1. Web Security
What are some key misconfigurations, how to exploit them, and how to
prevent others from exploiting them
Chris Wood - https://chriswoodcodes.net
2. Plan
High-level overview of key security misconfigurations
Try and hack a custom website
Walk through the code and see how we can prevent the security
misconfigurations from being exploited
3. Cross-Site Scripting (XSS)
A malicious script is run when a user accesses a webpage
HTML, CSS, JS
Either reflected or persisted (stored)
https://portswigger.net/web-security/cross-site-scripting
4. Cross-Site Request Forgery (CSRF)
User is tricked into making a request they did not intend
Usually with the target user’s session
Regular (a link the user clicks) or stored (an img, iframe or form embedded in a page)
Launched from another website
https://portswigger.net/web-security/csrf
5. Server-Side Request Forgery (SSRF)
Requests made to an unintended location from the server
Targets: internal services, or a file location on the server
Or a malicious (attacker-controlled) server
https://portswigger.net/web-security/ssrf
6. SQL Injection
Where a user can manipulate the SQL queries run by the backend server
Usually run with the backend's full database privileges
Read data
Modify/delete data
https://portswigger.net/web-security/sql-injection
7. Cross-Origin Resource Sharing (CORS)
Enforced in most browsers, controls how requests to a website can be made
from another website
Same-Origin Policy
Pre-flight OPTIONS request (skipped for simple requests)
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
https://portswigger.net/web-security/cors
8. Miscellaneous
Scripting user logins and creation
Poor password management
User access controls
Revealing too much information
9. Hacking time!
Try and break things on the website
List of challenges
Some pages will be rolled out
11. Cross-Site Request Forgery (CSRF)
Anti-forgery tokens (also called CSRF tokens)
And validate them on the server
Cookies' 'SameSite' attribute set to Lax or Strict
Generally, don’t use GETs for state changes
13. Cross-Origin Resource Sharing (CORS)
Either don’t specify anything (using Same-Origin Policy)
Or restrict to trusted domains
Avoid Access-Control-Allow-Credentials unless the use case needs it
14. Cookies
Secure
Http-Only
Short-lived
Same-Site
None
Lax (the domain and parent domains)
Strict (only to that specific domain)
Limited scope
Encrypted
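The CSRF mitigations (slide 11) and the cookie attributes (slide 14) in one piece of working server-side logic. This is an added example, not code from the talk's custom website: the secret, session id and handler names are assumptions, and the token is derived as an HMAC of the session id so it needs no extra storage.

```python
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

# Hypothetical server secret for this demo; a real app loads it from config.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def new_session_id() -> str:
    """Random, unguessable session id (what the session cookie would carry)."""
    return secrets.token_urlsafe(32)


def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-forgery token: HMAC-SHA256 of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: Optional[str]) -> bool:
    """Validate the token posted with the form; constant-time comparison."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def set_cookie_header(name: str, value: str, same_site: str = "Lax",
                      max_age: int = 900) -> str:
    """Build a Set-Cookie header with the slide's attributes:
    Secure, HttpOnly, short-lived (Max-Age) and SameSite."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite={same_site}")


def check_state_changing_request(method: str, session_id: Optional[str],
                                 form_token: Optional[str]) -> Tuple[int, str]:
    """Gate for an endpoint that changes state (e.g. logout, transfer).
    Returns (HTTP status, reason): GET is refused outright, then the
    session must exist and the anti-forgery token must match it."""
    method = method.upper()
    if method in ("GET", "HEAD"):
        return 405, "state changes must not be performed over GET"
    if method not in STATE_CHANGING:
        return 405, "unsupported method"
    if not session_id:
        return 401, "no session"
    if not csrf_token_valid(session_id, form_token):
        return 403, "missing or invalid anti-forgery token"
    return 200, "ok"
```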
15. User Management
Display generic error messages
CAPTCHA
Account verification (e.g. email)
Hash and salt passwords with sufficient entropy
Or don’t manage passwords at all!
Rate limit logins (lockout too)
MFA
Logout should be POST
16. Secure all the things
HTTPS every request
HSTS, preload