
Web Security

November 28, 2023
May 18, 2015

cyber-security
dark-web
linux-security
ssl-tls
sql#SQL injection

focus of web application and deployment

Web application security - Wikiwand
Category:Web security exploits - Wikiwand

Have I been pwned? Check if your email has been compromised in a data breach

HACKING GOOGLE - YouTube

Top 10 Web Hacking Techniques of 2015 | WhiteHat Security Blog

10 Web Security Vulnerabilities: Misconfiguration and More | Toptal
Logjam, Part 1: Why the Internet is Broken Again (an Explainer) | Electronic Frontier Foundation

paragonie/awesome-appsec: A curated list of resources for learning about application security
Single Page Web App Security Cheat Sheet

Rana Khalil - YouTube
Free Web Hacking Course - YouTube 1:08:03, Broken Access Control

Web Security Academy: Free Online Training from PortSwigger

The Art of Identifying Vulnerabilities - CascadiaFest 2015
How I find bugs in Web Applications | The ^lift Security Blog

Miscellaneous lesser-known front-end security knowledge | Litten's blog
7 Steps to Secure JavaScript in 2021 | by Viduni Wickramarachchi | May, 2021 | Bits and Pieces
JavaScript Security Issues and Best Practices | by Mahdhi Rezvi | Bits and Pieces
The protocol-relative URL - Paul Irish

Identity eats security: How identity management is driving security | CSO Online detect intrusion beyond authentication

In Search for a Perfect Access Control System | Teleport

How to Secure Your React.js Application

Courses/Videos

APIsec University - Become an API Security Expert
Web Security Academy: Free Online Training from PortSwigger

1 Hour of Popular Web Attacks (XSS, CSRF, SSRF, SQL Injection, MIME Sniffing, Smuggling and more!) - YouTube

Vickie Li's Security Blog
Vickie Li Dev - YouTube
Attacking Web Applications - YouTube
Defending Web Applications - YouTube

28c3 - YouTube

Frontend Security - Frontend Conf 2013, Zürich - YouTube
HTML5DevConf May2014: Mark Stuart, PayPal: Web Security in Node.js and JavaScript Apps (SPAs) - YouTube
Web Security @ SFHTML5 - YouTube

Become a bug bounty hunter - Learn about web application vulnerabilities and how to find them on bug bounty programs | BugBountyHunter.com

Tools

Burp Suite - Application Security Testing Software - PortSwigger
Download Burp Suite Community Edition - PortSwigger
Burp for Beginners: Introduction to Burp - YouTube

sullo/nikto: Nikto web server scanner
Web Server Scanning With Nikto – A Beginner's Guide

OWASP

The Open Web Application Security Project (OWASP) OWASP_SCP_Quick_Reference_Guide_v2.pdf
OWASP on GitHub

HTML5 Security · OWASP Cheat Sheet Series

OWASP Dependency Check - OWASP
Continuous Security Using OWASP - DZone Security

OWASP Zed Attack Proxy Project - OWASP
zaproxy/zaproxy: The OWASP ZAP core project

OAuth 2.0 Hacking for Beginners with Farah Hawa - YouTube

Session Fixation

Session fixation - Wikiwand

SRI

Subresource Integrity - Web security | MDN
hash for resources

CSP

Content-Security-Policy Header ⟶ CSP Reference & Examples
Content Security Policy (CSP) - HTTP | MDN
Content security policy | Web Security Academy

Enhance JavaScript Security with Content Security Policies | by Ashan Fernando | Bits and Pieces
Bypassing CSP with dangling iframes | PortSwigger Research

SSRF

Server-side request forgery - Wikiwand
What is SSRF (Server-side request forgery)? Tutorial & Examples | Web Security Academy

CORS/SOP

Cross Origin Resource Sharing
Same Origin Policy

Cross-origin resource sharing - Wikiwand
Cross-Origin Resource Sharing (CORS) - HTTP | MDN
enable cross-origin resource sharing

Cross-Origin Resource Sharing (CORS) | Articles | web.dev
Why you need "cross-origin isolated" for powerful features | Articles | web.dev

Getting CORS Working
Understanding CORS and cross-origin cookies | by Sharad Jain | Medium
authentication - Set cookies for cross origin requests - Stack Overflow
HTML5 Security Cheat Sheet - OWASP

XSRF/CSRF/CSURF

Cross-site request forgery - Wikiwand
What is CSRF (Cross-site request forgery)? Tutorial & Examples | Web Security Academy
Bypassing CSRF Protections: A Double Defeat of the Double-Submit Cookie Pattern
Cross-Site Request Forgery is dead!
CSRF Is Dead, Long Live SameSite=Lax! (or is it?) – Stephen's Thoughts
Let's talk about CSRF

Cross Site Request Forgery vs Server Side Request Forgery Explained - YouTube
Cross-Site Request Forgery (CSRF) Explained - YouTube

These are vulnerabilities that exploit the trust a site places in the user's browser. A malicious script initiates a request from the user's browser to the target site, and the browser automatically attaches the cookies it already holds for that site. The attack usually involves a form submission or a crafted URL.
The Same-Origin Policy (SOP) only blocks reading the response; it does not stop the request from being sent, so it is not helpful in blocking CSRF.

The counter-measure is to:

XSS

Cross-site scripting - Wikiwand
What is cross-site scripting (XSS) and how to prevent it? | Web Security Academy

Excess XSS: A comprehensive tutorial on cross-site scripting

DOM clobbering | Web Security Academy

Your API-Centric Web App Is Probably Not Safe Against XSS and CSRF

trufflesecurity/xsshunter
Truffle Security relaunches XSS Hunter tool with new features | The Daily Swig

These are vulnerabilities that exploit trust in user input: the app renders or executes the input without validation and escaping.
It usually involves running a malicious script in the context of the target site, reusing the user's session and accessing the target site's cookies.

Discovering and analyzing an XSS in Tui Editor | 离别歌

// These payloads execute as soon as the markup is assigned to `innerHTML`,
// even though `root` is never attached to the document. A `<script>` tag
// inserted this way would not run, but event-handler attributes still do.
const root = document.createElement("div");
// the image fetch for `src=1` fails immediately, so the onerror handler runs
root.innerHTML = "<img src=1 onerror=alert(1)>";
// setting the `open` attribute on creation fires a toggle event, so ontoggle runs
root.innerHTML = "<details open ontoggle=alert(1)>";

SQL injection

SQL injection - Wikiwand
What is SQL Injection? Tutorial & Examples | Web Security Academy

Node.js

Node Security Project
The ^lift Security Blog Newsletter

Unapply attack | Better world by better software
When This is Really That | The ^lift Security Blog

Node.js application (in)security - Ilja van Sprundel - OWASP AppSec California 2015 - YouTube

Helmet for express app
NodeJS Security Headers: 101 | Hacker Noon

Vulnerable Dependencies

npm audit

Retire.js
Dependency management + Code analytics for Node.js projects

Fingerprinting

How websites take browser fingerprints | Kaspersky official blog

Fighting TLS fingerprinting with Node.js | HTTP Toolkit

Researchers use GPU fingerprinting to track users online

CSS Security Vulnerabilities | CSS-Tricks - CSS-Tricks
CSS-Based Fingerprinting | CSS-Tricks - CSS-Tricks

What Is Browser Fingerprinting and How Does It Work? | SEON
FingerprintJS Open Source Demo

The device intelligence platform | Fingerprint
Demo: Disabling JavaScript Won’t Save You from Fingerprinting
The Top Browser Fingerprinting Techniques Explained - Fingerprint
How Does Canvas Fingerprinting Work - Fingerprint
Canvas Fingerprinting - BrowserLeaks
How the Web Audio API is used for audio fingerprinting