Search posts, tags, users, and pages
What are the basic security measures you would take if you were starting a new project in 2018?
The cool thing about web app security basics is that they don’t really change over time.
For web app security specifically, I’ll say the following.
Sanitize content in different HTML contexts to avoid XSS. Apply defense-in-depth, and use CSP as an additional layer of security. Use SRI if you load resources from a CDN. Check your server configuration, and make sure you serve each resource with the correct MIME type and headers to disable MIME sniffing where applicable. Avoid cookies, and if you must use them, consider applying the SameSite flag. Never trust any data that you do not fully control (e.g. user input, data fetched from a third party, request header values, etc.). Train yourself to have a security mindset: always assume the worst.
IMHO the best (and most fun!) way to learn about all this, is to try and exploit these bugs yourself. There are perfectly legal ways of doing so.
Try to exploit XSS vulnerabilities: https://xss-game.appspot.com/ Hungry for more? Google Gruyere takes it even further: https://google-gruyere.appspot.com/
I used to play a lot of Security CTFs with my friends from KUL (team Hacknam Style 4 lyfe!). These are online competitions where you get access to similar hacking challenges. Every level contains some kind of vulnerability, and exploiting it gives you access to a secret “flag” you can then submit to score points.
With every single CTF I played, I learned something new. I ended up starting a project to collect my (and later, other people’s) write-ups along with the original challenges. Here are some example write-ups for web challenges: