Web Security Basics

The security of websites has always been an important topic, and in my opinion it is still somewhat neglected by some developers. We have plenty of new tools, and browsers protect their users more and more, but it is still important for a developer to be clear on some basic concepts.

Basics

Hash

Hashing algorithms are one-way functions: computing hash(x) is quick and cheap, but inverting it (recovering x from the hash) is very slow and expensive, or practically impossible. In most cases they map inputs of arbitrary length to a fixed-length output, with a very low probability that two different inputs collide.

Web Authentication API

WebAuthn uses public key cryptography (asymmetric) instead of passwords or SMS texts for registration, authentication and 2FA.

  • Protection against phishing: a WebAuthn signature is bound to the origin it was requested from, so it will not work on a “similar” web page served from a different domain name.
  • Reduced impact of data breaches: the server only stores the public key, so it does not really matter if that key is stolen.
  • Invulnerable to password attacks: a credential’s private key is much harder to guess by “brute force” than a password is.

Matrix

  • 2019, https://matrix.org/
  • not the movie, but the “matrixed communication”
  • open standard: spec
  • non-profit Matrix.org Foundation
  • decentralized
  • end-to-end encryption
    • olm, megolm
    • based on Signal’s double ratchet
    • extended to support encrypted rooms
  • messaging (IM, rooms, bots, even IoT devices)
  • signaling (for WebRTC, VoIP, video calls)
  • bridging to other IM networks (XMPP, Slack, IRC, Discord, Facebook, …)
  • HTTPS+JSON based by default, but a much lighter UDP-based demo has already been created for ~100bps (!) networks

Rate limiting

Why?

  • DoS - Denial of Service attacks
  • Brute Force attacks
    • collect customer email addresses (signup)
    • reveal username/password pairs (login)
    • send emails (contact us, gift card)

Cross-Site Request Forgery

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Cross Site Scripting (XSS)

Data from an untrusted source gets into the application and is later rendered into the website without being properly validated, sanitized or escaped, so the browser executes it as markup or script.

Cross-Origin Resource Sharing

Modern browsers apply the same-origin policy to some resources, meaning they refuse to load, or restrict access to, resources coming from origins other than the loaded website’s. Servers can implement CORS to describe which origins are permitted to load their resources.

For some HTTP requests, browsers first issue a “preflight” request (HTTP OPTIONS) to check whether the resource is available to the given origin.

PGP/GPG

PGP: Pretty Good Privacy

GPG: GNU Privacy Guard

PGP

  • from 1991
  • cryptographically sign/verify, encrypt/decrypt files, emails, etc.
  • OpenPGP standard, RFC 4880
  • key “verification” via fingerprints, Web of trust
  • public/private keys