WebAppSec/MozSecureWorld
Jump to navigation
Jump to search
Purpose
A running web application to demonstrate major security paradigms used within Mozilla web applications and security capabilities of modern browsers.
Uses
- Demonstration of secure application design
- Explanation of importance and purpose of security features
- Learning tool for others to reference
- Testing site to validate effectiveness of security & design recommendations
- Evaluation tool for pen testing individuals or tools
Design
Architecture
Python on Django via Playdoh
Security Components & Controls
Authentication
- Brute force prevention via adaptive CAPTCHA
- Password storage via bcrypt and system nonce
- Account creation with blacklisted password support
- (Possible) Secure Password Reset
Access Control
- Presentation, Business, Data Layer Access Control
- (Possible) Two tier design for admin account separation
Input Validation
- Rich HTML handling via bleach
- File upload support via secure file handling guidelines
Transport Security
- Full & correct TLS
- HTTP Strict Transport Security
Cross Domain Controls
- X-frame-options
Cookie Protection
- Secure Flag
- HTTPOnly Flag
Secure I/O
- File Handling
- SQL
- (Possible) Third party service)
Roadmap
- Setup playdoh & github
- Running HelloWorld
- Design Planning
- Code basic item first (x-frame-options)
- Complete initial presentation layer and CSS for basic item
- Setup backend database
- Authentication