10 things I learned during the Hack Yourself First workshop with Troy Hunt and Scott Helme
Written on 18 June 2019, 10:45pm
- What you require you must also retire
- Browser indicators: we are currently in a transition phase. A few years ago, browsers only highlighted secure behavior; in the near future, they will only flag insecure behavior (e.g. Chrome 75 already labels HTTP sites as ‘Not secure’, but it still shows the green address bar for HTTPS sites with EV certificates)
- HTTPS usage: 78% of page loads overall according to Firefox telemetry, but only 58% among the top 1M websites. However, we are still a long way from browsers defaulting to the HTTPS scheme when loading a website.
- Plaintext HTTP/1.1 is about 8 times slower than encrypted HTTP/2 over HTTPS. https://www.httpvshttps.com/
- Fiddler is really powerful (ex. replay requests, intercept mobile traffic, etc), but Havij (SQL injection) is close to magic when it comes to penetration testing
- Certificate transparency is a really useful tool. The CT monitoring tool is arguably the only useful thing ever created by Facebook
- A few tools: SuperLogout (maybe try this in an incognito window; it will log you out of all the popular websites), ZoomIt (screen zoom and annotation tool), Windows key + . (just try it if you’re on Windows 😉)
- The expectation of privacy is different on a tech website compared to an online dating one
- Trust, but verify: you should trust the CDNs and rely on them for the massive performance improvements, but you must verify what they serve using Subresource Integrity (SRI). Tip: you don’t need to SRI your own assets.
- The main value proposition of the Content Security Policy is mitigating XSS attacks. A strategy to get started: use a non-production environment, deploy the policy in report-only mode, start from `default-src 'none'`, watch the console and build your CSP by cleaning up the console errors one by one.
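The two last takeaways (SRI for CDN assets, and a CSP grown from `default-src 'none'` in report-only mode) are easy to try out in code. The following is an added example, not code from the workshop or from the author; it assumes a constructed sample asset, a hypothetical CDN origin `cdn.example.com`, a hypothetical report endpoint `/csp-report`, and constructed violation reports in the classic `csp-report` JSON shape. It computes and verifies `integrity` values the way a browser does (only the strongest listed algorithm counts), serialises a starter policy into the report-only header, and shows the "fix one console error at a time" step by folding a violation report back into the policy, refusing to loosen the policy for inline script or `eval`.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlsplit

# SRI algorithms from weakest to strongest; a browser checks only the strongest listed.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample asset standing in for a library fetched from a CDN.
SAMPLE_ASSET = b"window.greet = function () { return 'hello'; };\n"


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Build the value of an integrity attribute: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser does.

    Several hashes may be listed; only the ones using the strongest algorithm
    are compared, and any one of them matching is enough. Metadata without a
    usable token is rejected here (a browser would simply skip the check).
    """
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, _ = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            by_algorithm.setdefault(algorithm, []).append(token)
    if not by_algorithm:
        return False
    strongest = max(by_algorithm, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest)
    return any(hmac.compare_digest(actual, t) for t in by_algorithm[strongest])


# The starting policy from the workshop tip: allow nothing, report everything.
# '/csp-report' is a hypothetical endpoint that collects violation reports.
STARTER_CSP = {"default-src": ["'none'"], "report-uri": ["/csp-report"]}


def csp_header(policy: dict, report_only: bool = True) -> tuple:
    """Serialise a policy dict into a (header name, header value) pair."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())
    return name, value


def relax_for_report(policy: dict, report_json: str) -> tuple:
    """Fold one violation report into the policy: the 'clean one error at a time' step.

    Returns (updated policy, source expression added). The source is None for
    inline script or eval: those should be fixed with nonces or hashes rather
    than by adding 'unsafe-inline' / 'unsafe-eval', so the policy is left alone.
    """
    report = json.loads(report_json)["csp-report"]
    # Older reports put the fallback directive in violated-directive ("default-src 'none'");
    # effective-directive names the directive that actually needs a source.
    directive = report.get("effective-directive") or report["violated-directive"].split()[0]
    blocked = report["blocked-uri"]
    if blocked in ("inline", "eval"):
        source = None
    elif blocked == "self":
        source = "'self'"
    else:
        parts = urlsplit(blocked)
        # Allow the origin, not the full URL, so one entry covers the whole library path.
        source = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
    updated = {directive_name: list(sources) for directive_name, sources in policy.items()}
    if source is not None and source not in updated.setdefault(directive, []):
        updated[directive].append(source)
    return updated, source


# Constructed violation reports: a CDN script blocked by the starter policy, and an inline script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/",
    "violated-directive": "default-src 'none'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example.com/lib/app.js",
    "original-policy": "default-src 'none'; report-uri /csp-report",
}})
SAMPLE_INLINE_REPORT = json.dumps({"csp-report": {
    "violated-directive": "default-src 'none'",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
}})


if __name__ == "__main__":
    tag = (f'<script src="https://cdn.example.com/lib/app.js" '
           f'integrity="{sri_hash(SAMPLE_ASSET)}" crossorigin="anonymous"></script>')
    print(tag)
    print(": ".join(csp_header(STARTER_CSP)))
    updated, added = relax_for_report(STARTER_CSP, SAMPLE_REPORT)
    print(f"added {added!r} -> {csp_header(updated)[1]}")
    untouched, added = relax_for_report(STARTER_CSP, SAMPLE_INLINE_REPORT)
    print(f"inline script reported, policy unchanged: {csp_header(untouched)[1]}")
```

Run it and paste the printed `integrity` value into the script tag that loads the CDN copy; `crossorigin="anonymous"` is required for SRI on cross-origin scripts. Iterate `relax_for_report` over the reports your endpoint collects in the non-production environment, and only switch `report_only` to `False` once the console is clean.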
Written by Dorin Moise (Published articles: 264)