🌐Catatan Seekor: Web Security

"Web security is not just about protecting your website, it's about protecting your users"

📚 Overview

Web Security adalah praktik melindungi website, web application, dan web service dari berbagai ancaman cyber. Ini mencakup perlindungan terhadap serangan yang dapat mengeksploitasi kerentanan dalam aplikasi web.

🎯 Learning Objectives

Setelah mempelajari materi ini, Anda akan mampu:

• Memahami OWASP Top 10 vulnerabilities

• Menerapkan protection terhadap XSS, SQL Injection, dan CSRF

• Mengkonfigurasi security headers dengan benar

• Mengimplementasikan Content Security Policy (CSP)

• Mengamankan komunikasi dengan HTTPS dan SSL/TLS

📖 Table of Contents

• OWASP Top 10

• Cross-Site Scripting (XSS)

• SQL Injection

• Cross-Site Request Forgery (CSRF)

• Security Headers

• Content Security Policy (CSP)

• HTTPS & SSL/TLS

🚨 Web Security Threats

1. Injection Attacks

• SQL Injection: Menyisipkan SQL code ke dalam query database

• NoSQL Injection: Eksploitasi kerentanan NoSQL database

• Command Injection: Menjalankan command system yang tidak sah

• LDAP Injection: Eksploitasi LDAP queries

2. Cross-Site Attacks

• Cross-Site Scripting (XSS): Menjalankan script berbahaya di browser user

• Cross-Site Request Forgery (CSRF): Memaksa user melakukan action yang tidak diinginkan

• Cross-Site Script Inclusion (XSSI): Include script dari domain lain

3. Authentication & Session Issues

• Weak Authentication: Password yang lemah atau tidak aman

• Session Hijacking: Mencuri session ID user

• Insecure Direct Object References: Akses langsung ke resource tanpa validasi

4. Data Exposure

• Sensitive Data Exposure: Data sensitif terekspos

• Insufficient Logging: Logging yang tidak memadai untuk security monitoring

• Security Misconfiguration: Konfigurasi security yang salah

🚀 Quick Start

🔰 Untuk Pemula

1. Mulai dengan OWASP Top 10

2. Pelajari Cross-Site Scripting (XSS)

3. Pahami Security Headers

🎯 Untuk Developer

1. Implementasi Content Security Policy (CSP)

2. Pelajari HTTPS & SSL/TLS

3. Kuasai SQL Injection

📚 Referensi & Resources

🌟 Essential Reading

• OWASP Top 10 - Web application security risks

• OWASP Web Security Testing Guide

• OWASP Cheat Sheet Series - Security implementation guides

• Mozilla Web Security Guidelines

📖 Books

• "The Web Application Hacker's Handbook" by Dafydd Stuttard

• "Web Application Security" by Andrew van der Stock

• "Hacking Web Applications" by Jeremiah Grossman

• "Web Security Testing" by Paco Hope

🎓 Online Courses

• OWASP Web Security Testing Guide

• Coursera: Web Security

• edX: Web Security

• PortSwigger Web Security Academy

🛠️ Tools & Frameworks

• OWASP ZAP - Free security testing tool

• Burp Suite - Web application security testing

• Nmap - Network security scanner

• Nikto - Web server scanner

🔗 Communities & Forums

• OWASP Community

• Web Security Stack Exchange

• Reddit r/websecurity

• HackerOne - Bug bounty platform

🎯 Best Practices

🔐 Input Validation

• ✅ Validate all user inputs

• ✅ Use whitelist approach

• ✅ Implement proper encoding

• ✅ Sanitize data before processing

• ✅ Use parameterized queries

🛡️ Output Encoding

• ✅ Encode all dynamic content

• ✅ Use context-aware encoding

• ✅ Implement proper escaping

• ✅ Validate output format

• ✅ Use security libraries

🔒 Authentication Security

• ✅ Strong password policies

• ✅ Multi-factor authentication

• ✅ Secure session management

• ✅ Account lockout policies

• ✅ Secure password reset

🌐 Transport Security

• ✅ Use HTTPS everywhere

• ✅ Implement HSTS

• ✅ Secure cookie attributes

• ✅ TLS 1.3 configuration

• ✅ Certificate management

🚨 Security Checklist

🔍 Pre-Development

• Security requirements defined

• Threat modeling completed

• Security architecture reviewed

• Security tools selected

🛠️ During Development

• Secure coding practices followed

• Input validation implemented

• Output encoding implemented

• Authentication/authorization in place

• Error handling secure

🧪 Testing & Deployment

• Security testing completed

• Vulnerability assessment done

• Penetration testing performed

• Security headers configured

• SSL/TLS properly configured

📊 Monitoring & Maintenance

• Security monitoring active

• Regular security updates

• Incident response plan ready

• Security training conducted

• Compliance audits scheduled

🔍 Common Vulnerabilities

🚨 OWASP Top 10 2021

1. Broken Access Control - Inadequate access controls

2. Cryptographic Failures - Weak encryption implementation

3. Injection - SQL, NoSQL, LDAP, OS injection

4. Insecure Design - Flaws in design and architecture

5. Security Misconfiguration - Incorrect security settings

6. Vulnerable Components - Outdated or vulnerable dependencies

7. Authentication Failures - Weak authentication mechanisms

8. Software and Data Integrity Failures - Supply chain attacks

9. Security Logging Failures - Insufficient logging and monitoring

10. Server-Side Request Forgery - SSRF attacks

🔓 Additional Threats

• Clickjacking: UI redressing attacks

• File Upload Vulnerabilities: Malicious file uploads

• XML External Entity (XXE): XML parsing vulnerabilities

• Server-Side Template Injection: Template engine vulnerabilities

• HTTP Request Smuggling: Request smuggling attacks

🛡️ Security Controls

🔒 Preventive Controls

• Input validation and sanitization

• Output encoding

• Authentication and authorization

• Secure session management

• HTTPS implementation

🔍 Detective Controls

• Security logging

• Intrusion detection

• Vulnerability scanning

• Security monitoring

• Regular audits

🚨 Corrective Controls

• Incident response

• Patch management

• Security updates

• User training

• Continuous improvement

📊 Implementation Examples

🛡️ Security Headers (Node.js/Express)

const express = require('express');
const helmet = require('helmet');
const app = express();

// Security middleware
app.use(helmet());

// Custom security headers
app.use((req, res, next) => {
  // Content Security Policy
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
  );
  
  // X-Frame-Options
  res.setHeader('X-Frame-Options', 'DENY');
  
  // X-Content-Type-Options
  res.setHeader('X-Content-Type-Options', 'nosniff');
  
  // Referrer Policy
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  
  // Permissions Policy
  res.setHeader(
    'Permissions-Policy',
    'geolocation=(), microphone=(), camera=()'
  );
  
  next();
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});

🔐 SQL Injection Prevention (Python)

import sqlite3
from flask import Flask, request, jsonify

app = Flask(__name__)

# BAD: Vulnerable to SQL injection
def bad_get_user(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Vulnerable query
    query = f"SELECT * FROM users WHERE username = '{username}'"
    cursor.execute(query)
    
    user = cursor.fetchone()
    conn.close()
    return user

# GOOD: Parameterized query (prevents SQL injection)
def good_get_user(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Safe parameterized query
    query = "SELECT * FROM users WHERE username = ?"
    cursor.execute(query, (username,))
    
    user = cursor.fetchone()
    conn.close()
    return user

@app.route('/user/<username>')
def get_user(username):
    try:
        user = good_get_user(username)
        if user:
            return jsonify({
                'username': user[1],
                'email': user[2],
                'status': 'active'
            })
        else:
            return jsonify({'error': 'User not found'}), 404
    except Exception as e:
        return jsonify({'error': 'Database error'}), 500

if __name__ == '__main__':
    app.run(debug=False)  # Disable debug in production

🔒 XSS Prevention (Java/Spring)

import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.HtmlUtils;
import org.owasp.encoder.Encode;

@RestController
@RequestMapping("/api")
public class UserController {
    
    @PostMapping("/user")
    public ResponseEntity<UserResponse> createUser(@RequestBody UserRequest request) {
        try {
            // Validate input
            if (request.getUsername() == null || request.getUsername().trim().isEmpty()) {
                return ResponseEntity.badRequest().body(new UserResponse("Username is required"));
            }
            
            // Sanitize input to prevent XSS
            String sanitizedUsername = Encode.forHtml(request.getUsername());
            String sanitizedEmail = Encode.forHtml(request.getEmail());
            
            // Process sanitized data
            User user = new User();
            user.setUsername(sanitizedUsername);
            user.setEmail(sanitizedEmail);
            
            // Save user
            userService.saveUser(user);
            
            return ResponseEntity.ok(new UserResponse("User created successfully"));
            
        } catch (Exception e) {
            return ResponseEntity.status(500).body(new UserResponse("Internal server error"));
        }
    }
    
    @GetMapping("/user/{id}")
    public ResponseEntity<String> getUser(@PathVariable Long id) {
        User user = userService.getUserById(id);
        if (user != null) {
            // Encode output to prevent XSS
            String safeUsername = Encode.forHtml(user.getUsername());
            String safeEmail = Encode.forHtml(user.getEmail());
            
            return ResponseEntity.ok(
                String.format("Username: %s, Email: %s", safeUsername, safeEmail)
            );
        }
        return ResponseEntity.notFound().build();
    }
}

🔐 CSRF Protection (PHP)

<?php
session_start();

class CSRFProtection {
    private static function generateToken() {
        if (!isset($_SESSION['csrf_token'])) {
            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['csrf_token'];
    }
    
    public static function getToken() {
        return self::generateToken();
    }
    
    public static function verifyToken($token) {
        if (!isset($_SESSION['csrf_token']) || $token !== $_SESSION['csrf_token']) {
            return false;
        }
        return true;
    }
    
    public static function refreshToken() {
        unset($_SESSION['csrf_token']);
        return self::generateToken();
    }
}

// HTML form with CSRF token
?>
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
</head>
<body>
    <form method="POST" action="/register">
        <input type="hidden" name="csrf_token" value="<?php echo CSRFProtection::getToken(); ?>">
        
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br>
        
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" required><br>
        
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br>
        
        <button type="submit">Register</button>
    </form>
</body>
</html>

<?php
// Process form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Verify CSRF token
    if (!CSRFProtection::verifyToken($_POST['csrf_token'])) {
        die('CSRF token validation failed');
    }
    
    // Process form data
    $username = htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
    $email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
    
    // Save user to database
    // ... database operations ...
    
    echo "User registered successfully!";
}
?>

🚀 Advanced Topics

🔐 Content Security Policy (CSP)

• Policy directives

• Nonce and hash values

• Report-only mode

• CSP violations reporting

• Policy generation tools

🌐 Subresource Integrity (SRI)

• Hash verification

• Integrity attributes

• CDN security

• Resource validation

• Fallback strategies

🔒 HTTP Security Headers

• HSTS (HTTP Strict Transport Security)

• HPKP (HTTP Public Key Pinning)

• X-Frame-Options

• X-Content-Type-Options

• Referrer Policy

🛡️ Web Application Firewall (WAF)

• Rule-based protection

• Behavioral analysis

• Rate limiting

• DDoS protection

• Custom rules

🔍 Security Testing

🧪 Automated Testing

• Static Application Security Testing (SAST)

• Dynamic Application Security Testing (DAST)

• Interactive Application Security Testing (IAST)

• Software Composition Analysis (SCA)

• Container security scanning

🔍 Manual Testing

• Penetration testing

• Code review

• Configuration review

• Architecture review

• Threat modeling

📊 Security Metrics

• Vulnerability density

• Time to fix

• Security debt

• Compliance score

• Risk assessment

🤝 Contributing

Kontribusi untuk memperbaiki dan menambahkan konten web security sangat dihargai! Silakan:

1. Fork repository ini

2. Buat branch untuk fitur baru

3. Commit perubahan Anda

4. Push ke branch

5. Buat Pull Request

📄 License

Konten ini tersedia di bawah MIT License.

🙏 Acknowledgments

• OWASP Foundation untuk web security guidelines

• Web security researchers dan practitioners

• Security testing tools developers

• Security community yang terus berbagi knowledge

---

⚠️ Disclaimer: Catatan ini dibuat untuk tujuan pembelajaran. Selalu test security measures di environment yang aman dan konsultasikan dengan security experts untuk implementasi production.

🌐 Remember: Web security is an ongoing process. Stay vigilant and keep your applications secure!