Course Overview: Web Security Essentials
In this course, we'll learn how to exploit and then mitigate several common Web Security Vulnerabilities: Man in the Middle (MITM), Cross Site Request Forgery (CSRF), and Cross Site Scripting (XSS).
The goal of this course is to introduce you to these attacks from the point of view of an attacker, and then as the defender of a sample application, and to gain first hand experience with how these attacks works. You'll also learn several security "rules of thumb" along the way and discover modern defenses against these attacks that drastically reduce their likelihood of succeeding!
By the end of this course, you’ll know how to recognize these vulnerabilities in your own application and have strategies to mitigate and defend against all of them. You'll feel more confident in your ability to write secure code, and my hope is that you'll be inspired to continue your security journey and help make the internet a safer place for all of us.
For the code on GitHub, it's the tags that correspond to the lesson title and not the branch name.
1:08 First, download charlesproxy. Link is broken. https://www.charlesproxy.com/download/
If you are running a VPN, you'll need to start Charles Proxy before starting your VPN. https://www.charlesproxy.com/documentation/faqs/vpn-not-working-with-charles/
This took me some time to figure out so I thought I would give a heads up.
1:08 First, download charlesproxy. Link is broken. https://www.charlesproxy.com/download/
Thanks for this! I went ahead and got all of these links fixed for you guys.
The "code /etc/hosts" command is supposed to open the file in VS Code. If you have VS Code installed but the terminal does not recognize the code command, follow the directions for Launching from the command line here: https://code.visualstudio.com/docs/setup/mac
This is a security course and one of the first things you instruct people to do is sudo npm install which is dangerous, a bad idea, and really shouldn't be required. I'd suggest re-recording the first episode and removing that. Here's the first blog post that came up when I googled sudo npm install: https://medium.com/@ExplosionPills/dont-use-sudo-with-npm-still-66e609f5f92
Hi Aaron,
I agree. In general, you should never use sudo for a command that you don't have to. In the generic case of npm install, indeed if a malicious script was present it would execute with escalated privs... a terrible idea.
However, in this specific case of npm install, you are installing the dependencies that are in the package-lock.json file, which are locked to known safe dependencies. So for the purpose of this course, running this specific sudo npm install is perfectly safe.
The other reasons for not sudo npm installing are not security related, and again, as generic advice make sense.
It just so happens though that those reasons don't apply to the specific sudo npm install we're doing.
Hi Mike,
Though you may have personally audited all of the dependencies here: https://github.com/mikesherov/web-security-essentials/blob/master/package-lock.json your viewers will likely not have. Asking people to run sudo npm install without a giant warning and encouraging them to first audit those dependencies is what I have a problem with, especially in a course about security.
The bigger question is, why require sudo npm install in the first place?
Hi Aaron,
The package https-localhost, which we use to get a local https server running which installs a root cert on your computer to avoid the "self signed certificate" warnings you'd get with local https otherwise, can require some of its files to be owned by root when it automates this setup. Several of my students who attended workshops, and myself included had this issue. The package itself notes this in its install instructions (look for it says "this may require sudo") underneath the npm install step.
https://github.com/daquinoaldo/https-localhost/
The point of the lesson is to set up the course as quickly as possible, and asking my students to audit the dependencies in the lock file when I know they are safe provides a distraction.
I appreciate your feedback here and will incorporate it into future lessons but I feel confident this is the right choice for this lesson, which has a goal to get you up and running.
Thanks again for taking the time to discuss this issue and call it out, it's valuable!
On Windows, this did not work, but if you use cross-env-shell inside packages.json on the start and start:evil command, it works. Tips here: https://stackoverflow.com/questions/58924328/generic-node-js-init-cwd-for-windows-and-nix
Just launched the sudo npm run start:evil.com. Server seems to be working, but nothing displays on evil.com:666/index.html in the browser
Just launched the
sudo npm run start:evil.com. Server seems to be working, but nothing displays onevil.com:666/index.htmlin the browser
Nevermind the whole address is not evil.com:666/index.html but https://evil.com:666/index/html.
Silly me.
Hi Mike,how nodejs listen 80 port?
For me, $INIT_CWD wasn't getting set, so running the sudo npm start command from within the first exercise directory wasn't working for me.
I then tried what the README suggested: nodemon ./site/index.js (again from within ./exercises/01, but I didn't want to have a globally-installed version of nodemon so instead I used: ../../node_modules/.bin/nodemon ./site/index.js
I haven't used npm in a while, so I'm probably missing an easier way of access the executable of a local package, but also worth noting that both from the root directory (or for that matter, from the specific exercise directory, but probably not worth cd'ing into it in this case) you use yarn to easily access the local nodemon executable and run the exercise:
yarn nodemon ./exercises/01/site/index.js
Just posting this in case it helps anyone :)