Course Introduction Hi, I'm Brian Clark, and in this course we'll be talking about web application security and how to apply what we learn to a sample web application. This web application is built using a Node.js server with Express and an Angular UI. But before we go any further, let's talk about why we should care about security. As developers and engineers, we are under great pressure to build applications and to provide the features required of them as quickly and efficiently as possible. We become focused on making sure the application fulfills our business and user needs, but we can get so caught up in this focus that we don't always realize what else we need to take into consideration while implementing these features. This leaves our applications potentially open to security vulnerabilities, and we may not be aware of them.
Protecting Data from Extraction Hi, this is Brian Clark, and the first risk we'll be exploring together is how our data can be exfiltrated from our web applications. This can have serious implications when the data is particularly sensitive, and it can lead to a breakdown in the integrity of our apps. We'll take a look at how an attacker would explore for this type of risk in our sample web application. This will provide us a better understanding of what we're trying to protect against within our applications. Once we've gotten familiar with this risk, we'll talk about the technical definition of the attack used to exploit it, and the high-level approaches that can be used for mitigation. After that, we will actually use those techniques that protect our apps by implementing them in the vulnerable application. We'll take advantage of the Node.js-specific modules that assist in addressing this type of attack, and see just how easy they are to plug in. Let's put our hacker hats on, and attempt to extract information of interest from a web application.
Hide Network Traffic from Snooping Hi, this is Brian Clark, and the second risk we'll be exploring together is how our network traffic between users and our server can be snooped on. It is not something often thought about when building web applications today, but it is a serious risk to both our users and our system. The location from which users may be accessing our web applications can be vulnerable to attackers working on the same network. We'll first see how we can emulate the attack in a simulation on our local machine, thereby identifying the risk that is present with such an attack. After that, we'll discuss the name of such an attack, and walk through a visual example of the attacker's positioning, so that we may better understand the scenario in which this can occur. We'll learn of the way to protect our network traffic from such an attack, and actually implement this protection in the vulnerable application. This implementation will leverage the mechanisms available within the Node.js platform, but the technique can be applied to any other platform as well. Taking on the role of the attacker again, let's attempt to snoop on the vulnerable application's network traffic.
Ensure Legitimacy of Requests Hi, this is Brian Clark, and the third risk we'll be exploring together is illegitimate requests being made on behalf of the application's end user. It is possible that a request a server receives may not have been generated by the client-side code associated with that server. This can happen either by someone formulating the requests using the various tools available, such as a REST client, or through manipulation of the existing client-side code, triggered through hidden mechanisms. We'll first get more acquainted with how this is possible by following along with what an attacker might do in such a scenario. After that, we will learn the name that is used to describe such an attack, and talk through the various ways we can prevent it. Once we're familiar with the prevention approaches, we will implement them in the vulnerable application. Once again, acting as the attacker, let's look at how an attacker might create illegitimate requests against the vulnerable application.
Block Content Hijacking Hi, this is Brian Clark, and the fourth risk we'll be exploring together is the hijacking of our site's content to trick users into clicking things they weren't intending to click. Attackers can use your content without your knowledge and leverage it to trick your authenticated users into executing operations they were not intending to perform. The first thing we'll do is see how this can be accomplished through the vulnerable application, so we know the type of situation we're dealing with. Then we will talk about what vulnerability in web applications makes this possible, and learn of the way we can stop it. After that, we will put this plan into action by implementing the technique within the vulnerable application. One more time, we'll approach the vulnerable application as an attacker and attempt to hijack the content so that we may use it to our advantage.
Summary In this final module, we're going to do a quick recap of everything we learned throughout this course to help solidify the topics of importance. It is crucial that we understand these topics so that we may be conscious of them as we build our web applications in the future. At a high level, we covered four main security topics in this course that we'll briefly review again here. Those topics were cross-site scripting, Man in the Middle, cross-site request forgery, and clickjacking. Let's quickly rehash each one and what we learned about them.