Learning Objectives
In this assignment you will demonstrate:
- An understanding of Web Security principles
- Familiarity with OWASP, especially with its guides and its cheatsheets
- The ability to construct a web server secure from XSS attacks
- The ability to employ CSRF protection in a primitive web server
- The ability to prevent SQL Injection
- Some basic database skills
- The application of validation and fail-fast to a web app
Read and Watch
Read (or skim):
Browse:
Go through:
- Either this Flask tutorial or any modern Express tutorial, depending on whether you prefer to work in JavaScript or Python. Or, use a reference manual or whatever works for you in learning a new framework.
For Submission
Submit via BrightSpace a link to a GitHub repo in which you implement a complete web app, specified as follows.
Using either the Flask micro framework (for Python) or Express (for JavaScript), complete the web app we did in class in our unit on Web Security. Keep everything we did in our code-along, including for instance storing salted hashes of passwords with pbkdf2, storing JWTs in cookies for authentication, and preventing XSS and CSRF attacks. You will just need to add the following:
- A completed implementation of the transfer functionality.
- User enumeration defense.
- A nice README in your GitHub repo.
- Very extensive comments within the source code explaining exactly how you defend against XSS, CSRF, SQL Injection, user enumeration, etc. Comment on your validations and your error handling. Part of your learning experience should be showing and explaining what you learned, so give this project some thought.
If you know CSS, please include some minimal styling in your web app.
For fun, rather than making this a simple banking app where users have a “balance” in monetary units, allow users to hold something else (trading cards, stocks, cryptocurrency, gems, carbon credits, whatever) and make your web app do some fun animations on display and transfer.