SlideShare a Scribd company logo

Securing your Node.js App

D
Dheeraj Joshi

Slides from my talk at Node.js Conference 2016 - Italy

Technology
1 of 25
Download to read offline
Let’s talk Security Securing Your Node.js App Dheeraj Joshi @dheerajhere
● Front-End @ ● Open Source (medium-cli) ● Ambidextrous TT Player About Me
More... I wear White Hat. Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc. What makes me happy?
Agenda ● Why ? ● Cross-site Scripting (XSS) ● Cross-site Request Forgery (CSRF) ● Content Security Policy (CSP) ● Useful Headers ● Other Best Practices ● Demo
Why should Startups Care about Security? Startups & SMEs are known to cut corners. One of the first things they cut is ‘Security'.
Github Reused password attack
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The Shutdown
CROSS SITE SCRIPTING - XSS ● XSS attack users ● “Javascript Injection” ● Exploits can be bad, really bad..
What is XSS? Typical Reflected XSS
Stored XSS
Protect Yourself ● Input Validation ● Ensure that outputs are HTML encoded ● Don’t reinvent the wheel (Use proven sanitizers)
Content Security Policy (CSP)
Add Content Security Policy header
● Add HTTPOnly, Secure attributes on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF can bypass: ● HTTP Auth ● Session-based auth ● Firewalls CSRF Attacks
Prevention
● Only accepting POST requests ● Referer Protection ● Multi-Step Transactions ● URL Rewriting ● application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF = ? (Demo)
List of useful HTTP headers ● Strict-Transport-Security: max-age=16070400; includeSubDomains ● X-Frame-Options: deny ● X-XSS-Protection: 1; mode=block
Prevent Information Disclosure Hide X-Powered-By Or try this ;)
How to improve ? ● SECURITY.md ● Security Middleware (helmet.js, kraken.js ) ● OWASP Node Goat Project ● NSP, Snyk
Questions ?
Thank you @dheerajhere @djadmin

Recommended

Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!
VodqaBLR
 
Xss attack
Xss attackXss attack
Xss attack
Ambuj Kumar
 
XSS
XSSXSS
XSS
Viral Parmar
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 

Recommended

Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018Trusted Types @ W3C TPAC 2018
Trusted Types @ W3C TPAC 2018
Krzysztof Kotowicz
 
Trusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSSTrusted Types and the end of DOM XSS
Trusted Types and the end of DOM XSS
Krzysztof Kotowicz
 
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Trusted Types - Securing the DOM from the bottom up (JSNation Amsterdam)
Krzysztof Kotowicz
 
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
パフォーマンスを考慮したプリミティブなTrusted TypesによるClient-Side XSS防御手法
inet-lab
 
Xss what the heck-!
Xss what the heck-!Xss what the heck-!
Xss what the heck-!
VodqaBLR
 
Xss attack
Xss attackXss attack
Xss attack
Ambuj Kumar
 
XSS
XSSXSS
XSS
Viral Parmar
 
Web security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in BrowsersWeb security: Securing Untrusted Web Content in Browsers
Web security: Securing Untrusted Web Content in Browsers
Phú Phùng
 
Story of http headers
Story of http headersStory of http headers
Story of http headers
Vandana Verma
 
Xss and sql injection
Xss and sql injectionXss and sql injection
Xss and sql injection
Bhuridech Sudsee
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
Mindfire Solutions
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
REST project brief - typical setup for teams
REST project brief - typical setup for teamsREST project brief - typical setup for teams
REST project brief - typical setup for teams
Dian Swanepoel
 
Cryptography in networks
Cryptography in networksCryptography in networks
Cryptography in networks
Kajal Chaudhari
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 
Charla taller
Charla tallerCharla taller
Charla taller
Maricarmen Gugliotta
 
Singing survey final_with cover
Singing survey final_with coverSinging survey final_with cover
Singing survey final_with cover
Avi Dey
 
Top de lenguajes de programacion2
Top de lenguajes de programacion2Top de lenguajes de programacion2
Top de lenguajes de programacion2
Saul Pereyra
 
सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन
INGENAES
 
Pie Charts
Pie ChartsPie Charts
Pie Charts
Adam_wareing
 
Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing
INGENAES
 
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...D'imr Polo
 
Jennifer Johnson Resume
Jennifer Johnson ResumeJennifer Johnson Resume
Jennifer Johnson ResumeJennifer Johnson
 
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
Любовь Ильинична
 
Eco415 2006 oct answer
Eco415 2006 oct answerEco415 2006 oct answer
Eco415 2006 oct answer
Kuncara Owel
 
Analysis of NME
Analysis of NMEAnalysis of NME
Analysis of NME
AS Media Column D
 
Deber de internet
Deber de internetDeber de internet
Deber de internetEscuela Julia Beltrán de González
 
Erika computacion
Erika computacionErika computacion
Erika computacionErii Heredia
 
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
INGENAES
 

More Related Content

What's hot

Story of http headers
Story of http headersStory of http headers
Story of http headers
Vandana Verma
 
Xss and sql injection
Xss and sql injectionXss and sql injection
Xss and sql injection
Bhuridech Sudsee
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
Mindfire Solutions
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Ryan LaBouve
 
REST project brief - typical setup for teams
REST project brief - typical setup for teamsREST project brief - typical setup for teams
REST project brief - typical setup for teams
Dian Swanepoel
 
Cryptography in networks
Cryptography in networksCryptography in networks
Cryptography in networks
Kajal Chaudhari
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillMario Heiderich
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0Mario Heiderich
 

What's hot (8)

Story of http headers
Story of http headersStory of http headers
Story of http headers
 
Xss and sql injection
Xss and sql injectionXss and sql injection
Xss and sql injection
 
XSS Injection Vulnerabilities
XSS Injection VulnerabilitiesXSS Injection Vulnerabilities
XSS Injection Vulnerabilities
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
REST project brief - typical setup for teams
REST project brief - typical setup for teamsREST project brief - typical setup for teams
REST project brief - typical setup for teams
 
Cryptography in networks
Cryptography in networksCryptography in networks
Cryptography in networks
 
Scriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the SillScriptless Attacks - Stealing the Pie without touching the Sill
Scriptless Attacks - Stealing the Pie without touching the Sill
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 

Viewers also liked

Charla taller
Charla tallerCharla taller
Charla taller
Maricarmen Gugliotta
 
Singing survey final_with cover
Singing survey final_with coverSinging survey final_with cover
Singing survey final_with cover
Avi Dey
 
Top de lenguajes de programacion2
Top de lenguajes de programacion2Top de lenguajes de programacion2
Top de lenguajes de programacion2
Saul Pereyra
 
सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन
INGENAES
 
Pie Charts
Pie ChartsPie Charts
Pie Charts
Adam_wareing
 
Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing
INGENAES
 
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...D'imr Polo
 
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
Любовь Ильинична
 
Eco415 2006 oct answer
Eco415 2006 oct answerEco415 2006 oct answer
Eco415 2006 oct answer
Kuncara Owel
 
Analysis of NME
Analysis of NMEAnalysis of NME
Analysis of NME
AS Media Column D
 
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
INGENAES
 
los valores
los valoreslos valores
los valores
luiscoro09
 
naveen resume
naveen resumenaveen resume
naveen resumenaveen b
 
ЗорянI свiти галактики
ЗорянI свiти галактикиЗорянI свiти галактики
ЗорянI свiти галактики
ZAVERTKIN
 
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारीसत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
INGENAES
 
Violencia en los niños completa blog
Violencia en los niños completa blogViolencia en los niños completa blog
Violencia en los niños completa blogstephaniezie
 

Viewers also liked (20)

Charla taller
Charla tallerCharla taller
Charla taller
 
Singing survey final_with cover
Singing survey final_with coverSinging survey final_with cover
Singing survey final_with cover
 
Top de lenguajes de programacion2
Top de lenguajes de programacion2Top de lenguajes de programacion2
Top de lenguajes de programacion2
 
सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन सत्र एक कार्यशाला संक्षिप्त अबलोकन
सत्र एक कार्यशाला संक्षिप्त अबलोकन
 
Pie Charts
Pie ChartsPie Charts
Pie Charts
 
Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing Organizational Capacity-Building Series - Session 12: Grant-Writing
Organizational Capacity-Building Series - Session 12: Grant-Writing
 
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
Extraccion de adn nuclear a partir de tejido de pie y manto de cittarium pica...
 
Jennifer Johnson Resume
Jennifer Johnson ResumeJennifer Johnson Resume
Jennifer Johnson Resume
 
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
«ФОРМИРОВАНИЕ ПЕРВОНАЧАЛЬНЫХ ОСНОВ БЕЗОПАСНОСТИ ЖИЗНИДЕЯТЕЛЬНОСТИ У ДЕТЕЙ ДО...
 
Eco415 2006 oct answer
Eco415 2006 oct answerEco415 2006 oct answer
Eco415 2006 oct answer
 
Analysis of NME
Analysis of NMEAnalysis of NME
Analysis of NME
 
Deber de internet
Deber de internetDeber de internet
Deber de internet
 
Erika computacion
Erika computacionErika computacion
Erika computacion
 
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
Organizational Capacity-Building Series - Session 8: Strategic Partnership wi...
 
los valores
los valoreslos valores
los valores
 
naveen resume
naveen resumenaveen resume
naveen resume
 
ЗорянI свiти галактики
ЗорянI свiти галактикиЗорянI свiти галактики
ЗорянI свiти галактики
 
Terminos informaticos
Terminos informaticosTerminos informaticos
Terminos informaticos
 
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारीसत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
सत्र ८ कृषि बिस्तारसँग रणनितीक साझेदारी
 
Violencia en los niños completa blog
Violencia en los niños completa blogViolencia en los niños completa blog
Violencia en los niños completa blog
 

Similar to Securing your Node.js App

Let's talk Security
Let's talk SecurityLet's talk Security
Let's talk Security
Dheeraj Joshi
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
Prakashchand Suthar
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
PROIDEA
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
CODE BLUE
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
ssuser020436
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
morisson
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
Mario Heiderich
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
Minded Security
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
Mario Heiderich
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Chris Burgess
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
Aman Singh
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteAndrew Sorensen
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David Rook
Security B-Sides
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
ThreatReel Podcast
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
enigma0x3
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Risks With OpenID
Risks With OpenIDRisks With OpenID
Risks With OpenID
Rohit Srivastwa
 

Similar to Securing your Node.js App (20)

Let's talk Security
Let's talk SecurityLet's talk Security
Let's talk Security
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)
 
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
 
Course_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptxCourse_Presentation cyber --------------.pptx
Course_Presentation cyber --------------.pptx
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 
The innerHTML Apocalypse
The innerHTML ApocalypseThe innerHTML Apocalypse
The innerHTML Apocalypse
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
An Abusive Relationship with AngularJS
An Abusive Relationship with AngularJSAn Abusive Relationship with AngularJS
An Abusive Relationship with AngularJS
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress SiteIdentifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
 
Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)Cross Site Scripting: Prevention and Detection(XSS)
Cross Site Scripting: Prevention and Detection(XSS)
 
Web Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your websiteWeb Security: What's wrong, and how the bad guys can break your website
Web Security: What's wrong, and how the bad guys can break your website
 
The Principles of Secure Development - David Rook
The Principles of Secure Development - David RookThe Principles of Secure Development - David Rook
The Principles of Secure Development - David Rook
 
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!OISF Aniversary: Active Defense - Helping threat actors hack themselves!
OISF Aniversary: Active Defense - Helping threat actors hack themselves!
 
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
“_____ Is Not a Security Boundary: Things I Have Learned and Things That Have...
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Risks With OpenID
Risks With OpenIDRisks With OpenID
Risks With OpenID
 

Recently uploaded

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 

Securing your Node.js App