Coding Cloud

Web Security Essentials

MD
R
Markdown

Some basic know-how regarding web security on APIs and Clients

File Uploads

Your files will be securely uploaded and stored using AES-256 encryption. Only members of your project will be able to view or download these attachments.

Web Security (exploit and then mitigate several common Web Security Vulnerabilities)

Man in the Middle (MITM), Cross Site Request Forgery (CSRF), and Cross Site Scripting (XSS) *** point of view of an attacker, and then as the defender of a sample application ***

  • HTTPS prevents MITM attacks
  • Redirect all HTTP Traffic to HTTPS
  • Set Secure Cookie Flag to ensure cookies are only sent over Secure Connections
  • Add HSTS Headers to ensure all requests are HTTPS
  • Set the SameSite cookie flag
  • Add CSRF Token Middleware to Mitigate CSRF
  • Set the httpOnly cookie flag to ensure that the cookies are inacessible from JavaScript
  • Prevent inline script execution by implementing Script-src SCP headers
  • Add a Nonce based script-src header to allow scripts matching the nonce
  • Add default-src CSP Header to enforce an allowlist and migrate XSS

Tests:

  • To simulate MITM attacks and inspect network traffic use: Charles Proxy
  • Create Exploits to emulate a CSRF Vulnerability
  • Make an XSS Payload to Read a Cookie from a vulnerable domain
  • Make an XSS Payload to read document.body form the vulnerable domain
  • Read document content from vulnerable domin via script tag injection in an XSS Payload
  • Prompt users for credentials from a vulnerable website via iframe injection

Links

https://www.charlesproxy.com/download/ https://github.com/mikesherov/web-security-essentials/tree/master/exercises https://github.com/daquinoaldo/https-localhost/

Course Transcript

Mike Sharav: 0:00 Security is important and is often overlooked and forgotten. Part of the reason for this is that security seems hard to get right. One of the best ways to protect your application from attack is to first understand how attacks are carried out and then learn how to mitigate them. Application security doesn't need to be overwhelming.

0:18 In this course, we'll cover session hijacking and how to prevent it, secure cookie configuration and making them hard to steal. Using chralesproxy to simulate a man-in-the-middle attack, using HTTPS and HSTS to mitigate man-in-the-middle attacks. Using CSRF tokens in same inaudible keys to mitigate CSRF attacks. Using the CSP to mitigate XSS attacks. You'll learn security rules of thumb such as defense in-depth and principle of list power.

0:48 We'll learn all this by finding and exploiting vulnerabilities and then patching them on our target website in a game of security cat and mouse. To get our target website running and to perform our attacks, we'll need a bit of a setup. Note that these instructions are for macOS or Linux. You could find instructions for Windows in the remit section of the source code for this course.

1:08 First, download charlesproxy from charlesproxy.com/download. When you open it, after a splash screen, it should look like this, the list of URLs your computer is making a request to. You'll also need some command line utilities.

1:25 First you'll need Git, which you can check to see if you have by running git--version. Next, you'll need node JS, which you can check by running node--version. You'll need a version higher than version 8.9.3. If you don't have node yet, you could download it from nodejs.org. Node comes with npm, which you can check by running npm--version.

1:49 Finally, you need a cURL which also you can check with curl--version. If you don't have it, you can get it at curl.haxx.se. Next, you'll need to make sure that you have pseudo privileges or that you can run a command line as an administrator if you're using Windows.

2:06 We'll modify our host file which is located at etsy/host. We'll look for the localhost entry, which is that IP address 127...1. To this, we'll add evil.com and hit save. Because this is a protected file, we'll have to see it again as pseudo.

2:29 I'll enter my password. This makes it so that when I visit evil.com, which will be our fake attacker website, it will resolve to my local computer.

2:40 Next, run pseudo npm install from the root of the repository. This will prompt you for your password. For this course, you'll only ever have to npm install this one time. All dependencies for all the lessons are installed upfront.

2:58 Now go to the first lesson by cd-ing into exercises/01, and run pseudo npm start. You should get a messages saying to visit http://localhost.charlesproxy.com. If you open that URL, you should see a username and password prompt.

3:21 Next, we'll want to start our evil.com attacker website. For this, we'll run pseudo npm run start:evil.com. This should start a server on https://evil.com:666/index.html. If you see "Thanks for visiting," it worked.

3:42 Our application doesn't have much to it. It has a log in form. Once logged in, it has a message form that either allows you to send a specific message or send a hello message via one button. It also displays our username and our Social Security number, the perfect type of information suitable for a hacker to steal.

4:03 If you visit login.js, you'll notice that we have a database of users here. This is the username and password for our site. You'll be logging in with the username Mike Sharav, and a password of 1. Let's get started.

Created on 3/10/2020