
web-security-fundamentals's Introduction

This is the project used for the Mike.Works Web Security for Web Developers course.

Course outline and slides

What are the pieces?

Getting Set Up

There are a few things you need to ensure you have installed, in order to be ready for this course.

Node.js

You’ll need a relatively recent version (v4.5 or newer, v7 ideally) of node.js installed. On OS X, a great way of doing this without disturbing your existing dev environment is to install NVM. Installation instructions are here.

You’ll know everything is set up properly when you can run

nvm --version # might look like "0.31.4"
node --version # might look like "v7.7.3"
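An added example, not part of the course repository or its README, that scripts the version requirement stated above: a POSIX shell function that parses the output of node --version and reports whether it meets the v4.5 minimum. The function name, the threshold variables and the versions used for illustration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the course repo): check that the installed Node.js
# meets the workshop's minimum of v4.5 before starting the project.
MIN_MAJOR=4
MIN_MINOR=5

# node_version_ok VERSION
# Returns 0 if VERSION (e.g. "v7.7.3") is v4.5 or newer, 1 if it is older,
# and 2 if the string is not a version we can parse.
node_version_ok() {
  ver="${1#v}"                      # drop the leading "v" printed by node
  major="${ver%%.*}"                # text before the first dot
  case "$ver" in
    *.*) rest="${ver#*.}"; minor="${rest%%.*}" ;;   # text between dot 1 and 2
    *)   minor=0 ;;                                  # "v7" counts as 7.0
  esac
  case "$major$minor" in
    *[!0-9]*|"") return 2 ;;        # reject anything that is not digits
  esac
  if [ "$major" -gt "$MIN_MAJOR" ]; then
    return 0
  fi
  if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
    return 0
  fi
  return 1
}

# When run directly, check whatever node is on PATH (does not abort so the
# function above can also be sourced from another script).
if command -v node >/dev/null 2>&1; then
  installed="$(node --version 2>/dev/null || echo v0.0.0)"
  if node_version_ok "$installed"; then
    echo "node $installed is new enough for the workshop"
  else
    echo "node $installed is older than v$MIN_MAJOR.$MIN_MINOR; install a newer one (e.g. with nvm)"
  fi
else
  echo "node is not on PATH; install Node.js (e.g. with nvm) first"
fi
```

Because the comparison is numeric on major and minor rather than a string compare, v10.x correctly sorts above v4.5 and v7.7, which a plain string comparison would get wrong.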

Visual Studio Code

Particularly if you’ve never tried it before, you should install Microsoft Visual Studio Code. Some fantastic extensions that I use regularly include

Check out and setup the project for this workshop

git clone git@github.com:mike-works/web-security-fundamentals.git websec
cd websec
npm install

Troubleshooting

What if I have an older version of Node.js?

You may run into problems during the workshop! An easy way to deal with this is to...

  • install nvm by running
    curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.4/install.sh | bash
    or, with Wget:
    wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.33.4/install.sh | bash
  • then restart your terminal
  • then run
    nvm install stable
    nvm use stable
    nvm alias default stable

What if I get an error like Please install sqlite3 package manually?

If you use OS X, it can be installed with Homebrew:

brew install sqlite3

Windows and Linux users, please install the appropriate official release.

How to use it

This workshop builds on a single example project, step-by-step. You can start the project by running

npm start

License

While the general license for this project is the BSD 3-clause, the exercises themselves are proprietary and are licensed on a per-individual basis, usually as a result of purchasing a ticket to a public workshop, being a participant in a private training, being a current LinkedIn engineering employee or having a Front End Masters membership.

Here are some guidelines for things that are OK and NOT OK, based on our understanding of how these licenses work:

OK

  • Using everything in this project other than the exercises (or accompanying tests) to build a project used for your own free or commercial training material
  • Copying code from build scripts, configuration files, tests and development harnesses that are not part of the exercises specifically, for your own projects
  • As an owner of an individual license, using code from tests, exercises, or exercise solutions for your own non-training-related project.

NOT OK (without express written consent)

  • Using this project, or any subset of exercises contained within this project to run your own workshops
  • Writing a book that uses the code for these exercises
  • Recording a screencast that contains one or more of this project's exercises

Copyright

© 2018 Mike.Works, All Rights Reserved

This material may not be used for workshops, training, or any other form of instructing or teaching developers, without express written consent

web-security-fundamentals's People

Contributors

dependabot-support, dependabot[bot], dtauer, greenkeeper[bot], lisaychuang, mike-north, renovate-bot, renovate[bot], semantic-release-bot


web-security-fundamentals's Issues

Action required: Greenkeeper could not be activated 🚨

🚨 You need to enable Continuous Integration on all branches of this repository. 🚨

To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because we are using your CI build statuses to figure out when to notify you about breaking changes.

Since we did not receive a CI status on the greenkeeper/initial branch, we assume that you still need to configure it.

If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with greenkeeper/.

We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.

Once you have installed CI on this repository, you’ll need to re-trigger Greenkeeper’s initial Pull Request. To do this, please delete the greenkeeper/initial branch in this repository, and then remove and re-add this repository to the Greenkeeper integration’s white list on Github. You'll find this list on your repo or organization’s settings page, under Installed GitHub Apps.

Possible readme improvement: Adding sqlite3 through npm if brew doesn't work out

Hi,

when our team tried to set up the workshop project, several devs ran into an issue with the installation of sqlite3.
It might be that the suggestion in the readme, to install with brew (brew install sqlite3) is not working properly for some people on more recent macOS versions. On Ventura what worked for us was uninstalling the brew version and using npm instead:

npm uninstall sqlite3 (to get rid of the brew version)
sudo npm install sqlite3
npm install
npm start

I couldn't add a PR to include this into the readme, so I thought I'll add it as an issue for either people who have the same issue to find or for you to add it to the readme.

Thanks for the great workshop. :)

An in-range update of sequelize is breaking the build 🚨

Version 4.37.8 of sequelize was just published.

Branch Build failing 🚨
Dependency sequelize
Current Version 4.37.7
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

sequelize is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Release Notes v4.37.8

4.37.8 (2018-05-19)

Bug Fixes

  • query-generator: regexp operator (ab1c1e3)
Commits

The new version differs by 1 commit.

  • ab1c1e3 fix(query-generator): regexp operator

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of commander is breaking the build 🚨

Version 2.16.0 of commander was just published.

Branch Build failing 🚨
Dependency commander
Current Version 2.15.1
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

commander is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Release Notes v2.16.0
  • Remove Makefile and test/run (#821)
  • Make 'npm test' run on Windows (#820)
  • Add badge to display install size (#807)
  • chore: cache node_modules (#814)
  • chore: remove Node.js 4 (EOL), add Node.js 10 (#813)
  • fixed typo in readme (#812)
  • Fix types (#804)
  • Update eslint to resolve vulnerabilities in lodash (#799)
  • updated readme with custom event listeners. (#791)
  • fix tests (#794)
Commits

The new version differs by 17 commits.

  • 4cc348b Merge pull request #822 from abetomo/version_bump_2.16.0
  • 8db14db version bump 2.16.0
  • 1f9354f Remove Makefile and test/run (#821)
  • 3f4f5ca Make 'npm test' run on Windows (#820)
  • 3b8e519 Merge pull request #807 from styfle/patch-1
  • 77ffd4f Merge pull request #814 from DanielRuf/chore/cache-node-modules
  • 6889693 chore: cache node_modules
  • ff2f618 Merge pull request #813 from DanielRuf/chore/remove-nodejs-4-add-nodejs-10
  • d5c1d7d chore: remove Node.js 4 (EOL), add Node.js 10
  • c05ed98 Merge pull request #812 from yausername/fixReadme
  • 55ff22f fixed typo in readme
  • 2415089 Add badge to display install size
  • 89edef0 Fix types (#804)
  • 001d560 Update eslint to resolve vulnerabilities in lodash
  • 988d09b Merge pull request #791 from yausername/master

There are 17 commits in total.

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of helmet is breaking the build 🚨

Version 3.12.1 of helmet was just published.

Branch Build failing 🚨
Dependency helmet
Current Version 3.12.0
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

helmet is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Commits

The new version differs by 3 commits.

  • 65d04cb 3.12.1
  • 7025ed6 Update expectCt to latest; prep for 3.12.1 release
  • d382a90 Update Standard and Supertest to latest versions

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of helmet-csp is breaking the build 🚨

Version 2.7.1 of helmet-csp was just published.

Branch Build failing 🚨
Dependency helmet-csp
Current Version 2.7.0
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

helmet-csp is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Commits

The new version differs by 7 commits.

  • 4880b53 2.7.1
  • ae14f86 Update devDependencies
  • 6941b55 Remove lodash.reduce dependency
  • 7c89159 Update some devDependencies
  • 3b0b4f1 Minor: fix indentation issues in test
  • 297fd6e Merge pull request #71 from davidjb/patch-1
  • e76831a Use uuid module in README, node-uuid is deprecated

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of babel-eslint is breaking the build 🚨

Version 8.2.4 of babel-eslint was just published.

Branch Build failing 🚨
Dependency babel-eslint
Current Version 8.2.3
Type devDependency

This version is covered by your current version range and after updating it in your project the build failed.

babel-eslint is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Commits

The new version differs by 11 commits.

  • 2bd8508 8.2.4
  • 5881648 Add test for template string with object with template string inside (#639)
  • 476426a Support OptionalMemberExpression with scope too (#634)
  • 92874d4 Drop node4 in travis
  • d2ac299 Bump Babel deps
  • e63962d refactor: rename babylon to @babel/parser
  • 873f02f Fix converting template types to handle nested templates (#610)
  • 74a3207 Fix token types for experimental operators (#632)
  • e802577 Add support for the optional chaining operator (#630)
  • ebc46e1 don't require unpad per test fixture, fixes #572 (#618)
  • 9641e4b updates readme for latest eslint & babel-eslint (#607) [skip ci]

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

Missing Account.findById

There is no Account.findById in the /server/models/account.js.
So I can't transfer money between accounts.

Transfer works after I added the following code.

// Sequelize-style static lookup: load one account by its primary key, returning
// only the listed columns, and reject the promise if no such account exists.
Account.findById = function (accountId) {
  return Account.findOne({
    where: { id: accountId },
    attributes: ['id', 'userId', 'name', 'number', 'balance']
  }).then(account => {
    if (!account) throw new Error("No account found");
    return account;
  });
};

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

  • WARN: Using npm packages for Renovate presets is now deprecated. Please migrate to repository-based presets instead.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • fix(deps): replace dependency faker with @faker-js/faker
  • fix(deps): update dependency connect-sqlite3 to v0.9.15
  • chore(deps): update dependency @types/lodash to v4.17.0
  • fix(deps): update dependency ejs-mate to v4
  • fix(deps): update dependency helmet to v7
  • fix(deps): update dependency nodemon to v3
  • 🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

npm
package.json
  • bcrypt 3.0.8
  • body-parser 1.20.2
  • chalk 2.4.2
  • commander 2.20.3
  • connect-flash 0.1.1
  • connect-sqlite3 0.9.13
  • cookie-parser 1.4.6
  • cookie-session 2.1.0
  • cors 2.8.5
  • csurf 1.11.0
  • debug 4.3.4
  • dist-exiftool 10.53.0
  • ejs 2.7.4
  • ejs-mate 3.0.0
  • express 4.19.2
  • express-session 1.18.0
  • faker 4.1.0
  • helmet 3.23.3
  • helmet-csp 2.10.0
  • lodash 4.17.21
  • morgan 1.10.0
  • node-exiftool 2.3.0
  • nodemon 1.19.4
  • sequelize 5.22.5
  • serve-favicon 2.5.0
  • sqlite3 4.2.0
  • @mike-works/js-lib-renovate-config 2.0.0
  • @mike-works/workshop-semantic-release-config 1.0.0
  • @types/lodash 4.14.202
  • babel-core 6.26.3
  • babel-eslint 10.1.0
  • babel-preset-stage-3 6.24.1
  • semantic-release 15.14.0
  • travis-deploy-once 5.0.11
nvm
.nvmrc
travis
.travis.yml
  • node 10.24.1
  • node 8.17.0

  • Check this box to trigger a request for Renovate to run again on this repository

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Cannot find preset's package (github>whitesource/merge-confidence:beta)

An in-range update of body-parser is breaking the build 🚨

Version 1.18.3 of body-parser was just published.

Branch Build failing 🚨
Dependency body-parser
Current Version 1.18.2
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

body-parser is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Release Notes 1.18.3
Commits

The new version differs by 32 commits.

There are 32 commits in total.

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of greenkeeper-lockfile is breaking the build 🚨

Version 1.15.1 of greenkeeper-lockfile was just published.

Branch Build failing 🚨
Dependency greenkeeper-lockfile
Current Version 1.15.0
Type devDependency

This version is covered by your current version range and after updating it in your project the build failed.

greenkeeper-lockfile is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Release Notes v1.15.1

1.15.1 (2018-05-19)

Bug Fixes

Commits

The new version differs by 1 commit.

  • a89874f fix: force push when amending

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of @types/lodash is breaking the build 🚨

Version 4.14.109 of @types/lodash was just published.

Branch Build failing 🚨
Dependency @types/lodash
Current Version 4.14.108
Type devDependency

This version is covered by your current version range and after updating it in your project the build failed.

@types/lodash is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

An in-range update of nodemon is breaking the build 🚨

Version 1.17.5 of nodemon was just published.

Branch Build failing 🚨
Dependency nodemon
Current Version 1.17.4
Type dependency

This version is covered by your current version range and after updating it in your project the build failed.

nodemon is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Status Details
  • continuous-integration/travis-ci/push The Travis CI build could not complete due to an error Details

Release Notes v1.17.5

1.17.5 (2018-05-23)

Bug Fixes

  • in watch, use fully filtered ignore rules (b3fc3a9), closes #1348
Commits

The new version differs by 2 commits.

  • b3fc3a9 fix: in watch, use fully filtered ignore rules
  • ff79835 chore: update stalebot

See the full diff

FAQ and help

There is a collection of frequently asked questions. If those don’t help, you can always ask the humans behind Greenkeeper.


Your Greenkeeper Bot 🌴

Dependency deprecation warning: travis-deploy-once (npm)

On registry https://registry.npmjs.org/, the "latest" version (v5.0.11) of dependency travis-deploy-once has the following deprecation notice:

We recommend to use Travis Build Stages instead

Marking the latest version of an npm package as deprecated results in the entire package being considered deprecated, so contact the package author if you think this is a mistake.

Affected package file(s): package.json

If you don't care about this, you can close this issue and not be warned about travis-deploy-once's deprecation again. If you would like to completely disable all future deprecation warnings then add the following to your config:

"suppressNotifications": ["deprecationWarningIssues"]
