Web Security Training
Navigating the web security landscape
Navigating the web security landscape
I hope you enjoyed the Progressive Web Security course. I'm sure you already learned a lot about web security, common attacks and their defenses. This page offers you further reading material, and links to useful resources. If you want to stay up to date in the future, I highly recommend to subscribe to our mailing list using the button below.
As an overall introduction, I can highly recommend Mike West (Google) his keynote speech about Hardening the Web Platform. The links below are grouped per module that we covered in the training.
The following resources go deeper into the topics we covered during the course.
An overview of steps to take to prepare the move towards HTTPS
An explanation of how the SSL server test comes to its score
An overview of SSL/TLS Deployment Best Practices
The free OpenSSL cookbook containing lots of practical details about configuring TLS
Moxie Marlinspike's entertaining talk on Authenticity in TLS
A blog post about potential abuses of HSTS and HPKP
The 'Black Tulip' report on the compromise of DigiNotar
Facebook's tool to subscribe to Certificate Transparency logs
Below, you find a few pointers to useful information if you're deploying TLS or HTTPS in practice.
A detailed explanation of what happens during the initialisation of an HTTPS connection
Mozilla's operational guide to TLS
A guide on decrypting TLS traffic in Wireshark
The intent of Let's Encrypt to support Certificate Transparency through OCSP responses
A detailed account of setting up Certificate Transparency with a TLS Extension
F5 labs' 2016 TLS Telemetry Report, documenting the evolution of various SSL/TLS features
The links below explain a few topics from the course in a lot more detail.
An excellent write-up of the cryptographic errors that have been uncovered in the Adobe breach
A blog post about the advantages of the YubiKey
The FIDO U2F security reference, which clearly gives an overview of the threats U2F counters.
The SameSite cookie flag explained in more detail
An account from an IE engineer who came up with cookie prefixes, which are ironically supported by most browsers except IE
The original blog post with the list of JWT Best Practices we covered
The full article on Insecure Direct Object References
A deep dive into OAuth and OpenID Connect
An explanation of the reason why OAuth is not an authentication protocol
A few pointers to some practical information on authentication and authorization.
An overview of the biggest data breaches over time
A detailed account of how Dropbox goes out of their way to store your passwords securely.
Practical advice on addressing the top challenges with implementing U2F-based multi-factor auhtentication.
A description of Facebook's delegated recovery mechanism
Using authentication tokens in a Single Page Application
An example of a brute-force attack in practice, worth $5000 in bug bounties
A simplified yet practical explanation of OAuth 2.0
Additional information on Cross-Site Scripting and Content Security Policy can be found below.
A very clear overview of XSS attacks and defenses, ideal to sharpen your understanding of XSS
A detailed blog post on template injection in AngularJS applications using the orderBy filter
The blog post series on deploying CSP at Dropbox
GitHub's well-documented CSP journey
Strict-dynamic, presented by Google engineers at AppSec 2016
A few practical resources and tools to combat XSS attacks
OWASP's XSS Filter Evasion Cheat Sheet
Netflix on the reason they built Sleepy Puppy
The CSP Playground, which includes a policy validator for CSP
Google's CSP Evaluator tool to check the security of your CSP policy.
The write-up of the decision and impact of removing the AngularJS Expression Sandbox
Further reading material on the latest developments in browser communication technologies.
A well-documented guided tour of CORS
A very complete explanation of the Server-Sent Events protocol
The inner workings of WebSocket compression explained in detail
A good explanation of CSWSH, or Cross-Site WebSocket Hijacking in full
A very impressive WebRTC demo, that goes a bit further than video conferencing
The full report on the WebRTC security assessment by the imec-DistriNet Research group