learning to build a more secure web
Recently I've been working my way through labs along several paths in Portswigger's Web Security Academy. These labs are real-world exercises designed to teach developers common web application security vulnerabilities so they can learn how to best combat them. I decided to work on these exercises partly because of my experience building browser extensions. I typically build extensions that manipulate the DOM in order to remove distracting, distressing, or otherwise frustrating HTML elements for users. As a result, I've spent a substantial amount of time looking at the code for various websites, and it's made me hyperaware of the many ways in which websites are not secure. I wanted a better understanding of the vulnerabilities I was seeing and how to avoid them as a dev.
So far I've completed 40+ labs. Here are a few initial thoughts:
-
This is great information for anyone who works in web development. There are a lot of code conventions for web development designed to limit security vulnerabilities, but the actual vulnerabilities themselves aren't always clear to developers. For me it was helpful to go through exercises on cross-site scripting, cross-site request forgery, and API testing in particular to have a better understanding of what these attacks looked like and how someone might implement them.
-
Many websites are not secure in subtle ways. For example, the web is full of login pages that reveal which credential was incorrect when users try to sign in with a username and password. (Ex. "user not found.") This opens the site up to brute force attacks where attackers, who now have a correct username, can run scripts over an extended period of time to try multiple passwords and increases the likelihood of them finding the right one.
All in all, this has been fun! Even before this, I would frequently peruse network calls and their responses on various websites, so learning how to use Portswigger's Burpsuite software to do this more effectively has been exciting. I also love practical, hands-on learning. In the past I would read articles on some of these vulnerabilities, but they didn't really click until I had to implement them myself. Next I'm going to dive more into API testing for GraphQL, along with server-side vulnerabilities. Beyond the Web Security Academy, I'm hoping to learn more about web application security for browser extensions.
If you're interested in trying some exercises out, you can do so here: Web Security Academy.
I'll be writing more articles on application security in the future. If you'd like to get notified when new articles are posted, subscribe below!