# Catatan Seekor: Web Security

> **"Web security is not just about protecting your website, it's about protecting your users"**

## 📚 Overview

Web Security adalah praktik melindungi website, web application, dan web service dari berbagai ancaman cyber. Ini mencakup perlindungan terhadap serangan yang dapat mengeksploitasi kerentanan dalam aplikasi web.

## 🎯 Learning Objectives

Setelah mempelajari materi ini, Anda akan mampu:

* Memahami OWASP Top 10 vulnerabilities
* Menerapkan protection terhadap XSS, SQL Injection, dan CSRF
* Mengkonfigurasi security headers dengan benar
* Mengimplementasikan Content Security Policy (CSP)
* Mengamankan komunikasi dengan HTTPS dan SSL/TLS

## 📖 Table of Contents

* [OWASP Top 10](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/owasp-top10.md)
* [Cross-Site Scripting (XSS)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/xss.md)
* [SQL Injection](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/sql-injection.md)
* [Cross-Site Request Forgery (CSRF)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/csrf.md)
* [Security Headers](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/security-headers.md)
* [Content Security Policy (CSP)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/csp.md)
* [HTTPS & SSL/TLS](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/https-ssl.md)

## 🚨 Web Security Threats

### 1. **Injection Attacks**

* **SQL Injection**: Menyisipkan SQL code ke dalam query database
* **NoSQL Injection**: Eksploitasi kerentanan NoSQL database
* **Command Injection**: Menjalankan command system yang tidak sah
* **LDAP Injection**: Eksploitasi LDAP queries

### 2. **Cross-Site Attacks**

* **Cross-Site Scripting (XSS)**: Menjalankan script berbahaya di browser user
* **Cross-Site Request Forgery (CSRF)**: Memaksa user melakukan action yang tidak diinginkan
* **Cross-Site Script Inclusion (XSSI)**: Include script dari domain lain

### 3. **Authentication & Session Issues**

* **Weak Authentication**: Password yang lemah atau tidak aman
* **Session Hijacking**: Mencuri session ID user
* **Insecure Direct Object References**: Akses langsung ke resource tanpa validasi

### 4. **Data Exposure**

* **Sensitive Data Exposure**: Data sensitif terekspos
* **Insufficient Logging**: Logging yang tidak memadai untuk security monitoring
* **Security Misconfiguration**: Konfigurasi security yang salah

## 🚀 Quick Start

### 🔰 **Untuk Pemula**

1. Mulai dengan [OWASP Top 10](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/owasp-top10.md)
2. Pelajari [Cross-Site Scripting (XSS)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/xss.md)
3. Pahami [Security Headers](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/security-headers.md)

### 🎯 **Untuk Developer**

1. Implementasi [Content Security Policy (CSP)](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/csp.md)
2. Pelajari [HTTPS & SSL/TLS](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/https-ssl.md)
3. Kuasai [SQL Injection](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/sql-injection.md)

## 📚 Referensi & Resources

### 🌟 **Essential Reading**

* [OWASP Top 10](https://owasp.org/www-project-top-ten/) - Web application security risks
* [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
* [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/) - Security implementation guides
* [Mozilla Web Security Guidelines](https://developer.mozilla.org/en-US/docs/Web/Security)

### 📖 **Books**

* **"The Web Application Hacker's Handbook"** by Dafydd Stuttard
* **"Web Application Security"** by Andrew van der Stock
* **"Hacking Web Applications"** by Jeremiah Grossman
* **"Web Security Testing"** by Paco Hope

### 🎓 **Online Courses**

* [OWASP Web Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
* [Coursera: Web Security](https://www.coursera.org/learn/web-security)
* [edX: Web Security](https://www.edx.org/learn/web-security)
* [PortSwigger Web Security Academy](https://portswigger.net/web-security)

### 🛠️ **Tools & Frameworks**

* [OWASP ZAP](https://owasp.org/www-project-zap/) - Free security testing tool
* [Burp Suite](https://portswigger.net/burp) - Web application security testing
* [Nmap](https://nmap.org/) - Network security scanner
* [Nikto](https://cirt.net/Nikto2) - Web server scanner

### 🔗 **Communities & Forums**

* [OWASP Community](https://owasp.org/www-community/)
* [Web Security Stack Exchange](https://security.stackexchange.com/questions/tagged/web-application)
* [Reddit r/websecurity](https://www.reddit.com/r/websecurity/)
* [HackerOne](https://hackerone.com/) - Bug bounty platform

## 🎯 Best Practices

### 🔐 **Input Validation**

* ✅ Validate all user inputs
* ✅ Use whitelist approach
* ✅ Implement proper encoding
* ✅ Sanitize data before processing
* ✅ Use parameterized queries

### 🛡️ **Output Encoding**

* ✅ Encode all dynamic content
* ✅ Use context-aware encoding
* ✅ Implement proper escaping
* ✅ Validate output format
* ✅ Use security libraries

### 🔒 **Authentication Security**

* ✅ Strong password policies
* ✅ Multi-factor authentication
* ✅ Secure session management
* ✅ Account lockout policies
* ✅ Secure password reset

### 🌐 **Transport Security**

* ✅ Use HTTPS everywhere
* ✅ Implement HSTS
* ✅ Secure cookie attributes
* ✅ TLS 1.3 configuration
* ✅ Certificate management

## 🚨 Security Checklist

### 🔍 **Pre-Development**

* [ ] Security requirements defined
* [ ] Threat modeling completed
* [ ] Security architecture reviewed
* [ ] Security tools selected

### 🛠️ **During Development**

* [ ] Secure coding practices followed
* [ ] Input validation implemented
* [ ] Output encoding implemented
* [ ] Authentication/authorization in place
* [ ] Error handling secure

### 🧪 **Testing & Deployment**

* [ ] Security testing completed
* [ ] Vulnerability assessment done
* [ ] Penetration testing performed
* [ ] Security headers configured
* [ ] SSL/TLS properly configured

### 📊 **Monitoring & Maintenance**

* [ ] Security monitoring active
* [ ] Regular security updates
* [ ] Incident response plan ready
* [ ] Security training conducted
* [ ] Compliance audits scheduled

## 🔍 Common Vulnerabilities

### 🚨 **OWASP Top 10 2021**

1. **Broken Access Control** - Inadequate access controls
2. **Cryptographic Failures** - Weak encryption implementation
3. **Injection** - SQL, NoSQL, LDAP, OS injection
4. **Insecure Design** - Flaws in design and architecture
5. **Security Misconfiguration** - Incorrect security settings
6. **Vulnerable Components** - Outdated or vulnerable dependencies
7. **Authentication Failures** - Weak authentication mechanisms
8. **Software and Data Integrity Failures** - Supply chain attacks
9. **Security Logging Failures** - Insufficient logging and monitoring
10. **Server-Side Request Forgery** - SSRF attacks

### 🔓 **Additional Threats**

* **Clickjacking**: UI redressing attacks
* **File Upload Vulnerabilities**: Malicious file uploads
* **XML External Entity (XXE)**: XML parsing vulnerabilities
* **Server-Side Template Injection**: Template engine vulnerabilities
* **HTTP Request Smuggling**: Request smuggling attacks

## 🛡️ Security Controls

### 🔒 **Preventive Controls**

* Input validation and sanitization
* Output encoding
* Authentication and authorization
* Secure session management
* HTTPS implementation

### 🔍 **Detective Controls**

* Security logging
* Intrusion detection
* Vulnerability scanning
* Security monitoring
* Regular audits

### 🚨 **Corrective Controls**

* Incident response
* Patch management
* Security updates
* User training
* Continuous improvement

## 📊 Implementation Examples

### 🛡️ **Security Headers (Node.js/Express)**

```javascript
const express = require('express');
const helmet = require('helmet');
const app = express();

// Security middleware
app.use(helmet());

// Custom security headers
app.use((req, res, next) => {
  // Content Security Policy
  res.setHeader(
    'Content-Security-Policy',
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
  );
  
  // X-Frame-Options
  res.setHeader('X-Frame-Options', 'DENY');
  
  // X-Content-Type-Options
  res.setHeader('X-Content-Type-Options', 'nosniff');
  
  // Referrer Policy
  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
  
  // Permissions Policy
  res.setHeader(
    'Permissions-Policy',
    'geolocation=(), microphone=(), camera=()'
  );
  
  next();
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
```

### 🔐 **SQL Injection Prevention (Python)**

```python
import sqlite3
from flask import Flask, request, jsonify

app = Flask(__name__)

# BAD: Vulnerable to SQL injection
def bad_get_user(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Vulnerable query
    query = f"SELECT * FROM users WHERE username = '{username}'"
    cursor.execute(query)
    
    user = cursor.fetchone()
    conn.close()
    return user

# GOOD: Parameterized query (prevents SQL injection)
def good_get_user(username):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    
    # Safe parameterized query
    query = "SELECT * FROM users WHERE username = ?"
    cursor.execute(query, (username,))
    
    user = cursor.fetchone()
    conn.close()
    return user

@app.route('/user/<username>')
def get_user(username):
    try:
        user = good_get_user(username)
        if user:
            return jsonify({
                'username': user[1],
                'email': user[2],
                'status': 'active'
            })
        else:
            return jsonify({'error': 'User not found'}), 404
    except Exception as e:
        return jsonify({'error': 'Database error'}), 500

if __name__ == '__main__':
    app.run(debug=False)  # Disable debug in production
```

### 🔒 **XSS Prevention (Java/Spring)**

```java
import org.springframework.web.bind.annotation.*;
import org.springframework.web.util.HtmlUtils;
import org.owasp.encoder.Encode;

@RestController
@RequestMapping("/api")
public class UserController {
    
    @PostMapping("/user")
    public ResponseEntity<UserResponse> createUser(@RequestBody UserRequest request) {
        try {
            // Validate input
            if (request.getUsername() == null || request.getUsername().trim().isEmpty()) {
                return ResponseEntity.badRequest().body(new UserResponse("Username is required"));
            }
            
            // Sanitize input to prevent XSS
            String sanitizedUsername = Encode.forHtml(request.getUsername());
            String sanitizedEmail = Encode.forHtml(request.getEmail());
            
            // Process sanitized data
            User user = new User();
            user.setUsername(sanitizedUsername);
            user.setEmail(sanitizedEmail);
            
            // Save user
            userService.saveUser(user);
            
            return ResponseEntity.ok(new UserResponse("User created successfully"));
            
        } catch (Exception e) {
            return ResponseEntity.status(500).body(new UserResponse("Internal server error"));
        }
    }
    
    @GetMapping("/user/{id}")
    public ResponseEntity<String> getUser(@PathVariable Long id) {
        User user = userService.getUserById(id);
        if (user != null) {
            // Encode output to prevent XSS
            String safeUsername = Encode.forHtml(user.getUsername());
            String safeEmail = Encode.forHtml(user.getEmail());
            
            return ResponseEntity.ok(
                String.format("Username: %s, Email: %s", safeUsername, safeEmail)
            );
        }
        return ResponseEntity.notFound().build();
    }
}
```

### 🔐 **CSRF Protection (PHP)**

```php
<?php
session_start();

class CSRFProtection {
    private static function generateToken() {
        if (!isset($_SESSION['csrf_token'])) {
            $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['csrf_token'];
    }
    
    public static function getToken() {
        return self::generateToken();
    }
    
    public static function verifyToken($token) {
        if (!isset($_SESSION['csrf_token']) || $token !== $_SESSION['csrf_token']) {
            return false;
        }
        return true;
    }
    
    public static function refreshToken() {
        unset($_SESSION['csrf_token']);
        return self::generateToken();
    }
}

// HTML form with CSRF token
?>
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
</head>
<body>
    <form method="POST" action="/register">
        <input type="hidden" name="csrf_token" value="<?php echo CSRFProtection::getToken(); ?>">
        
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" required><br>
        
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" required><br>
        
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" required><br>
        
        <button type="submit">Register</button>
    </form>
</body>
</html>

<?php
// Process form submission
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Verify CSRF token
    if (!CSRFProtection::verifyToken($_POST['csrf_token'])) {
        die('CSRF token validation failed');
    }
    
    // Process form data
    $username = htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
    $email = htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
    
    // Save user to database
    // ... database operations ...
    
    echo "User registered successfully!";
}
?>
```

## 🚀 Advanced Topics

### 🔐 **Content Security Policy (CSP)**

* Policy directives
* Nonce and hash values
* Report-only mode
* CSP violations reporting
* Policy generation tools

### 🌐 **Subresource Integrity (SRI)**

* Hash verification
* Integrity attributes
* CDN security
* Resource validation
* Fallback strategies

### 🔒 **HTTP Security Headers**

* HSTS (HTTP Strict Transport Security)
* HPKP (HTTP Public Key Pinning)
* X-Frame-Options
* X-Content-Type-Options
* Referrer Policy

### 🛡️ **Web Application Firewall (WAF)**

* Rule-based protection
* Behavioral analysis
* Rate limiting
* DDoS protection
* Custom rules

## 🔍 Security Testing

### 🧪 **Automated Testing**

* Static Application Security Testing (SAST)
* Dynamic Application Security Testing (DAST)
* Interactive Application Security Testing (IAST)
* Software Composition Analysis (SCA)
* Container security scanning

### 🔍 **Manual Testing**

* Penetration testing
* Code review
* Configuration review
* Architecture review
* Threat modeling

### 📊 **Security Metrics**

* Vulnerability density
* Time to fix
* Security debt
* Compliance score
* Risk assessment

## 🤝 Contributing

Kontribusi untuk memperbaiki dan menambahkan konten web security sangat dihargai! Silakan:

1. Fork repository ini
2. Buat branch untuk fitur baru
3. Commit perubahan Anda
4. Push ke branch
5. Buat Pull Request

## 📄 License

Konten ini tersedia di bawah [MIT License](https://github.com/mahbubzulkarnain/catatan-seekor-the-series/blob/master/security/catatan-seekor-web-security/LICENSE/README.md).

## 🙏 Acknowledgments

* OWASP Foundation untuk web security guidelines
* Web security researchers dan practitioners
* Security testing tools developers
* Security community yang terus berbagi knowledge

***

**⚠️ Disclaimer**: Catatan ini dibuat untuk tujuan pembelajaran. Selalu test security measures di environment yang aman dan konsultasikan dengan security experts untuk implementasi production.

**🌐 Remember**: Web security is an ongoing process. Stay vigilant and keep your applications secure!