  1. Securing Angular and Node.js Apps in Azure. Brian Clark, _clarkio
  2. Casterly Rock
  3. Casterly Rock
  4. Casterly Rock
  5. Casterly Rock: "an impregnable fortress"
  6. Casterly Rock ?!
  7. Casterly Rock
  8. Deter your enemies
  9. Defending against…
  10. Defending against… Mortars, Arrows, Infantry
  11. OWASP
  12. Open Web Application Security Project, owasp.org
  13. Access Control
  14. Authentication: you are who you say you are. Authorization: you have the required permissions for the request.
  15. Browser http://insecureheroes.com → Server http://insecureheroes.com
  16. Browser http://insecureheroes.com → Server http://insecureheroes.com
  17. Browser http://insecureheroes.com → Server http://insecureheroes.com
  18. Browser http://insecureheroes.com (Cookies) → Server http://insecureheroes.com
  19. Browser http://insecureheroes.com (Cookies) → Server http://insecureheroes.com. Hero: Luke
  20. Demo
  21. Malicious Input
  22. Insecure Heroes, http://insecureheroes.com
  23. Cross-site Scripting (XSS): an attack that injects malicious code into a trusted web site such that it may be executed unintentionally by other users.
  24. Prevention. Content Security Policy: control what resources the browser is allowed to load. Input Handling: ensure data is aligned with the expectations for its intended use.
  25. Input Handling
  26. Input Handling
  27. Input Handling: Escaping, Sanitization, Validation
  28. Validation: ensure the data is legit. Invalid Email. Result:
  29. Sanitization: clean the bad data. BC. Result:
  30. Escaping: encode the bad data. B<script>alert(1);</script>C. Result:
  31. Do not trust user input
  32. Where should we apply input handlers?
  33. Where should we apply input handlers? Client? Server?
  34. Browser http://insecureheroes.com → Server http://insecureheroes.com
  35. Browser http://insecureheroes.com → Server http://insecureheroes.com. Security Boundary
  36. Browser http://insecureheroes.com → Server http://insecureheroes.com. Security Boundary. Untrusted
  37. Browser http://insecureheroes.com → Server http://insecureheroes.com. Security Boundary. Trusted
  38. Both
  39. https://angular.io/guide/security
  40. https://angular.io/guide/security
  41. ?
  42. https://www.npmjs.com/package/express-validator
  43. https://www.npmjs.com/package/xss-filters
  44. Demo
  45. Content Security Policy
  46. Content Security Policy. Inline script: <script>var x = "yz";</script>. Header: Content-Security-Policy: default-src 'self'. Describes source types in directives (css, image, etc.). Inline style: <div style="{margin-top:10px;}">
  47. https://www.npmjs.com/package/helmet
  48. https://www.npmjs.com/package/helmet
  49. Faking Requests
  50. Browser http://insecureheroes.com (Cookies) → Server http://insecureheroes.com. Hero: Luke
  51. Browser http://insecureheroes.com (Cookies) → Server http://insecureheroes.com. http://clickbaity.co
  52. Browser http://insecureheroes.com (Cookies) → Server http://insecureheroes.com. http://attacker.com. Attack insecureheroes.com. Hero: Darth
  53. Demo
  54. Cross-site Request Forgery: an attack that executes a request on behalf of another authenticated user who was not intending to perform the action being requested.
  55. Synchronizer Token Pattern: random token; unique to user and session; included as a header; validated server-side.
  56. https://www.npmjs.com/package/csurf
  57. https://angular.io/guide/http#security-xsrf-protection
  58. Demo
  59. Stealing Clicks
  60. Demo
  61. Clickjacking: an attack that tricks users into clicking on content that they were not intending to click on.
  62. Clickjacking Mitigation. X-FRAME-OPTIONS: DENY, SAMEORIGIN, ALLOW-FROM URL* (*or Content-Security-Policy: frame-ancestors URL)
  63. https://helmetjs.github.io/
  64. Demo
  65. Package Management
  66. https://nodesecurity.io/opensource
  67. https://snyk.io
  68. Demo
  69. Summary: Access Control, Faking Requests, Stealing Clicks, Package Management, Malicious Input
  70. © DEVintersection 2017. All rights reserved. https://www.DEVintersection.com. References:
     - https://owasp.org
     - https://github.com/Azure-Samples/angular-cosmosdb (branch: insecure-heroes)
     - https://angular.io/guide/security
     - https://www.npmjs.com/package/csurf
     - https://angular.io/guide/http#security-xsrf-protection
     - https://www.npmjs.com/package/helmet
     - https://nodesecurity.io/opensource
     - https://snyk.io
  71. Please use EventsXD to fill out a session evaluation. Thank you! Brian Clark, _clarkio