Development on Various Platforms
Rescooped by Ertunç Efeoğlu from JavaScript for Line of Business Applications

JavaScript and Web Security

This 49-minute talk covers several topics in JavaScript and web security, including secure password storage and authentication, the SRP (Secure Remote Password) protocol, and common JavaScript security threats and injection techniques.


Via Jan Hesse
Rescooped by Ertunç Efeoğlu from JavaScript for Line of Business Applications

How easy is it to hack JavaScript in a browser?

Breaking down the possibilities of breaking in.

My question has to do with JavaScript security.

Imagine an auth system where you're using a JavaScript framework like Backbone or AngularJS, and you need secure endpoints. That's not a problem, as the server always has the last word and will check if you're authorized to do what you want.

But what if you need a little security without involving the server? Is that possible?

For example, say you've got a client-side routing system and you want a concrete route to be protected for logged-in users. So you ping the server asking if you're allowed to visit protected routes and you go on. The problem is that when you ping the server, you store the response in a variable, so the next time you go to a private route, it will check whether you're already logged in (no ping to the server), and depending on the response it will go on or not.

How easy is it for a user to modify that variable and get access?


Via Jan Hesse
Rescooped by Ertunç Efeoğlu from JavaScript for Line of Business Applications

Testing Security of HTML5 WebSockets

Recently I was faced with my first Web Application Security Assessment which relied heavily on HTML5's WebSockets.

The first clue that the application was using WebSockets was when the application kept giving me a timeout error while using my proxy of choice, Burp Suite. Looking at the HTTP requests/responses in Burp I noticed that a large JavaScript file was requested and downloaded from the server. Within this file I noticed a URL with the ws:// scheme, the WebSocket scheme.

For some reason the WebSocket handshake was not captured by Burp's Proxy (even though the Wireshark capture shows that the handshake was over HTTP); however, it can be viewed within Google Chrome's Developer Tools and OWASP's ZAP Proxy.


* Encryption (SSL/TLS)
* Origin
* Authentication
* Authorisation
* Input Sanitisation
Via Jan Hesse
Benjamin Dean's curator insight, September 3, 2013 1:13 AM

As web apps move to be more "real-time" via socket connections, this is probably a good discussion.

Rescooped by Ertunç Efeoğlu from JavaScript for Line of Business Applications

7 steps for building a secure web application


For years, security experts have warned of vulnerabilities in web applications. And these warnings are unfortunately coming to fruition. Today, the headlines are dominated with news of a hacker successfully infiltrating one web application or another. We cannot hack or firewall our way to become impenetrable – hackers have proved that – so what can be done to secure these often critical applications?

Thankfully, it is possible. Here are seven steps of security-centric programming needed to build low-risk web applications.

Step 1: Query Parameterisation
Step 2: Secure Password Storage
Step 3: Contextual Output Encoding XSS Defence
Step 4: Content Security Policy
Step 5: Cross Site Request Forgery
Step 6: Multi Factor Authentication
Step 7: Forgotten password security design


Via Jan Hesse