mozmark/MozSecWorld


About MozSecWorld

MozSecWorld is a reference site to help web developers make their sites more secure. It is a running Django web application demonstrating major security paradigms used within Mozilla web applications and security capabilities of modern browsers. Each security feature comes with a live demo, complete with explanations, diagrams, and code.

Like other Mozilla projects, MozSecWorld is completely open source. Feel free to comment, critique, or contribute. Please see the "Setup" section if you would like to set up MozSecWorld locally.

MozSecWorld is running at https://mozsecworld.org; the site will be fully functional by September 20th, 2011.

List of Demos

Cross Domain

  • x-frame-options: DENY
  • set-cookie: HTTPOnly
  • Content Security Policy
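The three Cross Domain protections above are all response headers, so they can be applied in one place. The following is an added example (not MozSecWorld's own code): a plain WSGI middleware that appends HttpOnly to every Set-Cookie, forces X-Frame-Options: DENY, and sets a Content-Security-Policy. The policy string, the demo_app and run_once helper are constructed for illustration.

```python
# Added example, not MozSecWorld code: a WSGI middleware applying the Cross Domain
# protections (X-Frame-Options: DENY, HttpOnly cookies, Content-Security-Policy).
# CSP_POLICY and demo_app are constructed for illustration.
from wsgiref.util import setup_testing_defaults

CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"  # constructed policy


def harden_headers(headers):
    """Return a new header list with the cross-domain protections applied.

    headers: list of (name, value) tuples as a WSGI app hands to start_response.
    """
    hardened = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie" and "httponly" not in value.lower():
            # Script on the page (e.g. injected via XSS) cannot read an HttpOnly cookie.
            value = value + "; HttpOnly"
        if lname in ("x-frame-options", "content-security-policy"):
            # Do not trust an upstream value for these; they are set below.
            continue
        hardened.append((name, value))
    # Framing denied outright: no site (same-origin included) may embed this page.
    hardened.append(("X-Frame-Options", "DENY"))
    hardened.append(("Content-Security-Policy", CSP_POLICY))
    return hardened


class SecurityHeadersMiddleware:
    """Wrap any WSGI app so every response passes through harden_headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            return start_response(status, harden_headers(headers), exc_info)
        return self.app(environ, hardened_start_response)


def demo_app(environ, start_response):
    """Constructed sample app that sets a session cookie without HttpOnly."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Set-Cookie", "sessionid=abc123; Path=/")])
    return [b"<html>hello</html>"]


def run_once(app):
    """Call a WSGI app with a synthetic request; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    status, headers, body = run_once(SecurityHeadersMiddleware(demo_app))
    for name, value in headers.items():
        print(f"{name}: {value}")
```

In a Django project the same logic belongs in a middleware class on the HttpResponse; the WSGI form is used here only so the example runs without Django installed. Note that run_once collapses headers into a dict, so an app emitting several Set-Cookie headers would need a list-based inspection instead.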

Input Validation

  • Parameterized SQL statements
  • Richtext, so users can use <i>, <b>, but not <script>
    • bleach only allows whitelisted HTML tags
  • Only safe URLs are clickable
    • Google SafeBrowsing and a 3-step HTTPS Google Validation
  • Image Upload following the “Image Upload” guidelines
    • strip away extraneous content with PIL rewrite
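The first two Input Validation items, parameterized SQL statements and a whitelist of allowed tags, are shown below in an added example that is not MozSecWorld's code. It uses only the standard library: sqlite3 stands in for MySQL, and a small html.parser-based sanitizer stands in for bleach (it is assumed, not taken from the project, that the whitelist is just <i> and <b>). The users table and all sample inputs are constructed.

```python
# Added example, not MozSecWorld code: parameterized SQL beside the unsafe string
# formatting it replaces, and a bleach-style tag whitelist. Standard library only;
# the table contents, ALLOWED_TAGS and sample inputs are constructed/assumed.
import sqlite3
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"i", "b"}  # assumption: the whitelist the richtext demo uses


def build_demo_db():
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_user_vulnerable(conn, username):
    """The anti-pattern: string formatting lets the input rewrite the query."""
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = '%s'" % username)
    return cur.fetchall()


def find_user_safe(conn, username):
    """Parameterized: the driver binds the value, so it can never become SQL."""
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,))
    return cur.fetchall()


class WhitelistSanitizer(HTMLParser):
    """Keep only whitelisted tags (with their attributes dropped); escape the rest.

    A non-whitelisted tag such as <script> is emitted as escaped text, so the
    browser shows it literally instead of executing it; its inner text is kept.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, style, ...) dropped
        else:
            self.out.append(escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        # Self-closing tags (<br/>, <img/>) are never in the whitelist; escape them.
        self.out.append(escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        self.out.append(escape(data))

    def result(self):
        return "".join(self.out)


def sanitize(html):
    """Return html with only <i> and <b> kept as markup."""
    parser = WhitelistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, probe))
    print("parameterized:", find_user_safe(conn, probe))
    print(sanitize("Hi <b>bold</b> <script>alert(1)</script>"))
```

The vulnerable function returns every row for the probe value because the input becomes part of the SQL text; the parameterized version returns nothing because the same string is only ever compared as data. The sanitizer follows the same whitelist principle as bleach: anything not explicitly allowed is neutralized rather than filtered out by a blacklist.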

Good Authentication

  • Password safety with bcrypt+HMAC
  • Black-listed passwords
  • Brute force prevention with ratelimit and reCAPTCHA
    • Shows reCAPTCHA after multiple failed logins from the same IP, or for the same username from different IPs
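The Good Authentication items above, as an added example that is not MozSecWorld's code. Standard library only: PBKDF2 stands in for bcrypt (assumption: py-bcrypt is not installed), the HMAC step mirrors "bcrypt+HMAC" by mixing a server-side secret into the password before hashing, and the blacklist, the lockout thresholds and the time window are constructed values. The LoginThrottle implements the rule from the list: require reCAPTCHA after several failures from one IP, or when one username is attempted from several IPs.

```python
# Added example, not MozSecWorld code: password hashing with an HMAC pepper,
# a password blacklist, and the failed-login rule that triggers reCAPTCHA.
# PBKDF2 stands in for bcrypt; HMAC_KEY, BLACKLIST and thresholds are constructed.
import hashlib
import hmac
import os
import time

HMAC_KEY = b"constructed-server-side-secret"   # assumption: kept out of the database
BLACKLIST = {"password", "123456", "qwerty", "letmein"}  # constructed sample list
MAX_FAILS_PER_IP = 3        # constructed thresholds
MAX_IPS_PER_USER = 2
WINDOW_SECONDS = 600


def hmac_password(password):
    """HMAC step of bcrypt+HMAC: a keyed hash, so a stolen table alone is useless."""
    return hmac.new(HMAC_KEY, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password, salt=None):
    """Salted slow hash of the HMAC output; returns 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", hmac_password(password), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def is_blacklisted(password):
    """Reject passwords from the known-weak list (case-insensitive)."""
    return password.lower() in BLACKLIST


class LoginThrottle:
    """Decide when the login form must show reCAPTCHA.

    Triggers on MAX_FAILS_PER_IP recent failures from one IP, or on one username
    failing from MAX_IPS_PER_USER distinct IPs, within WINDOW_SECONDS.
    """

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so the window can be tested
        self.failures = []        # (timestamp, ip, username)

    def _recent(self):
        cutoff = self.now() - WINDOW_SECONDS
        self.failures = [f for f in self.failures if f[0] >= cutoff]
        return self.failures

    def record_failure(self, ip, username):
        self.failures.append((self.now(), ip, username))

    def captcha_required(self, ip, username):
        recent = self._recent()
        fails_from_ip = sum(1 for _, fip, _u in recent if fip == ip)
        ips_for_user = {fip for _, fip, fuser in recent if fuser == username}
        return fails_from_ip >= MAX_FAILS_PER_IP or len(ips_for_user) >= MAX_IPS_PER_USER


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print("verify ok:", verify_password("correct horse battery", stored))
    throttle = LoginThrottle()
    for _ in range(MAX_FAILS_PER_IP):
        throttle.record_failure("10.0.0.1", "alice")
    print("captcha for 10.0.0.1:", throttle.captcha_required("10.0.0.1", "alice"))
```

In a deployment the failure list would live in a shared store (the project uses ratelimit for this) rather than in process memory, and the HMAC key would be loaded from settings_local.py, never committed alongside the hashes.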

Access Control

  • Access Control: separate Presentation, Business, and Data layers

Transport Security [coming soon]

  • Full and correct TLS
  • HTTP Strict Transport Security

Setup

  1. Get the repository: git clone https://github.com/haoqili/MozSecWorld

  2. Get the vendor library: cd MozSecWorld/vendor and do git clone --recursive git://github.com/mozilla/playdoh-lib.git .
    • Update jingo-minify, because the submodule may reference an older version: cd vendor/src/jingo-minify && git fetch origin && git checkout origin/master

  3. Configure settings: cp settings_local.py-dist settings_local.py
    • Then put a database account's user and password in settings_local.py, for example 'USER' : 'msw_user', 'PASSWORD' : 'm3dRL2Asw7'
    • Get a Google Safe Browsing key and fill it in in settings_local.py
    • Get reCAPTCHA keys and fill them in in settings_local.py

  4. MySQL setup:
    • Get the MySQL server: sudo apt-get install mysql-server
    • mysql -u root -p
    • mysql> show databases;
    • mysql> select user, host from mysql.user;
    • mysql> grant all on mozsecworld.* to msw_user@localhost identified by 'm3dRL2Asw7';
    • mysql> create database mozsecworld;

  5. Get pip: sudo apt-get install python-pip

  6. Get bcrypt: sudo pip install py-bcrypt. On RHEL you can do yum install py-bcrypt instead.

  7. Get jinja2: sudo pip install jinja2

  8. Run the server: python manage.py runserver and you should see

    Validating models... 0 errors found ...

  9. Go to 127.0.0.1:8000/msw and you should see a green-themed page :D

TODO: add default mysql

TODO: try pip install -r requirements/compiled.txt

How I start

workon playdoh to go to Mozilla playdoh's environment

mysql.server start to start the MySQL database

./manage.py runserver starts the Django server so I can navigate to http://127.0.0.1:8000/msw/

Overview of Files

apps/msw/models.py --> mysql
apps/msw/urls.py --> apps/msw/views.py --> apps/msw/templates/msw/*

Addons

Add bleach: pip install -e git://github.com/jsocol/bleach.git#egg=bleach (this is no longer needed, since bleach has since been added to playdoh). Download recaptcha-client from http://pypi.python.org/pypi/recaptcha-client and read http://curioushq.blogspot.com/2011/07/recaptcha-on-django.html.

CEF: inside your project home dir, do: pip install --no-install --build=vendor-local/packages --src=vendor-local/src -I cef. See the cef package for more info.

Image Upload

  • PIL: inside your project home dir, do: pip install --no-install --build=vendor-local/packages --src=vendor-local/src -I pil
  • Jpeg: brew install jpeg
  • rebuild PIL: pip install PIL==1.1.7 --upgrade

For HTTPS URL certificate checking

  • Use PyOpenSSL and sockets rather than urllib: urllib's urlopen does not check the server's SSL certificate (see the warning in the urllib documentation), which leaves the connection vulnerable to man-in-the-middle attacks. --> PyOpenSSL install: pip install pyopenssl
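The certificate-checking point above, as an added example that is not MozSecWorld's code. It uses the standard library ssl module instead of PyOpenSSL (an assumption; the page's choice of PyOpenSSL dates from Python 2, where urllib did not verify certificates, whereas current Python 3 verifies by default). unchecked_context reproduces the problem described: any certificate for any name is accepted. verifying_context is the corrected setting, and is_verifying is a small check a practitioner can run against any context before handing it to a socket.

```python
# Added example, not MozSecWorld code: the weak TLS client setting beside the
# corrected one, using the standard library ssl module in place of PyOpenSSL.
import socket
import ssl


def unchecked_context():
    """What a connection without certificate checking looks like: any cert,
    any name, is accepted, so an on-path attacker can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """A context that rejects untrusted chains and hostnames that don't match.

    cafile: optional PEM bundle; None uses the platform trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # These are already the defaults of create_default_context; they are set
    # explicitly so the intent survives if someone later swaps the constructor.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verifying(ctx):
    """True only if the context both validates the chain and matches the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def peer_subject(host, port=443, timeout=5.0, context=None):
    """Open a verified TLS connection and return the peer certificate's subject.

    Needs network access, so it is not exercised by the offline checks; a
    certificate or hostname mismatch raises ssl.SSLCertVerificationError.
    """
    context = context or verifying_context()
    if not is_verifying(context):
        raise ValueError("refusing to connect with an unverified TLS context")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("unchecked verifies:", is_verifying(unchecked_context()))
    print("default verifies:", is_verifying(verifying_context()))
```

The guard in peer_subject is the practical takeaway: whichever library fetches the URL, assert the verification settings once at the boundary rather than trusting that every call site configured them.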

License

BSD-3-Clause (LICENSE). A second license file, LICENSE.mpl, is present but its license was not detected.
