MozSecWorld is a web security reference site. It teaches simple ways to make your own websites more secure. You'll learn through diagrams, explanations, and best of all, live demos! :) If you are a web developer, you might find the open-source code for each demo helpful too.
More specifically, MozSecWorld is a running Django web application demonstrating major security paradigms used within Mozilla web applications and security capabilities of modern browsers. Our goal is to help make the web more secure for all.
The MozSecWorld Beta is running at https://mozsecworld.org, but the server currently has some problems that make clicks very slow.
Email mozsecworld at gmail dot com to receive an update email as soon as the website is fully functional.
Feel free to email us anything else related to this project. We'd love to hear from you!
Cross Domain
- x-frame-options: DENY
- set-cookie: HTTPOnly
- Content Security Policy
Input Validation
- Parameterized SQL statements
- Rich text, so users can use <i> and <b>, but not <script>
- bleach only allows whitelisted HTML tags
- Only safe URLs are clickable
- Google SafeBrowsing and a 3-step HTTPS Google Validation
- Image Upload following the “Image Upload” guidelines
- strip away extraneous content with PIL rewrite
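As an added illustration of the rich-text and safe-URL items above (this is not MozSecWorld's own code; the project uses the bleach library, while this stand-in is built only on Python's standard-library HTMLParser): a whitelist sanitizer that keeps <i>, <b>, <em>, <strong> and <a href> with http(s)/mailto links, escapes every other tag as bleach's default non-strip mode does, and drops javascript: links. The tag and attribute whitelists are assumptions for the demo, not the project's configuration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed whitelist for this demo; MozSecWorld's real bleach config may differ.
ALLOWED_TAGS = {"b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
# Only these schemes make a link clickable; javascript:, data:, etc. are dropped.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class WhitelistSanitizer(HTMLParser):
    """Keep whitelisted tags, escape every other tag, always escape text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Non-whitelisted tag: emit its raw text escaped, so it renders as text.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value \
                    and value.strip().lower().startswith(SAFE_SCHEMES):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <img/>: treat like a start tag only.
        if tag in ALLOWED_TAGS:
            self.handle_starttag(tag, attrs)
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS else escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text, including the body of a <script> element, is always escaped.
        self.out.append(escape(data))


def sanitize(html):
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()  # flush any buffered text
    return "".join(parser.out)
```

Unlike bleach, this stand-in does not balance unclosed whitelisted tags, so it is a teaching aid rather than a drop-in replacement.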
Good Authentication
- Password safety with bcrypt+HMAC
- Blacklisted passwords
- Brute force prevention with ratelimit and reCAPTCHA
- Shows reCAPTCHA after multiple failed logins from the same IP, or for the same username from different IPs
Access Control
- Access Control: separate Presentation, Business, and Data layers
Transport Security [coming soon]
- Full and correct TLS
- HTTP Strict Transport Security
- Get the repository:
git clone https://github.com/haoqili/MozSecWorld
- Get the vendor library:
cd MozSecWorld/vendor
and do: git clone --recursive git://github.com/mozilla/playdoh-lib.git .
- Update jingo-minify, because the submodule might reference an older version:
cd vendor/src/jingo-minify && git fetch origin && git checkout origin/master
- Configure settings:
cp settings_local.py-dist settings_local.py
and then put a database account's username and password in settings_local.py, for example: 'USER': 'msw_user', 'PASSWORD': 'm3dRL2Asw7'
- Get a Google Safe Browsing key and fill it in in settings_local.py
- Get reCAPTCHA keys and fill them in in settings_local.py
- MySQL setup:
get the MySQL server:
sudo apt-get install mysql-server
mysql -u root -p
mysql> show databases;
mysql> select user, host from mysql.user;
mysql> grant all on mozsecworld.* to msw_user@localhost identified by 'm3dRL2Asw7';
mysql> create database mozsecworld;
- Get pip:
sudo apt-get install python-pip
- Get bcrypt:
sudo pip install py-bcrypt
If you have RHEL, you can do: yum install py-bcrypt
- Get jinja2:
sudo pip install jinja2
- Run the server:
python manage.py runserver
and you should see: Validating models... 0 errors found ...
- Go to 127.0.0.1:8000/msw and you should see a green-themed page :D
TODO: add default mysql
TODO: try pip install -r requirements/compiled.txt
- workon playdoh: go to Mozilla playdoh's environment
- mysql.server start: start the MySQL database
- ./manage.py runserver: starts the Django server so I can navigate to http://127.0.0.1:8000/msw/
apps/msw/models.py --> mysql
apps/msw/urls.py --> apps/msw/views.py --> apps/msw/templates/msw/*
- Add bleach: pip install -e git://github.com/jsocol/bleach.git#egg=bleach
... actually, bleach has since been added to playdoh, so this step is no longer needed.
- Download recaptcha-client from http://pypi.python.org/pypi/recaptcha-client and read http://curioushq.blogspot.com/2011/07/recaptcha-on-django.html
- CEF: inside your project home dir, do: pip install --no-install --build=vendor-local/packages --src=vendor-local/src -I cef
for more info
- PIL: inside your project home dir, do:
pip install --no-install --build=vendor-local/packages --src=vendor-local/src -I pil
- Jpeg:
brew install jpeg
- rebuild PIL:
pip install PIL==1.1.7 --upgrade
- Use PyOpenSSL and sockets, not urllib, because urllib's urlopen does not check the SSL server certificate (see the warning in the urllib documentation), which leaves it vulnerable to Man-In-The-Middle attacks.
--> PyOpenSSL install:
pip install pyopenssl