Web Security

Wrapping Up Web Security

Web Security

Check out a free preview of the full Web Security course

The "Wrapping Up Web Security" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike recaps the attacks and defenses covered in the Web Security course.


Transcript from the "Wrapping Up Web Security" Lesson

>> Mike North: So just to recap we started a bunch of different attacks today. We began with cross sites scripting and we injected code into an app that we could potentially use to affect another user. We used a CSRF attack to create a landing page that sent off a request to transfer funds from one bank account to another, using a GET request approach with an image tag and a form that had a JavaScript like programmatic submit.

But in either case, once a user lands on that page, the CSRF attack is carried out and by time they know what's happened, it's already too late. We built an example of clickjacking and positioned an eye frame over a submit button and tricked the user into interacting with an app that was not ours, just through basically CSS.

We talked a little bit about third party assets and how we can use sub-resource integrity in order to ensure that assets that are not under our control, when they change we will be notified of those changes and we will sort of have to patch things up in order to take them into our app.

We discussed resource tampering a little bit, and how things could happen on a CDN and how to insulate ourselves from that risk. And then finally we dealt with a couple different things that could happen with a man in the middle attack. And specifically how we can downgrade https connections into plain http and then talked about HSTS and public key pinning could be used to combat the basic version of that attack where you have an unencrypted session between the attacker and the target.

And then public key pinning which would basically say for the half of users who would click through the warning saying this certificate doesn't look quite right. Now you'd be in a position where the user doesn't get to make that decision, and if there's a man in the middle that has forged a certificate they're not allowed to accept that and they're not allowed to carry on and perform that task.

So I hope you found this useful. I hope you know more about web app security and those concerns that developers focused on JavaScript apps and TypeScript apps should be cognizant of. And hopefully you'll save yourself some stressful problem as a result of this new knowledge.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now