Classification: Public
Welcome
to the SBA Live Academy
#bleibdaheim #remotelearning
Today: A Primer in Single Page Application Security
by Thomas Konrad
You are automatically muted on entry; please use the chat to interact with us.
This talk will be recorded as soon as the presentation starts!
The recording will end BEFORE the Q&A session starts.
A Primer in
Single Page Application Security
Thomas Konrad, SBA Research
SBA Research gGmbH, 2020
What are Single Page Applications?
Image source: https://dotcms.com/blog/post/what-is-a-single-page-application-and-should-you-use-one-
Popular SPA Frameworks
SPAs: Advantages
• Speed
• Re-use of APIs
• Offline app usage (PWA)
• Separation of Concerns
• Security.
• But!
Image source: https://dotcms.com/blog/post/what-is-a-single-page-application-and-should-you-use-one-
SPA Security Concerns Tag Cloud
CORS
Outdated Libraries
Server-side Template Injection
CSRF
Authentication
Transport Security
Cross-Site Scripting (XSS)
And its relation to Single Page Application frameworks
SPAs and XSS?
SPA XSS = DOM XSS
Easy to introduce,
hard to detect
https://www.youtube.com/watch?v=H_XDL1juAkQ
DOM XSS: A Basic Example
• User-controlled input
• DOM XSS sink
<script>
var x = window.location.hash;                 // user-controlled input
document.querySelector('#el').innerHTML = x;  // DOM XSS sink
</script>
Triggering URL: https://example.com/#<img src=x onerror=alert(1)/>
The DOM Is A Mess: XSS Sinks
Image source: https://www.youtube.com/watch?v=vYA81UAExKA
https://github.com/wisec/domxsswiki/wiki
SPAs, innerHTML and XSS
Input:
const html = '<img src=x onerror=alert(1)/>';

Angular:
<span [innerHTML]="html"></span>
Angular sanitizes this! Rendered output: <img src=x />

React:
<span dangerouslySetInnerHTML={{ __html: html }}></span>
Makes you fear! (the name warns you; the value is not sanitized)

Vue:
<span v-html="html"></span>
Makes you feel safe! (the name does not warn you; the value is not sanitized)
SPAs, href and XSS
Input:
const link = 'javascript:alert(1)';

Angular:
<a [href]="link">Click</a>
Angular sanitizes this! Rendered output: href="unsafe:javascript:alert(1)"

React:
<a href={link}>Click</a>
Makes you feel safe! (the value is not sanitized)

Vue:
<a :href="link">Click</a>
Makes you feel safe! (the value is not sanitized)
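The Angular `unsafe:` rewrite shown above is a scheme check. As an added example (not code from the slides or from any of the three frameworks), the following helper performs that check for any framework before a value is bound to `href`, using the platform URL parser instead of a hand-written regex so that mixed case, leading whitespace and embedded tabs are all normalised before the scheme is compared. `safeHref`, `linkAttributes`, `ALLOWED_PROTOCOLS` and the placeholder origin `app.example.invalid` are assumptions.

```javascript
// Added example, not from the slides: one scheme check for dynamic href values,
// independent of the framework doing the binding.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Placeholder origin (assumption) used to resolve relative links such as "/profile".
const APP_ORIGIN = 'https://app.example.invalid/';

// Returns a normalised absolute URL string when the link is safe to bind, otherwise
// null so the caller can drop the href (and render plain text) instead of the link.
function safeHref(candidate, base = APP_ORIGIN) {
  if (typeof candidate !== 'string') return null;
  let url;
  try {
    // The WHATWG parser strips ASCII tabs and newlines and lower-cases the scheme,
    // so "JaVa\tScRiPt:" still ends up with url.protocol === "javascript:".
    url = new URL(candidate, base);
  } catch {
    return null; // unparsable input is never a link
  }
  // Allowlist, not blocklist: javascript:, data:, vbscript: and any future scheme fail here.
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Convenience for templates: an attribute map that can be spread onto an <a> element.
function linkAttributes(candidate) {
  const href = safeHref(candidate);
  return href === null ? {} : { href };
}
```

Because the check is an allowlist on the parsed protocol, the variants a blocklist tends to miss (`JaVaScRiPt:`, `java\tscript:`, `&#106;avascript:` after HTML decoding, `data:`) are all rejected by the same line.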
DOMPurify
import createDOMPurify from 'dompurify';
const purify = createDOMPurify();

purify.sanitize('<img src=x onerror=alert(1)//>');
// becomes <img src="x">

purify.sanitize('<svg><g/onload=alert(2)//<p>');
// becomes <svg><g></g></svg>

purify.sanitize('<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>');
// becomes <p>abcdef</p>
https://github.com/cure53/DOMPurify
Limitations of the Angular Sanitizer
• It is strict and does not allow e.g. style, custom tags, or customization
• Then people do this:
https://angular.io/guide/security#sanitization-and-security-contexts
import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

// The pipe's name promises sanitization, but bypassSecurityTrustHtml does the
// opposite: it tells Angular to render the string as-is, without sanitizing it.
@Pipe({ name: 'sanitizeHtml', pure: false })
export class SanitizeHtmlPipe implements PipeTransform {
  constructor(private sanitizer: DomSanitizer) {}

  transform(content: string): SafeHtml {
    return this.sanitizer.bypassSecurityTrustHtml(content);
  }
}
Don't do this!
Creating an Angular Pipe safeHtml
import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
import createDOMPurify from 'dompurify';

@Pipe({ name: 'safeHtml' })
export class SafeHtmlPipe implements PipeTransform {
  private readonly domPurify = createDOMPurify();

  constructor(private sanitized: DomSanitizer) {}

  transform(value: string): SafeHtml {
    // Sanitize with DOMPurify first; only the sanitized result is marked as trusted,
    // which stops Angular's stricter built-in sanitizer from stripping it again.
    return this.sanitized.bypassSecurityTrustHtml(
      this.domPurify.sanitize(value, {
        ADD_TAGS: ['custom-element'], // Explicitly allow this tag
        ADD_ATTR: ['x-data']
        // Be careful with the style attribute! [1] [2]
      })
    );
  }
}
[1] https://code.google.com/archive/p/browsersec/wikis/Part1.wiki (see section "Cascading stylesheets")
[2] https://github.com/angular/angular/blob/master/packages/core/src/sanitization/style_sanitizer.ts
Defense in Depth: Content Security Policy (CSP)
• HTTP response header (or meta tag)
• Created for reducing XSS risk
• Whitelist for dynamic resources
Content-Security-Policy: script-src 'self' cdn.example.com
<script src="//cdn.example.com/jquery.min.js"></script>
<script src="/js/app.js"></script>
<script src="http://evil.com/pwnage.js"></script>
Refused to load the script 'http://evil.com/pwnage.js' because it violates the
following Content Security Policy directive: "script-src 'self'
cdn.example.com".
The Heart of CSP
• By default,
o inline scripts are prohibited,
o eval() is prohibited,
o setTimeout() and setInterval()
with inline code are prohibited,
o the Function() constructor is prohibited
CSP and SPAs Are Friends
If you go the happy path, there are no inline scripts!
<!DOCTYPE html>
<html>
<head>
<title>My App</title>
<link href=/js/app.4d3dc64c.js rel=preload as=script>
<link href=/js/chunk-vendors.6cb936cb.js rel=preload as=script>
<link href=/css/app.5a859f25.css rel=stylesheet>
<link href=/css/chunk-vendors.87ee1366.css rel=stylesheet>
</head>
<body>
<div id=app></div>
<script src=/js/chunk-vendors.6cb936cb.js></script>
<script src=/js/app.4d3dc64c.js></script>
</body>
</html>
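The two CSP slides above (the `script-src 'self' cdn.example.com` header with its "Refused to load" message, and the built `index.html` with no inline scripts) can be checked mechanically. The following is an added example, not code from the slides or from any browser: a JavaScript model of how the `script-src` directive is applied to each `<script>` element of a page, covering `'self'`, host sources (with optional scheme, port and `*.` wildcard) and the default prohibition of inline scripts. Nonces, hashes and `'strict-dynamic'` are out of scope. The sample header, page URL and HTML are constructed from the slides, with one inline script added; all function names are assumptions.

```javascript
// Added example, not from the slides: a model of how a browser applies a CSP
// script-src directive to the <script> elements of a page. It covers 'self', host
// sources (with scheme, port and *.wildcard) and the default ban on inline scripts;
// nonces, hashes and 'strict-dynamic' are out of scope.

// Constructed inputs: the header and tags from the slides plus one inline script.
const SAMPLE_CSP = "Content-Security-Policy: script-src 'self' cdn.example.com";
const SAMPLE_PAGE_URL = 'https://example.com/';
const SAMPLE_HTML = `
<script src="//cdn.example.com/jquery.min.js"></script>
<script src="/js/app.js"></script>
<script src="http://evil.com/pwnage.js"></script>
<script>window.bootstrap = true;</script>
`;

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Source list of script-src (falling back to default-src), or null when the
// policy does not restrict scripts at all.
function parseScriptSrc(header) {
  const body = header.replace(/^Content-Security-Policy:\s*/i, '');
  const directives = new Map();
  for (const part of body.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives.get('script-src') ?? directives.get('default-src') ?? null;
}

// Does one source expression match the URL of a script loaded by this page?
function sourceMatches(source, scriptUrl, page) {
  if (source === "'self'") return scriptUrl.origin === page.origin;
  if (source.startsWith("'")) return false;       // other keywords never match a URL
  if (source === '*') return /^https?:$/.test(scriptUrl.protocol);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (`${scheme.toLowerCase()}:` !== scriptUrl.protocol) return false;
  } else if (scriptUrl.protocol !== page.protocol &&
             !(page.protocol === 'http:' && scriptUrl.protocol === 'https:')) {
    return false;                                  // scheme-less hosts inherit the page scheme
  }
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.') ? scriptUrl.hostname.endsWith(h.slice(1))
                                    : scriptUrl.hostname === h;
  if (!hostOk) return false;
  if (port === undefined) return scriptUrl.port === '';   // only the scheme's default port
  return port === '*' || port === (scriptUrl.port || DEFAULT_PORT[scriptUrl.protocol]);
}

// Pull <script> elements out of HTML. A small regex is enough for a built SPA
// index.html; it is not a general HTML parser.
function findScripts(html) {
  const found = [];
  const tag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tag.exec(html)) !== null) {
    const attr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    found.push(attr ? { src: attr[1] ?? attr[2] ?? attr[3] } : { inline: m[2] });
  }
  return found;
}

// Decide, script by script, what the browser would do under this policy.
function evaluateScripts(html, cspHeader, pageUrl) {
  const page = new URL(pageUrl);
  const sources = parseScriptSrc(cspHeader);
  return findScripts(html).map(s => {
    if (s.src === undefined) {
      const allowed = sources === null || sources.includes("'unsafe-inline'");
      return { script: '(inline)', allowed,
               reason: allowed ? 'allowed' : 'inline scripts are prohibited by default' };
    }
    const url = new URL(s.src, page);              // resolves "//cdn..." and "/js/..."
    const allowed = sources === null || sources.some(src => sourceMatches(src, url, page));
    return { script: url.href, allowed,
             reason: allowed ? 'allowed' : `violates "script-src ${sources.join(' ')}"` };
  });
}

// Report for the constructed sample; an SPA built on the "happy path" should
// produce no "(inline)" rows here.
function demo() {
  return evaluateScripts(SAMPLE_HTML, SAMPLE_CSP, SAMPLE_PAGE_URL);
}
```

Run against a build's `index.html` before deployment, any `(inline)` row is a script the policy will silently refuse, and any external row marked `allowed: false` is a host that either must be added to `script-src` or should not be there at all.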
The Future: Trusted Types
• The idea
o Don’t pass strings to DOM XSS sinks
o Use objects instead
o Make security decisions explicit
o Strongly typed DOM API!
const el = document.createElement('div');
el.innerHTML = { toString: () => 'test' };
el.innerHTML; // "test" (today's DOM stringifies whatever you assign)
Trusted Types: CSP
Content-Security-Policy: trusted-types *

const el = document.createElement('div');
el.innerHTML = '<img src=x onerror=alert(1)/>';
// With Trusted Types enforced, this plain-string assignment is rejected by the browser.
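To make the four bullets of "The idea" concrete, here is an added example that is not code from the slides and not the browser's Trusted Types API or a polyfill: a miniature JavaScript model in which the `innerHTML` sink refuses anything that is not a `TrustedHTML` object, and a policy's `createHTML` callback is the only place a string can become one. The policy here makes the simplest possible decision (HTML-escape everything); a policy that must allow markup would call a sanitizer such as DOMPurify at that point. `createPolicy`, `createGuardedElement`, the `POLICY_ONLY` token and the policy name are assumptions of the model.

```javascript
// Added example, not from the slides and not the browser API: a miniature model of
// the Trusted Types idea. Sinks stop accepting strings; a policy is the only place a
// string can be turned into a TrustedHTML object; so the policy's createHTML callback
// is where the security decision lives and the only code a reviewer has to audit.

const POLICY_ONLY = Symbol('policy-only');

class TrustedHTML {
  #value;
  constructor(token, value) {
    // Application code cannot mint these; only a policy holds the token.
    if (token !== POLICY_ONLY) throw new TypeError('TrustedHTML can only be created by a policy');
    this.#value = value;
  }
  toString() { return this.#value; }
}

// Mirrors the shape of trustedTypes.createPolicy(name, { createHTML }): the callback
// returns a string and the policy wraps it. (Model only; names are assumptions.)
const policies = new Map();
function createPolicy(name, { createHTML }) {
  if (policies.has(name)) throw new TypeError(`policy "${name}" already exists`);
  const policy = Object.freeze({
    name,
    createHTML: input => new TrustedHTML(POLICY_ONLY, createHTML(String(input))),
  });
  policies.set(name, policy);
  return policy;
}

// A stand-in for an element whose innerHTML setter is under enforcement (in current
// browsers that is the CSP `require-trusted-types-for 'script'`; the slide shows the
// earlier `trusted-types *` form).
function createGuardedElement() {
  let html = '';
  return {
    set innerHTML(value) {
      if (!(value instanceof TrustedHTML)) {
        throw new TypeError('This document requires TrustedHTML assignment');
      }
      html = String(value);
    },
    get innerHTML() { return html; },
  };
}

// The policy used here makes the simplest possible decision: HTML-escape everything.
// A policy that must allow some markup would call a sanitizer such as DOMPurify here.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
const escapePolicy = createPolicy('escape-only', { createHTML: escapeHtml });

// The slide's snippets under enforcement: the raw string and the object with a
// toString() (which today's DOM happily stringifies) are both rejected; only a
// policy-produced value reaches the sink.
function demo() {
  const el = createGuardedElement();
  const results = {};
  try { el.innerHTML = '<img src=x onerror=alert(1)/>'; results.rawString = 'assigned'; }
  catch (e) { results.rawString = e.constructor.name; }
  try { el.innerHTML = { toString: () => 'test' }; results.stringifiable = 'assigned'; }
  catch (e) { results.stringifiable = e.constructor.name; }
  el.innerHTML = escapePolicy.createHTML('<img src=x onerror=alert(1)/>');
  results.viaPolicy = el.innerHTML;
  return results;
}
```

The point of the model is the review surface: with string assignment gone, a code review of DOM XSS risk reduces to reading the `createHTML` callbacks of the registered policies, rather than every call site that touches `innerHTML`.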
Trusted Types: Browser Support
Trusted Types: Angular
SPA Developer’s Checklist: XSS
❑ Follow the “happy path” wherever possible
❑ A.k.a. avoid DOM Kung-fu
❑ Blacklist common DOM XSS sinks via the linter
❑ If you process HTML, sanitize it with DOMPurify
❑ Use event handlers instead of dynamic href
❑ Never use non-trusted templates
❑ Use a sensible Content Security Policy
Outdated Libraries
And approaches to get them under control
Angular Project with Router and SCSS
> cloc node_modules
------------------------------------------------------
Language         files     blank   comment      code
------------------------------------------------------
JavaScript       16214    171274    786507   3076493
JSON              1887       298         0    247588
Markdown          1628     73253         4    177074
TypeScript        3069     16591    128264    153548
HTML               227     13191       214     25464
CSS                135       380      2275     22039
https://github.com/cure53/DOMPurify
https://angular.io/guide/setup-local
npm audit
> npm audit
# ...
found 81959 vulnerabilities (81914 low, 45 moderate) in 2120806 scanned packages
  run `npm audit fix` to fix 81624 of them.
  335 vulnerabilities require manual review. See the full report for details.
Automate Dependency Checks!
1. Trigger them automatically on every git push
2. Fail the build!
3. Do it regularly even if no pushes happen!
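Step 2, failing the build, is the one that needs code. The following is an added example, not a script from the slides or from npm: a JavaScript gate that reads the JSON form of `npm audit`, counts findings at or above a severity threshold, lists the responsible packages, and returns a non-zero exit code for the pipeline. It assumes the report carries `metadata.vulnerabilities` severity counts (npm 6 and later) and, for npm 7 and later, a `vulnerabilities` map keyed by package name with `severity` and `fixAvailable` fields; the sample report and its package names are constructed, and `gateDecision`, `runGate` and the other function names are assumptions.

```javascript
// Added example, not from the slides: a CI gate over the JSON form of `npm audit`.
// Assumptions: the report has `metadata.vulnerabilities` severity counts (npm 6 and
// later) and, for npm 7+, a `vulnerabilities` map keyed by package name with
// `severity` and `fixAvailable` fields. Threshold and sample data are constructed.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report (package names are placeholders, not real advisories).
const SAMPLE_REPORT = {
  vulnerabilities: {
    'example-template': { name: 'example-template', severity: 'high', fixAvailable: true },
    'example-parser':   { name: 'example-parser',   severity: 'high', fixAvailable: false },
    'example-logger':   { name: 'example-logger',   severity: 'low',  fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 40, moderate: 3, high: 2, critical: 0 } },
};

function severityRank(name) {
  const rank = SEVERITY_ORDER.indexOf(String(name).toLowerCase());
  if (rank < 0) throw new Error(`unknown severity: ${name}`);
  return rank;
}

// Number of findings at or above the threshold, taken from the summary counts.
function countAtOrAbove(report, threshold) {
  const counts = report?.metadata?.vulnerabilities;
  if (!counts) throw new Error('unexpected audit report: missing metadata.vulnerabilities');
  const min = severityRank(threshold);
  return SEVERITY_ORDER.slice(min).reduce((sum, sev) => sum + (counts[sev] || 0), 0);
}

// Packages responsible for the blocking findings (npm 7+ report shape), so the
// failed job says what to fix and whether `npm audit fix` can do it.
function blockingPackages(report, threshold) {
  const min = severityRank(threshold);
  return Object.values(report.vulnerabilities || {})
    .filter(v => severityRank(v.severity) >= min)
    .map(v => `${v.name} (${v.severity}${v.fixAvailable ? ', fix available' : ', manual review'})`)
    .sort();
}

function gateDecision(report, threshold = 'high') {
  const blocking = countAtOrAbove(report, threshold);
  return {
    fail: blocking > 0,
    blocking,
    packages: blockingPackages(report, threshold),
    summary: `${blocking} finding(s) at or above "${threshold}"`,
  };
}

// Entry point for a pipeline step: pass it the text of `npm audit --json` and use
// the returned code as the process exit status (non-zero fails the build).
function runGate(auditJson, threshold = 'high') {
  const decision = gateDecision(JSON.parse(auditJson), threshold);
  console.log(decision.summary);
  for (const p of decision.packages) console.log(`  - ${p}`);
  return decision.fail ? 1 : 0;
}
```

Wire `runGate` into a job that runs on every push and also on a schedule (step 3), so that an advisory published on a quiet week still turns the pipeline red; the threshold is deliberately a parameter, because the slide's 81914 "low" findings would otherwise make the gate permanently red and therefore ignored.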
SPA Developer’s Checklist: Dependencies
❑ Choose your dependencies wisely
❑ Check your dependencies in an automated way
❑ Fail the build if there are severe vulnerabilities
❑ Run the check regularly even if there is no push
❑ Advanced
❑ Have a good test coverage
❑ A bot submits a pull request with updates
❑ Merge it automatically if tests are green
A Few More Things
Transport Security, CSRF, CORS, Server-side Template
Injection, WebSockets
SPA Developer’s Checklist: Multiple Topics
❑ Use TLS with Strict-Transport-Security and Preload!
❑ Use the SameSite Cookie flag or explicit auth against CSRF!
❑ Don’t use a * whitelist or Origin reflection for CORS!
❑ For WebSockets, check the Origin header on the server!
❑ Never render SPA templates dynamically on the server!
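The CORS and WebSocket items of this checklist share one decision: is the `Origin` header on an allowlist, compared as a whole origin? As an added example (not code from the slides), the following JavaScript shows that decision on the server side: CORS headers are emitted only for an allowlisted origin (never `*`, never a reflection of whatever was sent), and a WebSocket upgrade is accepted only after the same check, since browsers do not apply CORS to the upgrade request. The allowlist, the `app.example.invalid` origins and the function names are assumptions.

```javascript
// Added example, not from the slides: server-side Origin handling for the CORS and
// WebSocket items of the checklist. The allowlist is a constructed placeholder; the
// functions return the decision so they can be unit-tested without a server.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.invalid',
  'https://admin.example.invalid',
]);

// Normalise an Origin header value to scheme://host[:port]; returns null for
// anything that is not a well-formed origin ("null", garbage, a path appended).
function normalizeOrigin(header) {
  if (typeof header !== 'string') return null;
  let url;
  try { url = new URL(header); } catch { return null; }
  if (url.origin === 'null') return null;   // opaque origins (sandboxed frames, file:)
  // A real Origin header carries no path, query, fragment or credentials.
  if (url.pathname !== '/' || url.search || url.hash || url.username) return null;
  return url.origin;   // lower-cased scheme and host, default port dropped
}

// CORS: echo the origin only when it is on the allowlist (never "*", never blind
// reflection), and mark the response as varying by Origin so shared caches do not
// serve one origin's answer to another.
function corsHeadersFor(originHeader) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};   // no CORS headers: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// WebSockets: browsers do not apply CORS to the upgrade request, so the server must
// check Origin itself before completing the handshake.
function acceptWebSocketUpgrade(headers) {
  const origin = normalizeOrigin(headers['origin']);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}
```

Comparing the full origin (scheme, host and port) rather than a substring is what defeats lookalikes such as `https://app.example.invalid.attacker.invalid` or a plain-`http` version of an allowlisted host; both fall into the `{}` branch.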
Thomas Konrad
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 664 889 272 17
tkonrad@sba-research.org
@_thomaskonrad
Photo by Emily Morter on Unsplash
Follow me on Twitter! @_thomaskonrad
Resources
• Krzysztof Kotowicz on Trusted Types & the end of DOM XSS: https://youtu.be/vYA81UAExKA
• Philippe De Ryck – Angular / OWASP Top 10 Cheat Sheet:
https://pragmaticwebsecurity.com/files/cheatsheets/angularowasptop10.pdf
• Philippe De Ryck – React XSS Avoidance Cheat Sheet:
https://pragmaticwebsecurity.com/files/cheatsheets/reactxss.pdf
• W3C GitHub repository on Trusted Types: https://github.com/w3c/webappsec-trusted-types
• Angular DOM Sanitizer docs: https://angular.io/api/platform-browser/DomSanitizer
• React docs on dangerouslySetInnerHTML: https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
• Vue.js docs on security: https://vuejs.org/v2/guide/security.html
• GitHub docs on Security Alerts: https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
• GitLab docs on Dependency Scanning:
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Bridging Science and Industry
Applied Research
Industrial Security | IIoT Security |
Mathematics for Security Research |
Machine Learning | Blockchain | Network
Security | Sustainable Software Systems |
Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings |
Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
#bleibdaheim #remotelearning
Coming up @ SBA Live Academy
Wed, 22 April, 13:00, live
Data Protection, Part 1:
What are data protection laws for?
Gerald Sendera
Join our Meetup group!
https://www.meetup.com/Security-Meetup-by-SBA-Research/

SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...
 
SBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a ContainerSBA Security Meetup: I want to break free - The attacker inside a Container
SBA Security Meetup: I want to break free - The attacker inside a Container
 
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig
 
Secure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas FalkSecure development on Kubernetes by Andreas Falk
Secure development on Kubernetes by Andreas Falk
 
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talksSBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks
 
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen MitarbeiternSBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern
 
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...Tools &amp; techniques, building a dev secops culture at mozilla   sba live a...
Tools &amp; techniques, building a dev secops culture at mozilla sba live a...
 
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...
 
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Live Academy - Secure Containers for Developer by Mathias Tausig
SBA Live Academy - Secure Containers for Developer by Mathias Tausig
 
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...
 
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...
 
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...
 
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon TjoaSBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa
 
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald SenderaSBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera
 
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
SBA Live Academy: Remote Access – Top Security Challenges – Teil 2 by Günther...
 
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
SBA Live Academy, Supply Chain & Cyber Security in einem Atemzug by Stefan Ja...
 
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
SBA Live Academy - Remote Access – Top Security Challenges, Part 1 - Günther ...
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 

SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad

  • 1. Welcome to the SBA Live Academy (#bleibdaheim #remotelearning). Today: A Primer in Single Page Application Security by Thomas Konrad. You are automatically muted on entry; please use the chat to interact with us. This talk will be recorded as soon as the presentation starts! The recording will end BEFORE the Q&A session starts.
  • 2. A Primer in Single Page Application Security. Thomas Konrad, SBA Research. SBA Research gGmbH, 2020
  • 3. What are Single Page Applications? (Image source: https://dotcms.com/blog/post/what-is-a-single-page-application-and-should-you-use-one-)
  • 4. Popular SPA Frameworks
  • 5. SPAs: Advantages
    • Speed
    • Re-use of APIs
    • Offline app usage (PWA)
    • Separation of Concerns
    • Security.
    • But!
    (Image source: https://dotcms.com/blog/post/what-is-a-single-page-application-and-should-you-use-one-)
  • 6. SPA Security Concerns Tag Cloud: CORS, Outdated Libraries, Server-side Template Injection, CSRF, Authentication, Transport Security
  • 7. Cross-Site Scripting (XSS), and its relation to Single Page Application frameworks
  • 8. SPAs and XSS? SPA XSS = DOM XSS. Easy to introduce, hard to detect. https://www.youtube.com/watch?v=H_XDL1juAkQ
  • 9. DOM XSS: A Basic Example
    • User-controlled input (the URL fragment)
    • DOM XSS sink (innerHTML)

      <script>
      var x = window.location.hash;
      document.querySelector('#el').innerHTML = x;
      </script>

    Triggering URL: https://example.com/#<img src=x onerror=alert(1)/>
  • 10. The DOM Is A Mess: XSS Sinks. Image source: https://www.youtube.com/watch?v=vYA81UAExKA; sink list: https://github.com/wisec/domxsswiki/wiki
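The hardened counterpart of the slide-9 snippet, as an added example that is not part of the slides: the fragment is data, so it is written through textContent (which never parses HTML) or HTML-encoded before it is joined into markup. The element stand-in, the helper names and the input string are assumptions made for this example.

```javascript
// Added example, not from the slides: safe handling of the slide-9 input.

// Encode the characters that can change HTML context. The map covers both
// text and quoted-attribute contexts, so the result is safe in either.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decode the fragment the way the page would see it. A malformed
// percent-escape must not crash the page, so fall back to the raw text.
function fragmentValue(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw;
  }
}

// Safe sink: `el` is any object with a textContent property (a real
// Element in the browser; a plain object in the test stand-in below).
// textContent stores the string as a single text node, so the <img ...>
// payload from slide 9 is displayed literally and never parsed.
function renderHashAsText(el, hash) {
  el.textContent = fragmentValue(hash);
  return el.textContent;
}

// When markup is genuinely needed, build it from encoded pieces; the
// user-controlled part cannot leave its text node.
function greetingMarkup(name) {
  return `<p>Hello, <b>${escapeHtml(name)}</b>!</p>`;
}

// Constructed input: the same fragment as the slide-9 URL.
const constructedHash = '#<img src=x onerror=alert(1)/>';
```

In an SPA the same rule reads: bind user data with text interpolation and reserve the raw-HTML bindings of slide 11 for content that has been through a sanitizer such as DOMPurify (slide 13).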
  • 11. SPAs, innerHTML and XSS
    Input:
      const html = '<img src=x onerror=alert(1)/>';
    Angular:
      <span [innerHTML]="html"></span>
      Angular sanitizes this! Rendered output: <img src=x />
    React:
      <span dangerouslySetInnerHTML={{ __html: html }}></span>
      Makes you fear!
    Vue:
      <span v-html="html"></span>
      Makes you feel safe!
  • 12. SPAs, href and XSS
    Input:
      const link = 'javascript:alert(1)';
    Angular:
      <a [href]="link">Click</a>
      Angular sanitizes this! The bound value becomes unsafe:javascript:alert(1)
    React:
      <a href={link}>Click</a>
      Makes you feel safe!
    Vue:
      <a :href="link">Click</a>
      Makes you feel safe!
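What a component has to do itself where the framework does not rewrite the scheme (the React and Vue cases on slide 12), as an added example that is not part of the slides: an explicit URL-scheme allowlist applied before the value is bound. The function name, the allowed scheme set and the base URL are assumptions made for this example.

```javascript
// Added example, not from the slides: scheme allowlist for href values.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Return the link if its scheme is allowed, otherwise a harmless
// placeholder. `base` resolves relative links; the value is a constructed
// default for this example.
function safeHref(link, base = 'https://app.example.test/') {
  let url;
  try {
    // The WHATWG URL parser lower-cases the scheme and strips leading
    // whitespace, so "  JaVaScRiPt:alert(1)" still ends up with protocol
    // "javascript:" and is rejected; a denylist on the raw string would
    // miss such variants.
    url = new URL(String(link), base);
  } catch (e) {
    return 'about:blank';   // unparsable input is never a valid link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : 'about:blank';
}
```

Slide 23 goes one step further and recommends event handlers instead of dynamic href values; the allowlist above is for the cases where a dynamic link is unavoidable.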
  • 13. DOMPurify (https://github.com/cure53/DOMPurify)

      import createDOMPurify from 'dompurify';
      const purify = createDOMPurify();

      purify.sanitize('<img src=x onerror=alert(1)//>');
      // becomes <img src="x">

      purify.sanitize('<svg><g/onload=alert(2)//<p>');
      // becomes <svg><g></g></svg>

      purify.sanitize('<p>abc<iframe//src=jAva&Tab;script:alert(3)>def</p>');
      // becomes <p>abcdef</p>
  • 14. Limitations of the Angular Sanitizer
    • It is strict and does not allow e.g. style, custom tags, or customization
    • Then people do this:

      import { Pipe, PipeTransform } from '@angular/core';
      import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

      @Pipe({ name: 'sanitizeHtml', pure: false })
      export class SanitizeHtmlPipe implements PipeTransform {
        constructor(private sanitizer: DomSanitizer) {}

        transform(content: string): SafeHtml {
          // Marks arbitrary input as trusted: no sanitization happens at all
          return this.sanitizer.bypassSecurityTrustHtml(content);
        }
      }

    Don’t do this!
    https://angular.io/guide/security#sanitization-and-security-contexts
  • 15. Creating an Angular Pipe safeHtml

      import { Pipe, PipeTransform } from '@angular/core';
      import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
      import createDOMPurify from 'dompurify';

      @Pipe({ name: 'safeHtml' })
      export class SafeHtmlPipe implements PipeTransform {
        private domPurify: ReturnType<typeof createDOMPurify>;

        constructor(private sanitized: DomSanitizer) {
          this.domPurify = createDOMPurify();
        }

        transform(value: string): SafeHtml {
          // Sanitize with DOMPurify first, then tell Angular the result is trusted
          return this.sanitized.bypassSecurityTrustHtml(
            this.domPurify.sanitize(value, {
              ADD_TAGS: ['custom-element'], // Explicitly allow this tag
              ADD_ATTR: ['x-data']          // Be careful with the style attribute! [1] [2]
            })
          );
        }
      }

    [1] https://code.google.com/archive/p/browsersec/wikis/Part1.wiki (see section "Cascading stylesheets")
    [2] https://github.com/angular/angular/blob/master/packages/core/src/sanitization/style_sanitizer.ts
  • 16. Defense in Depth: Content Security Policy (CSP)
    • HTTP response header (or meta tag)
    • Created for reducing XSS risk
    • Whitelist for dynamic resources

      Content-Security-Policy: script-src 'self' cdn.example.com

      <script src="//cdn.example.com/jquery.min.js"></script>
      <script src="/js/app.js"></script>
      <script src="http://evil.com/pwnage.js"></script>

    Browser console:
      Refused to load the script 'http://evil.com/pwnage.js' because it violates the following Content Security Policy directive: "script-src 'self' cdn.example.com".
  • 17. The Heart of CSP
    • By default,
      o inline scripts are prohibited,
      o eval() is prohibited,
      o setTimeout() and setInterval() with inline code are prohibited,
      o the Function() constructor is prohibited
  • 18. CSP and SPAs Are Friends. If you go the happy path, there are no inline scripts!

      <!DOCTYPE html>
      <html>
      <head>
        <title>My App</title>
        <link href=/js/app.4d3dc64c.js rel=preload as=script>
        <link href=/js/chunk-vendors.6cb936cb.js rel=preload as=script>
        <link href=/css/app.5a859f25.css rel=stylesheet>
        <link href=/css/chunk-vendors.87ee1366.css rel=stylesheet>
      </head>
      <body>
        <div id=app></div>
        <script src=/js/chunk-vendors.6cb936cb.js></script>
        <script src=/js/app.4d3dc64c.js></script>
      </body>
      </html>
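The decision behind the browser message on slide 16, and a check for the keywords that hand back what slide 17 says CSP blocks by default, as an added example that is not part of the slides. It is a teaching model of the CSP3 source-matching rules for 'self', host sources (scheme, port, leading "*." wildcard) and scheme sources; path matching, nonces and hashes are out of scope. The function names and the page URL are assumptions made for this example.

```javascript
// Added example, not from the slides: a small script-src evaluator.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "script-src 'self' cdn.example.com; object-src 'none'" -> Map(name -> [sources])
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// host-source grammar: [scheme://]host[:port][/path]
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return null;
  return { scheme: m[1] ? `${m[1].toLowerCase()}:` : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Does a single source expression allow scriptUrl on the given page?
function sourceMatches(expr, scriptUrl, page) {
  if (expr === "'self'") return scriptUrl.origin === page.origin;
  if (expr.startsWith("'")) return false;   // 'none', nonces, hashes, 'unsafe-*' never match a URL
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return scriptUrl.protocol === expr.toLowerCase();

  const src = parseHostSource(expr);
  if (!src) return false;
  // Scheme: an explicit scheme must match exactly; a bare host takes the
  // page's scheme, except that an http: page may also load https: scripts.
  const schemeOk = src.scheme
    ? src.scheme === scriptUrl.protocol
    : scriptUrl.protocol === page.protocol || (page.protocol === 'http:' && scriptUrl.protocol === 'https:');
  if (!schemeOk) return false;
  // Port: "*" matches anything; otherwise compare effective ports (default port when omitted).
  const urlPort = scriptUrl.port || DEFAULT_PORT[scriptUrl.protocol] || '';
  const wantPort = src.port || DEFAULT_PORT[src.scheme || scriptUrl.protocol] || '';
  if (src.port !== '*' && wantPort !== urlPort) return false;
  // Host: "*.example.com" matches any subdomain but not example.com itself.
  if (src.host.startsWith('*.')) return scriptUrl.hostname.endsWith(src.host.slice(1));
  return scriptUrl.hostname === src.host;
}

// Would the page at pageUrl be allowed to load scriptSrc under this header?
function isScriptAllowed(header, scriptSrc, pageUrl) {
  const page = new URL(pageUrl);
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                    // no directive: nothing to enforce
  const scriptUrl = new URL(scriptSrc, page);   // resolves "/js/app.js" and "//cdn..."
  return sources.some((expr) => sourceMatches(expr, scriptUrl, page));
}

// Flag keywords that re-enable what the CSP default blocks (slide 17).
// Deliberately conservative: CSP3 ignores 'unsafe-inline' when a nonce or
// hash is also present, but a reviewer still wants to see it listed.
function auditScriptSrc(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src') || [];
  const findings = [];
  if (sources.includes("'unsafe-inline'")) findings.push("'unsafe-inline' re-enables inline scripts and event handlers");
  if (sources.includes("'unsafe-eval'")) findings.push("'unsafe-eval' re-enables eval(), Function() and string timers");
  if (sources.includes('*')) findings.push("'*' allows scripts from any origin");
  return findings;
}
```

Run against the slide-16 header, the three script tags resolve to allowed, allowed, refused, which is exactly what the console message reports; an http: URL on the allowed CDN host is refused as well because the page is served over https.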
  • 19. The Future: Trusted Types
    • The idea
      o Don’t pass strings to DOM XSS sinks
      o Use objects instead
      o Make security decisions explicit
      o Strongly typed DOM API!

      const el = document.createElement('div');
      el.innerHTML = { toString: () => 'test' };
      el.innerHTML; // "test"
  • 20. Trusted Types: CSP

      Content-Security-Policy: trusted-types *

      const el = document.createElement('div');
      el.innerHTML = '<img src=x onerror=alert(1)/>';
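A toy model of the contract slides 19 and 20 describe, as an added example that is not part of the slides and not the browser's window.trustedTypes API: a sink accepts only a typed object, never a raw string or a look-alike with a toString, and the only way to mint that object is a named policy whose createHTML rule is the single place where the security decision lives. The class, function and policy names are assumptions made for this example.

```javascript
// Added example, not from the slides: a plain-JavaScript model of Trusted Types.

const minted = new WeakSet();   // every object a policy produced; nothing else is trusted

// The typed value a sink accepts. Freezing keeps the wrapped string immutable.
class TrustedHTML {
  constructor(value) {
    this.value = value;
    Object.freeze(this);
  }
  toString() { return this.value; }
}

const policies = new Map();

// trustedTypes.createPolicy look-alike: a name plus a createHTML rule.
// A name can be registered only once, so a reviewer can grep for the
// handful of places where untrusted text becomes TrustedHTML.
function createPolicy(name, rules) {
  if (policies.has(name)) throw new Error(`policy "${name}" already exists`);
  if (!rules || typeof rules.createHTML !== 'function') throw new TypeError('createHTML rule required');
  const policy = {
    name,
    createHTML(input) {
      const out = new TrustedHTML(rules.createHTML(String(input)));
      minted.add(out);
      return out;
    },
  };
  policies.set(name, policy);
  return policy;
}

// The sink, i.e. what el.innerHTML behaves like under enforcement: raw
// strings and look-alike objects (the { toString } trick from slide 19)
// are rejected; only policy-minted TrustedHTML is written through.
function setInnerHTML(el, value) {
  if (!(value instanceof TrustedHTML) || !minted.has(value)) {
    throw new TypeError('This document requires TrustedHTML assignment');
  }
  el.innerHTML = String(value);
  return el.innerHTML;
}

// Constructed policy for the demo: HTML-encode everything. A real policy
// would typically run DOMPurify (slide 13) at this point.
const escapePolicy = createPolicy('escape-only', {
  createHTML: (s) => s.replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]),
});
```

In the shipped specification, enforcement at the sinks is switched on by the `require-trusted-types-for 'script'` directive, while the `trusted-types` directive shown on slide 20 controls which policy names a page may create; the registry-of-minted-objects check above stands in for what the browser does natively.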
  • 21. Trusted Types: Browser Support
  • 22. Trusted Types: Angular
  • 23. SPA Developer’s Checklist: XSS
    ❑ Follow the “happy path” wherever possible
      ❑ A.k.a. avoid DOM Kung-fu
    ❑ Blacklist common DOM XSS sinks via the linter
    ❑ If you process HTML, sanitize it with DOMPurify
    ❑ Use event handlers instead of dynamic href
    ❑ Never use non-trusted templates
    ❑ Use a sensible Content Security Policy
  • 24. Outdated Libraries, and approaches to get them under control
  • 25. Angular Project with Router and SCSS

      > cloc node_modules
      ------------------------------------------------------
      Language        files     blank    comment       code
      ------------------------------------------------------
      JavaScript      16214    171274     786507    3076493
      JSON             1887       298          0     247588
      Markdown         1628     73253          4     177074
      TypeScript       3069     16591     128264     153548
      HTML              227     13191        214      25464
      CSS               135       380       2275      22039
  • 26. https://angular.io/guide/setup-local
  • 27. npm audit

      > npm audit
      # ...
      found 81959 vulnerabilities (81914 low, 45 moderate) in 2120806 scanned packages
        run `npm audit fix` to fix 81624 of them.
        335 vulnerabilities require manual review. See the full report for details.
  • 28. Automate Dependency Checks!
    1. Trigger them automatically on every git push
    2. Fail the build!
    3. Do it regularly even if no pushes happen!
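The "fail the build" step of the slide-28 procedure as a small CI gate over `npm audit --json`, an added example that is not part of the slides. The JSON shape used (metadata.vulnerabilities with per-severity counts) is the one npm prints; the counts in the sample are constructed to mirror slide 27 (81914 low, 45 moderate, nothing higher). The function names and the threshold default are assumptions made for this example.

```javascript
// Added example, not from the slides: a severity gate over npm audit output.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Sum the counts at or above the threshold. Missing metadata is an error,
// not zero: a gate that cannot read its input must not pass the build.
function countAtOrAbove(auditJson, threshold) {
  const counts = auditJson && auditJson.metadata && auditJson.metadata.vulnerabilities;
  if (!counts) throw new Error('audit output has no metadata.vulnerabilities');
  const start = SEVERITIES.indexOf(threshold);
  if (start < 0) throw new Error(`unknown severity "${threshold}"`);
  let total = 0;
  for (const sev of SEVERITIES.slice(start)) total += Number(counts[sev] || 0);
  return total;
}

// Decide whether the build passes. Returns an object instead of calling
// process.exit so it can be tested; the CI wrapper does
// process.exit(result.ok ? 0 : 1).
function auditGate(auditJson, threshold = 'high') {
  const blocking = countAtOrAbove(auditJson, threshold);
  return {
    ok: blocking === 0,
    blocking,
    message: blocking === 0
      ? `no vulnerabilities at severity >= ${threshold}`
      : `${blocking} vulnerabilities at severity >= ${threshold}; failing build`,
  };
}

// Parse the raw stdout of `npm audit --json`. npm exits non-zero whenever
// it finds anything at all, so CI reads the JSON rather than trusting the
// exit code. Any parse or shape problem fails closed.
function gateFromAuditOutput(stdout, threshold) {
  try {
    return auditGate(JSON.parse(stdout), threshold);
  } catch (e) {
    return { ok: false, blocking: -1, message: `cannot evaluate npm audit output: ${e.message}` };
  }
}

// Constructed sample in the npm audit --json shape, with the slide-27 counts.
const sampleAudit = JSON.stringify({
  metadata: { vulnerabilities: { info: 0, low: 81914, moderate: 45, high: 0, critical: 0 } },
});
```

Wired into a pipeline, `npm audit --json > audit.json` runs on every push and on a daily schedule (steps 1 and 3), and the gate's exit status is what fails the build (step 2); the threshold is a policy decision, and the slide-27 numbers show why "low" is not a workable one.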
  • 29. SPA Developer’s Checklist: Dependencies
    ❑ Choose your dependencies wisely
    ❑ Check your dependencies in an automated way
    ❑ Fail the build if there are severe vulnerabilities
    ❑ Run the check regularly even if there is no push
    ❑ Advanced
      ❑ Have a good test coverage
      ❑ A bot submits a pull request with updates
      ❑ Merge it automatically if tests are green
  • 30. A Few More Things: Transport Security, CSRF, CORS, Server-side Template Injection, WebSockets
  • 31. SPA Developer’s Checklist: Multiple Topics
    ❑ Use TLS with Strict-Transport-Security and Preload!
    ❑ Use the SameSite Cookie flag or explicit auth against CSRF!
    ❑ Don’t use a * whitelist or Origin reflection for CORS!
    ❑ For WebSockets, check the Origin header on the server!
    ❑ Never render SPA templates dynamically on the server!
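Server-side handling for the CORS and WebSocket items of the slide-31 checklist, as an added example that is not part of the slides: an explicit origin allowlist (no "*", no reflecting whatever Origin the request carries) and the same allowlist applied to a WebSocket handshake. The functions take the request's Origin header value and return response headers or a decision, so they fit any Node HTTP server; the listed origins and function names are assumptions made for this example.

```javascript
// Added example, not from the slides: CORS and WebSocket origin allowlisting.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',     // constructed: the SPA's own origin
  'https://admin.example.test',   // constructed: a second first-party front end
]);

// Reduce an Origin header value to scheme://host[:port]. Anything that
// does not parse, and the opaque origin "null" (sandboxed iframes,
// file:// pages), yields null and is therefore never allowed.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return null;
  try {
    return new URL(origin).origin;
  } catch (e) {
    return null;
  }
}

// CORS response headers for one request. An unknown origin gets no
// Access-Control-* headers at all; the browser then withholds the
// response from cross-origin JavaScript. Note the exact-match lookup: a
// prefix test would accept https://app.example.test.attacker.example.
function corsHeaders(requestOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,       // an allowlisted value, not a reflected one
    'Access-Control-Allow-Credentials': 'true',  // only valid with a concrete origin, never "*"
    'Vary': 'Origin',                            // shared caches must key on Origin
  };
}

// WebSocket handshake: the same-origin policy does not restrict WebSocket
// connections, so the server must check Origin itself.
function acceptWebSocketUpgrade(requestHeaders) {
  const origin = normalizeOrigin(requestHeaders.origin);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}
```

Returning an empty header set for unknown origins is the whole point of the checklist item: reflecting the request's Origin together with Allow-Credentials would turn every authenticated API call into a cross-site readable one.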
  • 32. Thomas Konrad, SBA Research gGmbH, Floragasse 7, 1040 Wien. +43 664 889 272 17, tkonrad@sba-research.org, @_thomaskonrad
  • 33. Photo by Emily Morter on Unsplash. Follow me on Twitter! @_thomaskonrad
  • 34. Resources
    • Krzysztof Kotowicz on Trusted Types & the end of DOM XSS: https://youtu.be/vYA81UAExKA
    • Philippe De Ryck, Angular / OWASP Top 10 Cheat Sheet: https://pragmaticwebsecurity.com/files/cheatsheets/angularowasptop10.pdf
    • Philippe De Ryck, React XSS Avoidance Cheat Sheet: https://pragmaticwebsecurity.com/files/cheatsheets/reactxss.pdf
    • W3C GitHub repository on Trusted Types: https://github.com/w3c/webappsec-trusted-types
    • Angular DOM Sanitizer docs: https://angular.io/api/platform-browser/DomSanitizer
    • React docs on dangerouslySetInnerHTML: https://reactjs.org/docs/dom-elements.html#dangerouslysetinnerhtml
    • Vue.js docs on security: https://vuejs.org/v2/guide/security.html
    • GitHub docs on Security Alerts: https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies
    • GitLab docs on Dependency Scanning: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/
  • 35. SBA Research
    Professional Services: Penetration Testing, Architecture Reviews, Security Audit, Security Trainings, Incident Response Readiness, ISMS & ISO 27001 Consulting
    Applied Research (Bridging Science and Industry): Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
    Knowledge Transfer: SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
    Contact us: anfragen@sba-research.org
  • 36. #bleibdaheim #remotelearning. Coming up @ SBA Live Academy: Wed, 22 April, 13:00, live: Datenschutz Teil 1: Wozu Datenschutzgesetze? (Gerald Sendera). Join our Meetup group! https://www.meetup.com/Security-Meetup-by-SBA-Research/