WebAppSec/MozSecureWorld
Revision as of 05:59, 7 June 2011
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for penetration testers and penetration testing tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA
- Password storage via bcrypt and system nonce
- Account creation with a blacklist of disallowed passwords
- (Possible) Secure Password Reset
Access Control
- Presentation, Business, Data Layer Access Control
- (Possible) Two tier design for admin account separation
Input Validation
- Rich HTML handling via bleach
- File upload support via secure file handling guidelines
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
Cross Domain Controls
- X-Frame-Options
Cookie Protection
- Secure Flag
- HTTPOnly Flag
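The three response-side controls listed above (HTTP Strict Transport Security, X-Frame-Options, and the Secure and HttpOnly cookie flags) can be checked mechanically. The following audit function is an added example, not code from the MozSecureWorld project; it assumes a response is given as WSGI-style (name, value) header pairs, treats DENY and SAMEORIGIN as the only acceptable X-Frame-Options values, and uses constructed sample responses rather than captured traffic.

```python
# Added example (not part of the MozSecureWorld project): audit an HTTP
# response against the HSTS, X-Frame-Options and cookie-flag controls.
import re
from http.cookies import SimpleCookie


def audit_response(headers):
    """Return a list of findings; an empty list means all three controls pass.

    `headers` is a list of (name, value) pairs as a WSGI app emits them.
    Names are compared case-insensitively; Set-Cookie may appear repeatedly.
    """
    findings = []
    by_name = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            by_name[name.lower()] = value

    # Transport security: HSTS must be present with a positive max-age.
    hsts = by_name.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) <= 0:
        findings.append("HSTS missing or max-age not positive")

    # Cross domain control: frames only allowed from nowhere or same origin.
    xfo = by_name.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Cookie protection: every cookie needs both the Secure and HttpOnly flags.
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for cname, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {cname} lacks Secure flag")
            if not morsel["httponly"]:
                findings.append(f"cookie {cname} lacks HttpOnly flag")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "csrftoken=xyz; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    print("weak:", audit_response(WEAK))          # four findings
    print("hardened:", audit_response(HARDENED))  # []
```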
Secure I/O
- File Handling
- SQL
- (Possible) Third party service
Roadmap
- Set up Playdoh & GitHub
- Running HelloWorld
- Design Planning
- Code a basic item first (X-Frame-Options)
- Complete the initial presentation layer and CSS for the basic item
- Set up the backend database
- Authentication