Table of Contents
Introduction - Mike North introduces his Web Security course by examining the web security landscape in the context of front-end development. We recommend using Node version 8.17.0 with this course.
Course Demo Application - Mike discusses the course demo application, Equihax, which is used throughout the course to demonstrate vulnerabilities.
Types of Hackers - Mike discusses the differences between types of hackers: Black Hat, Grey Hat, and White Hat.
Hacker Motives - To better understand how an attack unfolds, Mike discusses the motives of an attacker.
Course Agenda - Mike reviews the course agenda, which covers seven client-side and server-side attacks and ten challenges.
Cross-Site Scripting (XSS)
Introducing Cross-Site Scripting (XSS) - Mike introduces Cross-Site Scripting (XSS), which occurs when an attacker injects client-side script into web pages viewed by other users.
Types of XSS Attacks - Mike reviews the types of XSS attacks: Stored XSS, Reflected XSS, DOM-based XSS, and Blind XSS.
Locations for XSS Attacks - Mike examines where in a web application XSS vulnerabilities typically appear.
XSS Attack Demonstration - Using the Browser Exploitation Framework (BeEF), Mike demonstrates an XSS attack against a site that does not use HTTPS.
Prevent XSS Attacks Quiz - After showing an example of a Fortune 500 company offering what is effectively an XSS injection as a feature, Mike goes through the questions to ask when assessing an application's exposure to XSS.
Challenge 1: XSS Attack - In this challenge, students find and exploit three XSS vulnerabilities in the course demo application.
Challenge 1: Solution - Mike walks through the solution to Challenge 1.
User Data - To defend against XSS, Mike reviews the places where user-supplied data inserted into an application can cause problems.
Sanitizing User Data - Mike reviews methods for sanitizing and encoding user-supplied data to thwart potential XSS attacks.
Content Security Policy (CSP) - Since a browser cannot tell a script the developer intended from one an attacker injected, Mike discusses how Content Security Policy (CSP) tells modern browsers which sources are trustworthy. Mike takes questions from students.
Challenge 2: Defend Against XSS Attacks - In this challenge, students fix the XSS bugs and add a CSP policy to the course demo application.
Challenge 2: Solution, Part 1 - Mike walks through the solution to Challenge 2, fixing the XSS exploits.
Challenge 2: Solution, Part 2 - Mike walks through the solution to Challenge 2, focusing on setting up a CSP policy.
Malicious Attachments - After discussing how code can be embedded in files, Mike shows a JPEG image that carries HTML in its EXIF metadata.
Challenge 3: XSS Attachment - In this challenge, students modify an image's EXIF metadata to carry a payload.
Challenge 3: Solution - Mike walks through the solution to Challenge 3.
Stopping Malicious Attachments - Mike reviews techniques to defend against malicious attachments.
Cross-Site Request Forgery (CSRF)
Introducing Cross-Site Request Forgery (CSRF) - Mike introduces Cross-Site Request Forgery (CSRF), in which a malicious site causes the victim's browser to send a request, carrying the victim's cookies, to a site where the victim is logged in.
Challenge 4: CSRF - In this challenge, students forge a bank transfer request against the course demo application from code running on a third-party site.
Challenge 4: Solution - Mike walks through the solution to Challenge 4.
CSRF Tokens - After discussing the conditions under which an application is vulnerable to CSRF, Mike introduces CSRF tokens: unpredictable values issued by the web application, included with each request it initiates, and checked on the server side.
Request Origin - Mike introduces the Origin header, which indicates where a fetch originates. The Origin includes only the scheme, host, and port of the requesting page, never its path, so it can be compared whole against the application's own origin.
Cross-Origin Resource Sharing (CORS) - Mike reviews Cross-Origin Resource Sharing, the mechanism by which a server tells the browser which other origins may read its responses, selectively relaxing the same-origin policy for resources requested from a page hosted on a different domain.
Challenge 5: Defend Against CSRF - In this challenge, students add CSRF protection.
Challenge 5: Solution - Mike walks through the solution to Challenge 5.
Introducing Clickjacking - Mike discusses clickjacking, also known as a "UI redress attack," in which a user is tricked into clicking or interacting with something other than what they perceive, such as a login form designed to look like that of a trusted online bank.
Challenge 6: Clickjacking - In this challenge, students create a landing page that stages a clickjacking attack to trick a user.
Challenge 6: Solution - Mike walks through the solution to Challenge 6.
Stopping Clickjacking - To defend against clickjacking, Mike reviews X-Frame-Options, an HTTP response header that tells a browser whether it may render the content inside a frame, iframe, or object element. Because the header only helps in browsers that honor it, Mike also discusses an alternative approach for legacy browsers.
Challenge 7: Defend Against Clickjacking - In this challenge, students add modern and legacy defenses against clickjacking.
Challenge 7: Solution - Mike walks through the solution to Challenge 7.
Third Party Assets
Introducing Third Party Assets - Mike reviews different kinds of third-party assets used in web development: Version Changes, CDN Assets, and Vendor Tags. Mike takes questions from students.
Challenge 8: Subresource Integrity - In this challenge, students add Subresource Integrity (SRI) attributes to script and style tags so the browser verifies files fetched from a third-party file host before using them.
Challenge 8: Solution - Mike walks through the solution to Challenge 8.
Introducing Man-in-the-Middle Attacks - After reviewing client-side security, Mike turns to server-side security, starting with Man-in-the-Middle attacks, in which an unseen attacker relays, and can read or alter, the network traffic between two parties who believe they are talking directly to each other.
Hardware - Mike examines the hardware needed to perform Man-in-the-Middle attacks.
Encrypting Data - Mike introduces data encryption as the defense against Man-in-the-Middle attacks.
Introducing HTTPS - Mike reviews the recent rise of HTTPS and its easy availability through Let's Encrypt, a service that provides free SSL/TLS certificates.
HTTPS & Cryptography - Mike illustrates how cryptography secures communication, especially through public-key cryptography.
TLS Handshake - Mike deconstructs the TLS handshake, the exchange that authenticates the server and agrees on session keys before a secure session begins.
OpenSSL - Mike reviews how to generate keys and sign certificates with OpenSSL, a toolkit and library for applications that secure communications over computer networks.
Challenge 9: Defend Against Man-in-the-Middle Attack - In this challenge, students generate a private key, serve the course demo application over HTTPS, and add the certificate to the OS's trust store.
Challenge 9: Solution - Mike walks through the solution to Challenge 9.
Introducing HTTPS Downgrade - Mike describes HTTPS downgrade, a variant of the Man-in-the-Middle attack in which the attacker acts as a proxy between the user and the secure server, speaking plain HTTP to the user while holding the HTTPS connection to the server itself.
Defending Against HTTPS Downgrade - Mike discusses techniques to force connections to use HTTPS.
Bad Certificate - Taking a Man-in-the-Middle approach, Mike reviews how an attacker might forge a certificate to compromise communication between two parties.
Defending Against Bad Certificates - To defend against an attack using bad certificates, Mike discusses setting the HTTP Strict-Transport-Security (HSTS) response header, which tells browsers to connect only over HTTPS and to treat certificate errors as fatal rather than offering a click-through.
Challenge & Solution 10: Defend Against HTTPS Downgrade - After reviewing the challenge of adding HSTS to the course demo application, Mike walks through the solution.
Certificate Authority Compromise - Mike discusses the consequences when a certificate authority, an organization trusted to issue certificates, is compromised, and how the Public Key Pinning Extension for HTTP (HPKP) lowered the risk of forged certificates in browsers that supported it. (HPKP has since been deprecated and removed from major browsers.)