Skip to content
Dev Dump
GitHub

🔐 Web Security Toolkit

Server-Side Request Forgery (SSRF)

Section titled “Server-Side Request Forgery (SSRF)”
  • Attack: user-controlled URL causes server to fetch internal resources (http://localhost/admin, metadata endpoints).
  • Risks: expose internal services, escalate privileges, pivot deeper into network.
  • Mitigations:
    • Validate and whitelist outbound URLs/domains.
    • Block dangerous protocols (file://, gopher://).
    • Enforce egress controls, network segmentation, and metadata protection.
    • Require auth on internal services even when accessed from inside.
url = request.args["url"]
if not is_allowed(url):
    abort(400)

Cross-Site Scripting (XSS)

Section titled “Cross-Site Scripting (XSS)”
  • Attack: untrusted input rendered as HTML/JS; payload executed in victim’s browser.
  • Types: stored, reflected, DOM-based.
  • Mitigations:

    • Escape/encode output (<, >, etc.).

    • Use templating or frameworks with auto-escaping.

    • Set Content-Security-Policy to restrict script sources.

    • Sanitize rich text inputs and strip scripts.

    • Types:

      • Stored XSS: Malicious script is stored on the server (e.g., in a database) and served to other users.
      • Reflected XSS: Malicious script is injected into the request and reflected back to the user (e.g., in a search result).
      • DOM-based XSS: Malicious script manipulates the DOM (Document Object Model) in the user’s browser.

Cross-Site Request Forgery (CSRF)

Section titled “Cross-Site Request Forgery (CSRF)”
  • Attack: victim’s browser sends authenticated request to target site without intent.
  • Scenario: attacker crafts <img src="https://bank.com/transfer?..."> while user is logged in.
  • Mitigations:
    • Synchronizer or double-submit tokens in forms/headers.
    • SameSite=Lax/Strict cookies; bind session to origin.
    • Require re-auth/password for high-risk actions.

Insecure Direct Object Reference (IDOR)

Section titled “Insecure Direct Object Reference (IDOR)”
  • Attack: guess or modify identifier (/profile?id=124) to access another user’s data.
  • Mitigations:
    • Enforce authorization checks on every resource.
    • Use opaque IDs (UUIDs, hashes) or scoped tokens.
    • Review logs for IDor attempts; add rate limits.

File Upload & Zip Bomb Defenses

Section titled “File Upload & Zip Bomb Defenses”
  • Attack: oversized files, malicious types, or compressed bombs exhaust storage/CPU.
  • Mitigations:
    • Validate MIME type and extension server-side.
    • Enforce file size limits and per-user quotas.
    • Stream uploads to temporary storage; scan before persistence.
    • Detect compressed archives that expand abnormally (zip bombs).

Defense Checklist

Section titled “Defense Checklist”
  • Input validation (allow-list, length limits).
  • Output encoding for HTML/JS/URL contexts.
  • Strong authentication (MFA, password policies).
  • Authorization checks per action/resource.
  • HTTPS everywhere; secure headers (HSTS, CSP, X-Frame-Options).
  • Rate limiting & bot detection for abuse control.
  • Logging, alerting, and security incident response plan.