WebAppSec/MozSecureWorld
From MozillaWiki
Code on GitHub
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for pen testing individuals or tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA - track failed logins by IP address (an attacker from one IP guessing "password" on all user accounts) and by user account (Joe has 3 failed logins)
- Password storage via bcrypt (fred wenzel) and system nonce
- Account creation with blacklisted password support
- (Possible) Secure Password Reset
How
- Login with database and different users
Access Control
- Presentation, Business, Data Layer Access Control
- Presentation and Data layers use decorators
- Read about presentation layer protection
- (Possible) Two tier design for admin account separation
- The picture of separate control of changing passwords
Input Validation
- Rich text handling via bleach
- File upload support via secure file handling guidelines
- File Handling
- SQL
- Content Security Policy
- Move all JavaScript into external source files for the CSP demo, as a second barrier beyond escaping characters
- (Possible) Third party service
- (Possible) Third party hosted images. Initial processing and per visit processing?
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
How
- Follow these rules
Cross Domain Controls
- X-Frame-Options response header
- P
Cookie Protection
- Secure Flag
- HTTPOnly Flag
How to check
- Get Burp
- Go to your site
- You should see "HttpOnly" on the "Set-Cookie:" line in the HTTP response headers
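The Burp check above, plus the HSTS and X-Frame-Options headers from the Transport Security and Cross Domain Controls sections, can be automated against a captured response. This is an added example, not code from the MozSecureWorld project; the sample response below is constructed and the function names are my own.

```python
# Added example (not MozSecureWorld code): audit a raw HTTP response for the
# cookie flags and cross-domain headers this page lists. Standard library only.

def parse_response(raw):
    """Split a raw HTTP response into its status line and a list of (name, value) headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers

def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lowercase: attribute_value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure map to ""
    return name, attrs

def audit_response(raw):
    """Collect per-cookie Secure/HttpOnly flags, HSTS presence and X-Frame-Options value."""
    _status, headers = parse_response(raw)
    findings = {"cookies": {}, "hsts": False, "x_frame_options": None}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            findings["cookies"][cname] = {"secure": "secure" in attrs,
                                          "httponly": "httponly" in attrs}
        elif lname == "strict-transport-security":
            findings["hsts"] = True
        elif lname == "x-frame-options":
            findings["x_frame_options"] = value.upper()
    return findings

def missing_protections(findings):
    """List the protections from this page that the response does not carry."""
    problems = []
    for cname, flags in findings["cookies"].items():
        if not flags["secure"]:
            problems.append(f"cookie {cname} lacks Secure")
        if not flags["httponly"]:
            problems.append(f"cookie {cname} lacks HttpOnly")
    if not findings["hsts"]:
        problems.append("no Strict-Transport-Security header")
    if findings["x_frame_options"] not in ("DENY", "SAMEORIGIN"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return problems

# Constructed sample: the session cookie is protected, the CSRF cookie is not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=c0ffee; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: csrftoken=abc123; Path=/\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for problem in missing_protections(audit_response(SAMPLE_RESPONSE)):
        print(problem)
```

Feed it the raw response copied out of Burp's proxy history; an empty list from missing_protections means every check on this page passed.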
Roadmap
- X Setup playdoh & github
- X Running HelloWorld
- X Design Planning
- X Figure out how to do templates
- X Figure out how to put in database
- X Know how to make pages with templates
- X basic: x-frame-options
- LATER --> Install Apache basic: secure flag (June 9 pg2)
- X basic: httponly flag
- X Use bleach for rich text.
- LATER --> feed the same input and check the escaped output for HTML, JS and XML contexts (June 13 pg2)
- X Google Safe Browsing POST Lookup
- LATER --> Use Google Safe Browsing Local (June 14)
- add decorators for data and business layers
- read about presentation layer
- Complete initial presentation layer and CSS for basic item
- Authentication/login
- File upload stuff
- Write about page for each vulnerability
- Access Control
- Input Validation
Calendar
Reminder: Put in screenshots
Week | Category | Items | Done
---|---|---|---
1. 6/6 - 6/10 | | |
2. 6/13 - 6/17 | | |
3. 6/20 - 6/24 | | |
4. 6/27 - 7/1 | | |
5. 7/3 - 7/8 | | |
6. 7/11 - 7/15 | | |
7. 7/18 - 7/22 | | |
8. 7/25 - 7/29 | | |
Extra things | | |

End date: 8/12