1 Security Topics: Readings and References

Under Construction, subject to change

  • Networking, Protocols, Servers and Security
    • TLS, HTTPS
    • Sessions, security, certificates, cookies, tokens, tracking

2 HTTPS, TLS, and Certificates

  • Minimal Crypto basics: single key encryption, public key encryption, secure hashes, secure random numbers. No number theory…

  • TLS and HTTPS basics

  • Certificate tutorial: website certificates, other uses for certificates.

  • To be reviewed: Painless Self Signed Certificates in node.js

3 Web Application security

A good source of information is the Open Web Application Security Project (OWASP). However, getting around their Wiki to find the “good stuff” can be a bit difficult. One place to go for very practical advice is their Cheat Sheet Series.

3.1 Top Threats

OWASP Top 10 - 2017

  • A1: Injection (will cover)
  • A2: Broken Authentication (will cover)
  • A3: Sensitive Data Exposure
  • A4: XML External Entities (not applicable to us)
  • A5: Broken Access Control
  • A6: Security Misconfiguration (will not cover)
  • A7: Cross-Site Scripting (XSS) (particularly relevant to us)
  • A8: Insecure Deserialization
  • A9: Using Components with Known Vulnerabilities (will not cover)
  • A10: Insufficient Logging & Monitoring (will not cover)

3.2 Injection

3.3 Authentication

Credential stuffing is the automated injection of breached username/password pairs (typically from other sites) in order to identify accounts on the target system that use the same credentials.
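The defining feature of credential stuffing in a login log is one source fanning out across many different accounts, whereas a user who mistypes a password keeps hitting the same username. The following is an added example (not part of this reading list or of OWASP's material) of a sliding-window heuristic over login audit events; the event shape `{ts, ip, user, ok}`, the sample records and the thresholds are all constructed for the illustration.

```javascript
// Constructed login-audit records for the example (documentation IP ranges,
// invented usernames). ts is seconds since some epoch; ok is whether the
// password check succeeded.
const SAMPLE_LOGIN_EVENTS = [
  // one source cycling through six different accounts in under a minute
  { ts: 0,  ip: '203.0.113.5',  user: 'alice', ok: false },
  { ts: 5,  ip: '203.0.113.5',  user: 'bob',   ok: false },
  { ts: 10, ip: '203.0.113.5',  user: 'carol', ok: false },
  { ts: 15, ip: '203.0.113.5',  user: 'dave',  ok: false },
  { ts: 20, ip: '203.0.113.5',  user: 'erin',  ok: false },
  { ts: 25, ip: '203.0.113.5',  user: 'frank', ok: true  }, // a reused password hit
  // a legitimate user mistyping twice, then succeeding: same account each time
  { ts: 3,  ip: '198.51.100.7', user: 'alice', ok: false },
  { ts: 9,  ip: '198.51.100.7', user: 'alice', ok: false },
  { ts: 14, ip: '198.51.100.7', user: 'alice', ok: true  },
  // two accounts from one address, but far apart in time (outside the window)
  { ts: 100, ip: '192.0.2.9',   user: 'bob',   ok: true  },
  { ts: 200, ip: '192.0.2.9',   user: 'carol', ok: true  },
];

// For every source IP, the largest number of distinct usernames attempted
// within any span of windowSeconds. Events are bucketed per IP, sorted by
// time, and a sliding window with a per-username occurrence count gives the
// distinct-user count without rescanning the window on every step.
function maxDistinctUsersPerIp(events, windowSeconds) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const result = new Map();
  for (const [ip, list] of byIp) {
    list.sort((a, b) => a.ts - b.ts);
    const counts = new Map(); // username -> occurrences inside the window
    let best = 0;
    let start = 0;
    for (let i = 0; i < list.length; i++) {
      counts.set(list[i].user, (counts.get(list[i].user) || 0) + 1);
      // Drop events that fell out of the window ending at list[i].ts.
      while (list[i].ts - list[start].ts > windowSeconds) {
        const u = list[start].user;
        const c = counts.get(u) - 1;
        if (c === 0) counts.delete(u); else counts.set(u, c);
        start++;
      }
      best = Math.max(best, counts.size);
    }
    result.set(ip, best);
  }
  return result;
}

// Sources that touched at least minDistinctUsers accounts inside one window,
// most active first. Thresholds are constructed for the example; tune them
// against your own traffic (shared NAT egress addresses raise the baseline).
function findStuffingSources(events, { windowSeconds = 60, minDistinctUsers = 5 } = {}) {
  const flagged = [];
  for (const [ip, n] of maxDistinctUsersPerIp(events, windowSeconds)) {
    if (n >= minDistinctUsers) flagged.push({ ip, distinctUsers: n });
  }
  return flagged.sort((a, b) => b.distinctUsers - a.distinctUsers);
}

console.log(findStuffingSources(SAMPLE_LOGIN_EVENTS));
// → [ { ip: '203.0.113.5', distinctUsers: 6 } ]
```

The per-IP view is deliberately independent of whether the attempts succeeded: the successful login on the sixth account is exactly the outcome the attacker wants, so a rule keyed only on failures would miss the most important event. Pair the heuristic with the countermeasures the cheat sheet lists (multi-factor authentication, checking passwords against breach corpora) rather than relying on it alone.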

3.4 Sensitive Data Exposure

This cheat sheet focuses on privacy and anonymity threats that users might face by using online services, especially in contexts such as social networking and communication platforms.

An architectural decision must be made to determine the appropriate method to protect data at rest.

This is a general computer security problem so should be covered in a computer security class.

HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click-through prompts on browsers.
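What the "special response header" looks like in practice, as an added example in node.js (not code from this reading list or from OWASP). Browsers only honour `Strict-Transport-Security` when it arrives over HTTPS, so the usual layout is two listeners: the HTTPS one sets the policy on every response, and the plain-HTTP one serves nothing but a redirect. The handlers below only rely on the `setHeader`/`end` interface of node's response object, so they can be exercised with a stub; the `max-age` value and the port are constructed for the example.

```javascript
// Build the Strict-Transport-Security header value.
//   maxAgeSeconds     how long the browser should remember to use HTTPS only
//                     (0 tells the browser to forget a previously stored policy)
//   includeSubDomains apply the rule to every subdomain as well
//   preload           signal eligibility for browsers' built-in preload lists
function hstsHeaderValue({ maxAgeSeconds, includeSubDomains = false, preload = false }) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new TypeError('maxAgeSeconds must be a non-negative integer');
  }
  const parts = [`max-age=${maxAgeSeconds}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// One year, covering subdomains: a common production setting (constructed here).
const HSTS_POLICY = hstsHeaderValue({ maxAgeSeconds: 31536000, includeSubDomains: true });

// Handler for the HTTPS listener: every response carries the policy, because
// the browser only records it from responses delivered over TLS.
function secureHandler(req, res) {
  res.setHeader('Strict-Transport-Security', HSTS_POLICY);
  res.setHeader('Content-Type', 'text/plain');
  res.end('served over https\n');
}

// For a request that arrived over plain HTTP, compute the HTTPS URL to send
// the client to. Returns null when the Host header is absent or not a plain
// host[:port], so the caller answers 400 instead of redirecting to a
// client-supplied location.
function httpsRedirectTarget(hostHeader, url) {
  if (typeof hostHeader !== 'string' || !/^[a-z0-9.-]+(:\d+)?$/i.test(hostHeader)) return null;
  const host = hostHeader.replace(/:\d+$/, ''); // drop the plain-HTTP port
  return `https://${host}${url}`;
}

// Handler for the plain-HTTP listener: never serve content, only redirect.
// No HSTS header here; it would be ignored on an insecure connection anyway.
function redirectHandler(req, res) {
  const target = httpsRedirectTarget(req.headers && req.headers.host, req.url);
  if (target === null) {
    res.statusCode = 400;
    res.end('bad host\n');
    return;
  }
  res.statusCode = 301;
  res.setHeader('Location', target);
  res.end();
}

// Wiring (not executed here): the redirector is an http.createServer(redirectHandler)
// on port 80, the secure side an https.createServer(tlsOptions, secureHandler)
// on port 443 with the site's certificate and key.
module.exports = { hstsHeaderValue, httpsRedirectTarget, secureHandler, redirectHandler };
```

Two operational caveats follow from the header's semantics: once a long `max-age` has been sent, every host under the policy must keep working over HTTPS for that long (including subdomains when `includeSubDomains` is set), and the `preload` token should only be added when you intend to submit the domain to the preload lists, since a preloaded entry cannot be undone by simply sending `max-age=0`.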

3.5 Access Control

Authorization is the process where requests to access a particular resource are granted or denied. It should be noted that authorization is not equivalent to authentication, as these terms and their definitions are frequently confused. Authentication is providing and validating identity. Authorization includes the execution rules that determine what functionality and data the user (or Principal) may access, ensuring the proper allocation of access rights after authentication is successful.

Browser protection mechanism: Cross-Origin Resource Sharing (CORS); this also comes up as a “hassle” during development.

3.6 Cross-Site Scripting (XSS)

Definition XSS

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

  • Cross-site Scripting (XSS) explanation
  • XSS (Cross Site Scripting) Prevention Cheat Sheet
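The definition above locates the flaw precisely: user input placed into generated output without encoding. As an added example (not code from this reading list or from the OWASP cheat sheet), here is the same small node.js template rendered without and with output encoding for the HTML context; the template, the `escapeHtml` helper and the sample input are constructed for the illustration.

```javascript
// The five characters that can change the structure of HTML text or of a
// quoted attribute value, and the entities that render them inert.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for insertion into HTML element content or into a
// double-/single-quoted attribute. Non-strings are coerced first so a
// number or null cannot slip through unencoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: the untrusted value is concatenated straight into markup,
// so any tag or attribute it contains becomes part of the page.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}!</p>`;
}

// Hardened form: identical template, but the value is encoded for the
// context it lands in (element content), so the browser shows the text
// rather than interpreting it.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}!</p>`;
}

// Attribute context. HTML-entity encoding is sufficient only because the
// attribute is quoted; an unquoted attribute would need a far stricter
// encoding (the cheat sheet's rule 2), and event-handler attributes, script
// blocks, URLs and CSS each need their own context-specific encoder.
function renderSearchBox(previousQuery) {
  return `<input name="q" value="${escapeHtml(previousQuery)}">`;
}

// Constructed input containing every character the encoder handles.
const SAMPLE_NAME = 'Mallory <b>"x"</b> & co';

console.log(renderGreetingUnsafe(SAMPLE_NAME)); // markup from the input survives intact
console.log(renderGreetingSafe(SAMPLE_NAME));   // the same text, now inert entities
console.log(renderSearchBox('"><b>bold</b>'));   // the closing quote cannot end the attribute

module.exports = { escapeHtml, renderGreetingUnsafe, renderGreetingSafe, renderSearchBox };
```

In a real application this encoding is normally done by the templating engine's default escaping rather than by hand; the point of the pair above is that the difference between the vulnerable and the fixed page is a single missing encoding step at the point where untrusted data meets output, which is also where a code review should look for it.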

3.7 Also of Interest

4 Browser Security Features

Content Security Policy (CSP)

Uses HTTP headers and such…