Web Security Training

Navigating the web security landscape


Blog Archive

Click on a headline to read a short summary and go to the full post.

Article › The websec digest #21
The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. The headline this edition is another deserialization vulnerability in the Struts framework. As you can imagine, it's causing quite a ruckus.

Resources › What do you mean, Front End Security?
The slides from my talk about front end security at the Front-end Forward meetup in Rotterdam. It gives an overview of what client-side security is about these days.

Article › The websec digest #20
The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. This edition starts with a few troubles in the land of passwords. Two stories dig into recently observed issues with passwords. These issues illustrate how passwords fail in a few specific scenarios.

Article › The websec digest #19
The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. With both BlackHat and DefCon happening in Las Vegas, it has been an exciting couple of weeks. This digest covers several stories from these events.

Article › The websec digest #18
The websec digest gives you a brief overview of significant incidents, technologies, and upcoming events. This edition's headline features a severe vulnerability in the Cisco WebEx browser extension. You must take 5 minutes out of your day to address these issues ASAP.

Article › The websec digest #17
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. The headline of this edition goes to an outstanding research paper, describing a clever man-in-the-middle attack against a password reset system.

Resources › Building secure Angular applications
The slides from my Voxxed Days Luxembourg talk about building secure Angular applications. It covers Angular's built-in XSS protection, and points out how you can use Subresource Integrity, Content Security Policy and Sandboxing to further improve the security of your application.

Article › The websec digest #16
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition starts with a story of the theft of $8000 in bitcoin, even though the wallet was protected with two-factor authentication.

Resources › Secure your code
The slides from my talk about security in Angular applications at the ScaleUp Week in Porto. It starts out with Angular's built-in XSS protection, and continues with a deep-dive into session management in Angular applications. Topics such as cookie flags, cookie prefixes, CSRF and JWT tokens are covered.

Article › The websec digest #15
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition is overshadowed by the WannaCry ransomware epidemic, which has buried the regular web security news feed. Nonetheless, here are a few interesting pointers to check out.

Resources › On the importance of HTTPS
The slides from my talk about HTTPS to a non-technical audience at the Legal Hackers Brussels meetup in Belgium. It covers the basic security properties of HTTPS, as well as common attacks that circumvent its use.

Resources › Boosting the security of your Angular applications
The slides from my talk about security in Angular applications at OWASP AppSec Europe 2017. It starts out with Angular's built-in XSS protection, and continues with a deep-dive into session management in Angular applications. Topics such as cookie flags, cookie prefixes, CSRF and JWT tokens are covered.

Article › The websec digest #14
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition's headline is another technology-based bank heist. This time, the attackers abused weaknesses in the phone system to intercept SMS messages, allowing them to bypass 2FA.

Article › The websec digest #13
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition's headline is the homograph attack against Chrome, Firefox and Opera that had even the best security experts baffled.

Article › The websec digest #12
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition's headline is the DNS-based attack on a Brazilian bank that resulted in a complete takeover of their online presence.

Resources › Building Secure Angular Applications
The slides from my talk about security in Angular applications. It covers Angular's built-in XSS protection, and points out how you can use Subresource Integrity, Content Security Policy and Sandboxing to further improve the security of your application.

Resources › Secure Authentication with OAuth 2.0 in Ember
The slides for the workshop on Secure Authentication with OAuth 2.0 in an Ember application, as given during a workshop at EmberConf 2017.

Resources › Boosting the Security of your Angular Application
The slides from my talk about security in Angular applications. It covers Angular's built-in XSS protection, and points out how you can use Subresource Integrity, Content Security Policy and Sandboxing to further improve the security of your application.

Resources › Demystifying Spring Security headers by example
I talked about Spring Security, and the great job it does enabling various security headers by default. But do you know what they actually mean? Find out in this talk.

Article › The websec digest #11
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition covers two noteworthy stories that dwarf other news: the SHA1 collision produced by Google, and the data leakage over at Cloudflare.

Resources › Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk was given at the OWASP Belgium Chapter meeting in February 2017. Get in touch if you want to invite me to talk for your company or tech group!

Resources › What do you mean, Front End Security?
The slides from my talk about front end security at the JSBe meetup. It gives an overview of what client-side security is about these days.

Article › The websec digest #10
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This is the tenth edition already, and the headline is a cross-browser fingerprinting technique, which can be used to track you, even if you switch browsers.

Resources › Keeping Untrusted Code out of Your Angular Application
The slides from my talk about untrusted code in Angular applications. It covers Subresource Integrity and the iframe sandbox attribute.

Article › The websec digest #9
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to Cisco, which really screwed up security in their Chrome WebEx plugin.

Article › The websec digest #8
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to the very misleading Guardian article on the backdoor in WhatsApp, which turns out to be a feature to bring encryption to more than 1 billion users.

Article › 2016 in Review
The holiday season is upon us, and 2016 is coming to an end. About time to take a look at the past couple of months, and reflect on our achievements.

Article › The websec digest #7
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, Yahoo! manages to steal the headline once again, as details of another massive data breach came to light.

Article › The new way of doing CSP takes the pain away
Did you know that 95% of CSP policies can easily be bypassed? This shocking revelation came from research done by Google, and the culprits are overly optimistic whitelists. That's the bad news. The good news is that CSP Level 3 comes with a new way of dynamically loading scripts, which fixes these problems, and makes CSP a lot easier to use! Find out what it all means in this article.

Resources › Are we losing the battle for a secure web?
The slides from my guest lecture about web security at UCLL in Leuven. It covers the security landscape in general, and goes into depth into HTTP Strict Transport Security, one of the recent browser-based security policies.

Article › The websec digest #6
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to the nifty JavaScript attack that used steganography to hide malware code in images, to bypass scanning software.

Resources › Boosting the Security of your Angular 2 Application
The slides from my talk about security in Angular 2 applications. It covers Angular's built-in XSS protection, a few patterns you might want to avoid, and some advice on how you can leverage the power of Content Security Policy in your applications.

Resources › Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!

Article › The websec digest #5
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to the breach of 400 million accounts of AdultFriendFinder and associated sites.

Article › The websec digest #4
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. In this edition, the headline goes to the £2.5 million hack of the British banking giant Tesco.

Resources › Are you botching the Security of your AngularJS applications?
I talked about AngularJS' built-in security features at Devoxx Belgium in November. Below, you can find the slide deck and video of that presentation.

Article › The websec digest #3
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. Just like the previous edition, the massive DDoS attacks make it to the headline of this digest.

Resources › Are you botching the Security of your AngularJS applications?
I talked about AngularJS' built-in security features at DevFest Brussels in October. Below, you can find the slide deck for that presentation.

Article › Should you deploy your own CSP reporting endpoint?
Reporting is an extremely powerful feature of CSP, and setting it up is very straightforward. The real challenge lies in promptly acting upon useful reports, and effectively filtering useless reports. Can you set up such a system using the freely available report-uri.io service, or should you roll out your own CSP reporting endpoint? Read on to find an answer to this question.

Article › The websec digest #2
The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. The most important events of this issue are the recent, massive DDoS attacks, and their aftermath.

Article › The websec digest #1
The websec digest gives you a strictly filtered overview of noteworthy incidents, interesting technologies and upcoming events. The most important event of this issue is the Yahoo! hack, which turns out to be a consequence of gross negligence.

Resources › Building Secure EmberJS Applications
I gave a talk on Building Secure EmberJS applications at The Ember Show recently. These are the slides I used for that presentation. Once the video has been made available, I will link to it as well.

Article › Building your First CSP Policy from Scratch
The best way to fully understand what CSP is all about is to get your feet wet. Maybe you've already had your first CSP experience. Chances are that you had a bad time, that you were overwhelmed by errors in the browser console, and that you gave up on CSP altogether. However, in this second post in the CSP series, I'll show you that there is light at the end of the tunnel. As I go through the CSP policy for this site, we'll talk about whitelisting resources, about a common mistake that leads to CSP bypassing attacks, and about when to use unsafe-inline.

Article › A Step-by-Step Guide towards Deploying CSP
If you've been reading this blog, you have already heard about Content Security Policy (CSP), a really powerful and important browser security policy, introduced a few years ago. However, if you have taken a stab at implementing a CSP policy for your application, you may have noticed that there are many hurdles to overcome, you may have sworn profusely, and you may even have kicked CSP out the door altogether. I totally get it: CSP is a really complex beast, and retrofitting CSP to an existing web application can be extremely painful. However, I'm asking you to give CSP another chance, and keep reading to discover how to deploy CSP step by step, and which tools you can use to ease the process.

Article › Don't become a Web Security Dinosaur!
If you're in for a blast from the past, take a look at the screenshot of Yahoo! below. That's an image from back in 1999, when almost everybody used Yahoo! to search the Web. Compared to today, web applications back then looked pretty boring. Modern web applications are prettier and snappier, using technologies such as multimedia elements and capture APIs, various powerful JavaScript APIs and numerous new communication mechanisms, such as WebSockets or WebRTC. But have you also upgraded the security of your applications? Did you know that the web security landscape has changed drastically in the past 4 years? Keep reading to see if you risk becoming a web security dinosaur, and what you can do to prevent this from happening.

Article › A false sense of security by cheating with your security headers
Awareness is one of the most important aspects to get people to secure their web applications. In the last few years, we have seen a steady increase in media attention towards the lack of security, and we have also seen the rise of security scanning services. These services rate certain security aspects of your application, and assign you a score, ranging from F (really bad) to A+ (awesome). Prime examples are the SSL Server Test, driven by Ivan Ristić, and securityheaders.io, driven by Scott Helme. In this article, we explore the challenges of going from an automated scan to a meaningful score, and how website operators game the system to get a better score than they deserve.

Resources › Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!

Article › Preventing Private Key Theft with a Reverse Proxy
With every Web site, there's the risk of total compromise, well illustrated by the severe zero day vulnerabilities that have surfaced in major CMS systems over the past few years. When the exploit leads to a compromised Web server, there are a lot of consequences, and a lot of effort will go to the cleanup. If the site is deployed over HTTPS (and it should be), it's very likely that the server's private key is compromised as well, allowing the attackers to impersonate your server towards your users. In this post, I will explain how you can use a TLS-terminating reverse proxy to stop the theft of your private keys, thereby limiting one aspect of the impact of a breach.

Article › No, not everybody should be a security expert
The Web would be a lot more secure if everybody was a security expert, but that's an utterly unrealistic scenario. Instead, everybody should be aware of security, should learn the basic security principles, and should know when to call in help from security experts. That's exactly what the SecAppDev course stands for. To get you started with Web security, I've included a list of useful resources at the end of this post.

Article › Leveraging 20-year old technology to build more secure Web applications
Ever thought about the security consequences of including JavaScript files from just about anywhere? Or why Cross-Site Scripting attacks are so dangerous? It all comes down to the core security model of the browser, where resources from different origins are separated from each other by the Same-Origin Policy. An understanding of the Same-Origin Policy, the protection it offers and, most importantly, its limits, is crucial for building secure Web applications. In this post, we look into the history of the Same-Origin Policy, and we show how it falls short of protecting Web sites from malicious, third-party code. We conclude with concrete advice on how to integrate third-party code in a more secure way, something you should take to heart.

Article › Are the free SSL/TLS certificates from Let’s Encrypt any good?
Since December 2015, Let's Encrypt has been handing out free SSL/TLS certificates to anyone, hoping to improve the state of security on the Web. But are they any good? Surely they cannot compare to certificates from commercial CAs that cost a few hundred euros? Well, let me show you that you can not only save a lot of money, but also save a lot of time requesting and installing certificates.

Resources › HTTPS, Here and Now
The slides from my presentation at the ICT Security Happening organized by the VDAB Competence Center in Leuven.

Resources › Why Web Security Matters!
The slides from my presentation at the information day on online security for the municipalities of Flemish Brabant.

Resources › Subresource Integrity
The slides from my presentation on Subresource Integrity at the EmberJS Belgium user group.

Resources › Getting Single Page Application Security Right
The slides and full video of my presentation at Devoxx 2015 on how to get Single Page Application security right, by using recent Web security technologies.

Resources › Web Security - Food for Thought
The slides from my presentation at the Impulse.Brussels cybersecurity conference, explaining why Web security is in such a bad shape, and how we can protect our users by leveraging the most recent security policies.

Resources › Securing Your EmberJS Application
The slides from my presentation at the EmberJS Belgium user group, focusing on client-side security in EmberJS applications.

Resources › Securing Your AngularJS Application
The slides from my presentation at the AngularJS Belgium user group, focusing on client-side security in AngularJS applications.