Lecture notes about the different threats a website can face, and the steps a developer should take to protect the website and its users.
The notes have a summary section on the left side of the page, following the Cornell note-taking method, where the key points are summarised beside the notes.
Contents
Web Application Security
Types of attacks
General recommendations
Storing passwords
Salting
Injection Attacks
SQL Injection
HTTP Header Injection
Log Injection
JavaScript Injection (XSS)
Preventing attacks
Cookie httponly
Input Sanitisation
HTML Escaping
XSS Protection
Cross-Origin Resource Sharing
Same-origin Policy
Cross-Origin Resource Sharing
Cross-Site Request Forgery
CSRF Protection
Session Hijacking
Secure Transmission (HTTPS)

Web Application Security
Hackers aim to access users' information and take control of systems:
collecting information about you or your system
accessing personal data for ID theft
committing transaction fraud in the user's name
using your system for more complex attacks

Types of attacks
Spoofing: impersonate another user
Tampering: change or delete data without authorisation
Repudiation: user actions are not logged, so a user can deny having performed them
Information disclosure: steal or reveal server information
Denial of Service (DoS): make the application less available
Elevation of Privilege: gain admin privileges

Summary: There are different types of web security attacks: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege.
Summary: Passwords must be stored, but hashed passwords are vulnerable to dictionary attacks, so adding a salt makes them hard to recover.
Summary: Injection attacks consist of attackers placing malicious code where the application is expecting normal data: SQL injection, HTTP header injection (in the response), log injection and JavaScript injection (XSS).
Summary: Session hijacking: when the attacker has the same session ID as the user, the server cannot distinguish between them.
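As an added example, not part of the original notes, the Python below shows the SQL injection case from the summary above: a login query built by splicing user input into the SQL text, beside the parameterised form that keeps the input as data. The table contents, placeholder password hashes and payload are constructed for the demo.

```python
import sqlite3

# Constructed sample table for the demo (the password hashes are placeholders).
SAMPLE_USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]

# Classic payload: closes the open quote, adds an always-true condition,
# and comments out the rest of the statement with "--".
PAYLOAD = "' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """User input is spliced into the SQL text, so quotes in the input change the query.

    With PAYLOAD as the username the statement becomes
    ... WHERE username = '' OR '1'='1' --' AND password_hash = '...'
    and every user matches."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """Parameterised query: values travel separately from the SQL text, so a quote
    in the username is just a character to compare against, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password_hash)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe login with payload:      ", login_safe(db, PAYLOAD, "anything"))
```

The same rule applies to every injection class in the summary: the fix is to pass untrusted input through an interface that treats it as data (bound parameters here, escaping for HTML, encoding or stripping of line breaks for headers and logs), not to try to spot "bad" characters in it.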
General recommendations
Use a firewall
Install the latest security patches
Back up often and keep the backups safe
Keep the web server computer physically secure
Secure server computers with strong passwords
Close unused ports and turn off unused services
Use a virus checker to monitor inbound and outbound traffic
Storing passwords
‼️ Never store passwords in plain text: hash them
With a plain hash function, two users who chose the same password get the same hash, and the hashes can be discovered with a dictionary attack (hashing a list of common passwords once and looking the results up against every stored hash). This still leaves the system vulnerable.
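As an added example, not part of the original notes, the Python below runs the dictionary attack described above against unsalted SHA-256 hashes and then against hashes with a random per-user salt (PBKDF2-HMAC-SHA256, the technique the Salting section is about). The user names, passwords and wordlist are constructed for the demo; the iteration count is kept low so the demo runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users chose the same weak password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "Tr0ub4dor&3"}
# Constructed attacker wordlist (a real one holds millions of entries).
WORDLIST = ["123456", "password", "sunshine", "letmein"]

# Deliberately low for the demo; use a much higher count in production.
ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always produces the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def unsalted_store(users: dict) -> dict:
    """What the notes warn about: one digest per user, no salt."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def dictionary_attack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then look every stored digest up in the table.

    Returns (cracked_users, number_of_hash_computations); the work does not
    grow with the number of users, and equal digests expose shared passwords."""
    table = {unsalted_hash(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in store.items() if digest in table}
    return cracked, len(wordlist)


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt: a slow, salted hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def salted_store(users: dict) -> dict:
    """Store (salt, digest) per user; the salt is random and kept in the clear."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, digest = store[user]
    return hmac.compare_digest(digest, salted_hash(password, salt))


def dictionary_attack_salted(store: dict, wordlist: list) -> tuple:
    """No shared table is possible: each guess must be re-hashed with each user's salt.

    Returns (cracked_users, number_of_hash_computations)."""
    cracked, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(digest, salted_hash(word, salt)):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    plain = unsalted_store(USERS)
    print("alice and bob share a hash:", plain["alice"] == plain["bob"])
    print("unsalted attack:", dictionary_attack_unsalted(plain, WORDLIST))
    salted = salted_store(USERS)
    print("alice and bob share a digest:", salted["alice"][1] == salted["bob"][1])
    print("salted attack:", dictionary_attack_salted(salted, WORDLIST))
```

Note what the salt does and does not buy: it removes the one-table-for-everyone shortcut and hides that alice and bob share a password, but "sunshine" still falls to a per-user wordlist run. That is why the salt is paired with a deliberately slow hash (PBKDF2 here; bcrypt, scrypt or Argon2 are the usual alternatives), so each of those per-user guesses is expensive.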
Sold on Stuvia by seller ileniamaiettabusiness.