Web Security
What are some key misconfigurations, how to exploit them, and how to prevent others from exploiting them
Chris Wood - https://chriswoodcodes.net

Plan
- High-level overview of key security misconfigurations
- Try and hack a custom website
- Walk through the code and see how we can prevent the security misconfigurations from being exploited

Cross-Site Scripting (XSS)
- A malicious script is run when a user accesses a webpage
- HTML, CSS, JS
- Either Reflected or Persisted
- https://portswigger.net/web-security/cross-site-scripting

Cross-Site Request Forgery (CSRF)
- User is tricked into making a request they did not intend
  - Usually with the target user’s session
- Regular (link) and stored (img, iframe, form)
- Another website
- https://portswigger.net/web-security/csrf

Server-Side Request Forgery (SSRF)
- Requests made to an unintended location from the server
  - Internal services, file location
  - Malicious server
- https://portswigger.net/web-security/ssrf

SQL Injection
- Where a user can manipulate the SQL queries run by the backend server
- Usually with full access
  - Read data
  - Modify/delete data
- https://portswigger.net/web-security/sql-injection

Cross-Origin Resource Sharing (CORS)
- Enforced in most browsers, controls how requests to a website can be made from another website
- Same-Origin Policy
- Pre-flight (not used in some cases)
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- https://portswigger.net/web-security/cors

Miscellaneous
- Scripting user logins and creation
- Poor password management
- User access controls
- Revealing too much information

Hacking time!
- Try and break things on the website
- List of challenges
- Some pages will be rolled out

Cross-Site Scripting (XSS)
- Validate/filter input
- Encode output (default behaviour)
- Content Security Policy (CSP) header

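The three XSS mitigations on this slide, as an added Python example that is not code from the slides or the workshop site. It assumes a hypothetical page that reflects a user comment and loads one same-origin script (`/static/app.js`): structured fields get an allowlist, free text is HTML-encoded on output, and a per-response nonce in the CSP header stops any injected script that lacks it.

```python
import html
import re
import secrets

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")  # allowlist for structured fields

def validate_username(value: str) -> bool:
    """Validate/filter input: structured fields get a strict allowlist. Free text
    such as a comment cannot be validated this way, so it is encoded on output."""
    return bool(USERNAME_RE.fullmatch(value))

def render_comment(comment: str) -> str:
    """Encode output: html.escape with quote=True also encodes quotes, so the
    result is safe inside attribute values as well as element bodies."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"

def csp_header(nonce: str) -> str:
    """CSP that runs only same-origin scripts carrying this response's nonce;
    inline handlers and injected <script> tags without the nonce are blocked."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )

def render_page(comment: str):
    """Return (headers, body) for a hypothetical page reflecting a user comment."""
    nonce = secrets.token_urlsafe(16)  # fresh per response, never reused
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": csp_header(nonce),
    }
    body = (
        "<!doctype html><html><body>"
        + render_comment(comment)
        + f'<script nonce="{nonce}" src="/static/app.js"></script>'
        + "</body></html>"
    )
    return headers, body
```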
Cross-Site Request Forgery (CSRF)
- Anti-forgery tokens (also called CSRF Tokens)
  - And validate them
- Cookies ‘SameSite’ set to Lax or Strict
- Generally, don’t use GETs for state changes

SQL Injection
- Parameterise arguments
- Avoid string concatenation

Cross-Origin Resource Sharing (CORS)
- Either don’t specify anything (using Same-Origin Policy)
- Or restrict to trusted domains
- Avoid using credentials (just depends)

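An allowlisted CORS responder, as an added Python example that is not the workshop site's code. The origin names and the allowed method/header lists are constructed assumptions. Unknown origins get no Access-Control-* headers at all (the Same-Origin Policy applies), a trusted origin is echoed back only on an exact match, and Access-Control-Allow-Credentials is only ever combined with a specific origin.

```python
from typing import Optional

# Constructed allowlist of trusted origins (hypothetical hostnames).
TRUSTED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}
ALLOWED_METHODS = ("GET", "POST", "DELETE")
ALLOWED_HEADERS = ("content-type", "authorization")

def cors_headers(origin: Optional[str], allow_credentials: bool = False) -> dict:
    """CORS response headers for a request whose Origin header is `origin`.
    Unknown origins get nothing, so the browser falls back to the Same-Origin
    Policy. Exact set membership: no substring or suffix matching, no '*'."""
    if origin is None or origin not in TRUSTED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # the response differs per origin; tell caches
    }
    if allow_credentials:
        # Only ever set together with a specific origin, never with '*'.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def preflight_headers(origin: Optional[str], requested_method: str,
                      requested_headers: str = "") -> dict:
    """Answer an OPTIONS pre-flight. Methods and headers are matched against
    allowlists; the requested header list is never echoed back unfiltered."""
    headers = cors_headers(origin)
    if not headers or requested_method not in ALLOWED_METHODS:
        return {}  # the browser then blocks the real request
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    granted = [h for h in ALLOWED_HEADERS if h in wanted]
    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    if granted:
        headers["Access-Control-Allow-Headers"] = ", ".join(granted)
    headers["Access-Control-Max-Age"] = "600"
    return headers
```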
Cookies
- Secure
- HttpOnly
- Short-lived
- SameSite
  - None
  - Lax (the domain and parent domains)
  - Strict (only to that specific domain)
- Limited scope
- Encrypted

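The CSRF prevention slide and the Cookies slide together, as one added Python example that is not the workshop site's code. It assumes a hypothetical session identifier and a hypothetical `/account` path; the server key is constructed at import time. The anti-forgery token is bound to the session with an HMAC and validated in constant time, state changes are POST-only, and the session cookie carries Secure, HttpOnly, SameSite, a short Max-Age and a limited Path.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side key; a real app loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Anti-forgery token bound to the user's session: a random nonce plus an
    HMAC over (session, nonce). Embed it in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def validate_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))

def session_cookie_header(session_id: str, max_age_seconds: int = 1800) -> str:
    """Set-Cookie value carrying the attributes from the Cookies slide."""
    c = SimpleCookie()
    c["session"] = session_id
    m = c["session"]
    m["secure"] = True          # only sent over HTTPS
    m["httponly"] = True        # not readable by page scripts (limits XSS impact)
    m["samesite"] = "Lax"       # withheld on cross-site POSTs and subresources,
                                # sent on top-level GET navigations; Strict
                                # withholds it on every cross-site request
    m["max-age"] = max_age_seconds  # short-lived
    m["path"] = "/account"      # limited scope (hypothetical path)
    return m.OutputString()

def handle_state_change(method: str, session_id: str, form_token) -> int:
    """State changes are POST-only, and every POST must carry a token that
    validates for the session cookie it arrived with."""
    if method != "POST":
        return 405
    if not form_token or not validate_csrf_token(session_id, form_token):
        return 403
    return 200
```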
User Management
- Display generic error messages
- CAPTCHA
- Account verification (e.g. email)
- Hash and salt passwords with sufficient entropy
  - Or don’t manage passwords at all!
- Rate limit logins (lockout too)
- MFA
- Logout should be POST

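Password hashing plus a rate-limited login with lockout and generic errors, as an added Python example that is not the workshop site's code. The user table is constructed sample data and the attempt and lockout numbers are assumptions. Unknown usernames are run through the same hash as wrong passwords so that neither the message nor the response time reveals whether an account exists.

```python
import hashlib
import hmac
import secrets
import time

GENERIC_ERROR = "Invalid username or password"  # identical for every failure cause

def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scrypt hash stored as 'salt_hex$hash_hex'. A fresh 16-byte salt
    per user means equal passwords do not produce equal hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)

DUMMY_HASH = hash_password(secrets.token_hex(8))  # costs the same as a real check

class LoginService:
    """Generic errors plus a per-account rate limit with lockout (assumed limits)."""
    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, users: dict, clock=time.monotonic):
        self.users = users        # username -> stored hash (constructed sample data)
        self.failures = {}        # username -> (failed attempts, locked_until)
        self.clock = clock        # injectable for testing

    def login(self, username: str, password: str):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_ERROR   # locked out; the message does not say so
        if locked_until:
            count = 0                     # lockout expired, start counting again
        # Always run the hash so an unknown username takes as long as a wrong password.
        stored = self.users.get(username, DUMMY_HASH)
        if verify_password(password, stored) and username in self.users:
            self.failures.pop(username, None)
            return True, "ok"
        count += 1
        locked_until = now + self.LOCKOUT_SECONDS if count >= self.MAX_ATTEMPTS else 0.0
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR
```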
Secure all the things
- HTTPS every request
- HSTS, preload

Thanks!
