Mike North
Stripe
Course Description
Websites are hacked every day at an alarmingly increasing rate. In this course Mike North shows you many kinds of threats developers are up against. You’ll stage your own mock attacks and get practice securing and defending against attacks. You'll learn to test security like an attacker and defend against XSS attacks, man-in-the-middle attacks, 3rd party asset injection attacks and more!
This course and others like it are available as part of our Frontend Masters video subscription.
Preview
CloseCourse Details
Published: December 19, 2017
Topics
Learn Straight from the Experts Who Shape the Modern Web
Your Path to Senior Developer and Beyond
- 200+ In-depth courses
- 18 Learning Paths
- Industry Leading Experts
- Live Interactive Workshops
Table of Contents
Web Security
Section Duration: 16 minutes
Mike North introduces his Web Security course by examining web security landscape in the context of front-end development. We recommend using Node version 8.17.0 with this course.
Mike discusses the course demo application, Equihax, which will be used throughout the course to demonstrate vulnerabilities.
Mike discusses the differences between types of hackers: Black Hat, Grey Hat, and White Hat.
To better understand how the process at attack happens, Mike discusses the motives of an attacker.
Mike reviews the course agenda which covers seven client-side and server-side attacks and ten challenges.
Cross-Site Scripting (XSS)
Section Duration: 1 hour, 43 minutes
Mike introduces Cross-Site Scripting (XSS), which occurs when attackers inject client-side scripts into web pages viewed by other users.
Mike reviews types of XSS attacks: Stored XSS, Reflected XSS, DOM Based XSS, and Blind XSS.
Mike examines the locations of vulnerabilities in a web application for XSS attacks.
Using the Browser Exploitation Framework (BeEF), Mike rather efficiently executes an XSS attack demonstration on site that does not utilize HTTPS.
After showing an example of a Fortune 500 company using XSS attack as a feature, Mike goes through questions to assess an application's vulnerability to XSS attacks.
In this challenge, students find and exploit three XSS vulnerabilities in the course demo application.
Mike walks through the solution to Challenge 1.
To defend against XSS exploits, Mike reviews areas where user data inserted into an application can cause problems.
Mike reviews methods for sanitizing data that an application's user would enter to thwart potential XSS attacks.
Since browsers cannot determine the difference between scripts downloaded from the origin or another source, Mike discusses how Content Security Policy (CSP) tells modern browsers which sources are trustworthy. Mike takes questions from students.
In this challenge, students address XSS bugs and add a CSP policy to course demo application.
Mike walks through the solution to Challenge 2 fixing XSS exploits.
Mike walks through the solution to Challenge 2 focusing on setting up a CSP policy.
After discussing how code can be added or embedded into files, Mike shows a JPEG image that contains HTML in the image's EXIF meta information.
In this challenge, students modify an image's EXIF meta information.
Mike walks through the solution to Challenge 3.
Mike reviews techniques to defend against malicious attachments.
Cross-Site Request Forgery (CSRF)
Section Duration: 31 minutes
Mike introduces the Origin header, which indicates where a fetch originates. The Origin includes only the server name and not any additional path information.
In this challenge, students create a bank transfer request through the course demo application through code initiated on a third party site.
Mike walks through the solution to Challenge 4.
After discussing under what conditions an application is vulnerable to CSRF, Mike introduces the concept of CSRF tokens, which is a unique value for each request initiated by the web application and checked on the server side.
Mike introduces the Origin header, which indicates where a fetch originates from. The Origin includess only the server name and not any additional path information.
Mike reviews Cross-Origin Resource Sharing, which allows servers a mechanism for restricting resources requested from another site hosted outside the domain from which the first resource was served.
In this challenge, students add CSRF protection. JSBIN
Mike walks through the solution to Challenge 5.
Clickjacking
Section Duration: 17 minutes
Mike discusses clickjacking, also known as "UI redress attack." In this technique, a user is tricked into clicking or interacting with something different than they perceived such as designing a login form to appear as a trusted online bank.
In this challenge, students create a landing page that can stage a clickjacking attack to trick a user.
Mike walks through the solution to Challenge 6. JSBIN
To defend against clickjacking, Mike reviews X-Frame-Options, an HTTP response header that can be set to determine if a browser should be allowed to render content within a frame, iframe, or object element. Because X-Frame-Options works in modern browsers, Mike also discusses an alternative approach for legacy browsers.
In this challenge, students add modern and legacy defense against clickjacking.
Mike walks through the solution to Challenge 7.
Third Party Assets
Section Duration: 18 minutes
Mike reviews different examples of third-party assets used in web development: Version Changes, CDN Assets, and Vendor Tags. Mike takes questions from students.
In this challenge, students add Subresource Integrity (SRI) attributes to the script and style tags to verify files fetched from a file library.
Mike walks through the solution to Challenge 8.
Man-in-the-Middle
Section Duration: 15 minutes
After reviewing client-side security, Mike starts examining into server-side security by first looking at Man-in-the-Middle attacks. Man-in-the-Middle is a result of an unknown attacker channeling network communication between two parties.
Mike examines hardware gear necessary to perform Man-in-the-Middle attacks.
Mike introduces data encryption for defending against Man-in-the-Middle attacks.
HTTPS
Section Duration: 34 minutes
Mike reviews HTTPS recent prominence and easy access through Let's Encrypt, a service that provides free SSL/TLS certificates.
Mike illustrates how cryptography is used in securing communication, especially with the use of public key encryption.
Mike deconstructs a TLS Handshake, a protocol in charge of the authentication and key exchange necessary to establish secure sessions.
Mike reviews how to generate keys and sign certificates with OpenSSL, a software library for applications that secure communications over computer networks.
In this challenge, students generate a private, serve the course demo application over HTTPS, and add a certificate to OS's trust store.
Mike walks through the solution to Challenge 9.
HTTPS Downgrade
Section Duration: 30 minutes
Mike describes HTTPS downgrade, which is a variant of the Man-in-the-Middle attack where the attacker acts a proxy between the user and the secure server.
Mike discusses techniques to force conntections to use HTTPS.
Through a Man-in-the-Middle approach, Mike reviews how an attacker might forge a certificate to compromise communication between two networks.
To defend against an attack using bad certificates, Mike discusses setting the HTTP Strict-Transport-Security (HSTS) response header that tells browsers to only accept access through HTTPS.
After reviewing the challenge of adding HSTS to course demo application, Mike walks through the solution.
Mike discusses concerns for when certificate authority, organizations entrusted with distributing certificates, become compromised. Due to modern browsers, Public Key Pinning Extension for HTML5 (HPKP) lowers the risks of forged certificates.
Wrapping Up
Section Duration: 2 minutes
Mike recaps the attacks and defenses covered in the Web Security course.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops