How to Secure an Angular Web Application

Transcript

1. How to Secure an Angular Web Application Wednesday May 2,

   2018 Doug Corbett [email protected]

2. Mission Accomplished! 1 Counters 3 Router Guards and Roles 4

   What Could Go Wrong? 2 Agenda Final Thoughts 5

3. on Mission Accomplished!

4. Our Mission To build a hospital information to make our

   users dance with joy. * https://i.makeagif.com/media/6-08-2015/KdEXC-.gif

5. Happy Times HIS * http://www.genesisinfo.com/images/DOSEBC.gif

6. Ingredients • 2 developers * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png

7. Ingredients • 2 developers • 9 months * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png *

   https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

8. Ingredients • 2 developers • 9 months • 180 pizzas

   * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

9. Happy Times HIS * https://medium.com/garyyauchan/flatiron-health-emr-product-case-study-edd85049d19

10. Ingredients • 2 developers • 9 months • 180 pizzas

    • 1 Designer * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg * https://i.pinimg.com/origin als/da/a3/55/daa3555f434 9314994b753b4467b88af.j pg

11. Happy Times HIS * https://i.pinimg.com/originals/eb/65/7a/eb657a37f9e9b3e19d52701fecd4d222.png

12. Flow - Login

13. Flow – Sign up

14. Scenario Background * https://s-i.huffpost.com/gen/1323155/thumbs/r-GEORGE-BUSH-AIRCRAFT-CARRIER-large570.jpg?5

15. on What Could Go Wrong?

16. Flow - Login weak passwords

17. Weak Passwords https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

18. Flow - Login dictionary attack weak passwords

19. Flow - Login network sniffer network sniffer dictionary attack weak

    passwords

20. Network Sniffers

21. Flow - Login network sniffer network sniffer plain text passwords

    dictionary attack weak passwords

22. Plain Text Passwords in DB https://www.esecurityplanet.com/network-security/data-breach-at-web-host-exposes-13-million-plain-text-passwords.html

23. Flow - Login network sniffer network sniffer plain text passwords

    disabled security dictionary attack weak passwords

24. Disabled Security on DB https://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/

25. Flow - Login network sniffer network sniffer plain text passwords

    disabled security dictionary attack dictionary attack weak passwords

26. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords

27. Cookie Hijacking The stealing of a sessionid store as a

    cookie in the victims browser and passed with every call to the server.

28. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF

29. Cross Site Request Forgery (CSRF) • An attack whereby the

    attacker only needs your email or for you to click on a link to send a get or post request to an api, possibly triggering an action. • Especially dangerous for restful apis that do not rely on request bodies. • A “blind” attack. Attacker is limited in what they can do.

30. on Counters

31. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF

32. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF password policy

33. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls

34. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing

35. Hashing • An algorithm used to convert a string into

    a fixed length alphanumeric string Characteristics 1. Easy to create a hash value from an input 2. Extremely difficult, if not impossible, to determine the input from a hash value 3. While possible it is extremely unlikely for two inputs to produce the same hash value

36. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing require admin user password

37. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing require admin user password 3x lockout or time delay

38. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing require admin user password 3x lockout or time delay dictionary attack salting

39. Salt Random data that is used as additional input in

    hashing algorithms. Minor changes make a big difference in the hash value.

40. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing require admin user password 3x lockout or time delay dictionary attack salting double cookie

41. Double cookie Add extra header called “crf-token”. Then the server

    will look for both cookies to verify the request is legitimate.

42. Flow - Login network sniffer network sniffer plain text passwords

    disabled security cookie hijacking dictionary attack weak passwords CSRF password policy ssl / tls ssl / tls hashing require admin user password 3x lockout or time delay dictionary attack salting double cookie Gets with no side effects

43. on Loose Ends

44. SQL Injection Attacks http://ddgrafx.com/wp-content/uploads/2017/11/awesome-little-bobby-tables-decorating-ideas-a-bedroom-model.jpg

45. Open Web Application Security Project (OWASP) A worldwide not-for-profit charitable

    organization focused on improving the security of software. https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

46. JSON Web Tokens An alphanumeric string representing claims between parties

    enabling stateless servers and third party authentication. Parts • Header • Payload • Signature HS256 – signature algorithm that based on secrets RS256 – signature algorithm based on public key cryptography

47. Router Guards and Roles

48. on Demo

49. Demo

50. Final Thoughts

51. Tools to Secure Your App • SSL/TLS • Password policy

    • Argon2 hashing algorithm with salted inputs • JWT – RS256 • Make sure security is enabled on your database • If using cookies, use http only cookies

52. Reference Materials Official Angular Documentation https://angular.io ng-book – The Complete

    Book on Angular 4 – Nathan Murray and Ari Lerner Open Web Application Security Project https://www.owasp.org How to Secure an Angular Web Application https://github.com/dougcorbett/event-demo Angular 5 Security Masterclass https://www.udemy.com/angular-security The Complete Node.js Developer Course (2nd Edition) https://www.udemy.com/the-complete-nodejs-developer-course-2