About 90-180 minutes
- Lesson: 45 minutes
- Guided Practice: 30 minutes
- Independent Practice: 60 minutes
- Check for Understanding: 10 minutes
A basic understanding of the following is required:
Participants will learn secure development basics, common pitfalls, and how to avoid them.
Website attacks and cyber attacks are growing in numbers every day and the importance of creating a secure website and website security, in general, is increasing rapidly. So, being secure in the online world becomes more and more important every day and it is more than important to protect your website and the data it holds now. So, therefore, we’ll give you five reasons why website security is important.(By Agnes Talalaev)
Which companies use web security? Some of the popular companies that use web security are mentioned below with the links that describe the role of web security in these companies:
Participants will be able to:
- Understand and handle common vulnerabilities
- Validate user input
- Authenticate users on a site
- XSS/CSRF on someone else's web page
- OWASP Secure coding practices
- Input validation
- Authentication means and pitfalls
- Session management
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Techtonica's Security Lesson Slideshow
- Techtonica's Roles in Tech Presentation (security section starts at 2:57)
- Slideshow: Authentication vs Authorization.
- 7 min read: A quick introduction to web security [FreeCodeCamp]
- MDN web security
- Khan Academy course, Cybersecurity 101. It should take about 30 minutes.
- Validator
- Parsley, the ultimate JavaScript form validation library
- DOMPurify
- OWASP Secure Coding Practices Quick Reference Guide
- Passport
- OpenID client connect
- Stack exchange anti-CSRF thread
The first thing you must remember: never trust your user. There will always be someone with malicious intent out there. To safeguard against them you need security. What do we mean by security on the web?
- Read through lesson slides Security
- Watch Techtonica's Roles in Tech Presentation (security section starts at 2:57)
- Read through MDN web security (30 mins read)
Authentication vs Authorization vs Access Control:
Read through this slideshow explaining the difference between Authentication and Authorization. It has a few slides with examples written in Ruby, but you'll get the gist of it.
In simple words:
- Authentication is about who somebody is.
- Authorization is about what they're allowed to do.
- Once we know who a user is and what authorization level they have (what we should and should not give them access to), we still need to actually prevent that user from accessing anything they should not. That enforcement is access control.
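The three steps above as three separate functions in a small Node.js request handler (an added example, not part of the lesson or the slideshow; the session ids, users and role table are constructed for the demo):

```javascript
// Added example: authentication, authorization and access control kept as separate steps.
// Constructed session store: session cookie value -> user record.
const sessions = new Map([
  ["sess-alice", { name: "alice", role: "editor" }],
  ["sess-bob", { name: "bob", role: "viewer" }],
]);
// Authorization policy (constructed): which actions each role may perform.
const ROLE_ACTIONS = { viewer: ["read"], editor: ["read", "write"], admin: ["read", "write", "delete"] };

// Authentication: who is making this request? Resolve the session cookie to a user, or null.
function authenticate(req) {
  const sessionId = req.cookies && req.cookies.sessionId;
  return sessions.get(sessionId) || null;
}

// Authorization: what is this user allowed to do? A pure policy lookup with no side effects.
// Unknown roles map to an empty list, so the answer defaults to "no".
function isAuthorized(user, action) {
  const allowed = ROLE_ACTIONS[user.role] || [];
  return allowed.includes(action);
}

// Access control: the single enforcement point every handler passes through.
// 401 = we do not know who you are; 403 = we know who you are and the answer is no.
function handle(req, action, doSomething) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "authentication required" };
  if (!isAuthorized(user, action)) return { status: 403, body: `${user.name} may not ${action}` };
  return { status: 200, body: doSomething(user) };
}

// Demo requests (constructed).
const save = (user) => `saved by ${user.name}`;
console.log(handle({ cookies: { sessionId: "sess-alice" } }, "write", save).status); // 200
console.log(handle({ cookies: { sessionId: "sess-bob" } }, "write", save).status);   // 403
console.log(handle({ cookies: {} }, "read", save).status);                           // 401
```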
Read this 7-min article: A quick introduction to web security.
Cross-Site Scripting (XSS) exploits the trust a user has for a particular site.
Cross-Site Request Forgery (CSRF) exploits the trust that a site has in a user's browser.
- Changing all GET requests to POST requests does not protect you from CSRF attacks. For complete protection against CSRF attacks, PUT requests (which a plain cross-site HTML form cannot send) or some token-based request verification are used. More info about anti-CSRF techniques here.
- Injection: validate everything before you give it to an interpreter! Here we focus on JavaScript sanitization.
- Broken Authentication and Session Management: practice this by using the above libraries. Better than passwords, try SAML.
- Encryption: sensitive data should be encrypted in transit and at rest. Also, you are not a mathematician; never try to roll your own encryption.
- SQL injection and XSS (also injection based): Injection-based attacks try to exploit a website by feeding it malicious input in the form of HTTP requests or in input fields. SQL injection attacks are used to steal information from databases, whereas XSS attacks are used to redirect users to websites where attackers can steal data from them.
- Spend 15 minutes on SQL Injection Practice
- Spend 15 minutes on XSS Practice
- Validate user input for a project with Parsley and validate fields with Validator.
  - Parsley, the ultimate JavaScript form validation library
  - Validator
- Build a form (or use an existing one) which allows users to submit a comment string and renders those comments into a doc on the page. Use DOMPurify to prevent XSS. For example, an input comment like `<script type='application/javascript'>alert('xss');</script>` should not trigger an alert on the page.
  - DOMPurify
- Build a page template with all inputs escaped and validated, and set up a PUT request instead of GET and POST to prevent CSRF. You can also look into implementing token-based CSRF prevention techniques if interested.
- The next step is to try XSS. To do that, make an HTML form with a text field and a submit button (like a search bar), then enter a script-based XSS attack through the text field, such as `<script>alert('You are under attack')</script>`. You can also try various singleton tags like bold, italic, etc. on each other's webpages.
- Now fix the vulnerabilities by HTML-escaping all the dynamic input data.
- After that, write some URL-based XSS, assuming user input is echoed as output somewhere on the site by code like `<?php echo $_GET["message"]; ?>`, so that a URL such as `http://your-server/something.php?message=<script>alert('XSS attack');</script>` triggers it. Side note: there are many other ways of doing XSS/CSRF attacks, so keep exploring.
- What is the difference between XSS and CSRF?
- What are some common exploits that hackers use to infiltrate systems?
- You get an email from an unknown source containing a link while you are logged in to your internet banking in the next tab. Should you click on the link if it says it's from the bank?
- If you click on it and your money gets transferred out of your account, what is this attack known as: XSS or CSRF?
- HTTP Headers for the Responsible Developer
- Bug Bounty Programs
- Types of Hackers
- OWASP releases a regular list of the top 10 most critical web application security risks.
- XSS and CSRF: Try it at home with Google and Excess XSS.
If you are feeling inclined, or interested in red teaming, you can experiment with Insecure Labs or a Kali Linux VM and read about its rich FOSS tool suite.