INFO 30005
Web Information Technologies
Web Security
includes material by Ronal Singh
This Lecture
MDN defines website security as "the act/practice of protecting websites from unauthorized access, use, modification, destruction, or disruption".
• Common Risks and Attacks
• Security Practices + Demo
• Security Principles + Risk Assessment
• Resources
Common Risks and Attacks
• Eavesdropping on HTTP traffic
• URL manipulation
• Injection (SQL and NoSQL)
• Cross-site scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Cookie theft (session hijacking)
(icon from https://thenounproject.com)
Eavesdropping
URL manipulation
Cross-Site Scripting (XSS)
Cross-Site Request Forgery
Cookie Theft (session hijacking)
Security Practices
• Use HTTPS (TLS, SSL)
• Secure routes
• Keep code private
• Non-specific error messages
• Validate user inputs
• Sanitize inputs
Secure routes
Keep code private
Non-specific error messages
Validate user inputs
Sanitize inputs
example attacks
• ‘register’ – XSS
• ‘login’ – injection
server-side validation
• validate inputs
• sanitize data
• Mongoose sanitizeFilter
client-side validation
• pattern, title
• :invalid
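The 'login' injection demo and the "sanitize data / Mongoose sanitizeFilter" point above, as an added example that is not part of the lecture's demo code: a login filter built straight from the request body beside the same filter passed through a sanitizer. The in-memory user store, the tiny matcher and the `sanitizeFilter` function are assumptions written here so the file runs without MongoDB or Mongoose; the sanitizer mimics the documented behaviour of `mongoose.sanitizeFilter()` (objects containing a `$` key are wrapped in `$eq`).

```javascript
// Constructed user store standing in for the users collection
// (plaintext password only to keep the example short).
const users = [{ username: "alice", password: "correct horse battery" }];

// Simplified reimplementation (assumption) of mongoose.sanitizeFilter():
// any nested object that contains a key starting with "$" is wrapped in
// { $eq: ... }, so it is compared as a literal value rather than
// interpreted as a query operator.
function sanitizeFilter(filter) {
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    const isObj = value !== null && typeof value === "object" && !Array.isArray(value);
    const hasOperator = isObj && Object.keys(value).some((k) => k.startsWith("$"));
    out[key] = hasOperator ? { $eq: value } : value;
  }
  return out;
}

// Minimal matcher covering only the operators this example needs.
// Primitive values match by equality; an operator object is evaluated.
function fieldMatches(actual, expected) {
  if (expected === null || typeof expected !== "object") return actual === expected;
  if ("$eq" in expected) return JSON.stringify(actual) === JSON.stringify(expected.$eq);
  if ("$ne" in expected) return actual !== expected.$ne;
  if ("$gt" in expected) return actual > expected.$gt;
  return false;
}

function findOne(filter) {
  return users.find((u) => Object.entries(filter).every(([k, v]) => fieldMatches(u[k], v))) || null;
}

// Vulnerable: the parsed JSON body goes into the filter unchanged, so an
// object in the password field is evaluated as an operator, not as a string.
function loginUnsafe(body) {
  return findOne({ username: body.username, password: body.password }) !== null;
}

// Hardened: the same filter passes through sanitizeFilter() first, so the
// operator object is compared literally and no stored string equals it.
function loginSafe(body) {
  return findOne(sanitizeFilter({ username: body.username, password: body.password })) !== null;
}

// Constructed request bodies: a genuine login and an injected one.
const genuine = { username: "alice", password: "correct horse battery" };
const injected = { username: "alice", password: { $ne: "" } };
```

Validating the type of each field (for example rejecting anything that is not a string, as an express-validator chain would) stops the injected body even earlier; in a real Mongoose app the sanitizer is switched on with `mongoose.set('sanitizeFilter', true)` rather than reimplemented.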
Security Principles
Risk Assessment
• https://express-validator.github.io/docs/
• https://github.com/validatorjs/validator.js#validators
• https://developer.mozilla.org/en-US/docs/Learn/Server-side/First_steps/Website_security
• https://owasp.org/www-project-top-ten/
• https://handbook.unimelb.edu.au/2022/subjects/comp90074
• https://handbook.unimelb.edu.au/2022/subjects/comp90043