Web Security
Introduction
00:00:00 - 00:04:03
Mike North introduces his Web Security course by examining the web security landscape in the context of front-end development.
- https://github.com/mike-north/web-security-fundamentals
Course Demo Application
00:04:04 - 00:07:14
Mike discusses the course demo application, Equihax, which will be used throughout the course to demonstrate vulnerabilities.
Types of Hackers
00:07:15 - 00:11:46
Mike discusses the differences between types of hackers: Black Hat, Grey Hat, and White Hat.
Hacker Motives
00:11:47 - 00:14:17
To better understand how an attack unfolds, Mike discusses the motives of an attacker.
Course Agenda
00:14:18 - 00:16:55
Mike reviews the course agenda, which covers seven client-side and server-side attacks and ten challenges.
Cross-Site Scripting (XSS)
Introducing Cross-Site Scripting (XSS)
00:16:56 - 00:20:22
Mike introduces Cross-Site Scripting (XSS), which occurs when attackers inject client-side scripts into web pages viewed by other users.
Types of XSS Attacks
00:20:23 - 00:23:44
Mike reviews the types of XSS attacks: Stored XSS, Reflected XSS, DOM-Based XSS, and Blind XSS.
Locations for XSS Attacks
00:23:45 - 00:25:47
Mike examines where XSS vulnerabilities are located in a web application.
XSS Attack Demonstration
00:25:48 - 00:35:47
Using the Browser Exploitation Framework (BeEF), Mike rather efficiently executes an XSS attack demonstration on a site that does not use HTTPS.
- https://www.kali.org/
- http://beefproject.com/
Prevent XSS Attacks Quiz
00:35:48 - 00:43:41
After showing an example of a Fortune 500 company using an XSS attack as a feature, Mike goes through questions to assess an application's vulnerability to XSS attacks.
Challenge 1: XSS Attack
00:43:42 - 00:49:59
In this challenge, students find and exploit three XSS vulnerabilities in the course demo application.
Challenge 1: Solution
00:50:00 - 00:57:17
Mike walks through the solution to Challenge 1.
User Data
00:57:18 - 01:00:23
To defend against XSS exploits, Mike reviews the areas where user data inserted into an application can cause problems.
Sanitizing User Data
01:00:24 - 01:06:33
Mike reviews methods for sanitizing data entered by an application's users to thwart potential XSS attacks.
Content Security Policy (CSP)
01:06:34 - 01:17:31
Since browsers cannot tell the difference between scripts downloaded from the origin and scripts from another source, Mike discusses how Content Security Policy (CSP) tells modern browsers which sources are trustworthy. Mike takes questions from students.
Challenge 2: Defend Against XSS Attacks
01:17:32 - 01:20:12
In this challenge, students fix XSS bugs and add a CSP policy to the course demo application.
Challenge 2: Solution, Part 1
01:20:13 - 01:26:31
Mike walks through the solution to Challenge 2, fixing the XSS exploits.
Challenge 2: Solution, Part 2
01:26:32 - 01:38:22
Mike walks through the solution to Challenge 2, focusing on setting up a CSP policy.
Malicious Attachments
01:38:23 - 01:45:04
After discussing how code can be added to or embedded in files, Mike shows a JPEG image that contains HTML in its EXIF metadata.
Challenge 3: XSS Attachment
01:45:05 - 01:49:01
In this challenge, students modify an image's EXIF metadata.
Challenge 3: Solution
01:49:02 - 01:57:36
Mike walks through the solution to Challenge 3.
Stopping Malicious Attachments
01:57:37 - 02:00:17
Mike reviews techniques to defend against malicious attachments.
Cross-Site Request Forgery (CSRF)
Introducing Cross-Site Request Forgery (CSRF)
02:00:18 - 02:02:59
Mike introduces the Origin header, which indicates where a fetch originates. The Origin includes only the server name and not any additional path information.
Challenge 4: CSRF
02:03:00 - 02:04:04
In this challenge, students create a bank transfer request through the course demo application using code initiated on a third-party site.
Challenge 4: Solution
02:04:05 - 02:12:26
Mike walks through the solution to Challenge 4.
CSRF Tokens
02:12:27 - 02:17:33
After discussing the conditions under which an application is vulnerable to CSRF, Mike introduces the concept of CSRF tokens: a unique value for each request initiated by the web application and checked on the server side.
Request Origin
02:17:34 - 02:19:14
Mike introduces the Origin header, which indicates where a fetch originates. The Origin includes only the server name and not any additional path information.
Cross-Origin Resource Sharing (CORS)
02:19:15 - 02:21:19
Mike reviews Cross-Origin Resource Sharing, which gives servers a mechanism for restricting resources requested from another site hosted outside the domain from which the first resource was served.
Challenge 5: Defend Against CSRF
02:21:20 - 02:25:07
In this challenge, students add CSRF protection.
Challenge 5: Solution
02:25:08 - 02:32:01
Mike walks through the solution to Challenge 5.
- https://github.com/expressjs/csurf
Clickjacking
Introducing Clickjacking
02:32:02 - 02:34:51
Mike discusses clickjacking, also known as a "UI redress attack." In this technique, a user is tricked into clicking or interacting with something different from what they perceive, such as a login form designed to look like that of a trusted online bank.
Challenge 6: Clickjacking
02:34:52 - 02:36:01
In this challenge, students create a landing page that can stage a clickjacking attack to trick a user.
Challenge 6: Solution
02:36:02 - 02:39:41
Mike walks through the solution to Challenge 6.
Stopping Clickjacking
02:39:42 - 02:42:44
To defend against clickjacking, Mike reviews X-Frame-Options, an HTTP response header that determines whether a browser should be allowed to render content within a frame, iframe, or object element. Because X-Frame-Options only works in modern browsers, Mike also discusses an alternative approach for legacy browsers.
Challenge 7: Defend Against Clickjacking
02:42:45 - 02:45:06
In this challenge, students add modern and legacy defenses against clickjacking.
Challenge 7: Solution
02:45:07 - 02:50:06
Mike walks through the solution to Challenge 7.
Third Party Assets
Introducing Third Party Assets
02:50:07 - 03:03:00
Mike reviews different examples of third-party assets used in web development: Version Changes, CDN Assets, and Vendor Tags. Mike takes questions from students.
- https://snyk.io/
Challenge 8: Subresource Integrity
03:03:01 - 03:04:02
In this challenge, students add Subresource Integrity (SRI) attributes to script and style tags to verify files fetched from a file library.
Challenge 8: Solution
03:04:03 - 03:08:31
Mike walks through the solution to Challenge 8.
Man-in-the-Middle
Introducing Man-in-the-Middle Attacks
03:08:32 - 03:16:42
After reviewing client-side security, Mike begins examining server-side security by first looking at Man-in-the-Middle attacks, in which an unknown attacker relays the network communication between two parties.
Hardware
03:16:43 - 03:21:12
Mike examines the hardware needed to perform Man-in-the-Middle attacks.
Encrypting Data
03:21:13 - 03:23:52
Mike introduces data encryption as a defense against Man-in-the-Middle attacks.
HTTPS
Introducing HTTPS
03:23:53 - 03:26:44
Mike reviews the recent prominence of HTTPS and its easy availability through Let's Encrypt, a service that provides free SSL/TLS certificates.
- https://letsencrypt.org/
HTTPS & Cryptography
03:26:45 - 03:34:21
Mike illustrates how cryptography is used to secure communication, especially through public key encryption.
TLS Handshake
03:34:22 - 03:36:52
Mike deconstructs the TLS handshake, the protocol in charge of the authentication and key exchange needed to establish a secure session.
OpenSSL
03:36:53 - 03:40:13
Mike reviews how to generate keys and sign certificates with OpenSSL, a software library for applications that secure communications over computer networks.
Challenge 9: Defend Against Man-in-the-Middle Attack
03:40:14 - 03:41:17
In this challenge, students generate a private key, serve the course demo application over HTTPS, and add a certificate to the OS's trust store.
Challenge 9: Solution
03:41:18 - 03:58:34
Mike walks through the solution to Challenge 9.
HTTPS Downgrade
Introducing HTTPS Downgrade
03:58:35 - 04:01:35
Mike describes HTTPS downgrade, a variant of the Man-in-the-Middle attack where the attacker acts as a proxy between the user and the secure server.
Defending Against HTTPS Downgrade
04:01:36 - 04:03:12
Mike discusses techniques to force connections to use HTTPS.
Bad Certificate
04:03:13 - 04:08:12
Through a Man-in-the-Middle approach, Mike reviews how an attacker might forge a certificate to compromise communication between two networks.
Defending Against Bad Certificates
04:08:13 - 04:11:42
To defend against an attack using bad certificates, Mike discusses setting the HTTP Strict-Transport-Security (HSTS) response header, which tells browsers to only access the site over HTTPS.
- https://hstspreload.org/
Challenge & Solution 10: Defend Against HTTPS Downgrade
04:11:43 - 04:21:29
After reviewing the challenge of adding HSTS to the course demo application, Mike walks through the solution.
Certificate Authority Compromise
04:21:30 - 04:29:15
Mike discusses the concerns that arise when a certificate authority, an organization entrusted with distributing certificates, becomes compromised. In modern browsers, Public Key Pinning Extension for HTML5 (HPKP) lowers the risk of forged certificates.
- http://www.computerweekly.com/news/4500242932/Google-warns-of-fake-digital-certificates
Wrapping Up
Wrapping Up Web Security
04:29:16 - 04:31:47
Mike recaps the attacks and defenses covered in the Web Security course.