Web Security Training
Navigating the web security landscape
I hope you enjoyed the Web Security Essentials course. I'm sure you already learned a lot about web security, common attacks and their defenses. This page offers you further reading material, and links to useful resources.
We send out a bi-weekly newsletter on web security, so if you want to stay up to date, subscribe to our mailing list using the button below.
As an overall introduction, I can highly recommend Mike West's (Google) keynote speech about Hardening the Web Platform. The links below are grouped per module that we covered in the training.
The following resources contain a bit more information about the topics we covered during the course.
An overview of steps to take to prepare the move towards HTTPS
The account of Wired's upgrade to HTTPS, Part 1, Part 2, and the final report
The story of how The Guardian completed their transition towards HTTPS
A blog post about potential abuses of HSTS and HPKP
Facebook's tool to subscribe to Certificate Transparency logs
The intent of Let's Encrypt to support Certificate Transparency through OCSP responses
Below, you find a few pointers to related HTTPS topics.
The free OpenSSL cookbook containing lots of practical details about configuring TLS
Moxie Marlinspike's entertaining talk on Authenticity in TLS
A guide on decrypting TLS traffic in Wireshark
The 'Black Tulip' report on the compromise of DigiNotar
F5 labs' 2016 TLS Telemetry Report, documenting the evolution of various SSL/TLS features
The pointers below explain a few topics from the course in a lot more detail.
An overview of the biggest data breaches over time
A blog post about the advantages of the YubiKey
The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.
Practical advice on addressing the top challenges with implementing U2F-based multi-factor authentication.
A description of Facebook's delegated recovery mechanism
An example of a brute-force attack in practice, worth $5000 in bug bounties
These resources give a bit of context to what we covered in the course.
A detailed account of how Dropbox goes out of its way to store your passwords securely.
A guide from the Belgian government about choosing safe passwords.
Further reading material on authorization and session management
An article on using tokens in a Single Page Application
The original blog post with the list of JWT Best Practices we covered
The SameSite cookie flag explained in more detail
An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE
The full article on the problem with Insecure Direct Object References, and how to address them
Additional information on Cross-Site Scripting and Content Security Policy can be found below.
A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS
The blog post series on deploying CSP at Dropbox
GitHub's well-documented CSP journey
Strict-dynamic, presented by Google engineers at AppSec 2016
An overview of advanced DOM-based XSS attacks with script gadgets
A few practical resources and tools to combat XSS attacks
OWASP's XSS Filter Evasion Cheat Sheet
Netflix on the reason they built Sleepy Puppy
Google's CSP Evaluator tool to check the security of your CSP policy.
The write-up of the decision and impact of removing the AngularJS Expression Sandbox