You are a very great lecturer; I wish I could get in touch with you... Keep doing the great job.
@luckynumbersevuuun4 years ago
at 37:20, one of the most effective use of the CSP is to limit where javascript can be sourced from. this will get you pretty far down the road against most XSS and other hybrid attacks.
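As an added illustration of the point above (example code written for this page, not code from the lecture or the commenter): a small checker that parses a Content-Security-Policy header and decides whether an inline script or an external script URL would be permitted. The header value and the URLs are constructed for the example; only `'self'`, `'none'`, `'unsafe-inline'` and exact host-sources are modelled, so nonces, hashes and wildcards are deliberately left out.

```python
"""Decide which script sources a Content-Security-Policy header allows.

Added example for the CSP comment above; not code from the lecture.
The header value and URLs below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed example policy: scripts only from the page's own origin and one
# CDN, plugins disabled, everything else falls back to 'self'.
EXAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "object-src 'none'"
)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def script_allowed(header: str, page_url: str, script_url: str | None) -> bool:
    """Return True if the policy lets the page run the given script.

    script_url=None stands for an inline <script> block, which is what an
    injected XSS payload usually is.  script-src governs scripts; default-src
    is the fallback when script-src is absent.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'none'" in sources:
        return False
    if script_url is None:
        # Inline script runs only if the author explicitly opted in.
        return "'unsafe-inline'" in sources
    target = _origin(script_url)
    for src in sources:
        if src == "'self'" and target == _origin(page_url):
            return True
        if src.startswith("http") and _origin(src) == target:
            return True
    return False
```

With the example policy, an inline script is refused, a script from the page's own origin or the listed CDN is allowed, and anything else is blocked; a policy that only sets `default-src` behaves the same way for scripts because of the fallback.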
@PMA655374 years ago
43:00 DROP TABLE tablename; DELETE is used for deleting (some) records from a table.
@aidanbrumsickle7 years ago
Use prepared/parameterized statements for SQL!
@armandkruger9114 years ago
Thank You! Finally!
@voikalternos9 months ago
Fascinating to learn how things were different 10 years ago.
@dzungnguyen4 years ago
This is a great course; I know a lot of stuff here and why it's important. Finally, I can understand and visualize how these things work.
@mpumelelozulu62683 years ago
Lloyd""l""whale 'll)"lhll
@mpumelelozulu62683 years ago
La Farrell and ll""low cost a"h
@mpumelelozulu62683 years ago
Lips". I know"
@mpumelelozulu62683 years ago
L"ballthe llllrllllll l"last year last time"and l"lljhl"lbs lll"lh""lhhllllh
@mpumelelozulu62683 years ago
H lluh"rll lull""lljll. L"hotel"lowllhlhl"lull ll"ltlllllhllljl"Ljubljana"lrulhllllhlhplj, Ljubljana to"llhlljh Lal
@armandkruger9114 years ago
Input validation, parameterized queries, and static & dynamic code analysis are the future of secure code development.
@marveladeguitar2 years ago
In the third XSS example that didn't work @10:22 , judging from the web server logs @10:43, the stripping was already done when the request hit the web server. Without testing this, I'm going to take a guess and say that it's the semicolon that tripped this example; not a browser mechanism that filtered the response and definitely not because of the X-XSS-Protection header being set to 0. That header will only tell the browser what to do with the *response*. It doesn't know about that response header yet when it sends the request.
@ClearlyCero6 years ago
Quite a lot to think about, so many more vectors than I knew about.
@christophersiwale72187 years ago
still appreciating the video!
@GamingBlake20025 years ago
alert('Great video!');
@armandkruger9114 years ago
#include int main() { std::cout
@UndercoverDog 1 year ago
Hecker
@jovanyaldayrtoquerofranco9214 1 year ago
Excellent!!!
@Greatfulone 1 year ago
I did not catch how putting the sensitive info in the DOM keeps JavaScript eval() from accessing it.
@lets_discuss53526 years ago
Prof. Mickens, for the SQL injection attack, would using stored procedures be a way to prevent malicious content being used for injection?
@seductivewalrus55874 years ago
Yes. You use algorithms to "sanitize" all user input. In industry this is known as "input sanitation".
@novawarebr6 months ago
@@seductivewalrus5587 Do you know any tutorial/course about this subject? I'm trying to find it on youtube, but it's very hard.
@bluemagicuk 1 year ago
talk was fire AF
@EdigleyssonSilva2 years ago
Great lecture!!
@blenderpanzi3 years ago
Why is bash even looking at the contents of env vars if they are set via setenv(), let alone under any circumstance interpret it as a function? That does not make any sense to me.
@SportsIncorporated4 years ago
I went to college in the 1970s. Instructors are still using a blackboard and chalk.
@TDRinfinity3 years ago
I would say most schools use dry-erase whiteboards. Some of my classes use iPads or Surfaces or something like that, but it usually isn't as good because you just get the one screen with a smaller buffer.
@musilicks2 years ago
You only get blackboards and chalk if your tuition is +50k/term
@predatorBr5 years ago
Ways to stop SQLi: 1) use prepared statements, 2) stored procedures, 3) whitelists. And a mandatory one: never, ever trust user input, even if it is an internal system. Even worse yet, sometimes. Use all, because this is called security by depth.
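As an added example for the SQL injection discussion in this thread (the prepared-statement comment, the stored-procedure question and the list above), written for this page and not code from the lecture or any commenter: the same lookup built three ways against an in-memory SQLite table, so the effect of a string-built query, a parameterized query and an allowlist check can be compared on one constructed input. The table contents, the `USERNAME_RE` allowlist and the test input are all constructed for the example.

```python
"""SQL injection: a string-built query beside its parameterized and validated forms.

Added example for the SQLi prevention comments in this thread; not code from the
lecture.  The database rows, the allowlist and the inputs are constructed here.
"""
import re
import sqlite3

# Constructed allowlist for a username field: lower-case letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Create a throwaway in-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the input is pasted into the SQL text, so quotes in it
    change the structure of the statement rather than staying data."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the value is bound as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_validated(conn: sqlite3.Connection, name: str) -> list:
    """Defense in depth: reject input outside the allowlist before it reaches
    the database, then still use the parameterized query."""
    if not USERNAME_RE.match(name):
        raise ValueError("username contains characters outside the allowlist")
    return lookup_param(conn, name)


if __name__ == "__main__":
    db = build_db()
    # Constructed malicious input: the quote closes the literal, the OR widens the WHERE.
    crafted = "bob' OR '1'='1"
    print("concat  :", lookup_concat(db, crafted))   # every row comes back
    print("param   :", lookup_param(db, crafted))    # no user has that literal name
    try:
        lookup_validated(db, crafted)
    except ValueError as err:
        print("validate:", err)
```

The concatenated version returns both rows because the input rewrites the `WHERE` clause; the parameterized version returns nothing because the whole string is compared as a literal name; the validated version refuses the input before any query runs. The allowlist is the "whitelist" item from the list above and is a complement to, not a replacement for, parameter binding.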
@omarkhan14915 years ago
use a framework like django?
@Kiolesis3 years ago
Great! 😀
@freddykakonde91446 years ago
super
@redstoneprojectrules4 years ago
Lol, "how to prevent XSS access to secrets": "hand them out as a capability and store them plain in your HTML"...
@mr.almezeini6472 months ago
I didn't know Chris Rock was into IT 😂😂
@alexandrudescultu70862 years ago
Security layer 7: www.popnews.ro/
@SportsUniqueFootage2 years ago
I think this is just me, but this is a bit hard to follow. Not a fan of teaching with whiteboard and chalk.
@rafaelnacha17882 years ago
9:00
@jongarcia982 1 year ago
I can't believe he is writing on a chalkboard. The only way it could be less efficient is if he was engraving stone during the discourse. This is insane. A projector would be better.
@StijnHommes2 years ago
The easiest way to secure a web app is not to use it. That way, it can't cause any security breaches. We don't need them, so it's not that hard to avoid "web apps" and use real apps instead.
@mikecaldwell84175 years ago
Wow, I remember my electrical engineering classes at a New York state university being much more complicated than these MIT computer science classes. This is kindergarten stuff compared to electrical engineering or the many math classes I took.
@seductivewalrus55874 years ago
This is cybersecurity, not math.
@mikecaldwell84174 years ago
@Don Pablo You're angry because, compared to us older guys, you idiots are not even half as smart as we were when we were in college? You're mad because you are in the dumbed-down version of education and you probably still barely get by. Now go back to your cell phone and stare at it for a few more hours, because that is all you young dolts can do.
@mikecaldwell84174 years ago
@@seductivewalrus5587 Duh, I never said it was math, fool. I said it was easy compared to the subjects I studied at a less prestigious school.
@ishashka4 years ago
Well, that's because cybersecurity is a lot more of an art. There are no definite answers, there are no equations. You have to rely on knowing what has gone wrong in the past, so that you don't replicate those mistakes (and no one has a 100% complete list of those), as well as your imagination: how will people try to abuse my website? The concepts presented in the lecture aren't complicated, because they're just the most common, basic ones, but they're essential for a cybersecurity specialist to know. And in practice, their job is hard and messy, because when you're dealing with many layers of software, each with its unique quirks and bugs, there's no way to predict every way that's going to be abused.
@mikecaldwell84174 years ago
@@ishashka I already know about cyber security, since I have been in high tech working for a major software company for decades. My point was that I learned much more complicated things at a state college in my electrical engineering courses than what these MIT students are learning. Of course, my major was considerably more challenging than a computer science degree. I would expect at a top engineering school they would be teaching much more complicated subject matter, such as encryption, than this baby stuff.