How to Secure an Angular Web Application

In this presentation, we will cover all the elements required to build a secure web application with Angular and Node.

We will discuss SSL/TLS, authentication and authorization, cookies vs JSON Web Tokens (JWT) for session management, password hashing, salting and enforcing password policy. Finally, we will look at how this can be implemented in an example Angular/Node application.

Doug Corbett

May 02, 2018
Transcript

  1. How to Secure an Angular Web
    Application
    Wednesday May 2, 2018
    Doug Corbett
    [email protected]

  2. Agenda
    1. Mission Accomplished!
    2. What Could Go Wrong?
    3. Counters
    4. Router Guards and Roles
    5. Final Thoughts

  3. Mission Accomplished!

  4. Our Mission
    To build a hospital information system (HIS) that makes our users dance
    with joy.
    * https://i.makeagif.com/media/6-08-2015/KdEXC-.gif

  5. Happy Times HIS
    * http://www.genesisinfo.com/images/DOSEBC.gif

  6. Ingredients
    • 2 developers
    * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png

  7. Ingredients
    • 2 developers
    • 9 months
    * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
    * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

  8. Ingredients
    • 2 developers
    • 9 months
    • 180 pizzas
    * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
    * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

  9. Happy Times HIS
    * https://medium.com/garyyauchan/flatiron-health-emr-product-case-study-edd85049d19

  10. Ingredients
    • 2 developers
    • 9 months
    • 180 pizzas
    • 1 Designer
    * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
    * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
    * https://i.pinimg.com/originals/da/a3/55/daa3555f4349314994b753b4467b88af.jpg

  11. Happy Times HIS
    * https://i.pinimg.com/originals/eb/65/7a/eb657a37f9e9b3e19d52701fecd4d222.png

  12. Flow - Login

  13. Flow – Sign up

  14. Scenario Background
    * https://s-i.huffpost.com/gen/1323155/thumbs/r-GEORGE-BUSH-AIRCRAFT-CARRIER-large570.jpg?5

  15. What Could Go Wrong?

  16. Flow - Login
    Threats on the diagram: weak passwords

  17. Weak Passwords
    https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

  18. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack

  19. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack, network sniffer
    (at two points on the path)

  20. Network Sniffers

  21. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack, network sniffer
    (two points), plain text passwords

  22. Plain Text Passwords in DB
    https://www.esecurityplanet.com/network-security/data-breach-at-web-host-exposes-13-million-plain-text-passwords.html

  23. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack, network sniffer
    (two points), plain text passwords, disabled security

  24. Disabled Security on DB
    https://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/

  25. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack (online, against
    the login endpoint, and a second arrow: offline, against the stored
    credentials), network sniffer (two points), plain text passwords,
    disabled security

  26. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack (online and
    offline), network sniffer (two points), plain text passwords, disabled
    security, cookie hijacking

  27. Cookie Hijacking
    Stealing the session ID that is stored as a cookie in the victim's browser
    and sent with every request to the server. Whoever holds that cookie is
    the user as far as the server can tell.

  28. Flow - Login
    Threats on the diagram: weak passwords, dictionary attack (online and
    offline), network sniffer (two points), plain text passwords, disabled
    security, cookie hijacking, CSRF

  29. Cross Site Request Forgery (CSRF)
    • An attack in which the attacker only needs your email address, or for
      you to click a link or open a page, to make your browser send a GET or
      POST request to an API, possibly triggering an action. The browser
      attaches your cookies automatically, so the server sees a request from
      a logged-in user.
    • Especially dangerous for RESTful APIs that do not rely on request
      bodies: a plain link or an auto-submitted form is enough to reproduce
      the call.
    • A "blind" attack: the attacker cannot read the response, so they are
      limited in what they can do.

  30. Counters

  31. Flow - Login
    Threats recap before the counters: weak passwords, dictionary attack
    (online and offline), network sniffer (two points), plain text passwords,
    disabled security, cookie hijacking, CSRF

  32. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy

  33. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points)

  34. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing

  35. Hashing
    • An algorithm that converts an input of any length into a fixed-length
      digest (usually shown as a hex or base64 string)
    Characteristics
    1. Easy to compute the hash value from an input
    2. Extremely difficult, if not impossible, to recover the input from a
       hash value (preimage resistance)
    3. While possible, it is extremely unlikely for two inputs to produce the
       same hash value (collision resistance)
    For stored passwords use a deliberately slow, memory-hard password hash
    (Argon2, scrypt or bcrypt) rather than a fast general-purpose hash such as
    SHA-256, so that guessing attacks against a leaked database stay expensive.

  36. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing, require admin user password (on the database)

  37. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing, require admin user password, 3x lockout or time delay
    (against the online dictionary attack)
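The two counters this slide pins on the online dictionary attack, a hard lockout after three failures or a growing delay, as an added Node.js example. This is not code from the deck or its demo repository; the thresholds, the in-memory store and the fake clock are assumptions made so it runs offline.

```javascript
// Added example: per-account throttling for the login endpoint.
// Not from the deck; thresholds and the in-memory store are assumptions.

const MAX_FAILURES = 3;                 // "3x lockout"
const LOCKOUT_MS = 15 * 60 * 1000;      // how long a locked account stays locked
const BASE_DELAY_MS = 1000;             // "time delay": 1s, 2s, 4s, ... per failure

class LoginThrottle {
  // mode: 'lockout' (hard lock after MAX_FAILURES) or 'delay' (exponential backoff).
  // now: injectable clock so the behaviour can be exercised without waiting.
  constructor({ mode = 'lockout', now = () => Date.now() } = {}) {
    this.mode = mode;
    this.now = now;
    this.state = new Map();             // username -> { failures, blockedUntil }
  }

  // Is a login attempt for this account allowed right now?
  check(username) {
    const s = this.state.get(username);
    const remaining = s ? s.blockedUntil - this.now() : 0;
    return remaining > 0
      ? { allowed: false, retryAfterMs: remaining }
      : { allowed: true, retryAfterMs: 0 };
  }

  recordFailure(username) {
    const s = this.state.get(username) || { failures: 0, blockedUntil: 0 };
    s.failures += 1;
    if (this.mode === 'lockout') {
      if (s.failures >= MAX_FAILURES) s.blockedUntil = this.now() + LOCKOUT_MS;
    } else {
      // 1s after the 1st failure, 2s after the 2nd, 4s after the 3rd, ...
      s.blockedUntil = this.now() + BASE_DELAY_MS * 2 ** (s.failures - 1);
    }
    this.state.set(username, s);
    return s;
  }

  recordSuccess(username) {
    this.state.delete(username);        // a good login resets the counter
  }
}

// Login check against a constructed credential store (plain strings here only
// to keep the example short; real records hold salted hashes, not passwords).
function login(throttle, users, username, password) {
  const verdict = throttle.check(username);
  if (!verdict.allowed) {
    return { ok: false, reason: 'throttled', retryAfterMs: verdict.retryAfterMs };
  }
  const ok = users.has(username) && users.get(username) === password;
  if (ok) {
    throttle.recordSuccess(username);
    return { ok: true };
  }
  throttle.recordFailure(username);
  return { ok: false, reason: 'bad credentials' };
}

// Walk a short dictionary attack against one account using a fake clock.
function demo() {
  let clock = 0;
  const throttle = new LoginThrottle({ mode: 'lockout', now: () => clock });
  const users = new Map([['alice', 'correct horse battery staple']]);   // constructed
  const log = [];
  for (const guess of ['123456', 'password', 'qwerty']) {
    log.push(login(throttle, users, 'alice', guess).reason);
  }
  // Even the right password is refused while the lock is in place...
  log.push(login(throttle, users, 'alice', 'correct horse battery staple').reason);
  clock = LOCKOUT_MS + 1;
  // ...and accepted once it expires.
  log.push(login(throttle, users, 'alice', 'correct horse battery staple').ok);
  return log;
}

console.log(demo());
```

Lockout is the simpler of the two but lets anyone who knows a username lock that user out, so many teams apply the delay per account and a lockout per source address instead. In either mode the password check should cost the same whether or not the account exists, so response timing does not confirm valid usernames.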

  38. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing, require admin user password, 3x lockout or time delay,
    salting (against the offline dictionary attack)

  39. Salt
    Random data, generated per user and stored alongside the hash, that is
    used as additional input to the hashing algorithm. Because a minor change
    in input makes a big difference in the hash value, two users with the same
    password get different hashes, and an attacker cannot run one precomputed
    (rainbow) table or one cracking pass against the whole database.

  40. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing, require admin user password, 3x lockout or time delay,
    salting, double cookie (against CSRF)

  41. Double cookie
    The server sets a random token in a cookie, and the client sends the same
    token back in an extra header (for example "csrf-token"; Angular's
    HttpClient does this automatically with the XSRF-TOKEN cookie and the
    X-XSRF-TOKEN header). The server compares the cookie value with the header
    value to verify the request is legitimate: a cross-site page can make the
    browser send the cookie, but cannot read it, so it cannot produce the
    matching header.

  42. Flow - Login
    Threats: weak passwords, dictionary attack (online and offline), network
    sniffer (two points), plain text passwords, disabled security, cookie
    hijacking, CSRF
    Counters on the diagram: password policy, ssl / tls (at both sniffing
    points), hashing, require admin user password, 3x lockout or time delay,
    salting, double cookie, GETs with no side effects (so a forged link cannot
    change state)

  43. Loose Ends

  44. SQL Injection Attacks
    http://ddgrafx.com/wp-content/uploads/2017/11/awesome-little-bobby-tables-decorating-ideas-a-bedroom-model.jpg
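The injection bug named on this slide, in the form it takes on a document database: an added example, not the deck's demo code, that assumes a MongoDB-style back end (the deck's database slide points at MongoDB). The tiny query matcher stands in for the database so the example runs offline; the user record is constructed.

```javascript
// Added example: NoSQL operator injection on a login query and the fix.
// The matcher models just enough of MongoDB query semantics to show the bug;
// it is not driver code. The user record is constructed.

// Field equality plus the $gt / $ne operators attackers typically inject.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      return Object.entries(cond).every(([op, arg]) => {
        if (op === '$gt') return value > arg;
        if (op === '$ne') return value !== arg;
        throw new Error(`operator ${op} not modelled`);
      });
    }
    return value === cond;
  });
}

// Plain-text password only to keep the toy store short (the deck's own
// "plain text passwords" slide says why a real record holds a salted hash).
const USERS = [{ username: 'admin', password: 'hunter2', role: 'admin' }];

// Vulnerable: request body fields go straight into the query. When the body
// was parsed from JSON, "password" may be an object carrying an operator.
function findUserVulnerable(body) {
  return USERS.find((u) => matches(u, { username: body.username, password: body.password }));
}

// Fixed: (1) insist that credentials are plain strings, and (2) never query by
// password at all; look the user up by name and verify the password separately.
function findUserSafe(body, verify) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    throw new Error('username and password must be strings');
  }
  const user = USERS.find((u) => matches(u, { username: body.username }));
  return user && verify(body.password, user.password) ? user : undefined;
}

// Stand-in for a real password verifier (salted-hash comparison in production).
const verify = (supplied, stored) => supplied === stored;

function demo() {
  // Attacker's JSON body: any non-empty password is "greater than" "".
  const attack = JSON.parse('{"username":"admin","password":{"$gt":""}}');
  let safeResult;
  try { safeResult = findUserSafe(attack, verify); } catch (e) { safeResult = e.message; }
  return {
    vulnerableLogsInAsAdmin: findUserVulnerable(attack)?.role === 'admin',
    safeRejects: safeResult,
    safeStillWorks: findUserSafe({ username: 'admin', password: 'hunter2' }, verify)?.role === 'admin',
    safeWrongPassword: findUserSafe({ username: 'admin', password: 'nope' }, verify),
  };
}

console.log(demo());
```

The same rule covers the SQL case: data from the request never becomes query structure. With SQL that means parameterised statements; with a document store it means type-checking each field and never letting a client-supplied object stand where a value belongs.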

  45. Open Web Application Security Project (OWASP)
    A worldwide not-for-profit charitable organization
    focused on improving the security of software.
    https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  46. JSON Web Tokens
    A string of three base64url-encoded parts separated by dots, carrying
    signed claims between parties, which enables stateless servers and
    third-party authentication.
    Parts
    • Header (algorithm and token type)
    • Payload (the claims, e.g. user ID, roles, expiry)
    • Signature (over the header and payload)
    HS256 – signature algorithm based on a shared secret (HMAC with SHA-256);
    anyone who can verify a token can also mint one
    RS256 – signature algorithm based on public key cryptography (RSA with
    SHA-256); the private key signs, the public key can only verify

  47. Router Guards and Roles

  48. Demo

  50. Final Thoughts

  51. Tools to Secure Your App
    • SSL/TLS
    • Password policy
    • Argon2 hashing algorithm with salted inputs
    • JWT – RS256
    • Make sure security (authentication) is enabled on your database
    • If using cookies, use HttpOnly cookies (and set the Secure and SameSite
      attributes)

  52. Reference Materials
    Official Angular Documentation
    https://angular.io
    ng-book – The Complete Book on Angular 4 – Nathan Murray and Ari Lerner
    Open Web Application Security Project
    https://www.owasp.org
    How to Secure an Angular Web Application
    https://github.com/dougcorbett/event-demo
    Angular 5 Security Masterclass
    https://www.udemy.com/angular-security
    The Complete Node.js Developer Course (2nd Edition)
    https://www.udemy.com/the-complete-nodejs-developer-course-2