illustration for Web Security Essentials: MITM, CSRF, and XSS

Course

Web Security Essentials: MITM, CSRF, and XSS

1
Course Overview: Web Security Essentials
4m 17s
2
Simulate Man in the Middle Attacks and Inspect Network Traffic with Charles Proxy
3m 1s
3
Add https to a Localhost Express App to Prevent MITM Attacks
2m 33s
4
Redirect All HTTP Traffic to HTTPS in Express to Ensure All Responses are Secure
2m 19s
5
Set the Secure Cookie Flag to Ensure Cookies are Only Sent Over Secure Connections
1m 35s
6
Add HSTS Headers to Express Apps to Ensure All Requests are https Requests
4m 15s
7
Create a Proof of Concept Exploit of a CSRF Vulnerable Website
4m 1s
8
Mitigate CSRF Attacks by Setting the SameSite Cookie Flag in Express
2m 46s
9
Add CSRF Token Middleware to an Express Server to Mitigate CSRF
6m 12s
10
Make an XSS Payload to Read a Cookie from a Vulnerable Website
3m 50s
11
Set the httpOnly Cookie Flag in Express to Ensure Cookies are Inaccessible from JavaScript
1m 27s
12
Make an XSS Payload to Read document.body from a Vulnerable Website
53s
13
Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express
5m 30s
14
Read Document Content from a Vulnerable Website via Script Tag Injection in an XSS Payload
1m 11s
15
Add a Nonce Based script-src Header in Express to Only Allow Scripts that Match the Nonce
3m 7s
16
Prompt Users for Credentials from a Vulnerable Website via iframe Injection
1m 36s
17
Add a default-src CSP Header in Express to Enforce an Allowlist and Mitigate XSS
2m 15s

Prevent Inline Script Execution by Implementing Script-Src CSP Headers in Express

Mike Sherov

InstructorMike Sherov

Share this video with your friends

In this lesson, we'll learn what CSP is and how it can be used to prevent inline scripts from being executed on our vulnerable website. First, we'll deploy CSP in "report only" mode, which will send violations to the endpoint you specify without blocking execution. Then, we'll run CSP in regular mode, which we'll use to completely block inline scripts from executing.

Cygni E-learning

~ 4 years ago

How do you prevent csurf to block this post? I added the route below the routeLogin and routeMessages part but then I get a 403 because of this part:

app.use(function(err, req, res, next) {
  if (err.code !== "EBADCSRFTOKEN") return next(err);

  // handle CSRF token errors here
  res.status(403).send("csrf detected");
});

Mike Sherov(instructor)

~ 4 years ago

Hi Cygni,

Please make sure your CSP route is registered before the CSRF handler. That should fix it! Thanks.