    Click-Jacking and a little Phishing – Basic Security Part 8

    by  • 26 July 2012

    NB: This is the eighth post in a series of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using an XSS vector to replace the targets of links (or whole sections of the page) or by putting your page in...


    Server Configuration – Basic Security Part 7

    by  • 25 July 2012

    NB: This is the seventh post in a series of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of time configuring Apache or nginx, or whatever your server of choice is, for performance. But have you configured it for security? I...


    Session Fixation and Hijacking – Basic Security Part 6

    by  • 24 July 2012

    NB: This is the sixth post in a series of posts on web application security. Don’t put session IDs in the URL. Django explicitly does not support this because it’s just dangerous. Use SSL and secure cookies. Use HttpOnly cookies. Is it really that easy? Yes and no. But start there and you’ve already...


    Access Control – Basic Security Part 5

    by  • 23 July 2012

    NB: This is the fifth post in a series of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone, you just: {% if perms.myapp.mymodel %}     <a href="{% url...


    Injections, SQL and otherwise – Basic Security Part 4

    by  • 20 July 2012

    NB: This is the fourth post in a series of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement sent to your database server. The typical example is: "SELECT * FROM users WHERE username = ‘" + username + "’...


    CSRF: Cross-Site Request Forgeries – Basic Security Part 3

    by  • 19 July 2012

    NB: This is the third post in a series of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&to=act2&amt=100000.00 Ignoring how many other bad things are going on here, there’s no validation that...


    XSS: Cross-Site Scripting – Basic Security Part 2

    by  • 18 July 2012

    NB: This is the second post in a series of posts on web application security. XSS covers a number of various attacks, but the common thread is that someone gets to execute code in the context of your web page and domain. Doing that, they can do all sorts of things, primarily collecting data...


    Password Storage – Basic Security Part 1

    by  • 17 July 2012

    NB-1: This is the first post in a series of posts on web application security. NB-2: Fred wrote a great post on password storage. You should read it. I’m assuming we’re talking about web apps, and most web apps have user accounts, and most of those have passwords. That is: I’m assuming you’re storing...


    Best Basic Security Practices (Especially with Django)

    by  • 17 July 2012

    Or: Locking Your Doors This goes along with a talk I gave at Django-NYC in July 2012, but is meant to stand on its own. It is the first in a series of posts, because I realized it was too big for one. Security is proportional. Most apps don’t need two-factor auth—some certainly do—but...


    Putting My Slides Where My Mouth Is

    by  • 17 July 2012

    I’m giving a talk tonight at GetGlue on web app security, particularly with Django. Over the next several days—starting tonight—parts of that talk will be posted here as blog posts (I’ve realized there’s too much material for one post). A while ago I said I didn’t like posting my slides because the slides don’t...
