- Types of security.
- Threat models.
- Authentication, Authorization, Identification.
- Passwords and Passphrases.
- HTTPS and certificates.
- Types of attacks.
- Disclosing a vulnerability.
- se·cu·ri·ty ( siˈkyo͝oritē/ ) [ noun ]
The state of being free from danger or threat.
The safety of a state or organization against criminal activity such as
terrorism, theft, or espionage.
There are three main types of security in computing:
- Physical Security
- Software Security
- Network Security
- Physical Security
  - Use physical barriers to prevent unauthorized access to data.
- Software Security
  - Fix flaws in your application that could grant attackers unwanted levels of
    access to your systems.
- Network Security
  Security pertaining to networked services (websites, databases, etc.).
  - Active: an intruder initiates commands to disrupt the network's
    normal operation (Denial-of-Service, Ping of Death).
  - Passive: a network intruder intercepts data traveling through the network
    (Man-in-the-Middle, Wiretapping, Idle Scan).
Each of these encompasses a field of computer security unto itself. We will at
least mention each of them in more detail, but we will focus on network security
in this course.
Threat models allow you to focus and limit your security resources on what is
necessary instead of what is possible.
A threat model is an assessment of which attackers you are protecting against.
This is so you don't spend too much time in a panic attack trying to protect
your tiny webapp from the NSA.
- Identification: Who is this person?
- Authentication: Is this person who they say they are?
- Authorization: Is this person allowed to perform this action?
Access Control is a framework for controlling who has access to what
resources on a system. There are many ways to implement Access Control,
but the three basic principles of Access Control are Identification,
Authentication, and Authorization.
- Problems
- Solutions
- Choosing
Passwords are a necessary part of security. They aren't great, though, for a few
reasons.
- Problems
  - People repeat passwords.
  - Many passwords are easy to guess.
  - Passwords are hard to remember.
- Solutions
  - Use a password manager.
  - Change your passwords regularly.
  - Use multi-step authentication.
- Choosing
  - Let the password manager generate them for you.
  - Use pass phrases instead of words.
Relevant funny bash.org post
- HTTPS: Hypertext Transfer Protocol Secure.
- Certificate Authority (CA): An entity that issues digital certificates
  for HTTPS connections.
- SSL/TLS: Secure Sockets Layer/Transport Layer Security.
Code Injection is the act of inserting code into a running process (website,
webapp, word processor, etc.) with malicious intention.
- SQL Injection:
  - SQL Injection is when you take advantage of the fact that a form input
    is inserted directly into a SQL query. You write some password and
    then write a new SQL query which drops all tables, or returns all
    data, exploiting an easy security hole.

+-----------+----------------------------------------+
| username: | admin                                  |
+-----------+----------------------------------------+
| password: | pass' || true); DROP TABLE STUDENTS;-- |
+-----------+----------------------------------------+

- Cross-Site Scripting (XSS):
  - Cross-Site Scripting is when a malicious script is sent to, and run on,
    a person's computer. This tends to take advantage of the fact that
    your browser blindly runs any JavaScript you tell it to.

<img onerror=alert("Tracking your IP with a GUI interface!");>

- Cross-Site Request Forgery (CSRF):
  - CSRF is when one website on your browser tries to carry out an action
    as you on a different website. For instance, you're an admin of some
    big social media website and you get an email; embedded in the email is
    a CSRF script which tries to delete all user accounts on your website.
    Since you've got your credentials cached, your browser doesn't know
    better and can run that command because it looks like any other
    command.

<img src="http://example.com/?action=Delete All Accounts">

- Sanitize User Inputs
- Use CSRF Tokens
Some of these attacks are very hard to fight against, but they all have
industry-tested solutions that are easy enough to implement in an
application of your own.
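
The form input shown earlier, run against a query built by string formatting and then against the same query with placeholders. This is an added example, not code from the lesson; it uses parameterized queries as the fix, and the table layout, function names and stored password are constructed for the demonstration.

```python
import sqlite3

# Password field value from the form shown earlier in this lesson.
PAYLOAD = "pass' || true); DROP TABLE STUDENTS;--"

def make_db():
    """Constructed in-memory database (names and rows are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        CREATE TABLE STUDENTS (name TEXT);
        INSERT INTO users VALUES ('admin', 'constructed-password');
        INSERT INTO STUDENTS VALUES ('constructed student');
    """)
    return db

def table_exists(db, name):
    query = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return db.execute(query, (name,)).fetchone() is not None

def check_login_vulnerable(db, username, password):
    # BEFORE: form values are pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT 1 FROM users WHERE (username = '%s' AND password = '%s');"
           % (username, password))
    db.executescript(sql)  # runs every statement found in the string
    return sql

def check_login_safe(db, username, password):
    # AFTER: placeholders pass the values separately from the SQL text, so
    # they are only ever compared as data, whatever characters they contain.
    query = "SELECT 1 FROM users WHERE (username = ? AND password = ?)"
    return db.execute(query, (username, password)).fetchone() is not None

def demo():
    """Run the payload through both versions and report what happened."""
    db = make_db()
    check_login_vulnerable(db, "admin", PAYLOAD)
    dropped = not table_exists(db, "STUDENTS")
    db = make_db()
    return {
        "vulnerable_dropped_students": dropped,
        "safe_accepts_payload": check_login_safe(db, "admin", PAYLOAD),
        "safe_keeps_students": table_exists(db, "STUDENTS"),
        "safe_accepts_real_password": check_login_safe(db, "admin", "constructed-password"),
    }

if __name__ == "__main__":
    print(demo())
```

sqlite3's `execute()` refuses a string containing more than one statement, so the vulnerable version uses `executescript()` to stand in for database drivers that allow stacked statements.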
- Sanitize Inputs
  - Input sanitization is when your code sniffs a piece of input to see if
    it looks like SQL or code of any kind. If it does look like code,
    it's probably malicious, so your program errors out and tells the user
    to enter a real input.
- CSRF Tokens
  - A CSRF token is a unique string that has to be tied to each request
    you send to a server. You don't need to log back in each time you get
    a new one, but the application won't complete your action unless the
    token is included in your query. This means only the website you're
    logged into can send a real query because only that website knows the
    CSRF token.
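
The token check described above, as an added example that is not part of the lesson: a random token kept in the server-side session and required on every state-changing request. The in-memory session store, function names, form field name and status codes are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session cookie value -> session data.
SESSIONS = {}

def log_in(user):
    """Create a session and a CSRF token that only this site's pages will see."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """The site embeds the token in forms it serves to the logged-in user."""
    token = SESSIONS[sid]["csrf"]
    return '<input type="hidden" name="csrf_token" value="%s">' % token

def handle_post(sid, form):
    """Return an HTTP-style status for a state-changing request."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401  # no valid session cookie
    sent = form.get("csrf_token", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403  # cookie was present, but the request did not carry the token
    return 200      # the action named in form["action"] would run here

def demo():
    sid = log_in("admin")
    token = SESSIONS[sid]["csrf"]
    action = {"action": "delete_all_accounts"}
    return {
        # Cross-site request: the browser attaches the cookie automatically,
        # but the other site cannot read the token, so none is sent.
        "forged": handle_post(sid, dict(action)),
        "guessed": handle_post(sid, dict(action, csrf_token="guess")),
        # Request submitted from the site's own form, token included.
        "genuine": handle_post(sid, dict(action, csrf_token=token)),
        "token_in_form": token in render_form(sid),
    }

if __name__ == "__main__":
    print(demo())
```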
Web server attacks take advantage of vulnerabilities in specific versions or
default configurations of web servers.
- Test and document the bug to verify it exists.
  - If you think you encountered a bug, make sure you can replicate it. If
    you can't, how can you expect the developers to recreate it?
- Disclose it privately to those responsible for fixing it.
  - Provide examples – it's basically a bug report, but through private
    channels (not the public tracker yet!)
- Give them time to release a patch before announcing it.
  - Google waits 90 days to announce a bug after informing the developers.
- codebashing.com/sql_demo
  - Try your hand at actual SQL Injection attacks.
- OverTheWire Wargames
  - Learn the basics of offensive security by solving challenges and using
    exploits to gain access to the password for the next level.