Web Security Course Agenda
Transcript from the "Course Agenda" Lesson
>> Mike North: And with that let's talk about the agenda for today. So this is like a rough outline of a web application system. And we're going to stage a bunch of attacks on the client. So we're gonna deal with cross-site scripting. We're going to talk about third-party assets. Does anyone here break in like NPM dependencies, anything in your node modules folder at all?
[00:00:25] We'll talk about CSRF which is cross-site request forgery. These are attacks that take advantage of the fact that when we send a request to another origin, we pass cookies along the way by default. And if you use HTTP basic authentication, which, hopefully, nobody in the room does, those credentials are sent along the way as well.
[00:00:45] The last attack we'll deal with on the client is click jacking. This category of attacks is called a UI redress attack where users think they're interacting with one application, but in fact they're interacting with another. Moving away from the client we'll talk about CDNs. So if you bring in libraries via a CDN, and I'm not implying that I know of any that are untrustworthy.
[00:01:10] But things like unpackage, or CDNJS. These are controlled by people. They're like a small group of people you're trusting to never change the files that are on there. Never allow malicious code to be in there. And they can have the best intentions, but maybe they use their deploy key for that CDN and for something else.
[00:01:31] And maybe there's a breach with that something else. And so we'll talk about, how do we make sure that we are, for code that is hosted in a place we don't directly have control over. How can we have assurance that some subtle change can be made to that code without our knowledge?
[00:01:50] How can we be assured that when that code changes we are alerted? Finally, we will talk about the connection between client and server. We will look at an HTTPS downgrade attack. And man in the middle attacks in general, where basically an attacker positions themselves between a target and someone the target thinks they're communicating with.
[00:02:17] And they're trying to tamper with or eavesdrop on traffic that is going along that channel. So, that is seven attacks and I think we have 10 exercises today. Because, some of them, we end up not just defending against, but trying to stage the attacks ourselves.