Slide 1

How to Secure an Angular Web Application
Wednesday, May 2, 2018
Doug Corbett [email protected]

Slide 2

Agenda
1. Mission Accomplished!
2. What Could Go Wrong?
3. Counters
4. Router Guards and Roles
5. Final Thoughts

Slide 3

Mission Accomplished!

Slide 4

Our Mission
To build a hospital information system that makes our users dance with joy.
* https://i.makeagif.com/media/6-08-2015/KdEXC-.gif

Slide 5

Happy Times HIS
* http://www.genesisinfo.com/images/DOSEBC.gif

Slide 6

Ingredients
• 2 developers
* https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png

Slide 7

Ingredients
• 2 developers
• 9 months
* https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
* https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

Slide 8

Ingredients
• 2 developers
• 9 months
• 180 pizzas
* https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
* https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg

Slide 9

Happy Times HIS
* https://medium.com/garyyauchan/flatiron-health-emr-product-case-study-edd85049d19

Slide 10

Ingredients
• 2 developers
• 9 months
• 180 pizzas
• 1 designer
* https://cdn-images-1.medium.com/max/1024/1*zRrkoarX94CUZe3-NrSYGg.png
* https://memegenerator.net/img/instances/400x/54225850/9-months-later.jpg
* https://i.pinimg.com/originals/da/a3/55/daa3555f4349314994b753b4467b88af.jpg

Slide 11

Happy Times HIS
* https://i.pinimg.com/originals/eb/65/7a/eb657a37f9e9b3e19d52701fecd4d222.png

Slide 12

Flow - Login

Slide 13

Flow - Sign up

Slide 14

Scenario Background
* https://s-i.huffpost.com/gen/1323155/thumbs/r-GEORGE-BUSH-AIRCRAFT-CARRIER-large570.jpg?5

Slide 15

What Could Go Wrong?

Slide 16

Flow - Login (threats): weak passwords

Slide 17

Weak Passwords
https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Slide 18

Flow - Login (threats): weak passwords, dictionary attack

Slide 19

Flow - Login (threats): weak passwords, dictionary attack, network sniffer

Slide 20

Network Sniffers

Slide 21

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords

Slide 22

Plain Text Passwords in DB
https://www.esecurityplanet.com/network-security/data-breach-at-web-host-exposes-13-million-plain-text-passwords.html

Slide 23

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security

Slide 24

Disabled Security on DB
https://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/

Slide 25

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security

Slide 26

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking

Slide 27

Cookie Hijacking
The stealing of a session id that is stored as a cookie in the victim's browser and passed with every call to the server.

Slide 28

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF

Slide 29

Cross Site Request Forgery (CSRF)
• An attack whereby the attacker only needs your email address, or for you to click on a link, to make your browser send a GET or POST request to an API, possibly triggering an action.
• Especially dangerous for RESTful APIs that do not rely on request bodies.
• A "blind" attack: the attacker does not see the response, so they are limited in what they can do.

Slide 30

Counters

Slide 31

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF

Slide 32

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy

Slide 33

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS

Slide 34

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing

Slide 35

Hashing
• An algorithm used to convert a string into a fixed-length alphanumeric string
Characteristics
1. Easy to create a hash value from an input
2. Extremely difficult, if not impossible, to determine the input from a hash value
3. While possible, it is extremely unlikely for two inputs to produce the same hash value

Slide 36

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing, require admin user password

Slide 37

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing, require admin user password, 3x lockout or time delay
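
The "3x lockout or time delay" counter on the flow diagram, worked through as an added example (this is not code from the slides or from the event-demo repository). The class name LoginThrottle, the threshold of three failures and the 15-minute lock duration are this example's own choices; `checkPassword` stands in for the real hash comparison that the hashing slides cover.

```typescript
// Added example: an in-memory login throttle that locks an account after
// MAX_FAILURES wrong passwords. Thresholds and names are assumptions.
const MAX_FAILURES = 3;          // failures allowed before the account locks
const LOCKOUT_MS = 15 * 60_000;  // how long the lock lasts (15 minutes)

interface AttemptState { failures: number; lockedUntil: number }

class LoginThrottle {
  private readonly state = new Map<string, AttemptState>();

  // `now` is injectable so the behaviour can be tested without real waiting.
  constructor(private readonly now: () => number = () => Date.now()) {}

  // True while the account is locked; an expired lock is cleared lazily.
  isLocked(username: string): boolean {
    const s = this.state.get(username);
    if (!s) return false;
    if (s.lockedUntil > 0 && s.lockedUntil <= this.now()) {
      this.state.delete(username);
      return false;
    }
    return s.lockedUntil > 0;
  }

  // Record a failed password check. Returns true if this failure locked the account.
  recordFailure(username: string): boolean {
    const s = this.state.get(username) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) {
      s.lockedUntil = this.now() + LOCKOUT_MS;
    }
    this.state.set(username, s);
    return s.lockedUntil > 0;
  }

  // A successful login resets the counter.
  recordSuccess(username: string): void { this.state.delete(username); }

  // Seconds left on the lock, 0 if not locked (suitable for a Retry-After header).
  retryAfterSeconds(username: string): number {
    if (!this.isLocked(username)) return 0;
    const s = this.state.get(username)!;
    return Math.ceil((s.lockedUntil - this.now()) / 1000);
  }
}

// A login handler wired to the throttle. The lock is checked before the
// password so that a locked account is never compared at all.
function attemptLogin(
  throttle: LoginThrottle, username: string, password: string,
  checkPassword: (u: string, p: string) => boolean,
): "ok" | "locked" | "bad-credentials" {
  if (throttle.isLocked(username)) return "locked";
  if (checkPassword(username, password)) {
    throttle.recordSuccess(username);
    return "ok";
  }
  throttle.recordFailure(username);
  return "bad-credentials";
}
```

A per-account lock alone lets anyone who knows a username lock its owner out, which is why the slide offers "time delay" as the alternative: a growing delay per failed attempt, or a per-source rate limit, slows a dictionary attack without handing out a denial-of-service lever. In a multi-instance deployment the Map would live in a shared store rather than in process memory.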

Slide 38

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing, require admin user password, 3x lockout or time delay, salting

Slide 39

Salt
Random data that is used as additional input to a hashing algorithm. A minor change to the input makes a big difference in the hash value.
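
The hashing and salting slides together, as an added example that is not the deck's or the demo repository's code. The "Tools to Secure Your App" slide recommends Argon2; this example uses scrypt from Node's built-in crypto module instead so it runs with no extra dependency, and the stored record format "scrypt$<salt-hex>$<hash-hex>" is this example's own convention.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

// Added example: salted password hashing with scrypt (Argon2 is the deck's
// recommendation; scrypt is used here because it ships with Node).
const SALT_BYTES = 16;   // 128-bit random salt, unique per password
const KEY_BYTES = 32;    // 256-bit derived hash
const SCRYPT_COST = { N: 16384, r: 8, p: 1 };  // work factor; raise over time

// Same password + same salt -> same hash (characteristic 1 on the slide);
// same password + different salt -> an unrelated hash, which is what makes
// a precomputed dictionary of hashes useless against the user table.
function derive(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, KEY_BYTES, SCRYPT_COST);
}

// Build the string to store for a user. The salt is not secret and is
// stored next to the hash; it only has to be random and per-user.
function hashPassword(password: string, salt: Buffer = randomBytes(SALT_BYTES)): string {
  return `scrypt$${salt.toString("hex")}$${derive(password, salt).toString("hex")}`;
}

// Check a login attempt. The candidate is hashed with the stored salt and
// compared in constant time so response timing does not reveal how many
// leading bytes matched.
function verifyPassword(password: string, stored: string): boolean {
  const [scheme, saltHex, hashHex] = stored.split("$");
  if (scheme !== "scrypt" || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  const actual = derive(password, Buffer.from(saltHex, "hex"));
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

Storing the scheme name in the record is what lets you migrate later (for example to Argon2, as the deck recommends) by re-hashing each user's password at their next successful login.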

Slide 40

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing, require admin user password, 3x lockout or time delay, salting, double cookie

Slide 41

Double cookie
Add an extra header called "crf-token". The server then looks for both the cookie and the header before accepting the request as legitimate.
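
The double-cookie check described above, and the CSRF slide it answers, as an added example on the server side; it also shows the "http only cookies" and SSL/TLS points from the "Tools to Secure Your App" slide. This is not code from the slides or the event-demo repository. The cookie and header names follow Angular's HttpClient defaults (an XSRF-TOKEN cookie echoed back in an X-XSRF-TOKEN header), and the IncomingReq shape is a minimal stand-in for an Express-style request object.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Added example: double-submit cookie check for CSRF, plus the cookie flags
// a session cookie should carry. Names below are this example's assumptions.
interface IncomingReq {
  method: string;
  headers: Record<string, string | undefined>;   // lower-cased header names
  cookies: Record<string, string | undefined>;
}

// Only requests that change state need the check; a GET must have no side
// effects (the "Gets with no side effects" point on the flow diagram).
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Minimal parser for the request's Cookie header ("a=1; b=2").
function parseCookieHeader(header: string | undefined): Record<string, string | undefined> {
  const out: Record<string, string | undefined> = {};
  for (const part of (header ?? "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Set-Cookie values issued at login. The session cookie is HttpOnly, so page
// scripts (and an XSS payload) cannot read it. The XSRF cookie is deliberately
// NOT HttpOnly: the Angular client has to read it to copy it into the header.
// Secure keeps both cookies off plain-HTTP connections.
function loginCookies(sessionId: string): string[] {
  const xsrf = randomBytes(32).toString("hex");
  return [
    `sessionid=${sessionId}; HttpOnly; Secure; SameSite=Lax; Path=/`,
    `XSRF-TOKEN=${xsrf}; Secure; SameSite=Lax; Path=/`,
  ];
}

// The check itself. A page on another origin can make the browser attach the
// cookies, but it cannot read the XSRF cookie, so it cannot reproduce the
// value in a custom header. Cookie and header must therefore both be present
// and equal; the comparison is constant-time.
function isCsrfSafe(req: IncomingReq): boolean {
  if (!STATE_CHANGING.has(req.method.toUpperCase())) return true;
  const cookie = req.cookies["XSRF-TOKEN"];
  const header = req.headers["x-xsrf-token"];
  if (!cookie || !header) return false;
  const a = Buffer.from(cookie);
  const b = Buffer.from(header);
  return a.length === b.length && timingSafeEqual(a, b);
}
```

Because the XSRF cookie is readable from JavaScript by design, it must never carry the session itself; the session stays in the HttpOnly cookie, which is what limits cookie hijacking through script injection.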

Slide 42

Flow - Login (threats): weak passwords, dictionary attack, network sniffer, plain text passwords, disabled security, cookie hijacking, CSRF
Counters: password policy, SSL/TLS, hashing, require admin user password, 3x lockout or time delay, salting, double cookie, GETs with no side effects

Slide 43

Loose Ends

Slide 44

SQL Injection Attacks
http://ddgrafx.com/wp-content/uploads/2017/11/awesome-little-bobby-tables-decorating-ideas-a-bedroom-model.jpg

Slide 45

Open Web Application Security Project (OWASP)
A worldwide not-for-profit charitable organization focused on improving the security of software.
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Slide 46

JSON Web Tokens
An alphanumeric string representing claims between parties, enabling stateless servers and third-party authentication.
Parts
• Header
• Payload
• Signature
HS256 – signature algorithm based on a shared secret
RS256 – signature algorithm based on public key cryptography

Slide 47

Router Guards and Roles
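
The JSON Web Tokens slide and the router guard topic together, as an added example that is not the deck's or the event-demo repository's code. It builds and verifies an HS256 token with Node's crypto module (no jsonwebtoken dependency) and then makes the allow/deny decision an Angular CanActivate guard would make from the verified `roles` claim. The claim names `sub`, `roles` and `exp`, and the secret used in the test, are this example's own assumptions.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example: HS256 JWT sign/verify and a role-based guard decision.
// Claim names and the secret are assumptions, not values from the deck.
interface JwtPayload { sub: string; roles: string[]; exp: number }

// JWT parts are base64url: base64 without padding, with - and _ in place of + and /.
const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

// HS256 = HMAC-SHA256 over "header.payload" with the shared secret.
function hs256(signingInput: string, secret: string): Buffer {
  return createHmac("sha256", secret).update(signingInput).digest();
}

// Token = header.payload.signature (the three parts on the slide).
function signJwt(payload: JwtPayload, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(hs256(`${header}.${body}`, secret));
  return `${header}.${body}.${sig}`;
}

// Returns the payload only if the signature is valid for the algorithm the
// server expects and the token has not expired. The header's alg is compared
// with the expected value, never used to choose how to verify, so a token
// cannot ask to be verified more weakly than the server intends.
function verifyJwt(token: string, secret: string,
                   nowSec: number = Math.floor(Date.now() / 1000)): JwtPayload | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header = "", body = "", sig = ""] = parts;
  let alg: unknown;
  try { alg = JSON.parse(fromB64url(header).toString("utf8")).alg; } catch { return null; }
  if (alg !== "HS256") return null;
  const expected = hs256(`${header}.${body}`, secret);
  const actual = fromB64url(sig);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;
  let payload: JwtPayload;
  try { payload = JSON.parse(fromB64url(body).toString("utf8")); } catch { return null; }
  if (typeof payload !== "object" || payload === null) return null;
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) return null;
  if (!Array.isArray(payload.roles)) return null;
  return payload;
}

// Guard decision: may a user holding these roles open a route that requires
// any one of `required`? In Angular this sits inside a CanActivate guard. It
// only controls navigation in the browser; the API must repeat the same
// check on every request, because the client code can be modified by its user.
function canActivate(payload: JwtPayload | null, required: string[]): boolean {
  if (!payload) return false;
  if (required.length === 0) return true;
  return required.some((r) => payload.roles.includes(r));
}
```

With RS256 the only change is in `hs256`/`verifyJwt`: the token is signed with a private key and verified with the matching public key, so the API servers that verify tokens never hold a secret that could mint new ones.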

Slide 48

Demo

Slide 49

Demo

Slide 50

Final Thoughts

Slide 51

Tools to Secure Your App
• SSL/TLS
• Password policy
• Argon2 hashing algorithm with salted inputs
• JWT – RS256
• Make sure security is enabled on your database
• If using cookies, use HTTP-only cookies

Slide 52

Reference Materials
Official Angular Documentation – https://angular.io
ng-book – The Complete Book on Angular 4 – Nathan Murray and Ari Lerner
Open Web Application Security Project – https://www.owasp.org
How to Secure an Angular Web Application – https://github.com/dougcorbett/event-demo
Angular 5 Security Masterclass – https://www.udemy.com/angular-security
The Complete Node.js Developer Course (2nd Edition) – https://www.udemy.com/the-complete-nodejs-developer-course-2