Information Security Masters Degree
What is Security?
Authorization vs Authentication
Almost every web application needs to make authorization decisions
Authorization is about checking if an entity has the proper privileges for an action
Authorization requires the notion of the identity of the entity performing the action
Authentication is about verifying that an entity is who it claims to be
In web applications, authentication is often done with a username and password
Authentication happens once, and the authenticated state is kept in a session
Session management is the glue between authentication and authorization
It propagates the authenticated state throughout the session
Even stateless APIs depend on session data to keep track of this authenticated state
Where will you keep your session data? How will you represent your session data?
E.g., server-side vs client-side sessions, session identifiers vs self-contained JWT tokens
cookies vs localStorage vs sessionStorage
cookies vs the Authorization header
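The two representations named above behave very differently once the token leaves the server. As an added example (not part of the original slides), the TypeScript below contrasts an opaque session identifier, which carries no information and only works as a lookup key in a server-side store, with a self-contained JWT, whose header and claims are base64url-encoded JSON readable by anyone holding the token. The base64url codec is a minimal ASCII-only implementation written for this example, DEMO_TOKEN is a constructed value whose third segment is a placeholder rather than a real signature, and the decoder deliberately performs no signature verification, so none of this may be used to make an authorization decision.

```typescript
// Added example, not from the original slides: decoding a JWT is not verifying it.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Minimal base64url encoder for ASCII text (JWT segments carry no '=' padding).
export function base64UrlEncode(text: string): string {
  let out = '';
  for (let i = 0; i < text.length; i += 3) {
    const b0 = text.charCodeAt(i);
    const b1 = i + 1 < text.length ? text.charCodeAt(i + 1) : 0;
    const b2 = i + 2 < text.length ? text.charCodeAt(i + 2) : 0;
    const n = (b0 << 16) | (b1 << 8) | b2;
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (i + 1 < text.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < text.length) out += B64URL[n & 63];
  }
  return out;
}

// Matching decoder: accumulate 6 bits per character, emit a byte whenever 8 are available.
export function base64UrlDecode(encoded: string): string {
  let out = '';
  let buffer = 0;
  let bits = 0;
  for (let i = 0; i < encoded.length; i++) {
    const v = B64URL.indexOf(encoded[i]);
    if (v < 0) throw new Error('not base64url');
    buffer = (buffer << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return out;
}

export interface JwtParts {
  header: Record<string, unknown>;
  payload: Record<string, unknown>;
}

// Split and decode header and payload WITHOUT checking the signature segment.
export function decodeJwtUnverified(token: string): JwtParts {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three segments');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])) as Record<string, unknown>,
    payload: JSON.parse(base64UrlDecode(parts[1])) as Record<string, unknown>,
  };
}

// A self-contained token exposes its claims to whoever holds it; an opaque
// identifier exposes nothing and must be resolved against server-side state.
export function describeCredential(value: string): 'self-contained' | 'opaque' {
  try {
    decodeJwtUnverified(value);
    return 'self-contained';
  } catch {
    return 'opaque';
  }
}

// Time-window check on the standard exp/nbf claims (seconds since the epoch).
// Run this only AFTER a proper library has verified the signature.
export function claimsWithinWindow(payload: Record<string, unknown>, nowSeconds: number): boolean {
  const exp = payload['exp'];
  const nbf = payload['nbf'];
  if (typeof exp !== 'number' || nowSeconds >= exp) return false;
  if (typeof nbf === 'number' && nowSeconds < nbf) return false;
  return true;
}

// Constructed demo token: the third segment is a placeholder, not a signature,
// which is exactly why decoding must never stand in for verifying.
export const DEMO_TOKEN =
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + '.' +
  base64UrlEncode('{"sub":"user-42","role":"editor","exp":1700000000}') + '.' +
  'placeholder-signature';
```

Running describeCredential on DEMO_TOKEN yields 'self-contained' and the role claim is readable without any key; a random hex session identifier yields 'opaque'. That readability is the trade-off behind the "server-side vs client-side sessions" question: claims placed in a JWT are visible to the client and to anything that can read its storage.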
Authorization based on JWT
JSON Web Token
Can you spot the security issue here?

    import { Injectable } from '@angular/core';
    import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
    import { Observable } from 'rxjs';
    import { AuthService } from './auth.service'; // import path assumed

    // Angular HTTP interceptor: adds an Authorization header to outgoing requests.
    @Injectable()
    export class TokenInterceptor implements HttpInterceptor {
      constructor(public auth: AuthService) { }

      intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        // HttpRequest is immutable: clone() returns a copy with the extra header set.
        request = request.clone({
          setHeaders: {
            Authorization: `Bearer ${this.auth.getToken()}`
          }
        });
        return next.handle(request);
      }
    }
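The interceptor above attaches the bearer token to every request the application sends, whatever host it is going to, and it does so even when getToken() returns nothing (yielding a header of "Bearer null"). A request to a third-party origin (a CDN, an analytics endpoint, any URL that ends up in the page) therefore carries the user's token with it. The TypeScript below is an added example, not code from the slides: it isolates the decision into a framework-free function so the rule is testable. MinimalRequest is a stand-in for Angular's HttpRequest with only the fields the check needs, and API_ORIGIN is an assumed value.

```typescript
// Added example, not from the original slides: attach the token only to your own API.

// Stand-in for HttpRequest: only the fields the check needs.
interface MinimalRequest {
  url: string;
  headers: Record<string, string>;
}

// Assumed value for this example; in a real app this comes from configuration.
const API_ORIGIN = 'https://api.example.com';

// True only when the request URL resolves to exactly the trusted API origin.
// Relative URLs are resolved against the API origin, so '/artists' qualifies;
// protocol-relative URLs ('//cdn...') and look-alike hosts do not.
export function isApiRequest(url: string, apiOrigin: string = API_ORIGIN): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url, apiOrigin);
  } catch {
    return false; // unparseable URL: never attach credentials
  }
  return parsed.origin === new URL(apiOrigin).origin;
}

// Returns a copy of the request with the Authorization header added only when
// a token exists AND the request targets the API origin. The input is never
// mutated, mirroring HttpRequest.clone() in the interceptor.
export function attachToken(
  request: MinimalRequest,
  token: string | null,
  apiOrigin: string = API_ORIGIN,
): MinimalRequest {
  if (!token || !isApiRequest(request.url, apiOrigin)) {
    return { ...request, headers: { ...request.headers } };
  }
  return {
    ...request,
    headers: { ...request.headers, Authorization: `Bearer ${token}` },
  };
}
```

Inside intercept() the same rule reduces to calling clone() only when isApiRequest(request.url) holds and the token is non-empty, and returning next.handle(request) unchanged otherwise.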
`SELECT * FROM artists WHERE id=${id}`
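The template literal above splices id straight into the SQL text, so whatever the caller sends becomes part of the statement. The fix is to keep SQL text and data apart: the statement carries placeholders and the values travel separately to be bound by the driver. The TypeScript below is an added example, not code from the slides; the {text, values} shape and the $1 placeholder follow the convention of the node-postgres (pg) client, which is an assumption about the stack, and no database is contacted.

```typescript
// Added example, not from the original slides: parameterized query vs string splicing.

interface ParameterizedQuery {
  text: string;
  values: ReadonlyArray<string | number>;
}

// The pattern from the slide, kept for comparison: the input lands verbatim
// inside the statement text, so the database parses data as SQL.
export function artistQueryUnsafe(id: string): string {
  return `SELECT * FROM artists WHERE id=${id}`;
}

// Hardened form: the statement text is a constant; the value is bound separately
// and can never change the structure of the statement.
export function artistQuerySafe(id: string): ParameterizedQuery {
  return { text: 'SELECT * FROM artists WHERE id = $1', values: [id] };
}

// Defence in depth: when the column is numeric, validate the shape of the input
// at the boundary too, so anything that is not an integer is rejected before a
// query is even built.
export function parseArtistId(raw: string): number {
  if (!/^\d{1,18}$/.test(raw)) {
    throw new Error('artist id must be a positive integer');
  }
  return Number(raw);
}

export function artistQueryValidated(raw: string): ParameterizedQuery {
  return { text: 'SELECT * FROM artists WHERE id = $1', values: [parseArtistId(raw)] };
}
```

With the safe variants the text sent to the server is identical for every call; only the bound value differs, which is what makes the behaviour independent of the input.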
Sanitization out of the box:
bypassSecurityTrust* (the DomSanitizer methods that mark a value as trusted and skip that sanitization)

    $save_text = str_replace('script', 'span', $text);  // case-sensitive, single-word blacklist

    <ScRiPt>/* bad things happen here */</ScRiPt>
    <INPUT TYPE="IMAGE" src="javascript:/* ... */;">
    <img src="xss.png" onerror="/* bad things happen here */">
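The str_replace() filter is a blacklist: it rewrites one spelling of one word, so a differently cased tag name, an event-handler attribute or a tag that never contains the word all pass through untouched. The defensive alternative is contextual output encoding: treat the input as data and encode the characters that carry meaning in the HTML text context, so the browser never parses it as markup. The TypeScript below is an added example, not code from the slides: naiveFilter is a port of the PHP line, escapeHtml is the encoder for element content and double-quoted attribute values, and looksLikeMarkup is a rough check written for this example (a demo heuristic, not a sanitizer). SLIDE_PAYLOADS holds the three lines from the slide as constructed test input.

```typescript
// Added example, not from the original slides: blacklist filter vs output encoding.

// Port of the slide's filter: replaces every case-sensitive 'script' with 'span'.
export function naiveFilter(text: string): string {
  return text.split('script').join('span');
}

// HTML-text-context escaping of the five characters that can open markup or
// terminate an attribute value. Other contexts (URL, JavaScript, CSS) need
// their own encoders; this one is for element content and "quoted" attributes.
export function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch: string): string => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '>': return '&gt;';
      case '"': return '&quot;';
      default: return '&#39;';
    }
  });
}

// Demo heuristic: does the output still contain a start tag, or a tag carrying
// an inline on* event handler? Written for this example only.
export function looksLikeMarkup(html: string): boolean {
  return /<\s*[a-z]/i.test(html) || /<[^>]*\son\w+\s*=/i.test(html);
}

// The three payloads from the slide, constructed here as test input.
export const SLIDE_PAYLOADS: ReadonlyArray<string> = [
  '<ScRiPt>/* bad things happen here */</ScRiPt>',
  '<INPUT TYPE="IMAGE" src="javascript:/* ... */;">',
  '<img src="xss.png" onerror="/* bad things happen here */">',
];
```

Run over SLIDE_PAYLOADS, naiveFilter leaves the first and third lines byte-for-byte unchanged, and every filtered line still reads as markup; after escapeHtml none of them does, because no '<' survives to open a tag.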
The password cannot be updated by using this method.
However, the information that’s needed to reset the password can.
88.45% of the Alexa top 10,000 web sites “included at least one remote JavaScript library”
npm audit
95% of HTTPS servers vulnerable to trivial MITM attack
good news for browser support
With great power comes great responsibility