JavaScript specific

The language-specific module

Secure coding in JS

Developed by Péter Nyilasy

Is JS a secure language?

    Automatic conversions
    Type safety
    Variable scopes
    eval, setTimeout and other string-to-code sinks
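An added example for the "automatic conversions" and "type safety" items (not part of the course material): a plausible-looking authorization check written with loose equality, the set of attacker-supplied values that coerce to 0 and slip past it, and the strict version. The uid field, the helper names and the sample values are all assumptions constructed for the demonstration.

```javascript
// Added example (not course code): how JS automatic conversions and loose
// equality turn a plausible-looking check into a bypass. The uid field is
// assumed to come straight from a parsed query string or JSON body, i.e. it
// is attacker controlled and may be any JSON type, not just a string.

// Vulnerable: == applies ToNumber/ToPrimitive to both operands before
// comparing, so many unrelated inputs are "equal" to 0:
// "", " ", "0x0", "00", [], [0] and false all pass this check.
function isRootLoose(query) {
  return query.uid == 0;
}

// Hardened: insist on the expected type and on a canonical decimal form
// (no leading zeros, no whitespace, no hex), then compare strictly.
function isRootStrict(query) {
  const uid = query.uid;
  if (typeof uid !== 'string') return false;
  if (!/^(0|[1-9][0-9]*)$/.test(uid)) return false;
  return Number(uid) === 0;
}

// Lists which of the given sample values a check accepts, as JSON, so the
// attack surface of a comparison can be seen at a glance.
function bypasses(check, samples) {
  return samples
    .filter((v) => check({ uid: v }))
    .map((v) => JSON.stringify(v));
}

// Constructed inputs an attacker could send via ?uid=... or a JSON body
const SAMPLES = ['0', '', '0x0', ' ', [], [0], false, null, undefined, '00', 'a'];

console.log('loose  accepts:', bypasses(isRootLoose, SAMPLES).join(' '));
console.log('strict accepts:', bypasses(isRootStrict, SAMPLES).join(' '));
```

Note that null and undefined are falsy but do not compare equal to 0 under ==; the dangerous inputs are the ones that coerce to a number, and an array is among them because it first converts to a string.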

JS injections

      Types (reflected, stored, DOM-based, non-DOM-based)
      Dangerous JS functions (vanilla JS and jQuery)
      How to defend
      BeEF demo [*]
    Other HTML injections
    Open redirection
    Client-side SQLi [*]
    Cookie injection
    The same-origin policy, CSRF, CORS
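An added example for the "Open redirection" item (not part of the course material): a validator for a post-login redirect target that only ever produces a same-origin path, with the usual bypass attempts (protocol-relative URLs, backslash tricks, userinfo tricks, look-alike hosts, javascript: URLs) checked against it. The site origin, the function name and the sample targets are assumptions constructed for the demonstration.

```javascript
// Added example (not course code): safe handling of a user-supplied
// "return to" URL, e.g. /login?next=<target>. Assumes the application is
// served from SITE_ORIGIN; everything below is constructed for the demo.

const SITE_ORIGIN = 'https://app.example.com';

// Returns a relative path (with query and fragment) that is guaranteed to
// stay on our origin, or '/' if the target cannot be trusted.
function safeRedirectTarget(target, origin = SITE_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0) return '/';
  let url;
  try {
    // Relative paths resolve against our origin; absolute URLs and
    // scheme-relative ones (//host, /\host) keep their own host, which is
    // exactly what the origin comparison below catches.
    url = new URL(target, origin);
  } catch {
    return '/';
  }
  // Rejects other hosts, look-alike hosts (app.example.com.evil.net),
  // userinfo tricks (https://app.example.com@evil.net), and non-http
  // schemes such as javascript: or data:, whose origin is "null".
  if (url.origin !== origin) return '/';
  // Emit only path + query + fragment so the Location header can never
  // carry a host at all, whatever the parser did with the input.
  return url.pathname + url.search + url.hash;
}

// Constructed attack strings a pentester would try against ?next=
const PROBES = [
  '/account?tab=1#top',
  'https://app.example.com/orders',
  '//evil.net/',
  '/\\evil.net/',
  '/////evil.net/',
  'https://app.example.com@evil.net/',
  'https://app.example.com.evil.net/',
  'javascript:alert(document.domain)',
  'data:text/html,<script>alert(1)</script>',
];

for (const p of PROBES) {
  console.log(JSON.stringify(p), '->', safeRedirectTarget(p));
}
```

Comparing url.origin rather than inspecting the raw string is the key design choice: prefix checks like target.startsWith('/') or target.includes('app.example.com') are defeated by //evil.net, /\evil.net and app.example.com.evil.net, whereas the WHATWG URL parser resolves those to their real host before the comparison.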

HTML5 security

    Web storage [*]
    WebSockets [*]
    Web Messaging [*]
    Web Workers [*]
    Iframe sandboxing
    CSP and other security headers

Technology specific security

    ReactJS security [*]
    Angular security [*]

Other topics

    JS obfuscation [*]
    Cryptography in JS [*]
[*] optional, delivered on demand


We assume that the developers attending the JS secdev course:
    are familiar with the JS language and with XOX
    understand the HTTP protocol and HTML
    are familiar with basic security features of an enterprise application (authentication, authorization, the concept of a session)
    have XOX and a suitable IDE installed on their laptop (labs desktop)