Week 9 - Security
Originally, this week was intended to be about security. We shifted things around and it became a more open-ended project discussion rather than a structured focus on security. We'll include some links below to capture some of the discussion content for future reference.
We did discuss the OWASP Top Ten and the importance of understanding how application vulnerabilities work so that as engineers we can know how to avoid them.
Here is the blog post from Snyk that came up in discussion about how ReDoS (regular expression denial of service) works.
We also briefly discussed injection and related it back to our discussion on NoSQL databases. Since we didn't get too deep into the technical details on this, we thought we'd include a bit here: in Hacking APIs by Corey Ball there is an excellent section on NoSQL injection. The book lists payloads like the following that an attacker might send in a request parameter or JSON body to probe a NoSQL-backed API. The first group are MongoDB query operators (sent as JSON objects in place of a plain string value); the later ones target string concatenation into JavaScript-evaluated queries such as $where.
$gt
{"$gt":""}
{"$gt":-1}
$ne
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
{"$nin":[1]}
|| '1'=='1
//
||'a'\\'a
'||'1'=='1';//
'/{}:
'"\;{}
'"\/$[].>
{"$where": "sleep(1000)"}
Consider how your application handles user input. Are any of these a possible concern?
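To make the first group of payloads concrete, here is an added example (written for these notes, not code from Hacking APIs or from any project we discussed). It models a MongoDB login lookup in plain JavaScript with an in-memory stand-in for the collection, so it runs without a database; the `$gt`, `$ne` and `$nin` handling in `fieldMatches` is a deliberately small imitation of MongoDB's operator semantics. The user records and the request bodies are constructed sample data.

```javascript
// Added example: why {"$gt": ""} and {"$ne": ""} bypass a login lookup that
// drops a parsed JSON body straight into a MongoDB-style filter, and how a
// type check closes the hole. No real database is used.

// Constructed sample data standing in for a `users` collection.
const USERS = [
  { username: "alice", password: "correct horse battery staple", role: "admin" },
  { username: "bob", password: "hunter2", role: "user" },
];

// Evaluate one document field against a query value the way MongoDB does:
// a primitive is an equality match, an object is read as a set of operators.
function fieldMatches(actual, expected) {
  if (expected === null || typeof expected !== "object") {
    return actual === expected;
  }
  return Object.entries(expected).every(([op, arg]) => {
    switch (op) {
      case "$gt":
        return actual > arg; // any non-empty string is > ""
      case "$ne":
        return actual !== arg;
      case "$nin":
        // MongoDB rejects a non-array argument ("$nin needs an array").
        if (!Array.isArray(arg)) throw new Error("$nin needs an array");
        return !arg.includes(actual);
      default:
        throw new Error(`unsupported operator in this example: ${op}`);
    }
  });
}

// Minimal findOne: first document whose every filter field matches.
function findOne(collection, filter) {
  return (
    collection.find((doc) =>
      Object.entries(filter).every(([field, expected]) =>
        fieldMatches(doc[field], expected)
      )
    ) || null
  );
}

// VULNERABLE: `body` is the already-parsed JSON (as express.json() would give
// you), so a client-supplied object becomes a query operator instead of a value.
function loginVulnerable(body) {
  return findOne(USERS, { username: body.username, password: body.password });
}

// HARDENED: credentials must be primitive strings. Anything else is rejected
// before it can reach the query. (A middleware such as express-mongo-sanitize
// takes the related approach of stripping keys that begin with "$"; the type
// check here is the simplest version of the same idea.)
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return null;
  }
  return findOne(USERS, { username: body.username, password: body.password });
}

// Constructed request bodies. ATTACK is what the attacker sends on the wire:
//   {"username": "alice", "password": {"$gt": ""}}
const ATTACK = JSON.parse('{"username":"alice","password":{"$gt":""}}');
const LEGIT = JSON.parse(
  '{"username":"alice","password":"correct horse battery staple"}'
);

// Same operator applied to both fields: logs in as whichever user is first.
const ATTACK_NE = JSON.parse('{"username":{"$ne":""},"password":{"$ne":""}}');

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable + attack  :", loginVulnerable(ATTACK));
  console.log("hardened   + attack  :", loginHardened(ATTACK));
  console.log("hardened   + legit   :", loginHardened(LEGIT));
  console.log("vulnerable + $ne/$ne :", loginVulnerable(ATTACK_NE));
}
```

The point to take from this is that the vulnerability is not in the database driver but in accepting a structured value where the code assumed a string. The same check belongs on any field you forward into a query, and the later payloads in the list (the `'||'1'=='1';//` family and `{"$where": "sleep(1000)"}`) are the analogous probe for code paths that build a `$where` or `mapReduce` expression by string concatenation, which should simply not exist in application code.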