Oreilly - Web Security: Common Vulnerabilities And Their Mitigation

Oreilly - Web Security: Common Vulnerabilities And Their Mitigation

by Loonycorn | Released October 2017 | ISBN: 9781788835077

https://www.oreilly.com/library/view/web-security-common/9781788835077/

A guide to dealing with XSS, session hijacking, XSRF, credential management, SQLi and a whole lot moreAbout This VideoSecurity attacks such as Cross Site Scripting, Session Hijacking, Credential Management, Cross Site Request Forgery, SQL Injection, Direct Object Reference, Social EngineeringRisk mitigation using the Content Security Policy Header, user input validation and sanitization, secure token validation, sandboxed iframes, secure sessions and expiry, password recoveryWeb security basics: Two factor authentication, Open Web Application Security Project,In DetailCoat your website with armor, protect yourself against the most common threats and vulnerabilities. Understand, with examples, how common security attacks work and how to mitigate them. Learn secure practices to keep your website users safe. Let's parse that. How do common security attacks work?: This course walks you through an entire range of web application security attacks, XSS, XSRF, Session Hijacking, Direct Object Reference and a whole lot more. How do we mitigate them?: Mitigating security risks is a web developer's core job. Learn by example how you can prevent script injection, use secure tokens to mitigate XSRF, manage sessions and cookies, sanitize and validate input, manage credentials safely using hashing and encryption etc. What secure practices to follow?: See what modern browsers have to offer for protection and risk mitigation, how you can limit the surface area you expose in your site. Show and hide more

Chapter 1 : You, This Course and Us
- You, This Course and Us 00:01:49
Chapter 2 : What Is Security?
- Security and its building blocks 00:13:41
- Security related definitions and categories 00:10:13
Chapter 3 : Cross Site Scripting
- What is XSS? 00:12:59
- Learn by example - how does a XSS attack work? 00:13:06
- Types of XSS 00:12:59
- XSS mitigation and prevention 00:11:16
Chapter 4 : User Input Sanitization And Validation
- Sanitizing input 00:12:09
- Sanitizing input - still not done 00:08:10
- Validating input 00:14:07
- Validating input - some more stuff to say 00:09:17
- Client Side Encoding, Blacklisting and Whitelisting inputs 00:07:03
Chapter 5 : The Content Security Policy Header
- Rules for the browser 00:11:23
- Default directives and wildcards 00:08:40
- Stay away from inline code and the eval() function 00:08:13
- The nonce attribute and the script hash 00:11:27
Chapter 6 : Credentials Management
- Broken authentication and session management 00:03:05
- All about passwords - Strength, Use and Transit 00:05:24
- All about passwords – Storage 00:13:17
- Learn by example - login authentication 00:10:29
- A little bit about hashing 00:10:34
- All about passwords – Recovery 00:14:26
Chapter 7 : Session Management
- What is a session? 00:06:22
- Anatomy of a session attack 00:06:35
- Session hijacking - count the ways 00:04:53
- Learn by example - sessions without cookies 00:14:40
- Session ids using hidden form fields and cookies 00:04:08
- Session hijacking using session fixation 00:08:09
- Session hijacking counter measures 00:03:59
- Session hijacking - sidejacking, XSS and malware 00:03:11
Chapter 8 : SQL Injection
- Who Is Bobby Tables? 00:05:17
- Learn by example - how does SQLi work? 00:09:27
- Anatomy of a SQLi attack - unsanitized input and server errors 00:08:42
- Anatomy of a SQLi attack - table names and column names 00:06:19
- Anatomy of a SQLi attack - getting valid credentials for the site 00:05:23
- Types of SQL injection 00:08:09
- SQLi mitigation - parameterized queries and stored procedures 00:07:47
- SQLi mitigation - Escaping user input, least privilege, whitelist validation 00:06:33
Chapter 9 : Cross Site Request Forgery
- What is XSRF? 00:10:01
- Learn by example - XSRF with GET and POST parameters 00:07:25
- XSRF mitigation - The referer, origin header and the challenge response 00:05:47
- XSRF mitigation - The synchronizer token 00:09:14
Chapter 10 : Lot's Of Interesting Bits Of Information
- The Open Web Application Security Project 00:08:11
- 2 factor authentications and OTPs 00:11:05
- Social Engineering 00:09:01
Chapter 11 : Direct Object Reference
- The direct object reference attack - do not leak implementation details 00:09:20
- Direct object reference mitigations 00:04:56
Chapter 12 : Iframes
- IFrames come with their own security concerns 00:06:46
- Sandboxing iframes 00:09:02
Chapter 13 : One last word
- Wrapping up the OWASP top 10 list 00:07:42
Chapter 14 : One last word
- Installing PHP (Windows) 00:09:45
- Enabling MySQL and using phpmyadmin (Windows) 00:03:05
- Installing PHP (Mac) 00:11:55
- Installing MySQL (Mac) 00:07:04
- Using MySQL Workbench (Mac) 00:17:32
- Getting PHP and MySQL to talk to each other (Mac) 00:01:06