Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Securing Single Page Applications
Search
Zakiullah Khan
December 07, 2014
Programming
2
380
Securing Single Page Applications
Slide deck used for recent presentation at Hydeabad's AngularJS User Group meetup.
Zakiullah Khan
December 07, 2014
Tweet
Share
More Decks by Zakiullah Khan
See All by Zakiullah Khan
Project Manager v/s Program Manager
simplyzaki
0
300
Distributed Messaging with ZeroMQ
simplyzaki
1
320
Designing Big Data Solutions Using AWS
simplyzaki
1
500
Other Decks in Programming
See All in Programming
AWS Serverless Application Model入門_20250708
smatsuzaki
0
120
The State of Fluid (2025)
s2b
0
190
大規模FlutterプロジェクトのCI実行時間を約8割削減した話
teamlab
PRO
0
490
新しいモバイルアプリ勉強会(仮)について
uetyo
1
260
学習を成果に繋げるための個人開発の考え方 〜 「学習のための個人開発」のすすめ / personal project for leaning
panda_program
1
110
AI OCR API on Lambdaを Datadogで可視化してみた
nealle
0
160
DockerからECSへ 〜 AWSの海に出る前に知っておきたいこと 〜
ota1022
5
1.8k
Kiroの仕様駆動開発から見えてきたAIコーディングとの正しい付き合い方
clshinji
1
130
Honoアップデート 2025年夏
yusukebe
1
830
Scale out your Claude Code ~自社専用Agentで10xする開発プロセス~
yukukotani
9
2.5k
書き捨てではなく継続開発可能なコードをAIコーディングエージェントで書くために意識していること
shuyakinjo
1
290
Portapad紹介プレゼンテーション
gotoumakakeru
1
130
Featured
See All Featured
A Tale of Four Properties
chriscoyier
160
23k
For a Future-Friendly Web
brad_frost
179
9.9k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Into the Great Unknown - MozCon
thekraken
40
2k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Raft: Consensus for Rubyists
vanstee
140
7.1k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
470
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Why Our Code Smells
bkeepers
PRO
338
57k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
jQuery: Nuts, Bolts and Bling
dougneiner
64
7.9k
Unsuck your backbone
ammeep
671
58k
Transcript
Securing Single Page Applications By Zakiullah Khan Mohammed @khan_io
Disclaimer I’m not a Security Expert.
#ngHYD Twitter Hash Tag
About Me Technical Manager @ Fission Labs http://www.khanio.com
Agenda AppSec - OWASP - JWT
Single Page Applications (SPAs) Currently trending ...
None
None
Application Security Who knows it all in your team ?
OWASP Open Web Application Security Project
OWASP Online community dedicated to web application security
OWASP Identify Vulnerabilities Recommend Solutions Document Best Practices
OWASP 2013 Top 10 http://j.mp/OWASP-2013-Top10
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
OWASP 2013 Top 10 A1 - Injection A2 - Broken
Authentication & Session Management A3 - Cross-Site Scripting (XSS) A4 - Insecure Direct Object References A5 - Security Misconfiguration A6 - Sensitivity Data Exposure A7 - Missing Function Level Access Control A8 - Cross-Site Request Forgery (CSRF) A9 - Using Components with Known Vulnerabilities A10 - Unvalidated Redirects & Forwards
A2 Broken Authentication and Session management Credentials - Session -
Browser Caching - Trust
Defence Encrypt session data ( SSL + HMAC + Salt)
Timeout idle sessions No plaintext anywhere Authenticate for sensitive data
Cookie vs Token Does it matter ?
None
None
None
A3 Cross-Site Scripting (XSS) Malicious content delivered to user using
Javascript
None
Defence Always validate user input Escape out URLs, JS data
and Error pages Rely on program data, not user data
Content Security Policy Whitelisting sources within browser
Content Security Policy Content-Security-Policy: script-src ‘self’ https://api.example.com
Content Security Policy connect-src - font-src - frame-src - img-src
- media-src - object-src style-src
ngCSP Content Security Policy within AngularJS
A8 Cross-Site Request Forgery (XSRF) Tricks user in submitting data
to evil endpoint
None
Defence Map HTTP methods rightly Forms authentication token Never rely
on session
$http XSRF protection within AngularJS using X-XSRF-TOKEN
How to fix all three ? Let’s talk about JWT
JSON Web Token (JWT) Pronounced as JOT
JSON Web Token (JWT) Compact URL-safe means of representing claims
to be transferred between two parties. The claims in JWT are encoded as JSON object that is digitally signed using JWS.
JSON Web Token (JWT) eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
JSON Web Token (JWT) <base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 { "alg": "HS256", "typ": "JWT" }
eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWl uIjp0cnVlfQ {"sub": 1234567890, "name": "John Doe", "admin": true}
eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts HMACSHA256(base64UrlEncode(header)+"."+base64UrlEncode(claims), secret_key)
JSON Web Token (JWT) NO CSRF - NO XSS
angular-jwt https://github.com/auth0/angular-jwt
Thank You Q&A
simplyzaki
smatsuzaki
s2b
teamlab
uetyo
panda_program
nealle
ota1022
clshinji
yusukebe
yukukotani
shuyakinjo
gotoumakakeru
chriscoyier
brad_frost
wjessup
thekraken
yeseniaperezcruz
vanstee
tammyeverts
sergeychernyshev
bkeepers
aki_iinuma
dougneiner
ammeep
