JavaScript specific
Developed by Péter Nyilasy
- Automatic conversions
- Type safety
- Variable scopes
- Eval, setTimeout, etc.
- XSS
- Types (reflected, stored, DOM-based, non-DOM-based)
- Dangerous JS functions (vanilla and jQuery)
- How to defend
- BeEF demo [*]
- Other HTML injections
- Open redirection
- Client-side SQLi [*]
- Cookie injection
- The same-origin policy, CSRF, CORS
- OSRF
- Clickjacking
- Tabnabbing
- Web Storage [*]
- WebSockets [*]
- Web Messaging [*]
- Web Workers [*]
- Iframe sandboxing
- CSP and other security headers
- ReactJS security [*]
- Angular security [*]
- JS obfuscation [*]
- Cryptography in JS [*]
[*] optional, delivered on demand
We assume that the developers attending the JS secdev course:
- are familiar with the JS language and with XOX
- understand the HTTP protocol and HTML
- are familiar with basic security features of an enterprise application (authentication, authorization, the concept of a session)
- have XOX and a suitable IDE installed on their laptop (labs desktop)