Welcome to lecture 19, the second part of web security. We'll now go into what really most people think about when we talk about web security, and that's vulnerabilities, attacks and the like. We will look in particular at the OWASP Top 10, which is one classification of sort of the top, the most important vulnerabilities that happen. And in the in-class sessions, I won't do this in the recording, but in the in-class session I will show you in practice some of these attacks in the OWASP Juice Shop. So that's an application that has been programmed intentionally vulnerable so that you can show and you can train security. And then I'll close with security advice for specific technology like Node.js, but there is not much on that, and I'll tell you why that is the case when we get there. So mainly this is all about web security threats in particular.

A number of literature references: the first two are the OWASP Top 10 recommendations, which is a very important read if you really set up your own web presence. So in particular if you do server-side things, you should be looking at that. The third one is specific to the OWASP Juice Shop, how to work with that, and then the last two are advice articles on Express and Node.js, how to make them secure. They are examples; as you see, for example, one of the blog posts is from 2014, so there is a good chance that a lot of these things are outdated. They just serve as an example.

We'll start off with some terminology before we get into the actual vulnerabilities. So we talk about vulnerabilities, attacks, exploits and so on, so it's important to discuss what they actually mean. When we talk about vulnerabilities, we mean that something has a weakness, something that can be exploited by a so-called threat. And we usually talk about assets in web applications or any kind of applications, business cases, because at the end of the day what you care about is your business.
For example, if you rent cars, if you have a car rental, an asset might be the information on what kind of cars you own, with all the license plates, all the insurance numbers and so on. It might be all the people that have registered on your website, all the bookings that have been made. So all of this is an asset, is some information that is very valuable to your company, and it's a problem if it anyhow gets exposed, deleted or so on.

A threat then, since we talk about threats here, a threat is the capability, intention and attack method of adversaries, so someone that, well, to put it plainly, tries to attack you, that does not like you, that has the potential to cause harm. So to translate this: an attack, for example, someone intentionally attacks your system, that can cause harm, for example deleting customer information. And that's just a method, so it's not an actual thing that happens, it's just the potential that this can happen.

And finally, an exploit is a defined way to breach the security of an information system. So something in your system is vulnerable, so there is a threat that someone will attack this, and then the exploit is the actual attack, the actual way to do this. So when we talk about vulnerabilities, we talk about general classes of potential things that are problematic, like you don't have authentication, everyone can just use your API. The threat that means, well, if everyone can use your API, one threat is that someone uses it to delete information that he or she should not delete; that can cause harm. And the exploit is then the actual attack: someone does this, or someone writes a Postman script that does this. So that's the vocabulary that we often use in the security world.

Why should you care? I should not need this slide, but I think it's important to show a couple of cases. I have a whole list of them here.
This is one, it's just from last year, so it's fairly recent, where some retail company, a home improvement retail company in the US, had a data breach where 70,000 records got lost. And this one is particularly interesting because it was 70,000 people that have been caught stealing in these kinds of stores. So it was kind of a list of people that were doing this, what they had stolen and so on. So obviously here, the problem is it's a legal problem, because they're most likely not allowed to publish these names. It's a problem for the people that have been caught stealing because they are exposed. So this is something that is quite serious.

Much more serious maybe: one million patient records leaked. So that's in a health network where people had left their personal health information, and this was exposed. One million patient records. That's already much more serious, because now this includes stuff like how healthy a person is, which is maybe a step more serious than whether someone has been stealing or not.

Bank loan and mortgage documents leaked in the US, financial information. Similarly, that's a big issue. This can also be a problem if, for example, a bank in the future denies you a loan. And of course it's embarrassing as well. You don't want to have your financial information lying around, maybe.

ISAC, which some of you might be familiar with. It's an intern application system, or it's an intern network, but they had an issue at some point two months ago. So that's last year, so 14 months by now, where four million intern applications were exposed. Again, this might contain sensitive information that you don't want to have lying around and that maybe the company is not allowed to have lying around.

Credit card data, now it's getting interesting. An ice cream chain. So they, for some reason, stored the credit card information of people that they used to purchase ice cream. And well, this was then exposed. This could be used to actually pay on other websites.
So now this could have a direct financial impact on the people that have left their credit card information. Here there's actually a detail on the attack that has been used: unauthorized code was added to the website checkout page, and that caused the credit card information to be kind of forwarded to another website. That's one of the vulnerabilities that's very typical.

And now I'll end up with a really serious one, where there was a privacy breach in a system to record details of psychologists, where a woman said that her sexual trauma details were exposed because they were stored in some kind of system where the psychologist kind of made notes and recorded what had happened. And then, because the system was insecure, the data was leaked. And of course, this is deeply personal. This is really something that should not happen. You see that in this case it was 300 pages of personal information.

The interesting thing is it goes on; you see that there is a lot more stuff coming. But I think the interesting point here is we have systems like this one here, where we say the psychologist is writing something down. We have the health system where people store their health. Here you can say, okay, this is something where the company running this should make really, really sure it's secure. This is something that should not happen. This is something that should be fined heavily. But then there's other stuff, like in this case here, where the people stealing have their information entered. This information was probably entered without them consenting to it, so they could not affect it. Then we had the ice cream case, where you say that of course the people have left their credit card information, but at the same time you could say, well, this is an ice cream shop. This is something as a customer you don't think about very much, because it's not a very important business. It's something different than leaving your health information. And the list goes on.
It's really important to see that it's all kinds of data that get exposed, but also all kinds of unimportant things that we maybe don't think about, like the ice cream case, that can lead to really severe consequences. This is why you should care about these things, even if you write an application that seems to be very unimportant. When we go through the vulnerabilities later on, you'll see other examples of how you can run successful attacks even from a website that is maybe not very important. So that's why you should care.

The other thing is, a lot of the attacks on websites are really, really basic things. So if you look at movies, you always have these advanced hackers that sit and do crazy things, but often it boils down to basic attacks like changing an ID, changing a cookie, trying to insert some basic, for example, JavaScript code, trying to access things that you should not have access to. These are really, really basic things, but a lot of these attacks end up being successful. So that's why we cover basics in web security. You don't have to be an expert to really get to a certain level of security.

Then, of course, there is the last stretch. If you want to be good at security, you need to invest a lot of time. These things change, so you really need to stay up to date. And later on, when we get to the specifics of, for example, Node.js, you also often need to specialize. So you need to look into how to do security for Node.js applications or similar things. But the basics get you far, and that's exactly what we cover in this lecture. So I'll stop here, and in the second part we then go into the most common and most severe vulnerabilities that we see in web applications.
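The vocabulary from the terminology part (vulnerability, threat, exploit) and the "changing an ID" attack mentioned above, as an added worked example that is not part of the lecture or its slides. It uses the car rental bookings from the lecture's asset example: a DELETE endpoint with no authentication is the vulnerability, the threat is that anyone can delete bookings they do not own, and the exploit is a script that walks the ids. The hardened handler beside it checks the session and the owner. The request shape, session table, booking data and all function names are constructed for illustration and are not any real framework's API.

```javascript
// Added example, not from the lecture. Tiny in-memory "bookings" API showing
// the no-authentication vulnerability, the id-walking exploit, and a fixed
// handler. Everything here (data, session table, request shape) is constructed.

// Constructed asset: booking id -> record, each owned by a user.
function makeBookings() {
  return new Map([
    [1, { owner: 'alice', car: 'KA-123' }],
    [2, { owner: 'bob', car: 'MU-456' }],
    [3, { owner: 'carol', car: 'HH-789' }],
  ]);
}

// Constructed session table: cookie value -> user. A real app would use a
// signed/opaque session id; this is just enough to tell who is calling.
const SESSIONS = new Map([['tok-bob', 'bob']]);

// Extract the numeric id from a path like /bookings/2 (null if no match).
function bookingIdFromPath(path) {
  const m = /^\/bookings\/(\d+)$/.exec(path);
  return m ? Number(m[1]) : null;
}

// VULNERABLE: DELETE /bookings/:id removes whatever id is given. Nobody is
// asked who they are, so "everyone can just use your API".
function deleteBookingVulnerable(bookings, req) {
  const id = bookingIdFromPath(req.path);
  if (req.method !== 'DELETE' || id === null) return { status: 404 };
  if (!bookings.has(id)) return { status: 404 };
  bookings.delete(id);
  return { status: 204 };
}

// HARDENED: require a known session cookie, then only let the owner of the
// booking delete it. A foreign id gets the same 404 as a missing one, so the
// caller cannot use the response to enumerate other people's bookings.
function deleteBookingHardened(bookings, req) {
  const id = bookingIdFromPath(req.path);
  if (req.method !== 'DELETE' || id === null) return { status: 404 };
  const user = SESSIONS.get(req.cookies && req.cookies.session);
  if (!user) return { status: 401 }; // not logged in at all
  const booking = bookings.get(id);
  if (!booking || booking.owner !== user) return { status: 404 };
  bookings.delete(id);
  return { status: 204 };
}

// EXPLOIT: the "change an ID" attack. The attacker just walks ids 1..3
// (optionally with a session of their own) and records what was deleted.
function deleteAll(handler, bookings, cookies) {
  const deleted = [];
  for (let id = 1; id <= 3; id++) {
    const res = handler(bookings, { method: 'DELETE', path: `/bookings/${id}`, cookies });
    if (res.status === 204) deleted.push(id);
  }
  return deleted;
}

// Run the exploit against both handlers and return the outcome.
function demo() {
  const vuln = makeBookings();
  const anonDeletedVuln = deleteAll(deleteBookingVulnerable, vuln, undefined);

  const hardAnon = makeBookings();
  const anonDeletedHard = deleteAll(deleteBookingHardened, hardAnon, undefined);

  const hardBob = makeBookings();
  const bobDeletedHard = deleteAll(deleteBookingHardened, hardBob, { session: 'tok-bob' });

  return {
    anonDeletedVuln,              // [1, 2, 3]: everything is gone
    anonDeletedHard,              // []: no session, nothing deleted
    bobDeletedHard,               // [2]: bob can only remove his own booking
    remainingVuln: vuln.size,     // 0
    remainingHard: hardBob.size,  // 2
  };
}

console.log(JSON.stringify(demo()));
```

The point of the two 404s in the hardened version is that "does this id exist" is itself information an attacker can harvest by walking ids; returning 403 for someone else's booking would leak which ids are real.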