Securing Java Web Applications Through Authentication
Your users' usernames and passwords are the keys to the kingdom. Watch and apply this course in order to approach authenticating and managing secure data in Java web applications with greater confidence.
What you'll learn
How long would your users' usernames and passwords survive an attack? In this course, Securing Java Web Applications Using Authentication, you will gain the ability to detect and mitigate authentication vulnerabilities. First, you will detect enumeration vulnerabilities. Next, you will find brute force vulnerabilities. Then, you will detect plaintext password vulnerabilities. Finally, you will explore how to log securely in order to detect attacks at runtime. When you're finished with this course, you will have the Application Security skills and knowledge needed to securely authenticate users.
Table of contents
- Ashley Madison, Part II 1m
- What Is Enumeration? 2m
- Detecting Enumeration Using Tests 2m
- How Would a Hacker Guess My Username? 1m
- Exploiting Enumeration to Find Usernames 1m
- Neither Confirm Nor Deny 2m
- Mitigating Enumeration with Error Messaging 1m
- The Trouble with Constant-time 0m
- Timing Vulnerabilities with .equals() 1m
- Timing Vulnerabilities with Authentication 1m
- Mitigating Enumeration with a Constant-time Algorithm 1m
- Mitigating Enumeration with Indexes 1m
- Mitigating Enumeration with Focused Queries 1m
- Mitigating Enumeration with Asynchronous Dispatch 1m
- Anti-pattern: Mitigating Enumeration with Random Jitter 1m
- Review 1m
- Hackers and Three-year Olds 1m
- Brute Forcing and the ASVS 1m
- Detecting Brute Force with Tests 1m
- Spot the Bad Password 1m
- Brute Forcing with John the Ripper 3m
- Have You Changed All Your Default Passwords? 2m
- Mitigating Brute Force by Removing Trojans 1m
- Mitigating Brute Force by Automating Default Password Change 1m
- Soft Lockout vs. Hard Lockout 2m
- Mitigating Brute Force with a Soft Lockout 2m
- Securely Verifying the IP Address 1m
- Mitigating Brute Force with IP Soft Lockouts 1m
- One More Reason to Add Two-factor Authentication 1m
- Using RFC 6238 to Add Two-factor Authentication 1m
- Mitigating Brute Force with Two-factor Authentication 4m
- Testing It All Out 1m
- Further Strengthening Two-factor Authentication 2m
- Passwords and Panic Attacks 1m
- No Plaintext Passwords Anywhere 2m
- Performing MITM with Bettercap 2m
- TLS in Java 2m
- Generating and Trusting a Self-signed Certificate with Keytool 4m
- Getting Browsers to Trust Your Self-signed Certificate 1m
- Enforcing HTTPS with Java Servlets 3m
- Enforcing HTTPS with Spring Boot and Spring Security 2m
- Enforcing HTTPS with HSTS 2m
- Token-based Authentication 4m
- Protecting Passwords with OAuth 2m
- Federation 2m
- Protecting Passwords with Federation 2m
- Review 1m
- Name That Password 1m
- The Importance of Entropy 2m
- Allowing Special Characters and Long Passwords 1m
- Why LUNS Isn't Enough 2m
- Improving on LUNS with Nbvcxz 2m
- One Trillion Guesses Per Second 1m
- Verifying High Entropy with Unit Tests 1m
- Password Storage Maturity Model, Level One 1m
- Password Storage Maturity Model, Level Two 2m
- Password Storage Maturity Model, Level Three 2m
- Strengthening Password Storage with BCrypt 1m
- Upgrading Password Storage with Spring Security 1m
- Scripting Password Storage Upgrades with Spring Security 1m
- Rehashing Insecure Storage Mechanisms 0m
- Rehashing Insecure Storage Mechanisms with Spring Security 1m
- Exploiting Password Change Vulnerabilities 1m
- Password Change and the ASVS 1m
- What Is Transactional Authorization? 1m
- Securing Password Change with Old Passwords 2m
- Token-based Transactional Authorization 2m
- Token-based Transaction Service Design Principles 2m
- A Secure Password Recovery Outline 1m
- Mitigating Password Recovery Vulnerabilities 4m
- Mitigating Password Recovery Enumeration 1m
- Cleaning up Password Recovery Tokens 0m
- Review 1m
- Things Will Go Wrong 0m
- FOMO on an Epic Hack 2m
- Logging Authentication Events 2m
- Logging as an Aspect 2m
- Logging Authentication Events with Spring Security 2m
- Logging Change Events 1m
- Logging Change Events with Spring Security 1m
- Logging Change Events with Spring Actuator 1m
- Logging Availability, Resource, and Badness Events 1m
- Better Logging for Soft Lockout 1m
- What Information Should Go in a Log 3m
- Never Log These 1m
- Metrics vs. Logs 1m
- A Real-time Log Pipeline 1m
- Creating a Secure Log with Logback 1m
- Monitoring for Secure Events + Conclusion 2m