The World Wide Web is continuously expanding. This creates new opportunities for practically all of society. As a result, more and more companies, government agencies and individuals own and use Web sites. However, this development is not without problems. There are security risks that affect Web servers, the local area networks that host Web sites, and even individual users of Web browsers.
The purpose of this session is to investigate the general requirements for Web security and the role of specific security tools in increasing Internet and Web security. Suppose, for instance, that you are a Webmaster or a system administrator. The moment you install a Web server at your site, you expose your network to a number of risks. You are now in the position of having to find solutions to the following issues:
Exactly what types of security risks do you have to face?
What general security precautions should you take?
What are the most important steps you would recommend for securing a new Web server?
Read through the OER Notes and learn about the security demands of the modern Web and Internet.
Transport Layer Security (TLS)
See Section 5.7, The SSL Family of Secure Transaction Protocols for the World Wide Web, of Kessler (the Session 3 OER) at http://www.garykessler.net/library/crypto.html#ssl
IETF. (2006). The Secure Shell (SSH) Protocol Architecture. RFC 4251. Retrieved from: https://www.ietf.org/rfc/rfc4251.txt
IETF. (2000). HTTP Over TLS. RFC 2818. Retrieved from: https://tools.ietf.org/html/rfc2818
Vijayan, J. (2016). 7 Tips for Mitigating Phishing and Business Email Hacks. InformationWeek Dark Reading. Retrieved from: http://www.darkreading.com/vulnerabilities---threats/7-tips-for-mitigating-phishing-and-business-email-hacks/d/d-id/1323608
Rouse, M. (September 2015). Clickjacking. Retrieved from: http://whatis.techtarget.com/definition/clickjacking-user-interface-or-UI-redressing-and-IFRAME-overlay
SQL Injection Attacks
Rubens, P. (2018). How to Prevent SQL Injection Attacks. Retrieved from: https://www.esecurityplanet.com/threats/how-to-prevent-sql-injection-attacks.html
DB Networks. (2015). SQL Injection Defense: There are no Silver Bullets. Retrieved from: http://www.dbnetworks.com/pdf/sql-injection-defense-there-are-no-silver-bullets.pdf
Cross-Site Scripting (XSS)
OWASP. (n.d.). Types of Cross-Site Scripting. Retrieved from: https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting
Common Weakness Enumeration. (2015). CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Retrieved from: https://cwe.mitre.org/data/definitions/79.html
OWASP. (n.d.). Cross Site Scripting (XSS). Retrieved from: https://owasp.org/www-community/attacks/xss/
Cross-Site Request Forgery (CSRF)
OWASP. (n.d.). Cross Site Request Forgery (CSRF). Retrieved from: https://owasp.org/www-community/attacks/csrf
Woschek, M. (2015). OWASP Cheat Sheets. OWASP. Retrieved from: https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf