Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Securing Single Page Applications
Search
Zakiullah Khan
December 07, 2014
Programming
2
370
Securing Single Page Applications
Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.
Zakiullah Khan
December 07, 2014
Tweet
Share
More Decks by Zakiullah Khan
See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
300
Distributed Messaging with ZeroMQ
simplyzaki
1
320
Designing Big Data Solutions Using AWS
simplyzaki
1
490
Other Decks in Programming
See All in Programming
雑に思考を整理する技術と効能
konifar
62
30k
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
200
CDKコントリビュートの最初の壁を越えよう! -簡単issueの見つけ方-
badmintoncryer
3
180
2 週間で Twitter Bot を作ってみた
contour_gara
0
760
Goのエラースタックトレースの歴史と今後
sonatard
10
1.8k
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
980
敵対的ポイフル
futabato
0
120
Elm Form Validation
bkuhlmann
0
510
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | AndroidMakers Paris
prof18
0
140
ServerAction で Progressive Enhancement はどこまで頑張れるか? / progressive-enhancement-with-server-action
takefumiyoshii
6
390
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
670
Featured
See All Featured
Designing for Performance
lara
602
67k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Typedesign – Prime Four
hannesfritz
36
2.1k
How GitHub (no longer) Works
holman
305
140k
It's Worth the Effort
3n
180
27k
YesSQL, Process and Tooling at Scale
rocio
165
13k
Practical Orchestrator
shlominoach
183
9.7k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.2k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
11
1k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Visualization
eitanlees
137
14k
Transcript
Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io
Disclaimer I’m not a Security Expert.
#ngHYD Twitter Hash Tag
About Me Technical Manager @ Fission Labs http://www.khanio.com
Agenda AppSec - OWASP - JWT
Single Page Applications (SPAs) Currently trending ...
None
None
Application Security Who knows it all in your team ?
OWASP Open Web Application Security Project
OWASP Online community dedicated to web application security
OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices
OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
A2 Broken Authentication and Session management Credentials - Session -
Browser Caching - Trust
Defence Encrypt session data ( SSL + HMAC + Salt)
Timeout idle sessions No plaintext anywhere Authenticate for sensitive data
Cookie vs Token Does it matter ?
None
None
None
A3 Cross-Site Scripting (XSS) Malicious content delivered to user using
Javascript
None
Defence Always validate user input Escape out URLs, JS data
and Error pages Rely on program data, not user data
Content Security Policy Whitelisting sources within browser
Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com
Content Security Policy connect-src - font-src - frame-src - img-src
- media-src - object-src style-src
ngCSP Content Security Policy within AngularJS
A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data
to evil endpoint
None
Defence Map HTTP methods rightly Forms authentication token Never rely
on session
$http XSRF protection within AngularJS using X-XSRF-TOKEN
How to fix all three ? Let’s talk about JWT
JSON Web Token (JWT) Pronounced as JOT
JSON Web Token (JWT) Compact URL-safe means of representing claims
to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.
JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }
eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}
eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)
JSON Web Token (JWT) NO CSRF - NO XSS
angular-jwt https://github.com/auth0/angular-jwt
Thank You Q&A