How to Secure an Angular Web Application

Transcript

1. How to Secure an Angular Web
   Application
   Wednesday May 2, 2018
   Doug Corbett
   [email protected]
   

   View Slide

2. Mission Accomplished!
   1
   Counters
   3
   Router Guards and Roles
   4
   What Could Go Wrong?
   2
   Agenda
   Final Thoughts
   5
   

   View Slide

3. on
   Mission Accomplished!
   

   View Slide

4. Our Mission
   To build a hospital
   information to make
   our users dance
   with joy.
   * https://i.makeagif.com/media/6-08-2015/KdEXC-.gif
   

   View Slide

5. Happy Times HIS
   * http://www.genesisinfo.com/images/DOSEBC.gif
   

   View Slide

6. Ingredients
   • 2 developers
   * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
   

   View Slide

7. Ingredients
   • 2 developers
   • 9 months
   * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
   * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
   

   View Slide

8. Ingredients
   • 2 developers
   • 9 months
   • 180 pizzas
   * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
   * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
   * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
   

   View Slide

9. Happy Times HIS
   * https://medium.com/garyyauchan/flatiron-health-emr-product-case-study-edd85049d19
   

   View Slide

10. Ingredients
    • 2 developers
    • 9 months
    • 180 pizzas
    • 1 Designer
    * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
    * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
    * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
    *
    https://i.pinimg.com/origin
    als/da/a3/55/daa3555f434
    9314994b753b4467b88af.j
    pg
    

    View Slide

11. Happy Times HIS
    * https://i.pinimg.com/originals/eb/65/7a/eb657a37f9e9b3e19d52701fecd4d222.png
    

    View Slide

12. Flow - Login
    

    View Slide

13. Flow – Sign up
    

    View Slide

14. Scenario Background
    * https://s-i.huffpost.com/gen/1323155/thumbs/r-GEORGE-BUSH-AIRCRAFT-CARRIER-large570.jpg?5
    

    View Slide

15. on
    What Could Go Wrong?
    

    View Slide

16. Flow - Login
    weak passwords
    

    View Slide

17. Weak Passwords
    https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
    

    View Slide

18. Flow - Login
    dictionary attack
    weak passwords
    

    View Slide

19. Flow - Login
    network sniffer
    network sniffer
    dictionary attack
    weak passwords
    

    View Slide

20. Network Sniffers
    

    View Slide

21. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    dictionary attack
    weak passwords
    

    View Slide

22. Plain Text Passwords in DB
    https://www.esecurityplanet.com/network-security/data-breach-at-web-host-exposes-13-million-plain-text-passwords.html
    

    View Slide

23. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    dictionary attack
    weak passwords
    

    View Slide

24. Disabled Security on DB
    https://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/
    

    View Slide

25. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    dictionary attack
    dictionary attack
    weak passwords
    

    View Slide

26. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    

    View Slide

27. Cookie Hijacking
    The stealing of a sessionid store as a cookie in the
    victims browser and passed with every call to the
    server.
    

    View Slide

28. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    

    View Slide

29. Cross Site Request Forgery (CSRF)
    • An attack whereby the attacker only needs your
    email or for you to click on a link to send a get or
    post request to an api, possibly triggering an
    action.
    • Especially dangerous for restful apis that do not
    rely on request bodies.
    • A “blind” attack. Attacker is limited in what they
    can do.
    

    View Slide

30. on
    Counters
    

    View Slide

31. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    

    View Slide

32. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    password policy
    

    View Slide

33. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    

    View Slide

34. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    

    View Slide

35. Hashing
    • An algorithm used to convert a string into a fixed
    length alphanumeric string
    Characteristics
    1. Easy to create a hash value from an input
    2. Extremely difficult, if not impossible, to determine the input from a
    hash value
    3. While possible it is extremely unlikely for two inputs to produce the
    same hash value
    

    View Slide

36. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    require admin user password
    

    View Slide

37. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    require admin user password
    3x lockout or
    time delay
    

    View Slide

38. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    require admin user password
    3x lockout or
    time delay
    dictionary attack
    salting
    

    View Slide

39. Salt
    Random data that is used as additional input in
    hashing algorithms. Minor changes make a big
    difference in the hash value.
    

    View Slide

40. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    require admin user password
    3x lockout or
    time delay
    dictionary attack
    salting
    double cookie
    

    View Slide

41. Double cookie
    Add extra header called “crf-token”. Then the server will
    look for both cookies to verify the request is legitimate.
    

    View Slide

42. Flow - Login
    network sniffer
    network sniffer
    plain text passwords
    disabled security
    cookie hijacking
    dictionary attack
    weak passwords
    CSRF
    password policy
    ssl / tls
    ssl / tls
    hashing
    require admin user password
    3x lockout or
    time delay
    dictionary attack
    salting
    double cookie
    Gets with no side effects
    

    View Slide

43. on
    Loose Ends
    

    View Slide

44. SQL Injection Attacks
    http://ddgrafx.com/wp-content/uploads/2017/11/awesome-little-bobby-tables-decorating-ideas-a-bedroom-model.jpg
    

    View Slide

45. Open Web Application Security Project (OWASP)
    A worldwide not-for-profit charitable organization
    focused on improving the security of software.
    https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
    

    View Slide

46. JSON Web Tokens
    An alphanumeric string representing claims between parties enabling
    stateless servers and third party authentication.
    Parts
    • Header
    • Payload
    • Signature
    HS256 – signature algorithm that based on secrets
    RS256 – signature algorithm based on public key cryptography
    

    View Slide

47. Router Guards and Roles
    

    View Slide

48. on
    Demo
    

    View Slide

49. Demo
    

    View Slide

50. Final Thoughts
    

    View Slide

51. Tools to Secure Your App
    • SSL/TLS
    • Password policy
    • Argon2 hashing algorithm with salted inputs
    • JWT – RS256
    • Make sure security is enabled on your database
    • If using cookies, use http only cookies
    

    View Slide

52. Reference Materials
    Official Angular Documentation
    https://angular.io
    ng-book – The Complete Book on Angular 4 – Nathan Murray and Ari Lerner
    Open Web Application Security Project
    https://www.owasp.org
    How to Secure an Angular Web Application
    https://github.com/dougcorbett/event-demo
    Angular 5 Security Masterclass
    https://www.udemy.com/angular-security
    The Complete Node.js Developer Course (2nd Edition)
    https://www.udemy.com/the-complete-nodejs-developer-course-2
    

    View Slide