DevLeague Coding Bootcamp
DevLeague is a Full Stack Coding Bootcamp
Cross-site scripting (XSS): https://en.wikipedia.org/wiki/Cross-site_scripting
The general idea is that a script is loaded onto some resource, like a website or email, because of a lack of input validation.
Once stored on the resource, every new visitor executes the script, which could do anything from sending sensitive data to a remote server to accessing a third-party site (like a bank) and trying to manipulate that site's API.
An online forum (like Reddit) may not be sanitizing one of its many input fields and may directly display anything the user inputs on its site.
Any new users will then execute that script.
In one scenario, the script could be a keylogger that attempts to log every keypress, hoping that you eventually type in your username and password.
Myspace: https://en.wikipedia.org/wiki/Samy_(computer_worm)
In another scenario, the script may try to send a request to insecurebank.com's API. Since insecurebank.com uses cookies to keep track of user sessions, any call to the API will carry a valid user session.
The API the script ends up calling will transfer 1 million dollars from your bank account to the attacker's bank account with no visual indicators.
Validate your Inputs!
Use a sanitization library of some sort to ensure that any <script> tag or other attack string is sanitized out before it's saved to your database.
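The forum scenario above, as an added example (not code from the DevLeague slides): the same stored comment rendered two ways, once pasted straight into the page and once HTML-encoded at output time, which is the approach the OWASP XSS cheat sheet linked below recommends. The comment string is a constructed sample.

```javascript
// Added example, not from the DevLeague slides. The comment below is a
// constructed sample, not real forum data.

// HTML-encode the five characters that can change the meaning of markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Vulnerable rendering: the stored comment is dropped straight into the page,
// so the browser of every later visitor parses any markup it contains.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: the same comment is encoded, so the browser shows the
// text literally and never treats it as a tag or a script.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Review/test helper: does the rendered HTML still contain a raw <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: what an unsanitized input field might have stored.
const sampleComment = 'Nice post <script>alert("xss")</script>';

console.log(renderCommentUnsafe(sampleComment)); // script tag reaches every visitor
console.log(renderCommentSafe(sampleComment));   // shown as text: &lt;script&gt;...
```

Encoding at render time protects even comments that were stored before the sanitizer was added, which is why it belongs alongside input validation rather than instead of it.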
OWASP XSS prevention cheat sheet:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
The main purpose of a CSRF attack is to leverage an exploit on one page to inject some code that eventually attacks another page altogether.
Often known as session riding.
Take the script from the previous example: once it runs on a user's computer, it may try to send a request to insecurebank.com's API. Since insecurebank.com uses cookies to keep track of user sessions, any call to the API will carry a valid user session.
The API the script ends up calling will transfer 1 million dollars from your bank account to the attacker's bank account with no visual indicators.
Most server frameworks now come with an option to send a CSRF token along with any page load.
The purpose of this token is to ensure that the user has at least loaded this token before making any requests to the API.
The token itself should be embedded in the HTML (usually in a hidden input field) and should be specific to the user that is requesting the token.
SQL injection: https://en.wikipedia.org/wiki/SQL_injection
Often, input is not properly validated and is added directly to a database query. Special characters can then be used to stop the current query and start a new one that could potentially return sensitive information.
It could also be used to delete critical information.
Or, even worse, take control of the entire server by breaking out of the database application.
Sanitize your goddamn inputs!!!111one!!eleventy!one
This can often be easily accomplished just by using a database connector library like knex or bookshelf. They usually have built-in mechanisms that will sanitize your query.
But even with these libraries, there is often a "raw" query that you might be generating by hand, into which input can be inserted. In these cases, you need to ...
SANITIZE YOUR INPUTS!
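The difference between a hand-built "raw" query and a parameterized one, as an added example (not code from the DevLeague slides, knex or bookshelf). No database is needed: each function returns the SQL it would send, and the quote-counting helper is a crude structural check you can drop into a test. The usernames are constructed samples.

```javascript
// Added example, not from the DevLeague slides. Inputs are constructed samples.

// Vulnerable: user input is spliced into the statement text itself.
function findUserUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Hardened: the statement text is constant and the input travels separately as
// a bound parameter, so the database never parses it as SQL. This is the same
// shape as knex.raw('... = ?', [username]) or pg's client.query(text, values).
function findUserSafe(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = ?',
    values: [username],
  };
}

// Crude structural check: count single quotes in the statement text. Each
// string literal should contribute exactly two; any other count means the
// input changed the statement's structure rather than just its value.
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

function isStructurallyIntact(sql, expectedLiterals) {
  return quoteCount(sql) === 2 * expectedLiterals;
}

// Constructed inputs: an ordinary username, and a perfectly legitimate one that
// happens to contain the quote character the slides warn "stops the current query".
const normal = 'alice';
const withQuote = "o'brien";

console.log(isStructurallyIntact(findUserUnsafe(normal), 1));    // true
console.log(isStructurallyIntact(findUserUnsafe(withQuote), 1)); // false: statement broken
console.log(findUserSafe(withQuote));                            // text unchanged, value bound
```

Note that the unsafe version breaks on an honest surname before any attacker shows up; parameterization fixes the correctness bug and the injection bug at the same time.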
As you've probably guessed by now, this is the most effective way to protect your application.
There are many libraries out there that will help ensure that the input you're getting from your users is safe.
JOI - https://github.com/hapijs/joi
validator.js - https://github.com/chriso/validator.js
sanitize-html - https://github.com/punkave/sanitize-html
google-caja - https://code.google.com/archive/p/google-caja/wikis/JsHtmlSanitizer.wiki
Nearly every language will have some kind of validator.
helmet - https://github.com/helmetjs/helmet
An all-in-one security library for Express
OWASP Web Application Security Cheat Sheet:
https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
sqlmap - SQL injection penetration testing tool
http://sqlmap.org/
Fuzzing: https://en.wikipedia.org/wiki/Fuzzing
A technique for automatically sending invalid, unexpected or just random input to web applications
WFuzz - https://github.com/xmendez/wfuzz
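Fuzzing turned on your own defences, as an added example (not code from the DevLeague slides or from WFuzz): a tiny in-process mutation fuzzer that feeds mutated inputs to two candidate sanitizers and returns the first input that lets a script tag through. It goes a little beyond the slide by showing why the "just strip <script>" approach from the XSS section needs this kind of test. The PRNG (mulberry32) is seeded so any failure it finds is reproducible; the seed string and mutation set are the example's own assumptions.

```javascript
// Added example, not from the DevLeague slides or WFuzz.

// Deterministic PRNG (mulberry32) so a failing input can be replayed exactly.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Candidate 1: the "just remove <script>" approach (single global pass).
function stripScriptTags(input) {
  return input.replace(/<script>/gi, '');
}

// Candidate 2: encode the characters that carry markup meaning.
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Safety property every sanitizer must preserve: no script tag survives output.
function isSafe(output) {
  return !/<script/i.test(output);
}

// Mutation fuzzer: start from a seed string and apply one to three random edits
// (insert the seed somewhere, upper-case a character, drop a character).
// Returns the first counterexample, or null if the property held every time.
function fuzz(sanitize, { seed = '<script>', iterations = 500, rngSeed = 42 } = {}) {
  const rnd = mulberry32(rngSeed);
  const pick = (n) => Math.floor(rnd() * n);
  for (let i = 0; i < iterations; i++) {
    let input = seed;
    const edits = 1 + pick(3);
    for (let e = 0; e < edits; e++) {
      const pos = pick(input.length + 1);
      switch (pick(3)) {
        case 0: input = input.slice(0, pos) + seed + input.slice(pos); break;
        case 1: input = input.slice(0, pos) + input.charAt(pos).toUpperCase() + input.slice(pos + 1); break;
        default: input = input.slice(0, pos) + input.slice(pos + 1); break;
      }
    }
    if (!isSafe(sanitize(input))) return input; // counterexample found
  }
  return null;
}

console.log('strip  :', JSON.stringify(fuzz(stripScriptTags))); // an input that survives stripping
console.log('escape :', JSON.stringify(fuzz(escapeHtml)));      // null: property held
```

The strip-based sanitizer fails because removing one tag can join two fragments into a new one, so a single pass is never enough; the encoder has no such failure mode because the output never contains a raw `<` at all. The same harness works for any sanitizer: swap in the library you chose and a property that describes what must never reach the page.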
Apple, Amazon epic hack (Wired):
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
Github Attack:
https://en.wikipedia.org/wiki/Censorship_of_GitHub
NTP Reflection Attack:
https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/
ILOVEYOU Bug:
https://en.wikipedia.org/wiki/ILOVEYOU
Adrian Lamo:
https://en.wikipedia.org/wiki/Adrian_Lamo
Kevin Mitnick:
https://en.wikipedia.org/wiki/Kevin_Mitnick
By DevLeague Coding Bootcamp