90-180 minutes
How the Internet Works Topic Outline
Apprentices will learn secure development basics, common pitfalls, and how to avoid them.
Participants will be able to:
- Pull in a relevant JS library to handle common scenarios
- Validate user input
- Authenticate users on a site
- XSS someone else's web page
- OWASP Secure coding practices
- Input validation
- Authentication means and pitfalls
- Session management
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- OWASP Secure Coding Practices Quick Reference Guide
- Parsley, the ultimate JavaScript form validation library
- Validator
- DOMPurify
- Passport
- OpenID Connect client
- A quick introduction to web security
OWASP releases a regular list of the top 10 most critical web application security risks. Here are the 2017 highlights:
- Injection: validate everything before you hand it to an interpreter! Here we focus on JavaScript sanitization.
- Broken Authentication and Session Management: practice this by using the above libraries. Better than passwords, try SAML.
- XSS and CSRF: XSS is basically injection in the DOM, and you can't prevent CSRF until you've tackled all the XSS bugs. Try it at home with Google and Excess XSS.
- Encryption: sensitive data should be encrypted in transit and at rest. Also, you are not a mathematician; never try to roll your own encryption.
- Apprentices will use popular libraries to add authentication and session management to the Pinterest clone project. Using Google or OpenID for SAML auth may be easier than trying Passport.
- Next, validate user input with Parsley and validate individual fields with Validator.
- Use DOMPurify to prevent XSS.
- Build a page template to make it easier to prevent CSRF.
If you are feeling inclined, or interested in red teaming, you can experiment with Insecure Labs or a Kali Linux VM and read about its rich FOSS tool suite.
The next step is to try to XSS each other's sites.