Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Single Page Applications

Zakiullah Khan
December 07, 2014
Programming
2
380

Securing Single Page Applications

Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.

Zakiullah Khan

December 07, 2014
Tweet

More Decks by Zakiullah Khan

See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
300
Distributed Messaging with ZeroMQ
simplyzaki
1
320
Designing Big Data Solutions Using AWS
simplyzaki
1
500

Other Decks in Programming

See All in Programming
Jakarta EE meets AI
ivargrimstad
0
280
Vapor Revolution
kazupon
1
180
watsonx.ai Dojo #4 生成AIを使ったアプリ開発、応用編
oniak3ibm
PRO
1
180
macOS でできる リアルタイム動画像処理
biacco42
9
2.4k
Arm移行タイムアタック
qnighy
0
340
デザインパターンで理解するLLMエージェントの作り方 / How to develop an LLM agent using agentic design patterns
rkaga
3
350
React CompilerとFine Grained Reactivityと宣言的UIのこれから / The next chapter of declarative UI
ssssota
1
100
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
1
100
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
950
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
Contemporary Test Cases
maaretp
0
140

Featured

See All Featured
Building Adaptive Systems
keathley
38
2.3k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Unsuck your backbone
ammeep
668
57k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
A designer walks into a library…
pauljervisheath
204
24k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
For a Future-Friendly Web
brad_frost
175
9.4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k

Transcript

  1. Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io

  2. Disclaimer I’m not a Security Expert.

  3. #ngHYD Twitter Hash Tag

  4. About Me Technical Manager @ Fission Labs http://www.khanio.com

  5. Agenda AppSec - OWASP - JWT

  6. Single Page Applications (SPAs) Currently trending ...

  7. None
  8. None

  9. Application Security Who knows it all in your team ?

  10. OWASP Open Web Application Security Project

  11. OWASP Online community dedicated to web application security

  12. OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices

  13. OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10

  14. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

  15. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

  16. A2 Broken Authentication and Session management Credentials - Session -

    Browser Caching - Trust

  17. Defence Encrypt session data ( SSL + HMAC + Salt)

    Timeout idle sessions No plaintext anywhere Authenticate for sensitive data

  18. Cookie vs Token Does it matter ?

  19. None
  20. None
  21. None

  22. A3 Cross-Site Scripting (XSS) Malicious content delivered to user using

    Javascript
  23. None

  24. Defence Always validate user input Escape out URLs, JS data

    and Error pages Rely on program data, not user data

  25. Content Security Policy Whitelisting sources within browser

  26. Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com

  27. Content Security Policy connect-src - font-src - frame-src - img-src

    - media-src - object-src style-src

  28. ngCSP Content Security Policy within AngularJS

  29. A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data

    to evil endpoint
  30. None

  31. Defence Map HTTP methods rightly Forms authentication token Never rely

    on session

  32. $http XSRF protection within AngularJS using X-XSRF-TOKEN

  33. How to fix all three ? Let’s talk about JWT

  34. JSON Web Token (JWT) Pronounced as JOT

  35. JSON Web Token (JWT) Compact URL-safe means of representing claims

    to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.

  36. JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts

  37. JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>

  38. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }

  39. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}

  40. eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)

  41. JSON Web Token (JWT) NO CSRF - NO XSS

  42. angular-jwt https://github.com/auth0/angular-jwt

  43. Thank You Q&A