# Security Notes

The OWASP Top 10 lists the ten most common web application security risks. In 2018 they are:
1. Injection
1. Broken Authentication and Session Management
1. Cross-Site Scripting (XSS)
1. Insecure Direct Object References
1. Security Misconfiguration
1. Sensitive Data Exposure
1. Missing Access Control
1. Cross-Site Request Forgeries
1. Using Components with Known Vulnerabilities
1. Unvalidated Redirects and Forwards


## 1. Injection

Injection is where malicious code is run by abusing your system's inputs. 

Two most common types of injection are SQL injection and script injection.

### SQL Injection


#### Example



#### Solutions

Use an ORM.

Don't execute raw SQL strings, use paramterised SQL

Bad
```python
cursor.execute("SELECT * FROM users WHERE id={}".format(user_id))
```

Good
```python
cursor.execute("SELECT * FROM users WHERE id=%s()", user_id)
```

### Script Injection

NoSQL databases, such as MongoDB, are susceptible to Javascript injection. This is where they execute malicious Javascript injected by the attackers.

Python `eval()` and Pickle libraries.

#### Example


#### Solutions


## 2. Broken Authentication and Session Management

This covers a lot of areas:
- Insecure credential storage
- Weak acocunt management (e.g. password recovery)
- Poor session security (e.g. forging, stealing, fixation, poisoning)


### Solutions

Put everything over SSL (Flask and Django have tools to force this)

Use the session management library of your framework, don't write your own. `django.contrib.sessions`, `flask.session`

Don't store data directly in cookies, store them in the session.

Don't leak your secret key (e.g. putting it on GitHub)

## 3. Cross-Site Scripting (XSS)

Executing arbitrary code using the front-end (unlike injection which uses the backend). 

### Example



### Solution 

Use a templating language that autoescapes HTML.


## 4. Insecure Direct Object References

Bad URLs?

Direct reference to an object, e.g. directly referencing an object ID. 

Attackers can change the ID string to access an object they shouldn't have access to with a different ID.

## 5. Security Misconfiguration

Misconfiguring the framework that you're using, for example leaving debug mode on

Leaving debug mode on can leak secure info, like the database credentials or security keys when execptions are raised

No silver bullet to fix this. Secure defaults, documentation, automated tools that check for common mistakes, and security checklists can minimise this, but depends on the developers to do these. 

### Solutions

Django secure package was integrated into Django in 1.8. 

## 6. Sensitive Data Exposure

Displaying insecure data unnecessarily.

Encrypt/hash passwords

## 7. Missing Access Control

Not restricting users access to only access their own data and not the data of others.

Data access control comes with most frameworks, but developers must configure it to work with their code.


## 8. Cross-Site Request Forgery (CSRF)

Linking to another site to perform a malicious action e.g. sending a malicious link in an email. Click jacking does the same, but makes the button invisible so when they go to click on something, the cross-site request is made.

### Solution

Add an ID/input/token to the form to check for each form submission that it matches the one that was issued. This comes in most frameworks. Builted into Django, cannot be turned off.

Security of CSRF sessions depends on security of secret key.

## 9. Using Components with Known Vulnerabilities

Using outdated packages with known security vulnerabilities. 


### Solution

Have a good test suite so that upgrading to newer packages is easier to test.

Use fewer packages.

GitHub has a check for requirements.txt


## 10. Unvalidated Redirects and Forwards


Faking a host header to make an email look like it came from your site, but redirects to someone else's site. 

Don't know how to fix ???


## Sources

https://www.youtube.com/watch?v=sra9x44lXgU