This post is part of the "WASEC: Web Application SECurity" series, which is a portion of the content of WASEC, an e-book on web application security I'm currently writing.
Here is a list of all the articles in this series:
Web security demystified: WASEC
Understanding the browser
WASEC is a series about Web Application SECurity, written to summarize
security best practices for building web applications.
Today's web platform lets developers build magnificent products, with
technologies that were unthinkable just a few years ago, such as
web push notifications, geolocation or even "simpler" features such as
These additional technologies, though, come at a cost: every new feature
widens the range of possible vulnerabilities, and there is more we must know
when developing for the web. When iframes were introduced, everyone
was quick to point out how great an invention they were (at least back in the day),
since they made it easy to embed content from other web pages;
few, though, would have thought that the very same technology
would serve as the basis of clickjacking,
a class of vulnerability that exists only because of features
added to the HTML standard.
As Wikipedia puts it:
Clickjacking is possible because [of] seemingly harmless features of HTML web pages
Let me twist the tale and ask whether you were aware that CSRF attacks are about
to disappear. How? Thanks to browsers supporting
SameSite cookies (discussed further on in the series), which tell the browser
not to attach a site's cookies to requests initiated from other sites.
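To make that claim concrete, here is an added example (my own illustration, not code from the WASEC series or the e-book) that models the decision a browser makes when a cookie carries a SameSite attribute, and runs it against the classic CSRF scenario: a page on evil.example auto-submitting a POST form to bank.example. The hosts, the cookie header values and the `siteOf` helper are constructed for the example; `siteOf` takes the last two host labels as the "site", a simplification that ignores the Public Suffix List real browsers consult. The Lax default for cookies without a SameSite attribute follows what Chromium ships; browsers differ on this, so treat that line as an assumption.

```javascript
// Added example, not code from the WASEC series: a small model of the SameSite
// cookie rules a browser applies when deciding whether to attach a cookie to a
// request, and the CSRF scenario those rules defeat. Run with: node samesite.js

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into its name, value and the attributes
// that matter here. Returns null when the browser would reject the cookie
// (SameSite=None is only accepted together with Secure).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 0) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    sameSite: "Lax", // assumption: Lax-by-default, as Chromium has shipped since 2020
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") {
      const mode = v.trim().toLowerCase();
      cookie.sameSite = mode === "strict" ? "Strict" : mode === "none" ? "None" : "Lax";
    }
  }
  if (cookie.sameSite === "None" && !cookie.secure) return null;
  return cookie;
}

// Simplified "site": the last two host labels. Real browsers use the Public
// Suffix List (foo.co.uk and bar.co.uk are different sites); this toy treats
// any host of the form a.b as the site b, which is enough for
// bank.example vs evil.example and for app.bank.example vs bank.example.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function isCrossSite(initiatorHost, targetHost) {
  return siteOf(initiatorHost) !== siteOf(targetHost);
}

// Decide whether `cookie` is attached to the request described by `req`:
//   initiatorHost       host of the page that caused the request
//   targetHost          host the request goes to
//   method              HTTP method
//   topLevelNavigation  true for a navigation that changes the address bar
//                       (link click, form submit); false for fetch/XHR/img/iframe
//   scheme              "https" or "http"
function shouldSendCookie(cookie, req) {
  if (cookie.secure && req.scheme !== "https") return false;
  if (!isCrossSite(req.initiatorHost, req.targetHost)) return true;
  switch (cookie.sameSite) {
    case "Strict":
      return false; // never on a cross-site request
    case "Lax":
      // only on a top-level navigation with a safe method, so a forged
      // cross-site POST carries no session
      return req.topLevelNavigation && SAFE_METHODS.has(req.method.toUpperCase());
    case "None":
      return true; // opted out of SameSite protection (requires Secure)
    default:
      return false;
  }
}

// The classic CSRF: a page on evil.example auto-submits a form to
// bank.example, hoping the victim's session cookie rides along. Returns, per
// SameSite mode, whether the forged POST carries the session cookie.
function csrfScenario() {
  const forgedPost = {
    initiatorHost: "evil.example",
    targetHost: "bank.example",
    method: "POST",
    topLevelNavigation: true,
    scheme: "https",
  };
  // constructed Set-Cookie values as bank.example might issue them
  const headers = {
    strict: "session=abc123; Secure; HttpOnly; SameSite=Strict",
    lax: "session=abc123; Secure; HttpOnly; SameSite=Lax",
    none: "session=abc123; Secure; HttpOnly; SameSite=None",
    unset: "session=abc123; Secure; HttpOnly",
  };
  const result = {};
  for (const [mode, header] of Object.entries(headers)) {
    result[mode] = shouldSendCookie(parseSetCookie(header), forgedPost);
  }
  return result;
}

console.log(csrfScenario());
```

Two caveats the model makes visible: Lax still sends the cookie on a cross-site top-level GET, so a state-changing GET endpoint remains forgeable, and a request from a sibling subdomain (app.bank.example to bank.example) is same-site, so SameSite does nothing against an attacker who controls any host under your registrable domain. Chromium's temporary "Lax+POST" allowance for freshly set cookies without an explicit SameSite attribute is not modelled; setting the attribute explicitly avoids depending on it.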
The web landscape is changing quickly, and the goal of this series is a good
understanding of the platform, with a keen eye on security, so that we
raise our security awareness along the way.
WASEC is a series written to demystify web security, and make it easier for
the everyday developer to understand important, security-related aspects
of this universal platform.