This chapter introduced some fundamental concepts about security and related them to web development. You learned about authentication systems’ best practices and some classes of attacks you should be prepared to defend against. Some mathematical background on cryptography described how HTTPS and signed certificates can be applied to secure your site.
Most importantly, you saw that security is only as strong as the weakest link, and it remains a challenge even for the world’s largest organizations. You must address security at all times during the development and deployment of your web applications and be prepared to recover from an incident in order to truly have a secure web presence.
What are the three components of the CIA security triad?
What is the difference between authentication and authorization?
Why is two-factor authentication more secure than single factor?
How does the secure by design principle get applied in the software development life cycle?
What are the three types of actor that could compromise a system?
What is security theater? Is it effective?
What type of cryptography addresses the problem of agreeing to a secret symmetric key?
What is a cryptographic one-way hash?
What does it mean to salt your passwords?
What is a Certificate Authority, and why do they matter?
What is a DoS attack, and how does it differ from a DDoS attack?
What can you do to prevent SQL injection vulnerabilities?
How do you defend against cross-site scripting (XSS) attacks?
What features does a digital signature provide?
What is a self-signed certificate?
What is mixed content, and how is it related to HTTPS?
Why are slow hashing functions like bcrypt recommended for password storage?
What is a downgrade attack and how can you protect a site against it?
What are the three types of SSL certificates? What are their strengths and weaknesses?
What is a Cross-Site Request Forgery (CSRF) attack? How do you defend against it?
It’s very important to have written permission to attack a system before starting to try and find weaknesses. Since we cannot be certain of what permission you have available to you, these projects focus on some secure programming practices.
You have been provided with a sample page that contains a variety of security vulnerabilities. The page allows people to upload comments but is vulnerable to SQL injection and to cross-site scripting.
Examine ch16-proj1.html in the browser. Also examine process.php. This page does the actual saving of the data to the provided SQLite database (called security-sample.db) and will require you to have a running server environment such as XAMPP.
Test if your site is vulnerable to SQL Injection by typing in either of the following in the page’s search box:
' or 1=1; --
' or 1=1; drop table junk; --The second line will delete a table from your database.
Test if your site is vulnerable to XSS by saving the following in the comment field:
<script type='text/javascript'>
alert('XSS vulnerability found!');
</script>Use the view comments link to see the newly added comment. If the alert is executed, then the site is vulnerable to XSS.
Sanitize the user comment input via JavaScript by using the DOMPurify library. You will need to provide sanitization for already existing comments as well as for new comments. You will also need to add sanitization on the server in PHP using HTML Purifier; for less protection (but easier to implement now) you can use the htmlentities function in PHP.
Protect your PHP against SQL Injection. This will require using prepared statements, as shown in Chapter 12.
Test for SQL Injection and XSS exploits as shown in steps 2 and 3.
Create a registration and login system in PHP using the supplied users table (you have been supplied a SQLite database file as well as a SQL import script if using MySQL).
You have been provided with the HTML, CSS, and JavaScript for the login and the registration pages. Test and examine in a browser.
The users table has two different digests: one (the field password) created from a bcrypt algorithm, the other (the field password_sha256) created with the sha256 hashing algorithm. The latter also requires the value in the salt field. You will be creating two different login pages in PHP so that you can test both approaches. For the bcrypt field, use the password_hash() function; for the sha256 field, use the hash() function. Set the login form to one of the two PHP login pages. Add in some logic to handle a failed login.
Implement two versions of the registration PHP page. You will need to insert the received data to the users table. Before inserting the data, you will need to generate the bcrypt digest or the sha256 digest and a random salt. Set the registration form to one of the two PHP registration pages.
After registration, redirect to the login page. After login, redirect to the supplied home page. If the user has logged in, in the message area of the home page, display the user’s name; if the user isn’t logged in when requesting this file, display a link to the login page. This will require making use of session state in PHP to keep track of the logged in user.
Add a logout link to the home page. This will require clearing session state of the user information.
The actual password for each user in the table is mypassword. For the bcrypt hash, it has used a cost value of 12.
Create a registration and login system in Node using the supplied users json file (you will have to import it into MongoDB).
You have been provided with the HTML, CSS, and JavaScript for the home and login pages. Test and examine in a browser. The home page has a link to a simple API.
You will make use of the digest field password created from a bcrypt algorithm. You will implement the login page in Node using the passport package. This will require creating a Mongoose schema and model for the Users collection. When the user has logged in, use JWT and not sessions to maintain the logged-in status.
You have been provided a simple API in Node. It should only be accessible in the browser if the user has already logged in. This will require checking the token provided by the passport package.
Implement the logout link.
The actual password for each user in the table is mypassword. For the bcrypt hash, it has used a cost value of 12.
1. Verizon, 2013 Data Breach Investigations Report. [Online]. http:/
2. M. Howard, D. LeBlanc, “The STRIDE threat model,” in Writing Secure Code, Redmond, Microsoft Press, 2002.
3. A. Goguen, A. Feringa, G. Stoneburner, “Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology,” NIST, special publication Vol. 800, No. 30, 2002.
4. D. Kravets, “San Francisco Admin Charged With Hijacking City’s Network,” Wired, July 15, 2008.
5. K. Poulsen, “ATM Reprogramming Caper Hits Pennsylvania.” [Online]. http:/
6. F. Brunton, “The long, weird history of the Nigerian e-mail scam,” Boston Globe, May 19, 2013.
7. PCI Security Standards Council, PCI Data Security Standard. [Online]. https:/
9. Oxford Dictionaries. [Online]. http:/
10. W. Diffie, M. E. Hellman, “New directions in cryptography,” Information Theory, IEEE Transactions on, Vol. 22, No. 6, pp. 644–654, 1976.
11. R. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Vol. 21, No. 2, pp. 120–126, 1978.
12. ITU. [Online]. http:/
13. B. Quinn, C. Arthur, “PlayStation Network hackers access data of 77 million users,” The Guardian, 26 04 2011.
14. A. Greenberg, “Citibank Reveals One Percent Of Credit Card Accounts Exposed In Hacker Intrusion.” [Online]. http:/
15. T. Claburn, “GE Money Backup Tape With 650,000 Records Missing At Iron Mountain.” [Online]. http:/
16. “Federal Information Processing Standards Publication 180-4: Specifications for the Secure Hash Standard,” NIST, 2012.
17. R. Rivest, “The MD5 Message-Digest Algorithm.” [Online]. http://tools.ietf.org/html/rfc1321, April 1992.
18. ACZoom. [Online]. http:/
19. w3af. [Online]. http:/
20. T. O. W. A. S. Project. [Online]. https:/
21. Google. [Online]. http://code.google.com/p/google-caja/source/browse/trunk/src/com/google/caja/plugin/html-sanitizer.js.
22. OWASP Enterprise Security API. [Online]. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API.
23. J. Leyden, June 2013. [Online]. http:/