Web
Cross-site Scripting (XSS)
Web/Security, 2019. 8. 30. 11:30
1. Overview Cross-site scripting is a type of computer security vulnerability typically found in web applications. Cross-site tracing is a network security vulnerability exploiting the HTTP TRACE method. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (or XSRF), is a type of malicious exploit of a website where unauthorized commands are tran..

Same-origin Security Policy
Web/Security, 2019. 8. 30. 11:27
1. Overview An origin, defined as the combination of URI scheme, hostname, and port number, must be the same for two pages to exchange data via scripts. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). 2. Description 2.1 Examples Compared URL Outcome Reason http://www.example.com/dir/pa..

Open Authorization (OAuth) 2.0
Web/Security, 2019. 8. 29. 15:05
1. Overview OAuth is an open standard protocol for authentication. External service functions can be used in other applications. OAuth 2.0 is not compatible with 1.0, but the authentication process is simpler. 1.1 Difference between OAuth and Login Login is when a member of the A service uses the A service. In the case of OAuth, the B service performs authentication and authentication through the meth..

Difference between Signing and Encryption with OpenPGP
Web/Security, 2019. 8. 29. 09:57
1. Overview Let's distinguish Signing and Encryption with OpenPGP. 2. Purpose Preserve confidentiality and privacy: to meet some business regulations on security; to make sensitive data unreadable to unauthorized parties. Data Integrity: not altered from its original form. Message Authentication (Proof of Origin): ensuring the message came from the purported sender. Non-repudiation: that the sender cannot deny..

Encoding, Encryption, Hashing, and Obfuscation
Web/Security, 2019. 8. 28. 10:39
1. Overview Let's distinguish these confusing concepts. 2. Description 2.1 Encoding The purpose of encoding is to transform data so that it can be properly and safely consumed by a different type of system. For example, binary data being sent over email, or viewing special characters on a web page. The goal is not to keep information secret, but rather to ensure that it's able to be properly cons..

Authentication and Authorization
Web/Security, 2019. 8. 27. 21:55
1. Overview Authentication is the process of ascertaining that somebody really is who they claim to be. Authorization refers to rules that determine who is allowed to do what. E.g. Adam may be authorized to create and delete databases, while Usama is only authorized to read. 1.1 Authentication Login + password: who you are. 1.2 Authorization Permissions: what you are allowed to do. 2. Descriptio..

JWT, JWS, JWE, JWA, and JWK
Web/Security, 2019. 8. 27. 21:53
1. Overview JWT is used to transport user identity/entitlements between interested parties in a secure manner. JWS and JWE are instances of the JWT when using compact serialization. JWS and JWE can be serialized using either the compact serialization or JSON serialization. JWT doesn't define a specific binding, but in practice, JWT tokens are transported over HTTPS under the Authorization Bearer h..

Stateful and Stateless in Protocol
Web/Protocol, 2019. 8. 25. 08:19
1. Overview Network protocols for web browsers and servers are categorized into two types: stateless protocol and stateful protocol. The two are differentiated on the basis of whether the server or server-side software is required to save status or session information. 2. Comparisons STATELESS PROTOCOL STATEFUL PROTOCOL Does not require the server to retain the server information or session de..