Web Security

From bibbleWiki
Jump to navigation Jump to search

Introduction

This page is to list all things around Web Security

1. CSRF (Cross-Site Request Forgery)

Definition: A malicious site tricks a user's browser into sending authenticated requests to your server.

Threat Model:

  • Exploits cookie-based sessions
  • Common in form submissions and state-changing requests

Defense Strategies:

  • Synchronizer token pattern
  • Double-submit cookie validation
  • SameSite cookie attributes

Tapir Notes:

  • Use `extractFromRequest` to access headers and cookies
  • Validate CSRF token manually in `serverLogic`

Videos:

Iain's Explanation This is relatively easy. This is where an attacker gets a user to send a link to an already authenticated site with there operation. E.g. in this case, send an email, with a link to change your bank email. Because the browser is already logged on, when the user clicks the link, the existing session cookie gets sent.

2. XSRF

Note: Often used interchangeably with CSRF. Some frameworks (e.g., Angular) use "XSRF" to refer to their CSRF protection mechanism.

Angular Pattern:

  • Sends token in `X-XSRF-TOKEN` header
  • Validates against cookie value

3. CSP (Content Security Policy)

Definition: A browser-enforced policy that restricts what content can be loaded or executed.

Threat Model:

  • Prevents XSS and clickjacking
  • Blocks inline scripts and unauthorized resources

Defense Strategies:

  • Use nonce-based or hash-based CSP headers
  • Avoid `unsafe-inline` and `unsafe-eval`

Example Header: 

Content-Security-Policy: default-src 'self'; script-src 'nonce-abc123'

4. Host Header Validation

Definition: Ensures requests come from expected domains by validating the `Host` header.

Threat Model:

  • DNS rebinding attacks
  • Host header spoofing

Defense Strategies:

  • Use Play’s `AllowedHostsFilter` or validate manually
  • In Tapir, use `ServerRequest.header("Host")` and compare against a whitelist

5. XSS (Cross-Site Scripting)

Definition: Injects malicious scripts into trusted web pages.

Threat Model:

  • Steals cookies or session tokens
  • Defaces content or redirects users

Defense Strategies:

  • Escape output
  • Sanitize inputs
  • Use CSP headers

6. CORS (Cross-Origin Resource Sharing)

Definition: Controls which domains can access your API from the browser.

Threat Model:

  • Unauthorized cross-origin requests
  • Data leakage via exposed endpoints

Defense Strategies:

  • Set strict `Access-Control-Allow-Origin` headers
  • Avoid wildcard origins (`*`) in production

7. Authentication & Authorization

Definition: Verifies identity (authN) and controls access (authZ).

Threat Model:

  • Unauthorized access to protected resources
  • Privilege escalation

Defense Strategies:

  • Use JWTs, OAuth2, or session tokens
  • Implement RBAC or ABAC
  • Validate tokens in Tapir via `.securityIn(...)`

8. Input Validation & Injection Prevention

Definition: Ensures user input doesn’t compromise system integrity.

Threat Model:

  • SQL injection
  • Command injection
  • Header manipulation

Defense Strategies:

  • Use parameterized queries
  • Validate types, formats, and ranges
  • Reject unexpected input early
Retrieved from "https://wiki.bibble.co.nz/mediawiki/index.php?title=Web_Security&oldid=10693"