Ran Bar-Zik, profile picture
Uploaded byRan Bar-Zik
PPTX, PDF2,023 views

Javascript Security - Three main methods of defending your MEAN stack

The document outlines critical security practices for JavaScript applications, focusing on vulnerabilities like XSS, CSRF, and SQL injection, emphasizing the importance of input validation and output sanitization. It presents practical solutions such as using validation libraries and middleware in Node.js, along with best practices for ensuring secure application development. Additionally, it stresses that developers don't need to be hackers to implement robust security measures effectively.

Embed presentation

Downloaded 17 times
JAVASCRIPT SECURITY RAN BAR-ZIK, HPE 2016
RAN BAR-ZIK Blogger an writer @ internet- Israel.com [Hebrew] Software developer at HPE Father of 4 children Marathoner Expert in PowerPoint :P Connect with me on LinkedIn
HACKERS - MYTH Source: https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg
HACKERS - REALITY Source: https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png
HACKS CYCLE Security hole created Someone finds it (Vulnerability test, penetration testing etc.) Patch is being issues Hackers track the patch list and create bot Programmer create code
YOU DON’T NEED TO BE A HACKER TO PROTECT YOURSELF • You don’t need to be a professional burglar in order to know how to lock doors. • First know about the attack, and then learn how to deal with it. • Implementing security in JavaScript is easy, fun and can win you true love!
XSS – CROSS SIDE SCRIPTING XSS is very simple: Attacker can insert custom JavaScript to the site.
TWO MAIN WAYS TO HELL XSS • By not validating the input before insertion to the DataBase. • By not sanitizing the output before showing it to the user.
VALIDATE Input validation on server side. Making sure that the input is what you want. Using node.js? Great! Use validate.js module, this is what we do.
VALIDATE.JS EXAMPLE var express = require("express"); var validation = require("validator"); var bodyParser = require("body-parser"); var app = express(); app.use(bodyParser.urlencoded({ extended: false })); app.get('/',function(req,res){ res.sendFile(__dirname + '/form.html'); }); /* Form will redirect here with Input data */ app.post('/validateform',function(req,res){ if(!validation.isEmail(req.body.email)) { //True or false return by this function. res.send("Email is Bad"); } else if(!validation.isAlpha(req.body.user_name)) { res.send("Name is Bad"); } else { res.send("Form submitted"); } }); app.listen(4000);
WHY HASSLE? USE EXPRESS.JS MIDDLEWARE Express.js entry point express- validator middle ware All your strings are validated See for yourself! https://github.com/ctavan/express-validator
SANITIZATION Simple: Do not allow running JavaScript code in the output.
DOING SANITIZATION • Using angular.js? It comes free without charge! Even ngBindHtml is not allowing <script> tag. • Using another platform? Use the sanitization tools that come with it.
There are more ways to insert JavaScript to elements! Meet the wonderful world of HTML5 vulnerabilities! Allowing users to insert <videos> elements? <video><source onerror="alert(1)"> Will work on ChromeFirefox Check https://html5sec.org/
CROSS SITE REQUEST FORGERY (CSRF) • Every site operation is REST API request. For example: • GET /users • DELETE user/123 • PUT user/123 {role: admin}
<a href="https://most-secured-site.com/delete- all-users"> Click here to see the model naked! <img src="hot_model_almost_naked" /> </a>
SOLUTION TO CSRF Use tokens! Server generated unique strings that is based on some hash value + time and generated every time the form is outputted and submitted along the form. No valid token? Get out!
HOW TO IMPLEMENT CSRF? In node.js Express.js just use csurf middleware! https://github.com/expressjs/csurf Make sure to implement it both on client and server side!
SQL INJECTION IN NOSQL DATABASENODE.JS • SQL Injection can be performed on any database. • The Database can be MongoDB, the server can be Node.js, but the method is the same.
NOSQL INJECTION IN MONGODB db.users.find({username: username, password: password}); app.post('/', function (req, res) { db.users.find({username: req.body.username, password: req.body.password}, function (err, users) { // if it is True, run the following code. }); }); POST http://target/ HTTP/1.1 Content-Type: application/json { "username": {"$gt": ""}, "password": {"$gt": ""} }
SOLUTION TO SQL INJECTION • Sanitize and validate, the same as XSS.
FINAL WORDS OF WISDOM

More Related Content

PPTX
Client-side JavaScript Vulnerabilities
byOry Segal
 
PPTX
Javascript Security
byjgrahamc
 
PDF
JavaScript Security
byJason Harwig
 
PPT
Node.JS security
byDeepu S Nath
 
PPTX
Flash it baby!
bySoroush Dalili
 
PPTX
WordPress automation and CI
byRan Bar-Zik
 
PDF
Make CSRF Again
byNetsparker
 
PPTX
Your Script Just Killed My Site
bySteve Souders
 
Client-side JavaScript Vulnerabilities
byOry Segal
 
Javascript Security
byjgrahamc
 
JavaScript Security
byJason Harwig
 
Node.JS security
byDeepu S Nath
 
Flash it baby!
bySoroush Dalili
 
WordPress automation and CI
byRan Bar-Zik
 
Make CSRF Again
byNetsparker
 
Your Script Just Killed My Site
bySteve Souders
 

What's hot

PPTX
Server-side template injection- Slides
byAmit Dubey
 
PPTX
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
bylokeshpidawekar
 
PDF
How to secure web applications
byMohammed A. Imran
 
PPTX
Manual JavaScript Analysis Is A Bug
byLewis Ardern
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PPTX
Cache is King
bySteve Souders
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
Same-origin Policy (SOP)
byNetsparker
 
PDF
Frontend SPOF
byPatrick Meenan
 
PDF
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
PPT
Fav
byhelloppt
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
PDF
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
byOtto Kekäläinen
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
PPT
Logical Attacks(Vulnerability Research)
byAjay Negi
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
Server-side template injection- Slides
byAmit Dubey
 
Hacker's Practice Ground - Wall of Sheep workshops - Defcon 2015
bylokeshpidawekar
 
How to secure web applications
byMohammed A. Imran
 
Manual JavaScript Analysis Is A Bug
byLewis Ardern
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bybugcrowd
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Cache is King
bySteve Souders
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Same-origin Policy (SOP)
byNetsparker
 
Frontend SPOF
byPatrick Meenan
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
byCysinfo Cyber Security Community
 
Fav
byhelloppt
 
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
byOtto Kekäläinen
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
byLewis Ardern
 
Logical Attacks(Vulnerability Research)
byAjay Negi
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 

Similar to Javascript Security - Three main methods of defending your MEAN stack

PDF
Security in Node.JS and Express:
byPetros Demetrakopoulos
 
PDF
Neoito — Secure coding practices
byNeoito
 
PDF
DEF CON 23 - amit ashbel and maty siman - game of hacks
byFelipe Prado
 
PDF
Node.js Security Done Right - Tips and Tricks They Won't Teach You In School
byLiran Tal
 
PDF
Secure java script-for-developers
byn|u - The Open Security Community
 
PDF
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
byLiran Tal
 
PPTX
Secure Coding for NodeJS
byThang Chung
 
PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
PDF
Application security 101
byVlad Garbuz
 
PDF
Securing your AngularJS Application
byPhilippe De Ryck
 
PDF
Surviving Web Security
byGergely Németh
 
PDF
Testing NodeJS Security
byJose Manuel Ortega Candel
 
PDF
Locking the Throneroom 2.0
byMario Heiderich
 
PPTX
Security in NodeJS applications
byDaniel Garcia (a.k.a cr0hn)
 
PPTX
Prevoty NYC Java SIG 20150730
bychadtindel
 
PDF
Securing Your BBC Identity
byMarc Littlemore
 
PDF
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
PPTX
Web Application Security in front end
byErlend Oftedal
 
PDF
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
byMario Heiderich
 
PPT
(In)Security Implication in the JS Universe
byStefano Di Paola
 
Security in Node.JS and Express:
byPetros Demetrakopoulos
 
Neoito — Secure coding practices
byNeoito
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
byFelipe Prado
 
Node.js Security Done Right - Tips and Tricks They Won't Teach You In School
byLiran Tal
 
Secure java script-for-developers
byn|u - The Open Security Community
 
Cluj JSHeroes 2017 - Liran Tal on Node.js Security
byLiran Tal
 
Secure Coding for NodeJS
byThang Chung
 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
Application security 101
byVlad Garbuz
 
Securing your AngularJS Application
byPhilippe De Ryck
 
Surviving Web Security
byGergely Németh
 
Testing NodeJS Security
byJose Manuel Ortega Candel
 
Locking the Throneroom 2.0
byMario Heiderich
 
Security in NodeJS applications
byDaniel Garcia (a.k.a cr0hn)
 
Prevoty NYC Java SIG 20150730
bychadtindel
 
Securing Your BBC Identity
byMarc Littlemore
 
Appsec XSS Case Study
byMohamed Ridha CHEBBI, CISSP
 
Web Application Security in front end
byErlend Oftedal
 
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...
byMario Heiderich
 
(In)Security Implication in the JS Universe
byStefano Di Paola
 

More from Ran Bar-Zik

PPTX
How to track users
byRan Bar-Zik
 
PPTX
7 deadly front end sins
byRan Bar-Zik
 
PPTX
Javascript static code analysis
byRan Bar-Zik
 
PPTX
Quality code in wordpress
byRan Bar-Zik
 
PPTX
How to get your first job at the Israeli high tech industry
byRan Bar-Zik
 
PPTX
WordPress Security 101 for developers
byRan Bar-Zik
 
PDF
Drupal Security
byRan Bar-Zik
 
PPTX
Presentation skills - course example
byRan Bar-Zik
 
PPTX
HTML5 for dummies
byRan Bar-Zik
 
PPTX
Basic web dveleopers terms for UX and graphic designers
byRan Bar-Zik
 
PPTX
HTML55 media api
byRan Bar-Zik
 
PPTX
Features in Drupal 7/6
byRan Bar-Zik
 
How to track users
byRan Bar-Zik
 
7 deadly front end sins
byRan Bar-Zik
 
Javascript static code analysis
byRan Bar-Zik
 
Quality code in wordpress
byRan Bar-Zik
 
How to get your first job at the Israeli high tech industry
byRan Bar-Zik
 
WordPress Security 101 for developers
byRan Bar-Zik
 
Drupal Security
byRan Bar-Zik
 
Presentation skills - course example
byRan Bar-Zik
 
HTML5 for dummies
byRan Bar-Zik
 
Basic web dveleopers terms for UX and graphic designers
byRan Bar-Zik
 
HTML55 media api
byRan Bar-Zik
 
Features in Drupal 7/6
byRan Bar-Zik
 

Recently uploaded

PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
Track Phone Location via Number (2026)_ What Actually Works, What’s a Scam, a...
byEmily Woods
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
BEP-20 Token on BNB Chain: From Concept to Deployment.pdf
byimoliviabennett
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 

Javascript Security - Three main methods of defending your MEAN stack

  • 1.
  • 2.
    RAN BAR-ZIK Bloggeran writer @ internet- Israel.com [Hebrew] Software developer at HPE Father of 4 children Marathoner Expert in PowerPoint :P Connect with me on LinkedIn
  • 3.
    HACKERS - MYTH Source:https://commons.wikimedia.org/wiki/File:Hacker_-_Hacking_-_Symbol.jpg
  • 4.
    HACKERS - REALITY Source:https://pixabay.com/static/uploads/photo/2014/04/03/11/55/robot-312566_960_720.png
  • 5.
    HACKS CYCLE Security hole created Someonefinds it (Vulnerability test, penetration testing etc.) Patch is being issues Hackers track the patch list and create bot Programmer create code
  • 6.
    YOU DON’T NEEDTO BE A HACKER TO PROTECT YOURSELF • You don’t need to be a professional burglar in order to know how to lock doors. • First know about the attack, and then learn how to deal with it. • Implementing security in JavaScript is easy, fun and can win you true love!
  • 7.
    XSS – CROSSSIDE SCRIPTING XSS is very simple: Attacker can insert custom JavaScript to the site.
  • 8.
    TWO MAIN WAYSTO HELL XSS • By not validating the input before insertion to the DataBase. • By not sanitizing the output before showing it to the user.
  • 9.
    VALIDATE Input validation onserver side. Making sure that the input is what you want. Using node.js? Great! Use validate.js module, this is what we do.
  • 10.
    VALIDATE.JS EXAMPLE var express= require("express"); var validation = require("validator"); var bodyParser = require("body-parser"); var app = express(); app.use(bodyParser.urlencoded({ extended: false })); app.get('/',function(req,res){ res.sendFile(__dirname + '/form.html'); }); /* Form will redirect here with Input data */ app.post('/validateform',function(req,res){ if(!validation.isEmail(req.body.email)) { //True or false return by this function. res.send("Email is Bad"); } else if(!validation.isAlpha(req.body.user_name)) { res.send("Name is Bad"); } else { res.send("Form submitted"); } }); app.listen(4000);
  • 11.
    WHY HASSLE? USEEXPRESS.JS MIDDLEWARE Express.js entry point express- validator middle ware All your strings are validated See for yourself! https://github.com/ctavan/express-validator
  • 12.
    SANITIZATION Simple: Do notallow running JavaScript code in the output.
  • 13.
    DOING SANITIZATION • Usingangular.js? It comes free without charge! Even ngBindHtml is not allowing <script> tag. • Using another platform? Use the sanitization tools that come with it.
  • 14.
    There are moreways to insert JavaScript to elements! Meet the wonderful world of HTML5 vulnerabilities! Allowing users to insert <videos> elements? <video><source onerror="alert(1)"> Will work on ChromeFirefox Check https://html5sec.org/
  • 15.
    CROSS SITE REQUESTFORGERY (CSRF) • Every site operation is REST API request. For example: • GET /users • DELETE user/123 • PUT user/123 {role: admin}
  • 16.
    <a href="https://most-secured-site.com/delete- all-users"> Click hereto see the model naked! <img src="hot_model_almost_naked" /> </a>
  • 17.
    SOLUTION TO CSRF Usetokens! Server generated unique strings that is based on some hash value + time and generated every time the form is outputted and submitted along the form. No valid token? Get out!
  • 18.
    HOW TO IMPLEMENTCSRF? In node.js Express.js just use csurf middleware! https://github.com/expressjs/csurf Make sure to implement it both on client and server side!
  • 19.
    SQL INJECTION INNOSQL DATABASENODE.JS • SQL Injection can be performed on any database. • The Database can be MongoDB, the server can be Node.js, but the method is the same.
  • 20.
    NOSQL INJECTION INMONGODB db.users.find({username: username, password: password}); app.post('/', function (req, res) { db.users.find({username: req.body.username, password: req.body.password}, function (err, users) { // if it is True, run the following code. }); }); POST http://target/ HTTP/1.1 Content-Type: application/json { "username": {"$gt": ""}, "password": {"$gt": ""} }
  • 21.
    SOLUTION TO SQLINJECTION • Sanitize and validate, the same as XSS.
  • 22.