Project Feedback!

[codepathreview]

Hello Raymond.

👍 Nice work! Now that we've been exploring XSS and SQL injection attacks, hopefully you have more appreciation for the other side of things, which is sanitizing input and output to defend against these attacks. Even though these attacks have existed in the web for many years, it's still incredibly easy to introduce these vulnerabilities, even when using all the latest web frameworks.

Check out recent reported XSS vulnerabilities here. As you can see, there have been over 2 dozen found just in the first few months of 2017 in major brands such as Wordpress, Adobe, Cisco, and Steam.

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Raymond,

:+1: Nice work! You have learned to prevent the most critical web development vulnerabilities. These are far from the only pitfalls in web development, but they are the most commonly exploited. Through them, you should also have a broad understanding of the types of targets hackers choose and the techniques used to exploit them. Other exploits are similar and often involve small variations on these vulnerabilities.

Make sure you have a firm grasp on the following concepts. You should be able to describe in words to someone else how each vulnerability could be exploited, why hackers would want to exploit it, and how to prevent it.

• Cross-Site Scripting
• SQL Injection
• Cross-Site Request Forgery
• Cookie Theft and Manipulation
• Session Hijacking
• Session Fixation

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Raymond,

:+1: Nice work! You have proven that you are a qualified "Agent with PHP and Encryption Experience". You have gained valuable experience both in building and in using encryption tools.

Key points to review and remember:

• Symmetric key algorithms
  • "password encryption"
  • fast, can handle large amounts of data
  • the key or password must be shared secretly somehow
• Asymmetric key algorithms
  • "public-private keys"
  • slow, can only handle small amounts of data
  • public key can be shared openly
• Checksum/Hash
  • Works because same function inputs = same output
  • Used to verify data integrity
• Digital Signature
  • Checksum with a public/private key added
  • Used to verify data integrity + authenticity

If you would like to learn more about code and cryptography, "The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography" by Simon Singh is an excellent book on both the history and techniques.

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Raymond,

:+1: Nice work! User authentication has become a standard feature of almost every modern web application. But knowing how to authenticate is not enough, developers must know the common security pitfalls and how to avoid them.

Key points to remember:

• Always encrypt passwords before storing them!
• Require users to choose strong passwords (long, diverse characters).
• Use a secure password algorithm, like Blowfish/Bcrypt.
• Salts are added to passwords to make them unique and harder to crack.
• Log in throttling makes brute force attacks and password guessing ineffective.
• Do not accidentally reveal which usernames exist. (Username enumeration)

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Raymond,

:+1: Nice work! It is important to recognize and to understand how these six common vulnerabilities function. And of course, you should know how to fix the code once you identify the problem!

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Raymond, yes, we need you to create a gif to show how the attacks work on the website.

Make sure all you have completed the following steps to completing your README:

1. Make sure you have copied the template README for this assignment, go to the "Setup" section in Assignment Tab for the corresponding week in the course portal.
2. Please mark of all completed stories [x]
3. Add a link to your animated gif walkthough to your README and make sure it renders (animates) when viewing the README.

Your assignment is incomplete until the README is complete. Once completed, please push your updates and submit your assignment again so we can regrade it.

Whenever you make updates to your project that require re-grading, you need to re-submit your project using the submit button on the associated assignment page in the course portal. This will flag your project as “updated” on our end and we know to re-grade.

You should re-submit your assignment anytime you:

• Update a previously incomplete assignment
• Add optional and additional features to an already completed assignment