How to Secure an Angular Web Application

In this presentation, we will cover all the elements required to build a secure web application with Angular and Node.

We will discuss SSL/TLS, authentication and authorization, cookies vs JSON Web Tokens (JWT) for session management, password hashing, salting and enforcing password policy. Finally, we will look at how this can be implemented in an example Angular/Node application.

Doug Corbett

May 02, 2018

Transcript

  1. How to Secure an Angular Web Application. Wednesday May 2, 2018. Doug Corbett, dougccorbett@gmail.com

  2. Agenda: 1 Mission Accomplished! 2 What Could Go Wrong? 3 Counters 4 Router Guards and Roles 5 Final Thoughts

  3. on Mission Accomplished!

  4. Our Mission: To build a hospital information system to make our users dance with joy. * https://i.makeagif.com/media/6-08-2015/KdEXC-.gif

  5. Happy Times HIS * http://www.genesisinfo.com/images/DOSEBC.gif

  6. Ingredients • 2 developers * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png

  7. Ingredients • 2 developers • 9 months * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

  8. Ingredients • 2 developers • 9 months • 180 pizzas * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

  9. Happy Times HIS * https://medium.com/garyyauchan/flatiron-health-emr-product-case-study-edd85049d19

  10. Ingredients • 2 developers • 9 months • 180 pizzas • 1 Designer * https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png * https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg * https://i.pinimg.com/originals/da/a3/55/daa3555f4349314994b753b4467b88af.jpg

  11. Happy Times HIS * https://i.pinimg.com/originals/eb/65/7a/eb657a37f9e9b3e19d52701fecd4d222.png

  12. Flow - Login

  13. Flow – Sign up

  14. Scenario Background * https://s-i.huffpost.com/gen/1323155/thumbs/r-GEORGE-BUSH-AIRCRAFT-CARRIER-large570.jpg?5

  15. on What Could Go Wrong?

  16. Flow - Login (diagram labels: weak passwords)

  17. Weak Passwords https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

  18. Flow - Login (diagram labels: weak passwords, dictionary attack)

  19. Flow - Login (diagram labels: weak passwords, dictionary attack, network sniffer)

  20. Network Sniffers

  21. Flow - Login (diagram labels: weak passwords, dictionary attack, network sniffer, plain text passwords)

  22. Plain Text Passwords in DB https://www.esecurityplanet.com/network-security/data-breach-at-web-host-exposes-13-million-plain-text-passwords.html

  23. Flow - Login (diagram labels: weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security)

  24. Disabled Security on DB https://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/

  25. Flow - Login (diagram labels: weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, a second dictionary attack)

  26. Flow - Login (diagram labels: as slide 25, plus cookie hijacking)

  27. Cookie Hijacking: the stealing of a session id stored as a cookie in the victim's browser and passed with every call to the server.

  28. Flow - Login (diagram labels: as slide 26, plus CSRF)

  29. Cross Site Request Forgery (CSRF) • An attack whereby the attacker only needs your email, or for you to click on a link, to send a GET or POST request to an API, possibly triggering an action. • Especially dangerous for RESTful APIs that do not rely on request bodies. • A “blind” attack: the attacker is limited in what they can do.

  30. on Counters

  31. Flow - Login (diagram labels: all threats from slides 16-28: weak passwords, dictionary attack (twice), network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF)

  32. Flow - Login (diagram: threats as slide 31; counter added: password policy)

  33. Flow - Login (diagram: threats as slide 31; counters: password policy, ssl / tls (twice))

  34. Flow - Login (diagram: threats as slide 31; counters: password policy, ssl / tls, hashing)

  35. Hashing: an algorithm used to convert a string into a fixed-length alphanumeric string. Characteristics: 1. Easy to create a hash value from an input. 2. Extremely difficult, if not impossible, to determine the input from a hash value. 3. While possible, it is extremely unlikely for two inputs to produce the same hash value.

  36. Flow - Login (diagram: counters as slide 34, plus require admin user password)

  37. Flow - Login (diagram: counters as slide 36, plus 3x lockout or time delay)

  38. Flow - Login (diagram: counters as slide 37, plus salting)

  39. Salt: random data that is used as additional input in hashing algorithms. Minor changes make a big difference in the hash value.

  40. Flow - Login (diagram: counters as slide 38, plus double cookie)

  41. Double cookie: add an extra header called “crf-token”. Then the server will look for both cookies to verify the request is legitimate.

  42. Flow - Login (diagram: counters as slide 40, plus GETs with no side effects)

  43. on Loose Ends

  44. SQL Injection Attacks http://ddgrafx.com/wp-content/uploads/2017/11/awesome-little-bobby-tables-decorating-ideas-a-bedroom-model.jpg

  45. Open Web Application Security Project (OWASP): a worldwide not-for-profit charitable organization focused on improving the security of software. https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

  46. JSON Web Tokens: an alphanumeric string representing claims between parties, enabling stateless servers and third-party authentication. Parts • Header • Payload • Signature. HS256 – signature algorithm based on a secret. RS256 – signature algorithm based on public key cryptography.

  47. Router Guards and Roles

  48. on Demo

  49. Demo

  50. Final Thoughts

  51. Tools to Secure Your App • SSL/TLS • Password policy • Argon2 hashing algorithm with salted inputs • JWT – RS256 • Make sure security is enabled on your database • If using cookies, use HttpOnly cookies

  52. Reference Materials • Official Angular Documentation https://angular.io • ng-book – The Complete Book on Angular 4 – Nathan Murray and Ari Lerner • Open Web Application Security Project https://www.owasp.org • How to Secure an Angular Web Application https://github.com/dougcorbett/event-demo • Angular 5 Security Masterclass https://www.udemy.com/angular-security • The Complete Node.js Developer Course (2nd Edition) https://www.udemy.com/the-complete-nodejs-developer-course-2