Building and Running Secure Web and Mobile Apps

Posted on March 29, 2018

Web development is hard. Secure web development is harder. Running applications on the internet without security incidents is almost impossible.

A non-exhaustive list of infrastructure services that you rely on for running any website.

The following are references for the talk given at Microsoft Ventures Accellerator on 28th April 2015

References

General

• An illustrated guide to computer security

Security News

• Hackers temporarily take control of Tesla's website and twitter

Fundamentals

• DNS Resource Records

Tools

DNS Recon

• DNS Recon
• Using DNS Recon tool

DirBuster

• DirBuster
• Using DirBuster Video
• Using DirBuster like a pro

wfuzz

• wfuzz
• wfuzz basics
• Bruteforcing web applications
• webslayer a similar tool

fuzzdb

• fuzzdb
• Using fuzzdb for testing website security

Web app URLs default list

• web app urls
• pwnwiki

cewl

• cewl - Wordlist generator

Concepts

• Ocean's 11 Movie Plot
• Trust

OWASP

• OWASP

OWASP Top 10

• OWASP Top 10
• OWASP Mobile Top 10

OWASP A1 Injection

• Injection
• Exploits of a Mom
• Bobby Tables
• SQL Injection
• Command Injection
• XXE

OWASP A3 Cross Site Scripting

• XSS
• Apache.org incident report
• XSS to root in Apache Jira incident
• Apache.org compromised through XSS
• Ubuntu Forums Hacked
• 1.82 Million Usernames stolen in Ubuntu Hack

OWASP A4 Insecure Direct Object Reference

• Insecure Direct Object Reference

OWASP A8 Cross Site Request Forgery

• Cross Site Request Forgery
• Dlink routers vulnerable to DNS hijacking
• Gmail CSRF vulnerability
• All your clouds are belong to us

Automated, Incremental, Encrypted Backups

• Simple Duplicity
• Crashplan - Free Backup software on Win/Lin/Mac

Infrastructure as code

• Infrastructure as code
• Ansible Getting Started