AppSec Europe 2016 has ended
Wednesday, June 29 • 09:00 - 17:00
Day 1/1 - Defensive Programming for JavaScript & HTML5


This one-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.

Topics covered include, but are not limited to, the security-relevant aspects of modern browser architecture (the Document Object Model and the Same Origin Policy); common web vulnerabilities such as XSS, CSRF and DOM manipulation; and newer HTML5 technologies such as sandboxed iframes, Cross-Origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and the specifics of using JSON safely.

The JavaScript section covers vulnerabilities in Node.js, Express.js and AngularJS.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:

• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data
• Securing Server-side JavaScript (Node.js and Express.js)
• Securing Client-side JavaScript (AngularJS)

After completing this course, students will be able to:

• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques


Labs and Demonstrations:

Students who bring their own laptops with internet connectivity will be able to access online virtual machines hosting the labs. In the lab sessions, students learn to fix issues related to localStorage, web messaging, the sandbox attribute for iframes, CORS, CSP, parsing JSON data, JavaScript injection, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how client-side data can be tampered with, how client-side filters can be evaded, and how to work with Firebug. The labs are not compulsory to get the full value of the course, but they are strongly recommended.

Video about the training: https://www.youtube.com/watch?v=p0LxLUMXntc

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications...

Wednesday June 29, 2016 09:00 - 17:00 CEST
Bramante 14
