Web Security Web Security

Course Demo Application

Learning Paths:
Check out a free preview of the full Web Security course:
The "Course Demo Application" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike discusses the course demo application, Equihax, which will be used throughout the course to demonstrate vulnerabilities.

Get Unlimited Access Now

Transcript from the "Course Demo Application" Lesson

[00:00:00]
>> Mike North: So the app we're gonna be working with all day today, it is an online bank where we have a couple accounts, like checking and savings accounts here. You have the ability to transfer funds to another person's account, and a user has a profile page that's not filled out.

[00:00:18] That's not completely implemented, but it's there enough that it might present a potential vector for causing a problem. Right, and we leave occasionally half complete features behind a feature flag or something. Or it's easy for something like that to sneak in. And you might think well, it doesn't work yet.

[00:00:39] It's not gonna cause a problem. But sometimes just a little piece of code can be enough for someone to get a foothold on your system. So where we're gonna start, everyone will agree this is an obviously insecure situation. And over time, we're going to alternate between staging an attack, so we're gonna take the role of the attacker and see how much trouble we can cause.

[00:01:04] And then we're going to flip over and see if we can shore up this application to the point where the attack that we've just made is not possible anymore, it's not effective. Right, so we're gonna sort of alternate back and forth. And I find this is the best way to do it because you kind of get to, when you're trying to compromise the system, that is the best mindset to have in order to figure out what exactly you have to defend against.

[00:01:31] And hopefully it will build some habits where you start thinking about unreasonable user input, for example. We always expect, we have a text field and it says username. And I expect the user to put something that looks like an email address in there. But I want you to start thinking about what are the crazy types of things that someone can put in there that could potentially cause trouble.

[00:01:52] Cuz we have to be prepared for that. So I'm gong to be testing on IE9, and if you're watching on the video, I'm gonna ask probably within the live classroom we all not try to download this at once. It's useful to have a virtual machine with an old browser.

[00:02:09] And I will represent the room here, and I will be running a virtual machine for you, so that we can look at it. But you can go to modern.ie and they have virtual machines that are good for 90 days that you can download for IE9, IE10, IE11. They work in VirtualBox, which is a free virtual machine platform.

[00:02:34] And that lets us task something realistic, right? Because, yes, Chrome and Firefox, like the evergreen browsers, do a lot to protect us from things like cross side scripting. But not all of our users are working on those, right? So we really want to be able to take at least two data points, a very modern browser and a browser that is the least safe, but we still need to support it.

[00:02:59] So, modern.ie, you can download that, and I will be the representative in the room that will show the holes that still remain in IE9.