Is your app secure

•

1 like•100 views

Chathuranga Bandara

Securing Angular or Single Page application app from XSS and XSRF (CSRF) attacks

Software

Is Your App Secure
Chathur anga Bandar a

Who TF is this?
• Engineer by profession, Husband and a Father by decision
• Love Python
• Love and hate JavaScript
• Have 8 odd years of experience doing some coding and shit
• Like CnH2n+1OH, Gin to be specific

Best Practices
-
Security Implementations

“enables an attacker toinject
client-side script into web pages
viewed by other users”

Rather Like an overprotective Girl/Boy Friend

“Angular treats all values as
untrusted bydefault. When a
value is insertedinto the DOM
froma template, via property,
attribute, style and class binding,
orinterpolation,
Angular sanitizes and escapes
untrusted values.”

unsafe value usedin a resource URL context.

“You can compilethe app
in the browser, at runtime,
as the application loads,
usingthe just-in-time (JIT) compiler.
This is the standard development approach
shownthroughout the documentation.
It's great but it has shortcomings.”

“With AOT, the compiler
runs onceat build time
using oneset of libraries;
with JIT it runs every time
forevery user at runtime
using a different set of libraries.”

Faster Rendering
FewerAsync Requests
Smaller Angular frameworkdownload
Detect Template Errors earlier
Better Security

Never use Angular Templating fromServer side

“Cross-Site Request Forgery(CSRF) is an attack
that forcesan end user to executeunwanted
actions ona web application in whichthey're
currentlyauthenticated.”

To prevent this, the application
must ensure that a user
request originates fromthe
real application

Angular's HttpClient has built-in support
for theclient-side half ofthis technique.

What's hot

April jakartajs meetup how to handle 300k user traffic @kumparan

Ferdian Robianto

Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet

5h1vang

Password Management

Rick Chin

Esoteric xss payloads

Riyaz Walikar

Dzhengis 93098 ajax - security

dzhengo44

The Patsy Proxy

BaronZor

What's hot (6)

April jakartajs meetup how to handle 300k user traffic @kumparan

Owasp Top 10 (M-10 : Lack of Binary Protection) | Null Meet

Password Management

Esoteric xss payloads

Dzhengis 93098 ajax - security

The Patsy Proxy

Similar to Is your app secure

PADMA_UI_HYDERABAD_3_YRS

padmavathi elluru

React commonest security flaws and remedial measures!

Shelly Megan

Hiring Django Developers for Success.pdf

AIS Technolabs Pvt Ltd

Mr. Mohammed Aldoub - A case study of django web applications that are secur...

nooralmousa

Case Study of Django: Web Frameworks that are Secure by Default

Mohammed ALDOUB

In mobile app spaces, with all these evolving technologies and competitors, 𝗽𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 plays an important role in terms of delivering a seamless end-user experience. Improving performance has become the top priority for all global mobile app companies as it directly impacts user experience, retention rates, conversions, and ultimately revenue. Even if we deliver a brilliant feature with performance issues, people will eventually stop using those apps. As high-performing apps are user favourites, we testers should also adopt performance-centric strategies while testing mobile apps. In this talk, you will learn about: Basic types of mobile apps. An overview of important performance metrics to consider. Basics and importance of mobile app performance testing with trends and parameters. Factors to consider while evaluating an app’s performance & ideas to prepare a performance-oriented testing strategy. Best practices and tools to consider for providing valuable insights to stakeholders. Quick glance at the rise of 5G and its impact in the mobile app space.

[TTT Meetup] Enhance mobile app testing with performance-centric strategies (...

NITHIN S.S

Django (Web Applications that are Secure by Default)

Kishor Kumar

Best Web Development Frameworks.pptx

Biztech Consulting & Solutions

CGG and TiE "Officially Supported" by Department of Communications and IT, Government of Andhra Pradesh along with E2labs, Asia's first Anti - Hacking Academy is jointly organizing a 5 days Advanced Program on "Learn - Breaking Down the Security of a Website, Web Application or Company for Real" from Monday, 22nd October to Friday, 26th October at CGG (Centre of Good Governance),Rd# 25,Jubilee Hills, Hyderabad.

E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE

e2-labs

Understanding the development process, the variables that affect development costs, and the best practices for budgeting and managing blockchain projects is crucial for ensuring their success and efficiency. Learn how to plan for and control the spending on your blockchain projects with this comprehensive guide, updated for 2023. https://www.semaphore-software.com/emerging-technologies/hire-blockchain-developers/

Blockchain-budget-app-development.pptx

SemaphoreSoftware1

Stapling and patching the web of now - ForwardJS3, San Francisco

Christian Heilmann

Erik Costlow, Product Evangelist at Contrast Security, was Oracle's principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.

Securing a Cloud Migration

Carlos Andrés García

Securing a Cloud Migration

VMware Tanzu

Mobile app developers have been engaged in a philosophical debate about "HTML5 vs. Native" for a couple of years now. But more and more in-the-know mobile strategists are deciding the answer is "Neither." Rather than choose between rich and interactive native experiences or portable and cost-effective web development, more apps are being deployed using web technologies and "native containers" to deliver the best of both worlds. Highlights: - What is a "container?" - What are the different types of containers? - For which types of apps is each appropriate? - What are the advantages of a container deployment strategy? - Are there good examples of successfully deployed containerized mobile apps?

Demystifying the Mobile Container - PART I

Relayware

DaZhangJM0203JM0203

Da Zhang

LATEST_TRENDS_IN_WEBSITE_DEVELOPMENT.pptx

chitrachauhan21

Native - Hybrid - Web Mobile Architectures

Phong Le Duy

Big Improvement_ New AngularJS Tools Changing How We Develop.pptx

sarah david

Building SPAs with AngularJS

Cezar Carneiro

quantum_leap_angularjs_tools_redefining_development_in_2023.pptx

sarah david

Similar to Is your app secure (20)

PADMA_UI_HYDERABAD_3_YRS

React commonest security flaws and remedial measures!

Hiring Django Developers for Success.pdf

Mr. Mohammed Aldoub - A case study of django web applications that are secur...

Case Study of Django: Web Frameworks that are Secure by Default

[TTT Meetup] Enhance mobile app testing with performance-centric strategies (...

Django (Web Applications that are Secure by Default)

Best Web Development Frameworks.pptx

E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE

Blockchain-budget-app-development.pptx

Stapling and patching the web of now - ForwardJS3, San Francisco

Securing a Cloud Migration

Demystifying the Mobile Container - PART I

DaZhangJM0203JM0203

LATEST_TRENDS_IN_WEBSITE_DEVELOPMENT.pptx

Native - Hybrid - Web Mobile Architectures

Big Improvement_ New AngularJS Tools Changing How We Develop.pptx

Building SPAs with AngularJS

quantum_leap_angularjs_tools_redefining_development_in_2023.pptx

Recently uploaded

WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...

WSO2

%in Soweto+277-882-255-28 abortion pills for sale in soweto

masabamasaba

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2

WSO2CON 2024 - Lessons from the Field: Legacy Platforms – It's Time to Let Go...

WSO2

ADR, or Architecture Decision Record, is a valuable tool in software development for several reasons. It provides a centralized location for documenting and tracking architectural decisions, aiding both current and future team members. ADRs enhance communication among team members by documenting the rationale behind architectural decisions, especially beneficial during onboarding of new team members or when revisiting decisions. They serve as a knowledge base, enabling teams to learn from past decisions and refine their decision-making process. Additionally, ADRs contribute to transparency by helping stakeholders understand the reasons behind specific architectural choices. As with any other tool or process, introducing them into an organization can face several obstacles, and overcoming these challenges is crucial for successful implementation. In this talk I go through some common problems and our way of solving them.

Architecture decision records - How not to get lost in the past

Papp Krisztián

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

WSO2CON 2024 - Does Open Source Still Matter?

WSO2

WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source

WSO2

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

masabamasaba

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

WSO2

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2

WSO2CON2024 - It's time to go Platformless

WSO2

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

WSO2

WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation

WSO2

Modeling languages are generally applied for developing systems and software – both internally, with domain-specific languages, and with standardized languages targeting a general purpose and a wide audience. Way too often these languages are weakly created and defined leading to poor quality: Language definitions tend to contain errors and inconsistencies; notations do not recognize the communication and problem-solving needs of humans; standardization organizations push exchange formats that do not fully work and offer certificates that do not measure mastery of the language. We describe common problems in language development and point them out with examples from known cases. To overcome these problems, we suggest several solutions to improve language development, including using modeling languages specifically designed to define modeling languages, continuous testing and prototyping, and keeping language users in the loop.

What Goes Wrong with Language Definitions and How to Improve the Situation

Juha-Pekka Tolvanen

Recently uploaded (20)

WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...

%in Soweto+277-882-255-28 abortion pills for sale in soweto

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2CON 2024 - Lessons from the Field: Legacy Platforms – It's Time to Let Go...

Architecture decision records - How not to get lost in the past

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2CON 2024 - Does Open Source Still Matter?

WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source

%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2CON2024 - It's time to go Platformless

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation

What Goes Wrong with Language Definitions and How to Improve the Situation

Is your app secure

1. Is Your App Secure Chathur anga Bandar a

2. Who TF is this? • Engineer by profession, Husband and a Father by decision • Love Python • Love and hate JavaScript • Have 8 odd years of experience doing some coding and shit • Like CnH2n+1OH, Gin to be specific

4. What Does Securing your app means?

5. Best Practices - Security Implementations

6. Use Latest Angular Possible

7. XSS | XSRF

8. XSS?

9. “enables an attacker toinject client-side script into web pages viewed by other users”

10.

11.

12. How toPrevent?

13. Angular is a Good Guy..

14. Rather Like an overprotective Girl/Boy Friend

15. “Angular treats all values as untrusted bydefault. When a value is insertedinto the DOM froma template, via property, attribute, style and class binding, orinterpolation, Angular sanitizes and escapes untrusted values.”

16.

17. unsafe value usedin a resource URL context.

18. Bypassing?

19. Makesure you sanitize after!

20.

21.

22. Avoid direct DOMmanipulations

23.

24.

25. Ahead-of-Time Compilation

26. “You can compilethe app in the browser, at runtime, as the application loads, usingthe just-in-time (JIT) compiler. This is the standard development approach shownthroughout the documentation. It's great but it has shortcomings.”

27. “With AOT, the compiler runs onceat build time using oneset of libraries; with JIT it runs every time forevery user at runtime using a different set of libraries.”

28. Faster Rendering FewerAsync Requests Smaller Angular frameworkdownload Detect Template Errors earlier Better Security

29. Never use Angular Templating fromServer side

30. XSRF??

31. “Cross-Site Request Forgery(CSRF) is an attack that forcesan end user to executeunwanted actions ona web application in whichthey're currentlyauthenticated.”

32. To prevent this, the application must ensure that a user request originates fromthe real application

33. Angular's HttpClient has built-in support for theclient-side half ofthis technique.

34. CookieXSRFStrategy

35.

36. Macaroons

37. Decentralized Authorization

38. js-macaroon

39. Python, C, C++,C#,Java

40. http://macaroons.io/

41. Thank you

Editor's Notes

Good evening everyone. In this session I’m going to talk about Angular-CLI. Which is the Command Line Interface for Angular 2 development
Angular throwing this error because the <iframe src> attribute is a resource URL security context, because an untrusted source can, for example, smuggle in file downloads that unsuspecting users could execute.
Faster rendering With AOT, the browser downloads a pre-compiled version of the application. The browser loads executable code so it can render the application immediately, without waiting to compile the app first. Fewer asynchronous requests The compiler inlines external HTML templates and CSS style sheets within the application JavaScript, eliminating separate ajax requests for those source files. Smaller Angular framework download size There's no need to download the Angular compiler if the app is already compiled. The compiler is roughly half of Angular itself, so omitting it dramatically reduces the application payload. Detect template errors earlier The AOT compiler detects and reports template binding errors during the build step before users can see them. Better security AOT compiles HTML templates and components into JavaScript files long before they are served to the client. With no templates to read and no risky client-side HTML or JavaScript evaluation, there are fewer opportunities for injection attacks.
CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request

Is your app secure

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to Is your app secure

Similar to Is your app secure (20)

More from Chathuranga Bandara

More from Chathuranga Bandara (9)

Recently uploaded

Recently uploaded (20)

Is your app secure

Editor's Notes