
DVWA - Damn Vulnerable Web Application

Related: Dev security (OWASP)

Same-origin policy
Security measure for client-side scripting

This mechanism bears particular significance for modern web applications that extensively depend on HTTP cookies[1] to maintain authenticated user sessions, since servers act on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.

It is very important to remember that the same-origin policy applies only to scripts. This means that resources such as images, CSS, and dynamically loaded scripts can be accessed across origins via the corresponding HTML tags[2] (with fonts being a notable exception[3]). Cross-site request forgery attacks take advantage of the fact that the same-origin policy does not apply to HTML tags.

History
The concept of the same-origin policy dates back to Netscape Navigator 2 in 1995.

Cross-origin resource sharing
Mechanism to request restricted resources from another domain

CORS defines a way in which a browser and server can interact to determine whether or not it is safe to allow the cross-origin request.[3] It allows more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. The specification for CORS was originally published as a W3C Recommendation,[4] but that document is obsolete.[5] The currently maintained specification that defines CORS is WHATWG's Fetch Living Standard.[6]

How CORS works
The CORS standard describes new HTTP headers which give browsers a way to request remote URLs only when they have permission.

Simple example
Suppose a user visits and the page attempts a cross-origin request to fetch the user's data from

Preflight example
    OPTIONS /
    Host: service.example.com
    Origin:

OPTIONS - HTTP
The HTTP OPTIONS method is used to describe the communication options for the target resource. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to the entire server.

Syntax
    OPTIONS /index.html HTTP/1.1
    OPTIONS * HTTP/1.1

Examples
Identifying allowed request methods
To find out which request methods a server supports, one can use curl and issue an OPTIONS request:
    curl -X OPTIONS -i
The response then contains an Allow header with the allowed methods:
    HTTP/1.1 204 No Content
    Allow: OPTIONS, GET, HEAD, POST
    Cache-Control: max-age=604800
    Date: Thu, 13 Oct 2016 11:45:00 GMT
    Expires: Thu, 20 Oct 2016 11:45:00 GMT
    Server: EOS (lax004/2813)
    x-ec-custom-error: 1

Preflighted requests in CORS
In CORS, a preflight request with the OPTIONS method is sent so that the server can respond whether it is acceptable to send the request with these parameters.
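The server side of the preflight described in the CORS entry above and in "Preflighted requests in CORS", as an added example that is not part of either original page: the handler answers an OPTIONS request with Access-Control-Allow-* headers only when the Origin, requested method and requested headers are all on an allow-list. The allow-list, the function names and the sample request are constructed for illustration.

```python
# Added example (not from the original pages): a minimal server-side CORS
# preflight decision. Allow-list, function names and the sample request
# below are constructed values.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://www.example.com"}          # constructed allow-list
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "x-requested-with"}


def origin_is_allowed(origin: str) -> bool:
    """Exact-match an Origin value against the allow-list.

    Rebuilding scheme://host from the parsed value rejects lookalikes such
    as 'https://www.example.com.evil.net' that a substring check accepts.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False                      # also rejects the literal "null" origin
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS


def preflight_response(headers: dict) -> tuple:
    """Answer an OPTIONS preflight; returns (status, response headers).

    The browser sends Origin, Access-Control-Request-Method and optionally
    Access-Control-Request-Headers. Without matching Allow-* headers in the
    answer, the browser refuses to send the real request.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "").upper()
    raw = h.get("access-control-request-headers", "")
    requested = {x.strip().lower() for x in raw.split(",") if x.strip()}
    if not origin_is_allowed(origin) or method not in ALLOWED_METHODS:
        return 403, {}
    if not requested <= ALLOWED_HEADERS:
        return 403, {}
    return 204, {
        "Access-Control-Allow-Origin": origin,   # echo the one allowed origin, not "*"
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",   # stop caches serving one origin's answer to another
    }


if __name__ == "__main__":
    # Constructed preflight in the shape of the page's "OPTIONS / Host: ... Origin: ..." example.
    print(preflight_response({"Host": "service.example.com", "Origin": "https://www.example.com",
                              "Access-Control-Request-Method": "POST",
                              "Access-Control-Request-Headers": "Content-Type"}))
```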

Anti-CSRF Tokens in ASP.NET
In short, CSRF abuses the trust relationship between browser and server. This means that anything a server uses to establish trust with a browser (e.g., cookies, but also HTTP/Windows Authentication) is exactly what allows CSRF to take place, but this is only the first piece of a successful CSRF attack. The second piece is a web form or request whose parameters are predictable enough that an attacker could craft his own malicious form/request which, in turn, would be accepted by the target service. Then, usually through social engineering or XSS, the victim would trigger that malicious form/request submission while authenticated to the legitimate service. This is where the browser/server trust is exploited.

To prevent CSRF in ASP.NET, anti-forgery tokens (also known as request verification tokens) must be used. These tokens are simply randomly generated values included in any form/request that warrants protection.
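The anti-forgery token pattern described above, as an added example in Python that is not the original page's code and not ASP.NET's own implementation: the token is an unpredictable value bound to the authenticated session, so a forged cross-site form that rides on the victim's cookie still fails the check. The session id, the secret key and the form field name are constructed for illustration.

```python
# Added example (not from the original page, not ASP.NET's implementation):
# a synchronizer token bound to the session. Session ids, the key and the
# form contents are constructed values.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # in practice loaded from configuration


def issue_token(session_id: str) -> str:
    """Mint a token for this session: nonce || HMAC(key, session_id:nonce).

    The random nonce makes the value unpredictable; covering the session id
    with the MAC means a token minted for one session fails in another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str) -> bool:
    """Accept a submitted token only if it was minted for this session."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False                     # missing or malformed token
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(session_id: str, form: dict) -> str:
    """A state-changing endpoint: the session cookie alone must not suffice.

    A cross-site form can carry the victim's cookie but cannot read or
    guess the token, so the check below stops the forged submission.
    """
    if not verify_token(session_id, form.get("csrf_token", "")):
        return "403 anti-forgery token missing or invalid"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    sid = "sess-4f2a"                                  # constructed session id
    good = {"csrf_token": issue_token(sid), "to": "acct-9", "amount": "10"}
    print(handle_transfer(sid, good))                   # legitimate form: 200
    print(handle_transfer(sid, {"to": "x", "amount": "10"}))   # forged form: 403
```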

Cipherli.st - Strong Ciphers for Apache, nginx and Lighttpd

X-Frame-Options - HTTP
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. The added security is only provided if the user accessing the document is using a browser that supports X-Frame-Options.

Syntax
There are three possible directives for X-Frame-Options:
    X-Frame-Options: deny
    X-Frame-Options: sameorigin
    X-Frame-Options: allow-from

Directives
If you specify deny, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will also fail when loaded from the same site.
deny: The page cannot be displayed in a frame, regardless of the site attempting to do so.
sameorigin: The page can only be displayed in a frame on the same origin as the page itself.
allow-from uri: The page can only be displayed in a frame on the specified origin.
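The three directives above worked through as the decision a supporting browser makes, as an added example that is not part of the original page: given the header value, the framed page's URL and the framing page's URL, the function says whether the page may render in the frame. The origins used are constructed; the handling of an absent or unrecognised header value is the assumption stated in the comments.

```python
# Added example (not from the original page): how a browser that supports
# X-Frame-Options decides whether a page may render inside a frame. The
# URLs below are constructed values.
from typing import Optional
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its origin: scheme://host[:port], lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_allowed(xfo: Optional[str], page_url: str, framing_url: Optional[str]) -> bool:
    """Return True if page_url may be rendered inside a frame owned by framing_url.

    xfo is the X-Frame-Options value, or None when the response has no such
    header; framing_url is None when the page is loaded top-level.
    """
    if framing_url is None:
        return True                       # not framed: the header does not apply
    if xfo is None:
        return True                       # no header, no protection (the page's caveat)
    parts = xfo.strip().split(None, 1)
    directive = parts[0].lower() if parts else ""
    if directive == "deny":
        return False                      # fails even when the framer is the same site
    if directive == "sameorigin":
        return _origin(page_url) == _origin(framing_url)
    if directive == "allow-from" and len(parts) == 2:
        return _origin(framing_url) == _origin(parts[1])
    # Assumption for this example: an unrecognised value gives no protection,
    # so a typo in the header is treated as if the header were missing.
    return True
```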

Content Security Policy (CSP) - HTTP
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.

CSP is designed to be fully backward compatible (except CSP version 2, where there are some explicitly mentioned inconsistencies in backward compatibility; more details in section 1.1 of the specification). Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP simply ignore it, functioning as usual and defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

Alternatively, the <meta> element can be used to configure a policy, for example:
    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src child-src 'none';">

OWASP Juice Shop Project
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Description
Juice Shop is written in Node.js, Express and Angular. The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a “guinea pig” application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs. Translating “dump” or “useless outfit” into German yields “Saftladen”, which can be reverse-translated word by word into “juice shop”.

Defense in depth (computing)
Physical controls are anything that physically limits or prevents access to IT systems: fences, guards, dogs, CCTV systems and the like. Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and Windows Active Directory. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not to the physical systems themselves. Administrative controls are an organization's policies and procedures. The use of non-standard ports is not a valid means of security. Using more than one of these layers constitutes defense in depth.

Swiss cheese model
Model used in risk analysis

Although the Swiss cheese model is respected and considered a useful method of relating concepts, it has been criticised for being used too broadly and without enough other models or support.[2]

Holes and slices
Frosch[8] described Reason's model in mathematical terms as a model in percolation theory, which he analyses as a Bethe lattice.

Active and latent failures
The model includes active and latent failures. In the early days of the Swiss cheese model, from late 1980 to about 1992, attempts were made to combine two theories: James Reason's multi-layer defence model and Willem Albert Wagenaar's tripod theory of accident causation. These attempts to combine the theories still cause confusion today.

Examples of applications
The model has been used in some areas of healthcare. The Swiss cheese model is nowadays widely used within process safety.
