Purpose

A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.

Uses

• Demonstration of secure application design
• Explanation of importance and purpose of security features
• Learning tool for others to reference
• Testing site to validate effectiveness of security & design recommendations
• Evaluation tool for pen testing individuals or tools

Design

Architecture

Python on Django via Playdoh

Security Components & Controls

Authentication

• Brute force prevention via adaptive CAPTCHA
• Password storage via bcrypt and system nonce
• Account creation with blacklisted password support
• (Possible) Secure Password Reset

How

• Login with database and different users

Access Control

• Presentation, Business, Data Layer Access Control
  • Presentation and Data layers use decorators
  • Read about presentation layer protection
• (Possible) Two tier design for admin account separation
  • The picture of separate control of changing passwords

Input Validation

• Rich text handling via bleach
• File upload support via secure file handling guidelines
• File Handling
• SQL
• Content Security Policy
  • outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters
• (Possible) Third party service
• (Possible) Third party hosted images. Initial processing and per visit processing?

Transport Security

• Full & correct TLS
• HTTP Strict Transport Security

How

• Follow these rules

Cross Domain Controls

• X-frame-options in header options

See that x/frame-option is denied

Type:

> telnet 127.0.0.1 8000

> GET /en-US/msw/ HTTP/1.1

> press enter

Results: See that x-frame-options: DENY is there!

telnet 127.0.0.1 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /en-US/msw/ HTTP/1.1 

HTTP/1.0 200 OK
Date: Thu, 09 Jun 2011 23:41:32 GMT
Server: WSGIServer/0.1 Python/2.7.1
x-frame-options: DENY
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
  <head>
  <title>Hi there</title>
  </head>
  <body>

  <h1>aaiiibarbari</h1>
  
  Hi do I have a good title?

            <ul>
                            <li><a href="/msw/sqlinjection/">page title: SQL Injection</a> </li>
                            <li><a href="/msw/xss/">page title: XSS</a> </li>
                    </ul>
    
  </body>
</html>
Connection closed by foreign host.

Where playdoh set x-frame-option to "deny"

It's in vendor/src/commonware/commonware/response/middleware.py

from django.conf import settings

class FrameOptionsHeader(object):
    """
    Set an X-Frame-Options header. Default to DENY. Set
    response['x-frame-options'] = 'SAMEORIGIN'
    to override.
    """

    def process_response(self, request, response):
        if hasattr(response, 'no_frame_options'):
            return response

        if not 'x-frame-options' in response:
            response['x-frame-options'] = 'DENY'

Cookie Protection

• Secure Flag
• HTTPOnly Flag

Roadmap

1. X Setup playdoh & github
2. X Running HelloWorld
3. X Design Planning
4. X Figure out how to do templates
5. X Figure out how to put in database
6. X Know how to make pages with templates
7. basic: x-frame-options
8. basic: secure flag
9. basic: httponly flag
10. Use bleach for rich text.
11. add decorators for data and business layers
12. read about presentation layer
13. Complete initial presentation layer and CSS for basic item
14. Authentication/login
15. File upload stuff
16. Write about page for each vulnerability

Links References

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines