To have a productive workshop experience, please do the following:
- Install Charles
- Add the following to your hosts file, located at `/etc/hosts` (mac/linux): `127.0.0.1 localhost evil.com`
- Ensure you can successfully run the code (~5 minutes)
  - Run `script/dev-setup`
  - Go to the first exercise: `cd exercises/01-session-hijacking`
  - Run `sudo npm start`. If `sudo npm start` fails, try `nodemon ./site/index.js`
  - Open http://localhost.charlesproxy.com and verify you see a login
  - Run `sudo npm run start:evil.com`. If that fails, try `node ./evil.com/index.js`
  - Open https://evil.com:666/index.html and verify you see "thanks for visiting!"
  - Run
- Optional, but recommended: Read prerequisite learning material (~20 minutes)

Credentials for the exercise site's login page:
- Username: `substantial`, Password: `1`
- Username: `attacker`, Password: `1`
The workshop works as a series of exercises located in the `exercises` directory. We will work our way progressively through the concepts. At any point in time, if you get stuck, you can find the solution by running `git show lesson-<lesson number>` (e.g. `git show lesson-2`) or view the solution directly on GitHub at e.g. https://github.com/mikesherov/web-security-essentials/commit/lesson-2. If you're still stuck, don't worry! We'll move on to the next lesson, and you'll have a fresh copy of the working code to work off of.
All of the required npm dependencies you'll need throughout the workshop are already listed in `package.json`. You should only have to run `npm install` once at the very beginning. Our time will be spent working through code and concepts, not waiting for dependencies to finish installing :-).
The workshop uses Express as the server software, but all of the techniques you'll learn apply to any server software. Try not to worry too much about Express-specific questions. The goal is to learn how these attacks work and how to generically mitigate them!
At the beginning of each lesson, you'll `cd exercises/<exercise-number>` and then run `sudo npm start` to start up the server. Saving changes will automatically restart it, thanks to `nodemon`. For a few lessons, you'll also need to start up the attacker's website by running `sudo npm run start:evil.com` in another terminal window.
The workshop is written and tested on a Mac in Chrome. Please use Chrome and a Mac if possible.
You will be learning to exploit and mitigate the following security vulnerabilities and attacks:
- Man-in-the-Middle
  - Simulate a Session Hijacking attack
  - Set up HTTPS
  - Redirect HTTP to HTTPS
  - Set the Secure cookie flag
  - Set up HSTS
- 5 minute break 😅
- CSRF
  - Create an attack
  - Set the sameSite cookie flag
  - Add CSRF tokens to forms and fetch
- 15 minute break 😅
- XSS
  - Create a cookie stealing attack via inline JS injection
  - Set the httpOnly cookie flag
  - Create a body stealing attack via inline JS injection
  - Set up a "report only" CSP directive
  - Block inline script execution and eval with CSP
  - Create a body stealing attack via script injection
  - Block script injection with CSP src nonces
  - Create a credential stealing attack via iframe injection
  - Explicitly allow only needed sources with CSP
Q: When running `sudo npm start` or `sudo npm run start:evil.com`, I see the following error: `EADDRINUSE: another service on your machine is using the current port.`

A: You already have a process running on port 80, 443, or 666. Most likely, it's another node process left running from this workshop. For Windows, please follow these instructions. For Mac/Linux, you can run `sudo killall node`, which will end whatever node processes you currently have running.
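The setup steps above and the EADDRINUSE answer both come down to two environment checks: the hosts file must map evil.com to 127.0.0.1, and ports 80, 443 and 666 must be free before `npm start`. The following preflight script is an added example, not part of the workshop repository; it assumes the usual hosts-file format and that `lsof`, `ss` or `netstat` is available for the port check. The file name `preflight.sh`, the `HOSTS_FILE` override and the function names are the example's own.

```shell
#!/bin/sh
# Workshop preflight check (added example; not part of the web-security-essentials repo).
# Verifies the two things the setup steps and the FAQ depend on:
#   1. the hosts file maps evil.com to 127.0.0.1
#   2. nothing is already listening on ports 80, 443 and 666 (the EADDRINUSE case)
# The port list and the evil.com hostname come from the README; everything else is assumed.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
WORKSHOP_PORTS="80 443 666"

# hosts_maps_to_loopback FILE HOSTNAME
# Succeeds (exit 0) when an uncommented line in FILE maps HOSTNAME to 127.0.0.1.
# Comments are stripped first, so a commented-out entry does not count.
hosts_maps_to_loopback() {
  awk -v host="$2" '
    { sub(/#.*/, "") }                 # drop full-line and trailing comments
    $1 == "127.0.0.1" {                # first field is the address
      for (i = 2; i <= NF; i++)        # remaining fields are hostnames/aliases
        if ($i == host) found = 1
    }
    END { exit !found }
  ' "$1"
}

# port_in_use PORT
# Succeeds when some process is listening on TCP PORT. Tries lsof, then ss,
# then netstat, because macOS and Linux ship different tools.
port_in_use() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
  elif command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) f = 1 } END { exit !f }'
  else
    netstat -an 2>/dev/null | awk -v p="$1" '$NF == "LISTEN" { n = split($4, a, "[.:]"); if (a[n] == p) f = 1 } END { exit !f }'
  fi
}

# preflight: prints one line per problem and returns the number of problems found.
preflight() {
  problems=0
  if ! hosts_maps_to_loopback "$HOSTS_FILE" evil.com; then
    echo "missing: add '127.0.0.1 localhost evil.com' to $HOSTS_FILE"
    problems=$((problems + 1))
  fi
  for port in $WORKSHOP_PORTS; do
    if port_in_use "$port"; then
      echo "port $port is in use; stop the old server (sudo killall node on mac/linux) before npm start"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ] && echo "preflight ok"
  return "$problems"
}

# Run the checks when this file is executed as preflight.sh (exit status = number
# of problems); sourcing it under another name only defines the functions.
case "${0##*/}" in preflight.sh) preflight; exit $? ;; esac
```

Save it as `preflight.sh` and run `sh preflight.sh` before `script/dev-setup`; a non-zero exit status means something above needs fixing. Setting `HOSTS_FILE` lets you point it at a different hosts file.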
This material is available for private, non-commercial use under the GPL version 3. Please contact me at [email protected] for permission to use for any other use.