Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Single Page Applications

Zakiullah Khan
December 07, 2014
Programming
2
370

Securing Single Page Applications

Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.

Zakiullah Khan

December 07, 2014
Tweet

More Decks by Zakiullah Khan

See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
300
Distributed Messaging with ZeroMQ
simplyzaki
1
320
Designing Big Data Solutions Using AWS
simplyzaki
1
490

Other Decks in Programming

See All in Programming
雑に思考を整理する技術と効能
konifar
62
30k
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
200
CDKコントリビュートの最初の壁を越えよう! -簡単issueの見つけ方-
badmintoncryer
3
180
2 週間で Twitter Bot を作ってみた
contour_gara
0
760
Goのエラースタックトレースの歴史と今後
sonatard
10
1.8k
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
980
敵対的ポイフル
futabato
0
120
Elm Form Validation
bkuhlmann
0
510
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | AndroidMakers Paris
prof18
0
140
ServerAction で Progressive Enhancement はどこまで頑張れるか? / progressive-enhancement-with-server-action
takefumiyoshii
6
390
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
670

Featured

See All Featured
Designing for Performance
lara
602
67k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Typedesign – Prime Four
hannesfritz
36
2.1k
How GitHub (no longer) Works
holman
305
140k
It's Worth the Effort
3n
180
27k
YesSQL, Process and Tooling at Scale
rocio
165
13k
Practical Orchestrator
shlominoach
183
9.7k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
11
1k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Visualization
eitanlees
137
14k

Transcript

  1. Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io

  2. Disclaimer I’m not a Security Expert.

  3. #ngHYD Twitter Hash Tag

  4. About Me Technical Manager @ Fission Labs http://www.khanio.com

  5. Agenda AppSec - OWASP - JWT

  6. Single Page Applications (SPAs) Currently trending ...

  7. None
  8. None

  9. Application Security Who knows it all in your team ?

  10. OWASP Open Web Application Security Project

  11. OWASP Online community dedicated to web application security

  12. OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices

  13. OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10

  14. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

  15. OWASP 2013 Top 10 A1 - Injection A2 - Broken

    Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards

  16. A2 Broken Authentication and Session management Credentials - Session -

    Browser Caching - Trust

  17. Defence Encrypt session data ( SSL + HMAC + Salt)

    Timeout idle sessions No plaintext anywhere Authenticate for sensitive data

  18. Cookie vs Token Does it matter ?

  19. None
  20. None
  21. None

  22. A3 Cross-Site Scripting (XSS) Malicious content delivered to user using

    Javascript
  23. None

  24. Defence Always validate user input Escape out URLs, JS data

    and Error pages Rely on program data, not user data

  25. Content Security Policy Whitelisting sources within browser

  26. Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com

  27. Content Security Policy connect-src - font-src - frame-src - img-src

    - media-src - object-src style-src

  28. ngCSP Content Security Policy within AngularJS

  29. A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data

    to evil endpoint
  30. None

  31. Defence Map HTTP methods rightly Forms authentication token Never rely

    on session

  32. $http XSRF protection within AngularJS using X-XSRF-TOKEN

  33. How to fix all three ? Let’s talk about JWT

  34. JSON Web Token (JWT) Pronounced as JOT

  35. JSON Web Token (JWT) Compact URL-safe means of representing claims

    to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.

  36. JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts

  37. JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>

  38. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }

  39. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}

  40. eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)

  41. JSON Web Token (JWT) NO CSRF - NO XSS

  42. angular-jwt https://github.com/auth0/angular-jwt

  43. Thank You Q&A