diff --git a/README.md b/README.md index 2ec01fd..ed0e4a7 100644 --- a/README.md +++ b/README.md @@ -16,5 +16,5 @@ Follow the activities below as the semester progresses. - [H: Token Based Authorization](descriptions/060_token_authorization.md) - [I: Policies and Validation](descriptions/070_policies_validation_ssl.md) - [J: OAuth Protocol and Single-Table Inheritance](descriptions/090_oauth_protocol.md) -- [K: Signed Clients and XSS Prevention](descriptions/100_distributed_security.md) +- [K: Signed Clients and XSS Prevention](descriptions/100_client_side_security.md) - [L: Final Presentations](descriptions/110_final_presentation.md) diff --git a/descriptions/100_client_side_security.md b/descriptions/100_client_side_security.md new file mode 100644 index 0000000..d758974 --- /dev/null +++ b/descriptions/100_client_side_security.md 
@@ -0,0 +1,23 @@ +# Client-side Security: Signed Clients and XSS Prevention + +Our last security tasks of the semester is to help our API trust our client Application, and to ask the user's browser to help prevent cross-site scripting and code injection. + +Relevant code branches for App and API: +- Web App: [signed_protected](https://github.com/ISS-Security/configshare-app/tree/6_signed_protected) +- Web API: [signed_requests](https://github.com/ISS-Security/configshare-api/tree/8_signed_requests) + +1. Signed Client - API Routes that cannot have an auth_token must only accept signed requests + - Update your `SecureMessage` library to sign messages + - At a minimum, all POST requests to API that cannot provide an `auth_token` must be signed + - Send your signed json requests with separate `data` and `signature` parts +2. Preventing XSS/CSRF + - See our in-class [demo code for launching and preventing XSS attacks](https://github.com/ISS-Security/demo-xss) + - clone the demo code and make sure it works on your machine: + - comment out the protection code in the second half of `app.rb` to allow exploiting XSS/CSRF + - remove commenting and allow XSS protection to see that it catches code injection + - copy and modify this protection code to your App + - make a security controller file that enables all these settings (e.g., `/controllers/security.rb`) + - make sure security controller is loaded before `/controllers/base.rb` +3. Implement all remaining functionality of your application and API: + - Accounts must be able to create all relevant resources + - Accounts must be able to share resources between each other where appropriate diff --git a/descriptions/100_distributed_security.md b/descriptions/100_distributed_security.md deleted file mode 100644 index e3c88e1..0000000 --- a/descriptions/100_distributed_security.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Distributed Security: Signed Clients and XSS Prevention - -Our last security tasks of the semester is to help our API trust our client Application, and to ask the user's browser to help prevent cross-site scripting and code injection. - -Relevant code branches for App and API: -- App: [8-xss_protection](https://github.com/ISS-Security/configshare-app/tree/8-xss_protection) -- API: [8-authorize_client_app](https://github.com/ISS-Security/configshare/tree/8-authorize_client_app) - -1. Signed Client - API Routes that cannot have an auth_token must only accept signed requests - - Examples of routes in the demonstration Config-Share API: - - `POST '/api/v1/accounts` - - `POST '/api/v1/accounts/authenticate` - - `GET '/api/v1/github_account` - - Create `Ed25519` public and secret keys for your Application - - You might find it helpful to create a Rake task that generates asymmetric keys for you - - Store your App's secret key in its `config_env.rb` - - Store your App's public key in the API's `config_env.rb` - - Create helper methods in your App and API to sign and verify messages, respectively - - Create a `def self.sign` method in your App's SecureMessage (or similar) library - - Create a `def self.verify` method in your API's SecureMessage (or similar) library - - Modify the relevant service objects of your App and API to sign/verify requests - - note: you should not have any API calls in your controllers -2. Preventing XSS - - See our in-class [demo code for launching and preventing XSS attacks](https://github.com/ISS-Security/demo-xss) - - clone the demo code and make sure it works on your machine: - - comment out the protection code at the bottom of `app.rb` to allow exploiting XSS - - remove commenting and allow XSS protection to see that it catches code injection - - copy and modify this protection code to your App - - consider making a security controller that enables all these settings -3. 
Implement all remaining functionality of your application and API: - - Accounts must be able to create all relevant resources - - Accounts must be able to share resources between each other where appropriate diff --git a/descriptions/110_final_presentation.md b/descriptions/110_final_presentation.md index dbea021..2e69bf6 100644 --- a/descriptions/110_final_presentation.md +++ b/descriptions/110_final_presentation.md @@ -5,7 +5,7 @@ This final week we will present our semester projects and share our thoughts. Here are some criteria for your final presentations: 1. Presentation Time - - 15 Minutes Presentation + - 20 Minutes Presentation - Please share presentation duties among your teammates 2. Outline - Introduction
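Review bot: Nothing blocking in the README hunk; the new link target `descriptions/100_client_side_security.md` matches the file added later in this patch. Because the old `100_distributed_security.md` is deleted in the same change, it is worth grepping the rest of the repository for any other reference to that filename so no stale link survives.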
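Review bot: Step 1 of the new `100_client_side_security.md` only tells students to make `SecureMessage` sign messages; the API side that verifies the signature, the key pair needed for signing, and where each key is stored are no longer described anywhere, so a reader of this file alone cannot complete the step. Carry over the verify helper and key-storage guidance from the previous version, and since the request is sent as separate `data` and `signature` parts, state that the API must verify the signature over the exact serialized `data` it receives, otherwise a re-serialization on either side will make valid signatures fail. Step 2 is now titled "Preventing XSS/CSRF" but the linked demo and every bullet under it describe XSS protection; if the security controller is also meant to cover CSRF, name the setting that does so, as the two are different defences. Minor grammar in the intro: "Our last security tasks of the semester is" should read "Our last security task of the semester is".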
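Review bot: The deletion of `100_distributed_security.md` drops content that the replacement file does not carry over: the list of example routes that cannot carry an `auth_token`, the Ed25519 key generation and the instruction to put the public key in the API's `config_env.rb`, the `def self.verify` method for the API's `SecureMessage`, and the note that controllers should not make API calls directly. If dropping these is intentional, say so in the commit message; otherwise move them into the new file before this is merged, since they are the operational half of the signed-client task.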
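Review bot: The `110_final_presentation.md` hunk changes the presentation slot from 15 to 20 minutes in a commit that is otherwise about renaming the client-side security activity; mention this in the commit message, and check that any schedule or timing guidance elsewhere in the course material that still assumes 15 minutes per team is updated to match.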