Data Security 7, Web Applications II
References for this Part
https://owasp.org/www-project-web-security-testing-guide/stable/
https://owasp.org/www-project-webgoat/
Model Solutions Previous Lesson
DS.6.0
We do not expect you to have finished this exercise given the limited amount of time.
We will give you a couple of general overview hints on backend web applications that may be useful in the current exercise.
The router(s) are the central element of such an application: they receive user requests and assign a controller to deal with each request. The controllers do the logic of the application. They build the response to the request and, as helpers, call on model functions to read or write the necessary data into files and/or databases. When done, they return the completed response to the user.
A router may look like:
|
|
In line 8, con.isAuth and con.postQuote are controller functions that serve as application-specific middleware.
A controller function may look like:
|
|
A model function in turn could be something like:
|
|
If you need to pass info from one middleware function to the next, you may create the necessary variable in the response object, such as:
|
|
where your variable is auth and its value is true, or whatever you need it to be.
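The router, controller and model pieces described above, assembled into one runnable sketch. This is an added example, not code from the course slides or model solution: the names runRoute, isAuth, postQuote and saveQuote, the in-memory quotesStore standing in for a file or database, and the session shape are all assumptions. It needs no Express install; a tiny runRoute stands in for the framework router so the middleware chain and the auth flag passed through the response object can be seen end to end.

```javascript
// Added example (not from the lecture slides): dependency-free sketch of the
// router -> controller -> model pattern. runRoute, isAuth, postQuote, saveQuote
// and the session layout are assumptions, not the course's own code.

// --- model: reads/writes data. An in-memory array stands in for a file or DB.
const quotesStore = [];

function saveQuote(store, author, text) {
  // Validate before anything reaches storage: reject non-strings, blanks, oversized input.
  if (typeof text !== "string" || text.trim() === "" || text.length > 280) {
    return null;
  }
  const record = { id: store.length + 1, author, text: text.trim() };
  store.push(record);
  return record;
}

// --- controllers: application-specific middleware with the (req, res, next) shape.
function isAuth(req, res, next) {
  // Constructed check: a session carrying a user name counts as "logged in".
  if (req.session && typeof req.session.user === "string") {
    res.auth = true;          // hand info to the next middleware via the response object
    res.user = req.session.user;
    return next();
  }
  res.status = 401;
  res.body = { error: "authentication required" };
  // Not calling next() stops the chain here, so postQuote never runs.
}

function postQuote(req, res, next) {
  if (!res.auth) {            // defence in depth: do not rely on route order alone
    res.status = 403;
    res.body = { error: "forbidden" };
    return;
  }
  const saved = saveQuote(req.store, res.user, req.body && req.body.text);
  if (!saved) {
    res.status = 400;
    res.body = { error: "invalid quote" };
    return;
  }
  res.status = 201;
  res.body = saved;
}

// --- router: maps "METHOD /path" to an ordered middleware chain and runs it.
const routes = {
  "POST /quote": [isAuth, postQuote],
};

function runRoute(method, path, req) {
  const chain = routes[`${method} ${path}`];
  const res = { status: 404, body: { error: "not found" } };
  if (!chain) return res;
  let i = 0;
  function next() {
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  }
  next();
  return res;                 // the completed response goes back to the user
}

// Demonstration with constructed requests.
const demoAnon = runRoute("POST", "/quote", { store: quotesStore, body: { text: "hi" } });
console.log(demoAnon.status, demoAnon.body);
const demoOk = runRoute("POST", "/quote", {
  store: quotesStore, session: { user: "alice" }, body: { text: "Trust, but verify." },
});
console.log(demoOk.status, demoOk.body);
```

The point to carry into the exercise is that the auth decision is made once, in isAuth, and communicated to later middleware through the response object; postQuote still checks that flag rather than assuming it was placed after isAuth, and the model validates its input regardless of who called it.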
Resources for securing web applications:
https://owasp.org/www-project-web-security-testing-guide/stable/ found in the refs above
https://owasp.org/www-project-web-security-testing-guide/stable/3-The_OWASP_Testing_Framework/ Check out sections 3 through 3.4
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/ This chapter has many hints on ways to secure your application while testing before deployment.
https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/A-Testing_Tools_Resource Appendix A has a long list of tools you may apply in testing the security of your application.
john, hashcat, and hydra are on the list.
https://www.zaproxy.org/, mentioned in the refs, is another.
Exercises
The intention of today's exercises is to continue your work on Exercise DS.6.0 in order to hand it in before next week's session.