From 60a325ebde42fe3461f70a5a2255b1171964fb8b Mon Sep 17 00:00:00 2001 From: Gabriel Mocanu Date: Mon, 24 Jun 2024 14:56:30 +0300 Subject: [PATCH] task: Add first session information Add first session information 
Signed-off-by: Gabriel Mocanu --- .../overview/README.md | 1 + .../drills}/cockroach/sol/solution.sh | 0 .../web-basics/drills}/eyes/sol/solution.sh | 0 .../web-basics/drills}/gimme/sol/solution.sh | 0 .../drills}/give-to-get/sol/solution.sh | 0 .../drills}/give-to-post/sol/solution.sh | 0 .../drills}/king-kong/sol/solution.sh | 0 .../drills}/lame-login/sol/solution.sh | 0 .../drills}/my-special-name/sol/solution.sh | 0 .../web-basics/drills}/name/sol/solution.sh | 0 .../drills}/one-by-one/sol/solution.sh | 0 .../produce-consume/public/consume.php | 0 .../drills}/produce-consume/public/index.php | 0 .../produce-consume/public/produce.php | 0 .../drills}/produce-consume/sol/solution.sh | 0 .../web-basics/drills}/readme/sol/solution.sh | 0 .../drills}/surprise/sol/solution.sh | 0 .../web-basics/media}/CORS.jpg | Bin .../Session_01_Web_Basics_Diagram_01.jpg | Bin .../web-basics/media}/browser-analogy.png | Bin .../media}/browser-security-mechanism.png | Bin .../components-browser-security-policy.png | Bin .../web-basics/media}/devtools-1.png | Bin .../web-basics/media}/devtools-2.png | Bin .../web-basics/media}/devtools-3.png | Bin .../web-basics/media}/devtools-4.png | Bin .../web-basics/media}/devtools-5.png | Bin .../web-basics/media}/devtools-6.png | Bin .../web-basics/media}/dom.png | Bin .../web-basics/media}/first-activity.png | Bin .../web-basics/media}/http-request.png | Bin .../web-basics/media}/http-response.png | Bin .../web-basics/media}/url.png | Bin .../web-basics/media}/xml_http_request.png | Bin .../web-basics/reading/README.md | 130 ++++++++--------- .../web-basics/slides/Makefile | 1 + .../web-basics/slides/slides.mdpp | 10 ++ .../web-basics/slides/web-basics.md | 131 ++++++++++++++++++ config.yaml | 62 ++++----- 39 files changed, 235 insertions(+), 100 deletions(-) create mode 100644 chapters/web-application-security/overview/README.md rename {web-basics-browser-security-model/activities => 
chapters/web-application-security/web-basics/drills}/cockroach/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/eyes/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/gimme/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/give-to-get/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/give-to-post/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/king-kong/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/lame-login/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/my-special-name/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/name/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/one-by-one/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/produce-consume/public/consume.php (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/produce-consume/public/index.php (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/produce-consume/public/produce.php (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/produce-consume/sol/solution.sh (100%) rename 
{web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/readme/sol/solution.sh (100%) rename {web-basics-browser-security-model/activities => chapters/web-application-security/web-basics/drills}/surprise/sol/solution.sh (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/CORS.jpg (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/Session_01_Web_Basics_Diagram_01.jpg (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/browser-analogy.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/browser-security-mechanism.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/components-browser-security-policy.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-1.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-2.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-3.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-4.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-5.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/devtools-6.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/dom.png (100%) rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/first-activity.png (100%) rename 
{web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/http-request.png (100%)
rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/http-response.png (100%)
rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/url.png (100%)
rename {web-basics-browser-security-model/assets => chapters/web-application-security/web-basics/media}/xml_http_request.png (100%)
rename web-basics-browser-security-model/index.md => chapters/web-application-security/web-basics/reading/README.md (84%)
create mode 100644 chapters/web-application-security/web-basics/slides/Makefile
create mode 100644 chapters/web-application-security/web-basics/slides/slides.mdpp
create mode 100644 chapters/web-application-security/web-basics/slides/web-basics.md
diff --git a/chapters/web-application-security/overview/README.md b/chapters/web-application-security/overview/README.md
new file mode 100644
index 00000000..ff6f3326
--- /dev/null
+++ b/chapters/web-application-security/overview/README.md
@@ -0,0 +1 @@
+# Web Application Security
diff --git a/web-basics-browser-security-model/activities/cockroach/sol/solution.sh b/chapters/web-application-security/web-basics/drills/cockroach/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/cockroach/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/cockroach/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/eyes/sol/solution.sh b/chapters/web-application-security/web-basics/drills/eyes/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/eyes/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/eyes/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/gimme/sol/solution.sh b/chapters/web-application-security/web-basics/drills/gimme/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/gimme/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/gimme/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/give-to-get/sol/solution.sh b/chapters/web-application-security/web-basics/drills/give-to-get/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/give-to-get/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/give-to-get/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/give-to-post/sol/solution.sh b/chapters/web-application-security/web-basics/drills/give-to-post/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/give-to-post/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/give-to-post/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/king-kong/sol/solution.sh b/chapters/web-application-security/web-basics/drills/king-kong/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/king-kong/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/king-kong/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/lame-login/sol/solution.sh b/chapters/web-application-security/web-basics/drills/lame-login/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/lame-login/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/lame-login/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/my-special-name/sol/solution.sh b/chapters/web-application-security/web-basics/drills/my-special-name/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/my-special-name/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/my-special-name/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/name/sol/solution.sh b/chapters/web-application-security/web-basics/drills/name/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/name/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/name/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/one-by-one/sol/solution.sh b/chapters/web-application-security/web-basics/drills/one-by-one/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/one-by-one/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/one-by-one/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/consume.php b/chapters/web-application-security/web-basics/drills/produce-consume/public/consume.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/consume.php
rename to chapters/web-application-security/web-basics/drills/produce-consume/public/consume.php
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/index.php b/chapters/web-application-security/web-basics/drills/produce-consume/public/index.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/index.php
rename to chapters/web-application-security/web-basics/drills/produce-consume/public/index.php
diff --git a/web-basics-browser-security-model/activities/produce-consume/public/produce.php b/chapters/web-application-security/web-basics/drills/produce-consume/public/produce.php
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/public/produce.php
rename to chapters/web-application-security/web-basics/drills/produce-consume/public/produce.php
diff --git a/web-basics-browser-security-model/activities/produce-consume/sol/solution.sh b/chapters/web-application-security/web-basics/drills/produce-consume/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/produce-consume/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/produce-consume/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/readme/sol/solution.sh b/chapters/web-application-security/web-basics/drills/readme/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/readme/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/readme/sol/solution.sh
diff --git a/web-basics-browser-security-model/activities/surprise/sol/solution.sh b/chapters/web-application-security/web-basics/drills/surprise/sol/solution.sh
similarity index 100%
rename from web-basics-browser-security-model/activities/surprise/sol/solution.sh
rename to chapters/web-application-security/web-basics/drills/surprise/sol/solution.sh
diff --git a/web-basics-browser-security-model/assets/CORS.jpg b/chapters/web-application-security/web-basics/media/CORS.jpg
similarity index 100%
rename from web-basics-browser-security-model/assets/CORS.jpg
rename to chapters/web-application-security/web-basics/media/CORS.jpg
diff --git a/web-basics-browser-security-model/assets/Session_01_Web_Basics_Diagram_01.jpg b/chapters/web-application-security/web-basics/media/Session_01_Web_Basics_Diagram_01.jpg
similarity index 100%
rename from web-basics-browser-security-model/assets/Session_01_Web_Basics_Diagram_01.jpg
rename to chapters/web-application-security/web-basics/media/Session_01_Web_Basics_Diagram_01.jpg
diff --git a/web-basics-browser-security-model/assets/browser-analogy.png b/chapters/web-application-security/web-basics/media/browser-analogy.png
similarity index 100%
rename from web-basics-browser-security-model/assets/browser-analogy.png
rename to chapters/web-application-security/web-basics/media/browser-analogy.png
diff --git a/web-basics-browser-security-model/assets/browser-security-mechanism.png b/chapters/web-application-security/web-basics/media/browser-security-mechanism.png
similarity index 100%
rename from web-basics-browser-security-model/assets/browser-security-mechanism.png
rename to chapters/web-application-security/web-basics/media/browser-security-mechanism.png
diff --git a/web-basics-browser-security-model/assets/components-browser-security-policy.png b/chapters/web-application-security/web-basics/media/components-browser-security-policy.png
similarity index 100%
rename from web-basics-browser-security-model/assets/components-browser-security-policy.png
rename to chapters/web-application-security/web-basics/media/components-browser-security-policy.png
diff --git a/web-basics-browser-security-model/assets/devtools-1.png b/chapters/web-application-security/web-basics/media/devtools-1.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-1.png
rename to chapters/web-application-security/web-basics/media/devtools-1.png
diff --git a/web-basics-browser-security-model/assets/devtools-2.png b/chapters/web-application-security/web-basics/media/devtools-2.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-2.png
rename to chapters/web-application-security/web-basics/media/devtools-2.png
diff --git a/web-basics-browser-security-model/assets/devtools-3.png b/chapters/web-application-security/web-basics/media/devtools-3.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-3.png
rename to chapters/web-application-security/web-basics/media/devtools-3.png
diff --git a/web-basics-browser-security-model/assets/devtools-4.png b/chapters/web-application-security/web-basics/media/devtools-4.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-4.png
rename to chapters/web-application-security/web-basics/media/devtools-4.png
diff --git a/web-basics-browser-security-model/assets/devtools-5.png b/chapters/web-application-security/web-basics/media/devtools-5.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-5.png
rename to chapters/web-application-security/web-basics/media/devtools-5.png
diff --git a/web-basics-browser-security-model/assets/devtools-6.png b/chapters/web-application-security/web-basics/media/devtools-6.png
similarity index 100%
rename from web-basics-browser-security-model/assets/devtools-6.png
rename to chapters/web-application-security/web-basics/media/devtools-6.png
diff --git a/web-basics-browser-security-model/assets/dom.png b/chapters/web-application-security/web-basics/media/dom.png
similarity index 100%
rename from web-basics-browser-security-model/assets/dom.png
rename to chapters/web-application-security/web-basics/media/dom.png
diff --git a/web-basics-browser-security-model/assets/first-activity.png b/chapters/web-application-security/web-basics/media/first-activity.png
similarity index 100%
rename from web-basics-browser-security-model/assets/first-activity.png
rename to chapters/web-application-security/web-basics/media/first-activity.png
diff --git a/web-basics-browser-security-model/assets/http-request.png b/chapters/web-application-security/web-basics/media/http-request.png
similarity index 100%
rename from web-basics-browser-security-model/assets/http-request.png
rename to chapters/web-application-security/web-basics/media/http-request.png
diff --git a/web-basics-browser-security-model/assets/http-response.png b/chapters/web-application-security/web-basics/media/http-response.png
similarity index 100%
rename from web-basics-browser-security-model/assets/http-response.png
rename to chapters/web-application-security/web-basics/media/http-response.png
diff --git a/web-basics-browser-security-model/assets/url.png b/chapters/web-application-security/web-basics/media/url.png
similarity index 100%
rename from web-basics-browser-security-model/assets/url.png
rename to chapters/web-application-security/web-basics/media/url.png
diff --git a/web-basics-browser-security-model/assets/xml_http_request.png b/chapters/web-application-security/web-basics/media/xml_http_request.png
similarity index 100%
rename from web-basics-browser-security-model/assets/xml_http_request.png
rename to chapters/web-application-security/web-basics/media/xml_http_request.png
diff --git a/web-basics-browser-security-model/index.md b/chapters/web-application-security/web-basics/reading/README.md
similarity index 84%
rename from web-basics-browser-security-model/index.md
rename to chapters/web-application-security/web-basics/reading/README.md
index 3f5fb5b0..cabbb660 100644
--- a/web-basics-browser-security-model/index.md
+++ b/chapters/web-application-security/web-basics/reading/README.md
@@ -1,9 +1,3 @@ ---- -linkTitle: 01. Web Basics & Browser Security Model -type: docs -weight: 10 ---- - # Introduction --- 
@@ -14,29 +8,29 @@ This lab and the following will focus on the first sub-field, although they migh The design of web applications, and their security in particular is influenced by the following characteristics: - **Statelessness:** by default HTTP is a simple request-response protocol maintaining no state between successive communications. -This shortcoming led to the design of cookies, which are small pieces of information exchanged between the client and the web application. -The type of information exchanged using cookies needs to be carefully chosen, as a malicious client could possibly attempt to send back a malformed or forged cookie; additionally, cookies most often (but not always) represent confidential data, which means that they should only be transferred over a secure channel (i.e. HTTPS). + This shortcoming led to the design of cookies, which are small pieces of information exchanged between the client and the web application. + The type of information exchanged using cookies needs to be carefully chosen, as a malicious client could possibly attempt to send back a malformed or forged cookie; additionally, cookies most often (but not always) represent confidential data, which means that they should only be transferred over a secure channel (i.e. HTTPS). - **Message format:** HTTP requests have a specific format, namely they comprise plain-text header and data (although newer improvements also implement a binary protocol). -The header contains various information about the client or the server (e.g. a user-agent, page caching information, text encoding information), while the payload is very often (but not always) an HTML page. + The header contains various information about the client or the server (e.g. a user-agent, page caching information, text encoding information), while the payload is very often (but not always) an HTML page. - **Addressing:** resources on the web are located using the URI/URL addressing scheme. 
-Possible vulnerabilities here include a misconfigured web server that allows viewing application-specific files, or worse, that allows accessing other files on the host machine. -While this information leakage is not very dangerous by itself, it may be used as an intermediary stage for other attacks. -You can read more about URLs here [[1]](https://skorks.com/2010/05/what-every-developer-should-know-about-urls/). + Possible vulnerabilities here include a misconfigured web server that allows viewing application-specific files, or worse, that allows accessing other files on the host machine. + While this information leakage is not very dangerous by itself, it may be used as an intermediary stage for other attacks. + You can read more about URLs here [[1]](https://skorks.com/2010/05/what-every-developer-should-know-about-urls/). - **Request methods:** HTTP communication is done by using methods, also called HTTP verbs. -The most used methods are GET, POST, PUT and DELETE. -The GET method is read-only and is used to retrieve data from the server. -A DELETE request is used to remove the specified resource from the server. -The PUT method is used to modify an entire resource. -POST requests are used to create new resources. -You can find more information about all methods here [[2]](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods). + The most used methods are GET, POST, PUT and DELETE. + The GET method is read-only and is used to retrieve data from the server. + A DELETE request is used to remove the specified resource from the server. + The PUT method is used to modify an entire resource. + POST requests are used to create new resources. + You can find more information about all methods here [[2]](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods). While the client is provided with HTML, JavaScript, CSS pages, modern web applications are implemented using general-purpose scripting or programming languages, e.g. PHP, Java, Python, Ruby, etc. 
and centralize their data using database systems such as MySQL. Faulty back-end code can in itself provide a more dangerous attack surface to potentially malicious clients. -![Client - Server](./assets/Session_01_Web_Basics_Diagram_01.jpg) +![Client - Server](../media/Session_01_Web_Basics_Diagram_01.jpg) # Web Applications Today @@ -63,7 +57,7 @@ Types of vulnerabilities: - System vulnerabilities - applications or services that run inside an Operating System or an Operating System vulnerability - Runtime vulnerabilities - when one of the components (frameworks such as PHP, Java, Python, WordPress, etc.) of the web application is vulnerable leads to a risk. - Browser vulnerabilities - occasionally attackers will discover a vulnerability in the browser itself that allows execution of arbitrary binary code when a user simply visits a compromised site. -Browsers are complex pieces of machinery with many subsystems (HTML rendering, JavaScript engine, CSS parser, image parsers, etc.), and a small coding mistake in any of these systems could offer malicious code just enough of a foothold to get running. + Browsers are complex pieces of machinery with many subsystems (HTML rendering, JavaScript engine, CSS parser, image parsers, etc.), and a small coding mistake in any of these systems could offer malicious code just enough of a foothold to get running. - Vulnerabilities in web application implementation - here we can talk about OWASP Top Ten vulnerabilities [[3]](https://owasp.org/www-project-top-ten/). # HTTP (Hypertext Transfer Protocol) @@ -78,9 +72,9 @@ Communication between clients and servers is done by requests and responses: - The server returns an HTTP response (output) to the browser - The client (the browser) receives the response -![HTTP - Request](./assets/http-request.png) +![HTTP - Request](../media/http-request.png) -![HTTP - Response](./assets/http-response.png) +![HTTP - Response](../media/http-response.png) ### Basic format of the request: 
@@ -127,7 +121,7 @@ The XHR Object is a Web Developers Dream, because you can: The XHR Object is the underlying concept of AJAX and JSON: -![XMLHttpRequest](./assets/xml_http_request.png) +![XMLHttpRequest](../media/xml_http_request.png) ### HTTP Response Codes @@ -154,7 +148,7 @@ As the resource represented by the URL and the URL itself are handled by the Web A URL incorporates the domain name, along with other detailed information, to create a complete address (or “web address”) to direct a browser to a specific page online called a web page. In essence, it’s a set of directions and every web page has a unique one. -![URL](./assets/url.png) +![URL](../media/url.png) Special characters are encoded as hex: @@ -181,7 +175,7 @@ Each browser windows or frame: - Rendering: OnLoad, OnBeforeUnload - Timing: setTimeout(), clearTimeout() -![browser-analogy](./assets/browser-analogy.png) +![browser-analogy](../media/browser-analogy.png) Examples of browser vulnerabilities: 
@@ -208,35 +202,35 @@ Next, some of the core functionalities of these tools will be detailed (some nam This kind of inspection could lead to the discovery of hidden elements which can be toggled into view by altering the CSS code or could lead to the discovery of commented pieces of code which could contain sensitive data. Also, the [DOM](#dom-document-object-model) (Document Object Model) structure of the page can be altered, and elements can be added or removed, such as scripts, input fields, etc. (any element in fact), which means that any JavaScript code used to sanitize user input or perform other functions can be bypassed. -![Elements - Developer Tools](./assets/devtools-1.png) +![Elements - Developer Tools](../media/devtools-1.png) - **Console**: The console prints errors which occurred during page rendering or during any action performed on the page, such as, but not limited to, error loading an image not found, error while performing an asynchronous request to fetch data, missing included file (such as CSS or Javascript files), errors in Javascript code from the included scripts, debug messages left by the developer, etc. The console also has the ability to run any Javascript code by typing it directly there and interacting with the page. -![Console - Developer Tools](./assets/devtools-2.png) +![Console - Developer Tools](../media/devtools-2.png) - **Sources**: This tab lets you see any file loaded in the front-end, such as images, JS, CSS etc. in an arborescent way. This could be a good tool to inspect the JS scripts included in the current page. They could reveal possibly valuable information, such as hidden paths or resources, or even critical pieces of functionality, which, if understood, could lead to successful exploits. 
-![Sources - Developer Tools](./assets/devtools-3.png) +![Sources - Developer Tools](../media/devtools-3.png) - **Network**: The network tab shows detailed information about every file loaded and every request and response made by the page. You can find in-depth info about the [HTTP requests](#http-hypertext-transfer-protocol), such as HTTP parameters, HTTP methods (GET, POST), HTTP status codes (200, 404, 500, etc.), loading time and size of each loaded element (image, script, etc). Furthermore, clicking on one of the requests there, you can see the headers, the preview, the response (as raw content) and others. This is useful for listing all the resources needed by a page, such as if there are any requests to APIs, additional scripts loaded, etc. -![Network - Developer Tools](./assets/devtools-4.png) +![Network - Developer Tools](../media/devtools-4.png) - **Application**: This tab lets you see some specific data about the page, such as cookies (which will be covered in depth in the next section), local storage, session storage, cache, etc. This can be useful to see which data is stored on the client-side and it may contain useful values. -![Application - Developer Tools](./assets/devtools-5.png) +![Application - Developer Tools](../media/devtools-5.png) - **Security**: Detailed information about the protocol used (HTTP or HTTPS) and the website certificates. Insecure websites can be vulnerable because HTTP sends data in plain text across the connection, which may be intercepted (e.g. Man in the Middle). -![Security - Developer Tools](./assets/devtools-6.png) +![Security - Developer Tools](../media/devtools-6.png) # DOM (Document Object Model) 
@@ -262,7 +256,7 @@ Use the DOM when we interact with web pages. Every element within your document is an object: \ tag, \ tag, etc. In javascript we can call methods on objects, we can call properties on objects in order to change the objects. -![DOM](./assets/dom.png) +![DOM](../media/dom.png) We can introduce nodes, all objects are nodes. We can change the nodes, we can interact with them, create Animations, validations, etc. @@ -297,11 +291,11 @@ This is a major source of problems for users of Gecko-based browsers, which resp Here you can find an example for this type of vulnerability. [[4]](https://github.com/denimgroup/denimgroup-vulnerability-examples) **MIME Sniffing** - The browser will often not just look at the Content-Type header that the server is passing, but also the contents of the page. - If it looks enough like HTML, it’ll be parsed as HTML. => This led to IE 6/7-era bugs where image and text files containing HTML tags would execute as HTML (not so common anymore). +If it looks enough like HTML, it’ll be parsed as HTML. => This led to IE 6/7-era bugs where image and text files containing HTML tags would execute as HTML (not so common anymore). **Encoding Sniffing** - the encoding used on a document will be sniffed by browsers. - If you don’t specify an encoding for an HTML document, the browser will apply heuristics to determine it. - If you are able to control the way the browser decodes text, you may be able to alter the parsing. +If you don’t specify an encoding for an HTML document, the browser will apply heuristics to determine it. +If you are able to control the way the browser decodes text, you may be able to alter the parsing. # Security Mechanism @@ -322,7 +316,7 @@ if you can see this, your browser doesn't understand IFRAME. ``` -![BrowserSecurityMechanism](./assets/browser-security-mechanism.png) +![BrowserSecurityMechanism](../media/browser-security-mechanism.png) Why use frames? 
@@ -338,7 +332,7 @@ In order to play a little bit with iframes follow the next instructions: 4. Access the browser as http://localhost 5. Solve the problem in order to see the iframe -![ComponentsBrowserSecurityPolicy](./assets/components-browser-security-policy.png) +![ComponentsBrowserSecurityPolicy](../media/components-browser-security-policy.png) ### HTML Sandboxing 
@@ -370,71 +364,69 @@ The value of the sandbox attribute can either be just sandbox (then all restrict # Same-origin Policy The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. -It helps isolate potentially malicious documents, reducing possible attack vectors. +It helps isolate potentially malicious documents, reducing possible attack vectors. In order to understand how the policy works, you also need to understand what is an origin. Two URLs have the same origin if the protocol, port (if specified), and host are the same for both. To better understand this, follow the table below: -| URL | Outcome | Reason | -| ------------------------------------------------ | ----------- | ---------------------------------------------- | -| http://store.company.com/dir2/other.html | Same origin | Only the path differs | -| http://store.company.com/dir/inner/another.html | Same origin | Only the path differs | -| https://store.company.com/page.html | Failure | Different protocol | -| http://store.company.com:81/dir/page.html | Failure | Different port (http:// is port 80 by default) | -| http://news.company.com/dir/page.html | Failure | Different host | - +| URL | Outcome | Reason | +| ----------------------------------------------- | ----------- | ---------------------------------------------- | +| http://store.company.com/dir2/other.html | Same origin | Only the path differs | +| http://store.company.com/dir/inner/another.html | Same origin | Only the path differs | +| https://store.company.com/page.html | Failure | Different protocol | +| http://store.company.com:81/dir/page.html | Failure | Different port (http:// is port 80 by default) | +| http://news.company.com/dir/page.html | Failure | Different host | + ## Why is this important? Assume you are logged into Facebook and visit a malicious website in another browser tab. 
Without the same origin policy JavaScript on that website could do anything to your Facebook account that you are allowed to do. -For example read private messages, post status updates, analyse the HTML DOM-tree after you entered your password before submitting the form. - +For example read private messages, post status updates, analyse the HTML DOM-tree after you entered your password before submitting the form. + But of course Facebook wants to use JavaScript to enhance the user experience. So it is important that the browser can detect that this JavaScript is trusted to access Facebook resources. -That's where the same origin policy comes into play: If the JavaScript is included from a HTML page on facebook.com, it may access facebook.com resources. - -Now replace Facebook with your online banking website, and it will be obvious that this is an issue. +That's where the same origin policy comes into play: If the JavaScript is included from a HTML page on facebook.com, it may access facebook.com resources. + +Now replace Facebook with your online banking website, and it will be obvious that this is an issue. ## Is this always the case, to access only resources on the same origin? The most prevalent myth about Same-origin Policy is that it plainly forbids a browser to load a resource from a different origin. Though we know that the thing that makes today's web technologies so rich and colorful is the content loaded from different origins. -The presence of a huge content delivery network (CDN) ecosystem proves this is not true. - +The presence of a huge content delivery network (CDN) ecosystem proves this is not true. + Another prevalent myth is that an origin cannot send information to another one. That is also not true. Again we know that an origin can make a request to another one. The information of the forms in one origin can be reached from another origin. 
-If we think of cloud payment systems integrated into a business workflow, these often operate by sending requests to another origin. +If we think of cloud payment systems integrated into a business workflow, these often operate by sending requests to another origin. Even one of the most common web vulnerabilities, Cross-Site Request Forgery (CSRF), arises from that point. CSRF is possible because of the ability of sites to make requests to each other. -This topic will be covered in a separate session more in-depth. +This topic will be covered in a separate session more in-depth. # CORS Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin, access to selected resources from a different origin. -A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. - -An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest (AJAX) to make a request for https://domain-b.com/data.json. - +A web application executes a cross-origin HTTP request when it requests a resource that has a different origin (domain, protocol, or port) from its own. + +An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses XMLHttpRequest (AJAX) to make a request for https://domain-b.com/data.json. + For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest follows the same-origin policy. -This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers. 
- +This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers. + The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as XMLHttpRequest to mitigate the risks of cross-origin HTTP requests. -The CORS header is added by the server to the response. - +The CORS header is added by the server to the response. + **CORS Header Syntax:** `Access-Control-Allow-Origin: *` `Access-Control-Allow-Origin: ` `Access-Control-Allow-Origin: null` -`Access-Control-Allow-Origin: https://developer.mozilla.org` - - -![CORS](./assets/CORS.jpg) +`Access-Control-Allow-Origin: https://developer.mozilla.org` +![CORS](../media/CORS.jpg) # Talking to web sites @@ -506,12 +498,12 @@ It also supports MQTT or GraphQL requests. [[8]](https://hoppscotch.io/) # Activities -**1.** The below image represents a snippet with DevTools containing information about a web application. +**1.** The below image represents a snippet with DevTools containing information about a web application. What can you discover in the next image ? Is there any useful information from a security point of view ? Write the answer to the instructor. -![FirstActivity](./assets/first-activity.png) +![FirstActivity](../media/first-activity.png) **2.** [Cockroach](https://sss-ctf.security.cs.pub.ro/challenges?category=web-sessions) **3.** [Gimme](https://sss-ctf.security.cs.pub.ro/challenges?category=web-sessions) diff --git a/chapters/web-application-security/web-basics/slides/Makefile b/chapters/web-application-security/web-basics/slides/Makefile new file mode 100644 index 00000000..7b467e5a --- /dev/null +++ b/chapters/web-application-security/web-basics/slides/Makefile @@ -0,0 +1 @@ +include ../../../../common/makefile/slides.mk 
diff --git a/chapters/web-application-security/web-basics/slides/slides.mdpp b/chapters/web-application-security/web-basics/slides/slides.mdpp
new file mode 100644
index 00000000..23420794
--- /dev/null
+++ b/chapters/web-application-security/web-basics/slides/slides.mdpp
@@ -0,0 +1,10 @@
+---
+title: "Web Basics"
+revealOptions:
+ background-color: 'aquamarine'
+ transition: 'none'
+ slideNumber: true
+ autoAnimateDuration: 0.0
+---
+
+!INCLUDE "web-basics.md"
diff --git a/chapters/web-application-security/web-basics/slides/web-basics.md b/chapters/web-application-security/web-basics/slides/web-basics.md
new file mode 100644
index 00000000..7f029bae
--- /dev/null
+++ b/chapters/web-application-security/web-basics/slides/web-basics.md
@@ -0,0 +1,131 @@
+# Web Basics
+
+Security Summer School
+
+---
+
+## Motivation
+
+- Wide variety of Web applications
+- Complexity of the Web applications
+- Ubiquitous
+
+---
+
+## Web
+
+- Web vs Internet
+- Popularity
+- Attack surface
+
+---
+
+## Stateless
+
+HTTP
+
+Simple
+
+Without session
+
+---
+
+## Stateful
+
+FTP
+
+Session
+
+---
+
+## Security against Whom ?
+
+- Neighbors that sniff your Wi-Fi
+- Script kiddies that try to bruteforce your website login
+- Nation state actors that have exploits to undisclosed vulnerabilities in software you use
+
+---
+
+## Why ?
+
+- Financial gain
+- Internet crime
+- Cyber warfare
+- Data breaches
+
+---
+
+## Status of Web Application Security
+
+- Web application security is not mature field
+- The entry level to web development is low
+- New exploits and exploitation methods are frequently published
+- Security does not directly add revenue. In many cases, it is viewed as an extra cost
+- Complexity, various sources, public APIs
+
+---
+
+## Good to know
+
+- CVE
+- 0-day Vulnerability
+- CWE
+
+---
+
+## Static Web Sites
+
+fast
+
+simple
+
+---
+
+## Dynamic Web Sites
+
+customizable
+
+complex
+
+---
+
+## Roots of Web Application insecurity
+
+- Non-validated user input
+- Programmers mistakes
+
+---
+
+## Web Application Framework
+
+- Collection of pieces of software
+- Ease of development
+- Common solutions for wide variety of tasks
+
+---
+
+## Links
+
+[OWASP Top 10](https://owasp.org/www-project-top-ten/)
+
+- Broken Access Control
+- Cryptographic Failures
+- Injection
+- Insecure Design
+- Security Misconfiguration
+
+---
+
+## Types of vulnerabilities on web
+
+- Browser vulnerabilities
+- Server vulnerabilities
+- Web application vulnerabilities
+
+---
+
+## Browser
+
+- Software that displays pages and files on the web
+- Interpret and display HTML Web pages, applications, JavaScript, CSS
+- Plugins which extend the capabilities
diff --git a/config.yaml b/config.yaml index 75dbe9ea..89665ed5 100644 --- a/config.yaml +++ b/config.yaml @@ -13,18 +13,18 @@ make_assets: command: make locations: - chapters/web-application-security/web-basics/slides - - chapters/web-application-security/cookies-and-session-management/slides - - chapters/web-application-security/sql-injection/slides - - chapters/web-application-security/cross-site-scripting/slides - - chapters/web-application-security/exotic-attacks/slides - - chapters/web-application-security/overview/slides - - chapters/system-and-data-security/framework-api-vulnerabilities/slides - - chapters/system-and-data-security/privilege-escalation/slides - - chapters/system-and-data-security/end-to-end-attack/slides - - chapters/system-and-data-security/overview/slides - - chapters/network-and-communication-security/enumeration-and-recon/slides - - chapters/network-and-communication-security/securring-cummunication/slides - - chapters/network-and-communication-security/overview/slides + # - chapters/web-application-security/cookies-and-session-management/slides + # - chapters/web-application-security/sql-injection/slides + # - chapters/web-application-security/cross-site-scripting/slides + # - chapters/web-application-security/exotic-attacks/slides + # - chapters/web-application-security/overview/slides + # - chapters/system-and-data-security/framework-api-vulnerabilities/slides + # - chapters/system-and-data-security/privilege-escalation/slides + # - chapters/system-and-data-security/end-to-end-attack/slides + # - chapters/system-and-data-security/overview/slides + # - chapters/network-and-communication-security/enumeration-and-recon/slides + # - chapters/network-and-communication-security/securring-cummunication/slides + # - chapters/network-and-communication-security/overview/slides args: - all 
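Review bot: The twelve chapter entries under `locations:` are commented out rather than removed, with nothing saying why or when they come back; the same pattern repeats in the `build:` hunk (L28) and the `static_assets:` hunk (L29-L30). A one-line comment above the first commented entry would spare the next editor a history dig, e.g. `# Remaining chapters are disabled until their slides/ directories are migrated; re-enable each one as it lands.` (presumably the reason, since this commit adds only web-basics/slides). While these lines are being touched, the spelling mismatch that survives into the comments is worth reconciling: `securring-cummunication` in the `locations:` and `static_assets:` paths versus `securring-communication` as the `build:` key, which would break the pipeline as soon as those entries are re-enabled.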
@@ -35,16 +35,16 @@ embed_reveal: extension: mdx build: web-basics: web-basics - cookies-and-session-management: cookies-and-session-management - securring-communication: securring-communication - sql-injection: sql-injection - cross-site-scripting: cross-site-scripting - enumeration-and-recon: enumeration-and-recon - framework-api-vulnerabilities: framework-api-vulnerabilities - exotic-attacks: exotic-attacks - privilege-escalation: privilege-escalation - end-to-end-attack: end-to-end-attack - + # cookies-and-session-management: cookies-and-session-management + # securring-communication: securring-communication + # sql-injection: sql-injection + # cross-site-scripting: cross-site-scripting + # enumeration-and-recon: enumeration-and-recon + # framework-api-vulnerabilities: framework-api-vulnerabilities + # exotic-attacks: exotic-attacks + # privilege-escalation: privilege-escalation + # end-to-end-attack: end-to-end-attack + # docusaurus: plugin: docusaurus options: 
@@ -63,17 +63,17 @@ docusaurus: static_assets: - web-basics: /build/make_assets/chapters/web-application-security/web-basics/slides/_site - - cookies-and-session-management: /build/make_assets/chapters/web-application-security/cookies-and-session-management/slides/_site - - sql-injection: /build/make_assets/chapters/web-application-security/sql-injection/slides/_site - - cross-site-scripting: /build/make_assets/chapters/web-application-security/cross-site-scripting/slides/_site - - exotic-attacks: /build/make_assets/chapters/web-application-security/exotic-attacks/slides/_site + # - cookies-and-session-management: /build/make_assets/chapters/web-application-security/cookies-and-session-management/slides/_site + # - sql-injection: /build/make_assets/chapters/web-application-security/sql-injection/slides/_site + # - cross-site-scripting: /build/make_assets/chapters/web-application-security/cross-site-scripting/slides/_site + # - exotic-attacks: /build/make_assets/chapters/web-application-security/exotic-attacks/slides/_site - - framework-api-vulnerabilities: /build/make_assets/chapters/system-and-data-security/framework-api-vulnerabilities/slides/_site - - privilege-escalation: /build/make_assets/chapters/system-and-data-security/privilege-escalation/slides/_site - - end-to-end-attack: /build/make_assets/chapters/system-and-data-security/end-to-end-attack/slides/_site + # - framework-api-vulnerabilities: /build/make_assets/chapters/system-and-data-security/framework-api-vulnerabilities/slides/_site + # - privilege-escalation: /build/make_assets/chapters/system-and-data-security/privilege-escalation/slides/_site + # - end-to-end-attack: /build/make_assets/chapters/system-and-data-security/end-to-end-attack/slides/_site - - enumeration-and-recon: /build/make_assets/chapters/network-and-communication-security/enumeration-and-recon/slides/_site - - securring-cummunication: /build/make_assets/chapters/network-and-communication-security/securring-cummunication/slides/_site 
+ # - enumeration-and-recon: /build/make_assets/chapters/network-and-communication-security/enumeration-and-recon/slides/_site + # - securring-cummunication: /build/make_assets/chapters/network-and-communication-security/securring-cummunication/slides/_site config_meta: title: Web Security url: http://localhost/