, as, after
a ride of seven miles through the valley of the Connecticut, justly
famed for its beauty, where deacons formerly raised profitable crops
of tobacco while they were trying to solve the questions of ethics
involved in this industry, I saw upon the “hill” in Northampton, Smith
College, with its lovely grounds, its Gothic buildings of somewhat
elaborate architecture, including a house for the president and
cottages for the young ladies, its varnished floors, its fine furniture,
and its art galleries, containing already a goodly collection from the
pencil of the painter and the chisel of the sculptor, upon all of whose
equipments seemed to be written, “Nothing mean or cheap can
enter here;” then, as, after having flanked Mount Holyoke and got in
his rear, I came upon the school of Mary Lyon, where formerly were
educated all the sisters and “cousins” of the Amherst students, and,
beginning at the kitchen, where are two stoves expressly devoted to
the cooking of griddle-cakes, a broiler for beefsteaks, a marble slab
for a “bread board,” and a stone slab for warming plates, and then
passed on through the capacious dining-room and the carpeted
chapel to the fire-proof library building filled with books, and then to
the new Williston cabinet and art gallery, where our guide, an old
pupil of Mary Lyon, pointed out a picture which she said, apparently
with “bated breath,” cost $1,000.
As I saw all these evidences of growth and prosperity and tokens of
the liberality of good men and women, there kept ringing in my ears
a sentence from the catalogue of our poor Atlanta University: “It is
hoped that the time is not far distant when funds will flow into the
treasury of the Institution as freely as they do into those of colleges
in other parts of the country.”
When one sees how New England is packed with seminaries,
colleges, academies and high schools, he can hardly help believing
that the Lord is willing that the colored people of the State of
Georgia shall have one institution for thoroughly fitting teachers for
the common schools of their race, and at least giving those who can
and wish to obtain a college education the opportunity of doing this.
And may we not have faith to believe that the example of Mrs.
Stone, in giving one-sixth of the money to be distributed by her
among the schools of the country to those in the South for the
education of the colored race, will be followed by others, and that
this provision for the more needy will but increase the devising of
liberal things for these institutions of the North?
T. N. C.
WINDING UP A HORSE.
Nineteen years ago I bought in Madras a peculiar kind of horse. He
had to be wound up to make him go. It was not a machine, but a
veritable live horse.
When breaking him to go in the carriage he had been injured. An
accident occurred in starting him the first time and he was thrown
and hurt and frightened. It made him timid; afraid to start. After he
had once started he would never balk, until taken out of the
carriage. He would start and stop and go on as many times as you
pleased, but it was very difficult to get him started at first each time
he was harnessed to the carriage.
He was all right under the saddle, an excellent riding horse, and
would carry me long distances in my district work, so that I did not
wish to dispose of him; but I could not afford to keep two, whatever
I had must go in carriage as well as ride, and I determined that I
would conquer.
How I have worked over that horse! At first it sometimes took me an
hour to get him started from my door. At last, after trying everything
I had ever heard of, I hit upon an expedient that worked.
I took a strong bamboo stick two feet long and over an inch thick. A
stout cord loop was passed through a hole two inches from its end.
This loop we would slip over his left ear down to the roots and turn
the stick round and round and twist it up.
It is said that a horse can retain but one idea at a time in its small
brain. Soon the twisting would begin to hurt. His attention would be
abstracted to the pain in his ear. He would forget all about a carriage
being hitched to him, bend down his head and walk off as quiet as a
lamb. When he had gone a rod the horse boy would begin to
untwist, soon off would come the cord, and the horse would be all
right for the day. The remedy never failed.
After having it on two or three times he objected to the operation,
and would spring about and rear and twitch and back; anything but
start ahead, to keep it from being applied. We would have, two of
us, to begin to pat and rub about his neck and head. He would not
know which had the key. All at once it would be on his ear and
winding up. The moment it began to tighten he would be quiet,
stand and bear it as long as he could, and then off he would go. It
never took thirty seconds to get him off with the key. It would take
an hour without. After a little he ceased objecting to have it put on.
He seemed to say to himself, “I have got to give in and may as well
do it at once,” but he would not start without the key. In a few
months he got so that, as soon as we got into the carriage, he
would bend down his head to have the key put on, and one or two
turns of the key would be enough.
Then the key became unnecessary. He would bend down his head,
tipping his left ear to the horse boy, who would take it in his hand
and twist it, and off he would go.
My native neighbors said, “That horse must be wound up or he
cannot run.” And it did seem to be so.
When he got so that the “winding up” was nothing but a form, I
tried to break him of that, but could not succeed. I would pat him
and talk to him and give him a little salt or sugar or bread, and then
step quietly into the carriage and tell him to go. “No.” Coax him.
“No.” Whip him. “No.” Legs braced, every muscle tense for
resistance. A genuine balk. Stop and keep quiet for an instant and
he would hold down his head, bend over his ear and look around for
the horse boy appealingly, saying very earnestly by his actions, “Do
please wind me up. I can’t go without, but I’ll go gladly if you will.”
The moment his ear was touched and one twist given, off he would
go as happy and contented as ever horse could be.
Many hearty laughs have we and our friends had over the winding
up of that horse. If I were out on a tour for a month or two and he
were not hitched to the carriage, or if he stood in the stable with no
work for a week or two during the monsoon, a real winding up had
to take place the first time he was put in. We kept him six years. The
last week I owned him I had to wind him up. I sold the patent to the
man that bought the horse, and learned from him that he had to use
it as long as the horse lived.
I was thinking about that horse the other night when it was too hot
to sleep, and I suddenly burst into a laugh as I said to myself, “I
have again and again, in the membership of our churches at home,
seen that horse that had to be wound up, in all matters of
benevolence.”
I had often thought of that horse as I went through our churches at
home, and imagined that I recognized him, but the whole thing
came upon me with such peculiar force the other night that I must
write out my thoughts.
There are some Christians (yes, I believe they are Christians) who
have to be wound up by some external pressure before they will
start off in any work of benevolence. Others will engage in some
kinds of benevolence spontaneously, but will not touch other
benevolent efforts unless specially wound up. Free under the saddle,
but balky in carriage.
I knew of one good member of our church who would never give a
cent to our Domestic Missionary Board unless he happened to hear
of some missionary in the West who was actually without the
necessaries of life, and then he would send in liberally. It took that
to wind him up.
Another would never give to the Board for educating young men for
the ministry unless he happened to become acquainted with some
candidate who was being aided. Then his gifts would come in for
helping that man.
Another would never give to the Bible Society unless he chanced to
hear of some particular town out West where but two Bibles could
be found in a population of five hundred, although he knew perfectly
well that there were hundreds of such communities among whom
the American Bible Society was daily endeavoring to introduce the
Divine Word. He must be wound up by a special case.
But it was especially of my visits through the churches in connection
with our foreign missionary work that I was thinking when I said
that I had so often recognized my horse that had to be wound up, in
all the different stages of his training.
Thank God, I found hosts of noble-hearted men and women all
through the Church that needed no winding up; whose conversion
and consecration had extended down to their pockets; who were
always at the forefront in every good work; who required no
spasmodic appeals. They gave from a deep set principle and an
intelligent love for Christ and His cause; some even pinching
themselves in the necessaries of life, as I know, to be able to give. It
is on such that the security and continuance of our missions depend.
We know that we can rely on them. They never fail us.
But there are others that have to be “wound up,” willingly or
unwillingly, before they will do anything in the missionary work.
Some are very willing to be wound up.
“Dominie,” said a good elder who had just introduced himself to me
one day, “I have come in on behalf of our church at —— to see if
you would not come out and give us a missionary talk. We ought to
have sent in a collection to the Foreign Board months ago, but we
neglected it, and now we have been talking it over and have made
up our minds to do something handsome if you will come out there
and give us a talk.”
“Well,” said I, “I shall be very glad to come and tell you something of
our work just as soon as I can edge a day in between other
engagements. But if you have made up your minds to do something
handsome for the Board, why not do it at once and relieve their
present pressing need, and I will come as soon as I can and give
you the talk all the same.”
“O, no,” said he. “We can’t do that. We have made up our minds that
we must give liberally, but we can start it easier if you come there
and give us the talk first. You need not fear. We will give a good
sum. That is settled, and it is mostly pledged. But you must come
and talk to us first.”
I smiled and said to myself, “There is my horse in its third stage of
training. That church is bending down its ear and entreating me to
twist it, for it has made up its mind to go, only it requires to be
wound up first.”
“Dominie,” said one of our earnest ministers to me one Wednesday,
“we raised $1,000 for the Board last Sunday morning. It is more
than usual, and we are all happy over it. Now we want you to come
over the first Sunday of next month and give us a missionary
address.”
“Good,” said I, “that church has got one stage further than my horse
ever did in his training, for they start and do the work first and bend
down the ear to be twisted afterwards.” Did it not give me an
earnest joy to go and tell that church what the Lord’s war in India
was, and how much they had helped it?
A Sunday-school superintendent came to me one day with smiling
countenance, saying, “Our Sunday-school has raised $175 during the
past year for missions, and we have determined to give it to the
work in India. The year closed three months ago, and it is all in the
hands of the treasurer, but we want you to come and give us a
speech, and then it will be formally voted and sent at once to the
Board. We have been waiting all this time because they told us at
the rooms that you were engaged up till now. When can you come?
The money is lying idle and we are waiting, and we know the Board
needs the funds. So come as soon as you can.”
“Ah,” said I, “everything is ready, and the family are in the carriage,
but they have to sit there half an hour because the horse boy is busy
elsewhere, and the horse is holding down his ear all this time
waiting for that particular horse boy to come and twist it.”
I was both pained and irresistibly amused by an incident that
occurred not two hundred miles from New York, when the horse was
in the first stage of training, and stoutly resisted allowing its ear to
be touched.
The missionary was announced to speak in the church on a given
Sunday, when the annual collection would be taken up. A good
member of the church—the pastor says a sincere Christian—was
very much put out about it; had heard enough of these old
missionaries, and was not going to hear any more; did not believe in
foreign missions—we had heathen enough at home.
The appointed Sunday came. Mr. A. and his family stayed away from
church because they would not countenance the missionary address.
They, therefore, missed the announcement which the pastor made,
viz., that a telegram had been received that it was impossible for the
missionary to be there. He would come next Sunday, and the annual
collection would be deferred until then.
The following Sunday Mr. A. and family all filed into their pew,
serene and happy in the thought that they had avoided the old
missionary. As the organ was playing the voluntary, the pastor
entered the pulpit from the vestry and a stranger with him. The
pastor took the opening exercises and the second hymn was sung,
when the pastor rose and said that Mr.——, the missionary, as
announced last Sunday, would now address them.
Mr. A. was thunderstruck. He did not like to go out in the middle of a
service, and so determined to sit it through. The missionary told his
simple tale. The plates came in. The collection was unprecedentedly
large. Mr. A.’s plethoric pocket-book had disgorged itself upon the
plates, and no heartier worker for foreign missions is now found in
that church. Mr. A. had tried his best to keep his ear from being
twisted. Now it needs no twisting. He has learned to go and loves to
go.
There was a church in our fold at home whose pastor was
determined that it should not be wound up for foreign missions. He
had succeeded, as he himself told me, in keeping all missionaries
and secretaries and agents out of his pulpit during all the years of
his pastorate. When the day came for collections for any of our
Boards the fact was stated, the plates were passed, and those gave
who wished. The collection, as a matter of course, under such a
chill, was a minimum.
It required some of the very best and most wary and skillful
manœuvring to get hold of the ear of that church; but it was
obtained and twisted, and off it started on the trot in the missionary
work, and since then it has annually held down its ear and begged
to have it twisted, as it wanted to go more.
Scores of incidents which occurred in my own experiences among
the churches in America, and which recalled my “horse winding,”
come crowding into my mind, but I forbear.
For I remember the phalanx of noble churches that needed no such
winding up, who were all alive and always on the alert; who gave
regularly, generously, nobly; who, from the pastor, the head, to the
humblest member, prayed from the lips, from the heart, from the
pocket, “Thy Kingdom come.” They are always glad to get hold of
the recruiting watchman, and ask him, “Watchman, what of the
night?” but they never have to be wound up to start them giving.
God give us more and more of such churches and more such
Christians and church members, so that no missionary or secretary
need come to beg, but can come with radiant countenance and say,
“Brethren, with the funds you are continually sending us for the
work, we have done for the Master thus and thus.” Then in looking
over our churches and our benevolent work we shall no longer have
occasion to remember “the horse that had to be wound up.”
Rev. Jacob Chamberlain, D.D.
Mudnapilly, India, April 30, 1879.
ITEMS FROM THE FIELD.
Athens, Ala.—The Rev. Horace J. Taylor writes to us: “Work has
commenced for the new building. We have the yard prepared, and
are now engaged in making brick. I am treasurer and chairman of
the building committee, and the building will be finished without at
any time being in debt one cent, if it takes three years to finish it.”
Anniston, Ala.—The pastor of this church had written us asking for an
organ to help in its services. Before the request was made public,
one of our old and faithful friends wrote us that his resources had
been so much curtailed that he could send us no gift in money, but
that he had a cabinet organ which he would be glad to send us, if
we could make it of service in our work. The organ went to
Anniston. Rev. Mr. McEntosh, the pastor, writes: “I wish you could
have seen the bright eyes of the children in the Sunday-school, and
the admiration and surprise of the adults, as they listened with
solemn and pleasing quietness to the sweet tones of the new organ,
as it gave the heart-cheering notes of ‘One there is above all others.’
I cannot arrange words to express our thanks to you and to the
many friends of the descendants of Ham.”
Childersburg, Ala.—Rev. Alfred Jones writes: “I have had my series of
meetings; eight came to Christ, and five joined my church—four
young men and one girl,—and I think they bid fair for the future.
They all belong to my Sunday-school. I am holding my fort, and
expect to have a good church. I am doing all that I can, and feel
that the Lord is with me.”
GENERAL NOTES.
The Freedmen.
—At a meeting held by the influential Friends in Philadelphia this
week, to consider the condition of the negro refugees in Kansas,
some new facts were brought to light. It appears from the
statements made to them that the negroes are not all so needy as is
supposed; some of them have money to buy land, and have bought
it. The Freedmen’s Relief Association has bought 5,000 acres at
$2.65 per acre, has made the first payment, and put some of the
refugees to work on it. The second payment is not due for four
years, and before that time they hope the blacks will have got
Northern legs under them, so to speak, enough to be able to pay it
themselves. Many of the older men and women, however, are not
self-supporting, and never will be. The facts stated of their
immediate need were so well authenticated, and the methods
suggested for their help so practicable, that the Friends have taken
up the matter in earnest.
—The Exodus is attracting increased attention among colored people
in Virginia and North Carolina, though they are acting with more
deliberation than is shown in Louisiana and Mississippi. A colony has
been formed in Lynchburg to proceed West as soon as requisite
funds can be collected. A colony in North Carolina has sent one of its
members West to prospect.
The Indians.
—The Ponca Indians.—The Ponca Indians have always been peaceful
and friendly. It is not known that any of their number ever killed a
white man. In 1858 they released to the United States all their land,
except about twenty square miles. In response to a clamor from the
whites to get this from them a new treaty was made in 1866, by
which the Poncas ceded 30,000 acres to the United States, and the
latter ceded to the Poncas certain townships. On this land they built
houses, raised crops, and lived happily and prosperously, but the
white man would not let them alone. In 1877 Indian Agent James
Lawrence, Indian Inspector E. C. Kemble, and Rev. S. D. Hinman, an
Episcopal Missionary among the Indians, came and insisted that the
United States wanted them to leave and go to the Indian Territory.
This they refused to do. A paper purporting to be a contract was
drawn up by these men; the signature of a half breed by the name