Web Security Training
Navigating the web security landscape
I hope you enjoyed the training on modern web application security. This page offers you further reading material and links to useful resources. If you want to stay up to date in the future, I highly recommend following me on Twitter.
A couple of videos talking about security in general.
A very good keynote speech from Mike West (Google) about Hardening the Web Platform
An interview with Maarten Decat (Elimity) on authorization in web applications
An interview with Mathy Vanhoef (KU Leuven), the researcher behind the KRACK attacks, on the insecurity of wireless networks
An interview with Matias Madou (Secure Code Warrior) on mitigating common vulnerabilities
A few general resources on the topics we discussed can be found below.
A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS
The blog post series on deploying CSP at Dropbox
GitHub's well-documented CSP journey
Strict-dynamic, presented by Google engineers at AppSec 2016
A well-documented guided tour of CORS
The original blog post with the list of JWT Best Practices we covered
An article covering the motivation of using the key ID (kid) with JWT tokens
The video covering various CORS misconfigurations and their potential consequences
The SameSite cookie flag explained in more detail
An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE
Below are a couple of resources on addressing security issues directly related to AngularJS and Angular.
The write-up of the decision and impact of removing the AngularJS Expression Sandbox
A detailed blog post on template injection in AngularJS applications using the orderBy filter
Documentation of the $http provider (1.x) and the HttpClient (2+), each of which has a separate section on security considerations
An article covering Angular's CSRF protection in more detail
The angular-jwt library, which offers out-of-the-box support for whitelisting domains
Below are a couple of resources on addressing security issues in SAP