WebAppSec/MozSecureWorld: Difference between revisions

From MozillaWiki

Revision as of 21:48, 7 June 2011

Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

  • Demonstration of secure application design
  • Explanation of importance and purpose of security features
  • Learning tool for others to reference
  • Testing site to validate effectiveness of security & design recommendations
  • Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

  • Brute force prevention via adaptive CAPTCHA
  • Password storage via bcrypt and system nonce
  • Account creation with blacklisted password support
  • (Possible) Secure Password Reset

How

  • Login with database and different users

Access Control

  • Presentation, Business, Data Layer Access Control
    • Presentation and Data layers use decorators
    • Read about presentation layer protection
  • (Possible) Two tier design for admin account separation
    • Diagram showing separate control of password changes

Input Validation

  • Rich text handling via bleach
  • File upload support via secure file handling guidelines
  • File Handling
  • SQL
  • Content Security Policy
    • Move all JavaScript into external source files, so the CSP demo acts as a second barrier beyond escaping characters
  • (Possible) Third party service
  • (Possible) Third party hosted images. Initial processing and per visit processing?

Transport Security

  • Full & correct TLS
  • HTTP Strict Transport Security

How

  • Follow these rules: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Introduction

Cross Domain Controls

  • X-Frame-Options response header

Cookie Protection

  • Secure Flag
  • HTTPOnly Flag
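The three header-level controls above (HSTS under Transport Security, X-Frame-Options, and the Secure and HttpOnly cookie flags) can be enforced in one place. The following is an added example, not code from MozSecWorld or Playdoh: a plain WSGI middleware that wraps any WSGI application (Django applications are WSGI applications), with the frame policy, HSTS max-age and the sample session cookie chosen here as assumptions.

```python
# Added example (not MozSecWorld/Playdoh code): a WSGI middleware enforcing the
# controls above (X-Frame-Options, HSTS, Secure/HttpOnly); Django apps are WSGI apps.
FRAME_OPTIONS = "DENY"                        # this demo is never framed
HSTS = "max-age=31536000; includeSubDomains"  # one year; assumed policy value

def harden_cookie(value, https=True):
    """Append HttpOnly (and Secure on HTTPS) to a Set-Cookie value if absent."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.lower() for a in attrs}
    if "httponly" not in present:
        attrs.append("HttpOnly")
    if https and "secure" not in present:
        attrs.append("Secure")
    return "; ".join(attrs)

def harden_headers(headers, https=True):
    """Return the response headers with the security headers enforced."""
    out, names = [], set()
    for name, value in headers:
        if name.lower() == "set-cookie":
            value = harden_cookie(value, https)
        names.add(name.lower())
        out.append((name, value))
    if "x-frame-options" not in names:
        out.append(("X-Frame-Options", FRAME_OPTIONS))
    # Browsers ignore HSTS on plain HTTP, so emit it only on HTTPS responses.
    if https and "strict-transport-security" not in names:
        out.append(("Strict-Transport-Security", HSTS))
    return out

class SecurityHeadersMiddleware:
    def __init__(self, app):
        self.app = app
    def __call__(self, environ, start_response):
        https = environ.get("wsgi.url_scheme") == "https"
        def start(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers, https), exc_info)
        return self.app(environ, start)

def demo_app(environ, start_response):  # constructed stand-in for the Django app
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessionid=abc123; Path=/")])
    return [b"hello"]

def run(app, scheme="https"):
    # Call a WSGI app with a minimal environ; return (status, headers, body).
    captured = {}
    body = b"".join(app({"wsgi.url_scheme": scheme},
                        lambda s, h, e=None: captured.update(status=s, headers=h)))
    return captured["status"], captured["headers"], body
```

Run `run(SecurityHeadersMiddleware(demo_app))` to see the hardened headers; the same request over `scheme="http"` gets HttpOnly but neither Secure nor HSTS, which is the expected behaviour for a non-TLS response.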

Roadmap

  1. X Set up playdoh (https://github.com/mozilla/playdoh/) & github (https://github.com/haoqili/MozSecWorld)
  2. X Running HelloWorld
  3. X Design Planning
  4. Make "about" pages for each bullet above
    • Have a generic Django template
  5. Code basic items first (X-Frame-Options, Secure flag, HttpOnly flag)
  6. Use bleach for rich text.
  7. Add decorators for data and business layers
  8. Read about the presentation layer
  9. Complete initial presentation layer and CSS for basic items
  10. Set up backend database
  11. Authentication/login
  12. File upload handling

Links References

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines