SlideShare ist ein Scribd-Unternehmen logo

How do JavaScript frameworks impact the security of applications?

K
Ksenia Peguero

The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.

Software
1 von 30
Downloaden Sie, um offline zu lesen
How do JavaScript frameworks impact the security of applications? Ksenia Peguero
• Current: Sr. Research Engineer at Synopsys, part of the Security Research Lab • Prior: Principle Consultant at Cigital/Synopsys • PhD candidate at GWU • Mother • @KseniaDmitrieva whoami
Language popularity by open pull request according the Octoverse report from 2014 to 2018: • JavaScript has been the leading programming language for the last 5 years • JavaScript is used for web applications on client-side and server-side, in mobile applications, desktop applications and IoT software. Why JavaScipt? https://octoverse.github.com/projects#languages
State of the Client-Side JavaScript Field Today
• Client-side: over 50 frameworks, according to the https://jsreport.io/ • Angular, React, Vue • Server-side: over 40 frameworks, according to http://nodeframework.com/ • Express, Koa, Sails • Full-stack frameworks • Meteor, Aurelia, Derby, MEAN.js • Desktop frameworks • Electron • Mobile frameworks • Phonegap, Cordova How many frameworks are there?
• Frameworks provide functionality, easiness of prototyping and development, performance… Hm,… security, anyone? • Following the “shift-left” paradigm in software security, we should not only identify and fix vulnerabilities earlier in the software development lifecycle, but also prevent them earlier. • Questions: • Does the security of a framework help to make applications more secure? • Does building security controls into a framework result in “shifting-left” the security of the application? What is there in the framework for security?
• A vulnerability may be mitigated at the following levels in relation to the framework: • L0 - No mitigation in place. Baseline – no protection • L1 - Custom function. A security control written by developers • L2 - An external library that provides a security control • L3 - A framework plugin. A third-party code used by developers which tightly integrates with the framework • L4 - Built-in mitigation control implemented in the framework as a function or feature Levels of Vulnerability Mitigation proposed by John Steven Developer code Framework 3rd party library function sanitize() {} plugin L1 L2 L3 L4
• L1 - Custom function: developer implementation • L2 - An external library: ESAPI (The OWASP Enterprise Security API) – a security control library https://github.com/ESAPI/esapi-java-legacy • L3 - A framework plugin: the csurf plugin for Express https://www.npmjs.com/package/csurf • L4 - Built-in mitigation control: Spring Security https://spring.io/projects/spring-security Mitigation Levels Examples function cors (res) { res.set({ 'Access-Control-Allow-Origin': '*’, 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept’ }) return res } https://xkcd.com/221/
The closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have. Hypothesis FrameworkDeveloper code Give me the data!
• XSS is “a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” (OWASP) • Common protections: • Output encoding • Input validation • Sanitization • Special case: need to allow users to use some HTML, but not malicious JavaScript, for example, blog posts, marketing letters, CMS. • How to implement: display raw HTML and let the browser render it. • How to protect from XSS: only allow a safe subset of HTML (sanitizing the “bad” HTML or using alternative markup languages like Markdown) Case Study 1: XSS
• Use case: the application needs to display user input that contains HTML markup • Application Selection Criteria: • Application type: blog or CMS • Full-stack JavaScript applications • Template engines: Jade/Pug, EJS, AngularJS • Filters: • last commit no later than 2013 • at least 1 star • the language is JavaScript, HTML, CSS Data Selection for XSS (2016) https://insights.bookbub.com/creative-blog-post-ideas-authors/
Total of 170 projects: • 65 Jade/Pug • 54 EJS • 51 AngularJS Resulting Dataset
• Jade/Pug: • Escaping: curly braces, equals sign for tags • Interpolation: bang-sign, no sanitization • EJS: • Escaping: special braces '<%=' and '%>' • Interpolation: '<%-' and '%>', no sanitization • AngularJS: • Escaping: contextually-aware escaping with double curly braces • Interpolation: safe subset with 'ng-bind-html', trustAsHtml() for raw HTML interpolation Escaping and Interpolation in Frameworks h1=title p {article.name} p!=article.content div !{post.body} <%=article.title%> <%-article.body%> <a href="{{post.url}}"> {{post.title}} </a> <p ng-bind-html= "post.description"></p>
Analysis Pipeline Jade/Pug Extended pug-lexer and pug-parser EJS Extended EJS core project, custom analyzer AngularJS ESLint with a custom rule Download project info and template files from GitHub Run parser and analyzer for each template engine Perform manual review Perform statistical analysis of the results
Case Study 1: Results Mitigation Levels: L1 - Custom function L2 - An external library L3 - A framework plugin L4 - Built-in mitigation control Template engine Number of projects Number of vulnerabilities Number of vulnerable projects % of vulnerable projects Mitigation level Jade/Pug 65 72 25 38% L1 or L2 EJS 54 96 23 43% L1 or L2 AngularJS 51 12 6 12% L4 Percentage of applications vulnerable to XSS
• What if AngularJS developers are just better / smarter / more experienced than developers writing Jade/Pug and EJS? • We use ANOVA statistical analysis to verify our results against other factors Confounding Variables Analysis for XSS Criteria P-value Developer’s overall experience 0.319279 Developer’s JavaScript experience 0.132049 Project size 0.431335 Project popularity (stars) 0.200649 Project reuse (forks) 0.211615 Template engine 0.001021 The statistically significant difference is shown by a p-value < 0.05. The choice of a template engine is the only factor affecting the number of vulnerabilities. Hypothesis proved (for XSS): the closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have value < 0.05
CSRF - “an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated” (OWASP) Protection methods: • Server-Side: • CSRF tokens  In POST parameters  Double-submit cookie • Two-factor authentication • Not using session cookies: • JWT • Using web socket session Case Study 2: CSRF • Client-side: • Same-site cookies • White-listing expected origins • Allowed referrer lists https://linuxsecurityblog.com/2016/02/11/defending-against-csrf-attacks/
Use case: authenticated users call sensitive functionality that change the server state Application Selection Criteria: • Application type: • Blog • CMS • E-commerce • REST API • JavaScript server-side applications • Frameworks: Express, Koa, Hapi, Sails, Meteor* Selection goal: • 100 applications per framework Data Selection for CSRF (2018) http://leanport.com/effective-ways-to-improve-e-commerce-marketing/
Total of 364 projects Resulting Dataset Framework Blog CMS E-commerce REST API Total Express 29 35 45 0 109 Koa 68 26 6 0 100 Hapi 26 3 9 10 48 Sails 72 20 15 0 107
Express: • Plugins csurf L3 Koa: • Plugin koa-csrf L3 Hapi: • Plugin crumb L3 Sails: • Framework configuration L4 Meteor: • Framework architecture L? CSRF Protection in Frameworks const express = require('express'); const csrf = require('csurf'); const cookieParser = require('cookie-parser'); const app = express(); app.use(cookieParser()); app.use(csrf({cookie: true})); Express const Koa = require('koa'); const session = require('koa-session'); const CSRF = require('koa-csrf'); const app = new Koa(); app.use(session(app)); app.use(new CSRF()); Koa
const Hapi = require('hapi'); const Crumb = require('crumb'); const server = new Hapi.Server({port: 8000}); (async () => { await server.register({ plugin: Crumb, options: {restful: true} }); ... Hapi module.exports.csrf = { csrf.grantTokenViaAjax: true, csrf.origin: 'example.com' } Sails Express: • Plugins csurf L3 Koa: • Plugin koa-csrf L3 Hapi: • Plugin crumb L3 Sails: • Framework configuration L4 Meteor: • Framework architecture L? CSRF Protection in Frameworks
A CSRF attack depends on a session being maintained in a cookie. If there is no cookie, the attack is not possible. Meteor: • Meteor uses custom Distributed Data Protocol (DDP) for client-server communication • DDP runs on WebSockets instead of HTTP • A session is maintained via a long-lived WebSocket connection • A third party cannot send a forged request over an established WebSocket connection JSON Web Token (JWT): • Developed as access tokens, but used as session tokens • Not stored in cookies, but transmitted in HTTP headers, which are not added to cross-origin requests by the browser • Have other limitations, but do protect from CSRF Special Case: Meteor and JWT
• A vulnerability may be mitigated at the following levels in relation to the framework: • L0 - No mitigation in place. Baseline – no protection • L1 - Custom function. A security control written by developers • L2 - An external library that provides a security control • L3 - A framework plugin. A third-party code used by developers which tightly integrates with the framework • L4 - Built-in mitigation control implemented in the framework as a function or feature • L5 – Architecture level mitigation control. A framework is designed in a way that makes the attack impossible. Levels of Vulnerability Mitigation Developer code Framework 3rd party library function sanitize() {} plugin L1 L2 L3 L4 Framework design/platformL5
The closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have. Hypothesis FrameworkDeveloper code Does it work for CSRF?
CSRF plugins: csurf, csrf, alt-XSRF, koa-csrf, crumb, lusca Sails configuration JWT plugins Download project from GitHub Run ESLint with custom rules Perform manual review Perform statistical analysis of the results Analysis Pipeline
Framework Number of projects CSRF protection JWT Total protected % of protected projects Mitigation level Express 109 6 9 15 14% L3 Koa 100 6 14 19* 19% L3 Hapi 48 0 17 17 35% L3 Sails 107 7 8 15 14% L4 Mitigation Levels: L1 - Custom function L2 - An external library L3 - A framework plugin L4 - Built-in mitigation control Percentage of applications protected from CSRF Case Study 2: Results
Results of confounding variables analysis using ANOVA statistical tests Criteria P-value Developer’s overall experience 0.165714 Developer’s JavaScript experience 0.161450 Project size 0.263872 Project popularity (stars) 0.411852 Project reuse (forks) 0.513946 Framework 0.507734 The statistically significant difference is shown by a p-value < 0.05. However, none of the calculated p-values are smaller than 0.05. Thus, none of the confounding variables show a correlation. For CSRF, the hypothesis is not proved. There is no correlation between the level of CSRF mitigation and the presence of the CSRF of vulnerability in the application, except for L5 (Meteor). Confounding Variables Analysis for CSRF
• Compare the percentage of protected projects by mitigation level/framework: Why? • L4 protection in Angular is enabled by default • L4 protection in Sails is disabled by default  Secure defaults are as important as the implementation levels of security controls Comparing XSS and CSRF Results
Recommendations to the framework developers and maintainers:  Implementing security controls as third-party plugins does not ensure secure applications  Other solutions:  Processes: secure coding guidelines, training  Secure SDLC: secure code review, linting rules on every build, static analysis, penetration testing  Instead, build security controls into the framework  Ensure that the default settings are secure and that the security control is enabled  When possible, design a framework in a way that eliminates the possibility of the vulnerability at the architecture level Conclusion
Ksenia Peguero ksenia@synopsys.com Twitter: @KseniaDmitrieva https://www.synopsys.com/software Thank You!

Empfohlen

How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?Ksenia Peguero
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 

Empfohlen

How to React to JavaScript Insecurity
How to React to JavaScript InsecurityHow to React to JavaScript Insecurity
How to React to JavaScript InsecurityKsenia Peguero
 
How Secure Is AngularJS?
How Secure Is AngularJS?How Secure Is AngularJS?
How Secure Is AngularJS?Ksenia Peguero
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
Reviewing AngularJS
Reviewing AngularJSReviewing AngularJS
Reviewing AngularJSLewis Ardern
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...Matt Raible
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Matt Raible
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Ajax Security
Ajax SecurityAjax Security
Ajax SecurityRoberto Suggi Liverani
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Santosh_Resume_Java
Santosh_Resume_JavaSantosh_Resume_Java
Santosh_Resume_JavaSANTOSH PATTNAIK
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Matt Raible
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-SideReza Rahman
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSPLukas Weichselbaum
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITYTubagus Rizky Dharmawan
 
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...HUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 

Weitere ähnliche Inhalte

Was ist angesagt?

Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Jim Manico
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Matt Raible
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesSteve Poole
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - securitydzhengo44
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overviewRudy De Busscher
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Matt Raible
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EERudy De Busscher
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-SideReza Rahman
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the HorizonJosh Juneau
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Aaron Hnatiw
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 

Was ist angesagt? (20)

Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5Top Ten Proactive Web Security Controls v5
Top Ten Proactive Web Security Controls v5
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011Java Web Application Security - Utah JUG 2011
Java Web Application Security - Utah JUG 2011
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Geecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java VulnerabilitiesGeecon 2017 Anatomy of Java Vulnerabilities
Geecon 2017 Anatomy of Java Vulnerabilities
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Santosh_Resume_Java
Santosh_Resume_JavaSantosh_Resume_Java
Santosh_Resume_Java
 
Java ee 8 + security overview
Java ee 8 + security overviewJava ee 8 + security overview
Java ee 8 + security overview
 
Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011Java Web Application Security - Jazoon 2011
Java Web Application Security - Jazoon 2011
 
Octopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EEOctopus framework; Permission based security framework for Java EE
Octopus framework; Permission based security framework for Java EE
 
Java EE and Spring Side-by-Side
Java EE and Spring Side-by-SideJava EE and Spring Side-by-Side
Java EE and Spring Side-by-Side
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Java EE 8: On the Horizon
Java EE 8: On the HorizonJava EE 8: On the Horizon
Java EE 8: On the Horizon
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...
JavaCro'14 - Vaadin web application integration for Enterprise systems – Pete...
 

Ähnlich wie How do JavaScript frameworks impact the security of applications?

OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Shelly Megan
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Securitysedukull
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsChristian Heindel
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013Alexandre Morgaut
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxJasonOstrom1
 
Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Ganesh Kondal
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeDevOps.com
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Dinis Cruz
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...Amazon Web Services
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Securitychuckbt
 

Ähnlich wie How do JavaScript frameworks impact the security of applications? (20)

OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!
 
Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)Apache Drill (ver. 0.2)
Apache Drill (ver. 0.2)
 
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.jsAsynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
Asynchrone Echtzeitanwendungen für SharePoint mit SignalR und knockout.js
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
 
End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013End-to-end HTML5 APIs - The Geek Gathering 2013
End-to-end HTML5 APIs - The Geek Gathering 2013
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
 
mitra_resume-2
mitra_resume-2mitra_resume-2
mitra_resume-2
 
Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5Tech io spa_angularjs_20130814_v0.9.5
Tech io spa_angularjs_20130814_v0.9.5
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0Surrogate dependencies (in node js) v1.0
Surrogate dependencies (in node js) v1.0
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
 
Html5 Application Security
Html5 Application SecurityHtml5 Application Security
Html5 Application Security
 

Kürzlich hochgeladen

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 

Kürzlich hochgeladen (20)

CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 

How do JavaScript frameworks impact the security of applications?

  • 1. How do JavaScript frameworks impact the security of applications? Ksenia Peguero
  • 2. • Current: Sr. Research Engineer at Synopsys, part of the Security Research Lab • Prior: Principle Consultant at Cigital/Synopsys • PhD candidate at GWU • Mother • @KseniaDmitrieva whoami
  • 3. Language popularity by open pull request according the Octoverse report from 2014 to 2018: • JavaScript has been the leading programming language for the last 5 years • JavaScript is used for web applications on client-side and server-side, in mobile applications, desktop applications and IoT software. Why JavaScipt? https://octoverse.github.com/projects#languages
  • 4. State of the Client-Side JavaScript Field Today
  • 5. • Client-side: over 50 frameworks, according to the https://jsreport.io/ • Angular, React, Vue • Server-side: over 40 frameworks, according to http://nodeframework.com/ • Express, Koa, Sails • Full-stack frameworks • Meteor, Aurelia, Derby, MEAN.js • Desktop frameworks • Electron • Mobile frameworks • Phonegap, Cordova How many frameworks are there?
  • 6. • Frameworks provide functionality, easiness of prototyping and development, performance… Hm,… security, anyone? • Following the “shift-left” paradigm in software security, we should not only identify and fix vulnerabilities earlier in the software development lifecycle, but also prevent them earlier. • Questions: • Does the security of a framework help to make applications more secure? • Does building security controls into a framework result in “shifting-left” the security of the application? What is there in the framework for security?
  • 7. • A vulnerability may be mitigated at the following levels in relation to the framework: • L0 - No mitigation in place. Baseline – no protection • L1 - Custom function. A security control written by developers • L2 - An external library that provides a security control • L3 - A framework plugin. A third-party code used by developers which tightly integrates with the framework • L4 - Built-in mitigation control implemented in the framework as a function or feature Levels of Vulnerability Mitigation proposed by John Steven Developer code Framework 3rd party library function sanitize() {} plugin L1 L2 L3 L4
  • 8. • L1 - Custom function: developer implementation • L2 - An external library: ESAPI (The OWASP Enterprise Security API) – a security control library https://github.com/ESAPI/esapi-java-legacy • L3 - A framework plugin: the csurf plugin for Express https://www.npmjs.com/package/csurf • L4 - Built-in mitigation control: Spring Security https://spring.io/projects/spring-security Mitigation Levels Examples function cors (res) { res.set({ 'Access-Control-Allow-Origin': '*’, 'Access-Control-Allow-Headers': 'Origin, X-Requested-With, Content-Type, Accept’ }) return res } https://xkcd.com/221/
  • 9. The closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have. Hypothesis FrameworkDeveloper code Give me the data!
  • 10. • XSS is “a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.” (OWASP) • Common protections: • Output encoding • Input validation • Sanitization • Special case: need to allow users to use some HTML, but not malicious JavaScript, for example, blog posts, marketing letters, CMS. • How to implement: display raw HTML and let the browser render it. • How to protect from XSS: only allow a safe subset of HTML (sanitizing the “bad” HTML or using alternative markup languages like Markdown) Case Study 1: XSS
  • 11. • Use case: the application needs to display user input that contains HTML markup • Application Selection Criteria: • Application type: blog or CMS • Full-stack JavaScript applications • Template engines: Jade/Pug, EJS, AngularJS • Filters: • last commit no later than 2013 • at least 1 star • the language is JavaScript, HTML, CSS Data Selection for XSS (2016) https://insights.bookbub.com/creative-blog-post-ideas-authors/
  • 12. Total of 170 projects: • 65 Jade/Pug • 54 EJS • 51 AngularJS Resulting Dataset
  • 13. • Jade/Pug: • Escaping: curly braces, equals sign for tags • Interpolation: bang-sign, no sanitization • EJS: • Escaping: special braces '<%=' and '%>' • Interpolation: '<%-' and '%>', no sanitization • AngularJS: • Escaping: contextually-aware escaping with double curly braces • Interpolation: safe subset with 'ng-bind-html', trustAsHtml() for raw HTML interpolation Escaping and Interpolation in Frameworks h1=title p {article.name} p!=article.content div !{post.body} <%=article.title%> <%-article.body%> <a href="{{post.url}}"> {{post.title}} </a> <p ng-bind-html= "post.description"></p>
  • 14. Analysis Pipeline Jade/Pug Extended pug-lexer and pug-parser EJS Extended EJS core project, custom analyzer AngularJS ESLint with a custom rule Download project info and template files from GitHub Run parser and analyzer for each template engine Perform manual review Perform statistical analysis of the results
  • 15. Case Study 1: Results Mitigation Levels: L1 - Custom function L2 - An external library L3 - A framework plugin L4 - Built-in mitigation control Template engine Number of projects Number of vulnerabilities Number of vulnerable projects % of vulnerable projects Mitigation level Jade/Pug 65 72 25 38% L1 or L2 EJS 54 96 23 43% L1 or L2 AngularJS 51 12 6 12% L4 Percentage of applications vulnerable to XSS
  • 16. • What if AngularJS developers are just better / smarter / more experienced than developers writing Jade/Pug and EJS? • We use ANOVA statistical analysis to verify our results against other factors Confounding Variables Analysis for XSS Criteria P-value Developer’s overall experience 0.319279 Developer’s JavaScript experience 0.132049 Project size 0.431335 Project popularity (stars) 0.200649 Project reuse (forks) 0.211615 Template engine 0.001021 The statistically significant difference is shown by a p-value < 0.05. The choice of a template engine is the only factor affecting the number of vulnerabilities. Hypothesis proved (for XSS): the closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have value < 0.05
  • 17. CSRF - “an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated” (OWASP) Protection methods: • Server-Side: • CSRF tokens  In POST parameters  Double-submit cookie • Two-factor authentication • Not using session cookies: • JWT • Using web socket session Case Study 2: CSRF • Client-side: • Same-site cookies • White-listing expected origins • Allowed referrer lists https://linuxsecurityblog.com/2016/02/11/defending-against-csrf-attacks/
  • 18. Use case: authenticated users call sensitive functionality that change the server state Application Selection Criteria: • Application type: • Blog • CMS • E-commerce • REST API • JavaScript server-side applications • Frameworks: Express, Koa, Hapi, Sails, Meteor* Selection goal: • 100 applications per framework Data Selection for CSRF (2018) http://leanport.com/effective-ways-to-improve-e-commerce-marketing/
  • 19. Total of 364 projects Resulting Dataset Framework Blog CMS E-commerce REST API Total Express 29 35 45 0 109 Koa 68 26 6 0 100 Hapi 26 3 9 10 48 Sails 72 20 15 0 107
  • 20. Express: • Plugins csurf L3 Koa: • Plugin koa-csrf L3 Hapi: • Plugin crumb L3 Sails: • Framework configuration L4 Meteor: • Framework architecture L? CSRF Protection in Frameworks const express = require('express'); const csrf = require('csurf'); const cookieParser = require('cookie-parser'); const app = express(); app.use(cookieParser()); app.use(csrf({cookie: true})); Express const Koa = require('koa'); const session = require('koa-session'); const CSRF = require('koa-csrf'); const app = new Koa(); app.use(session(app)); app.use(new CSRF()); Koa
  • 21. const Hapi = require('hapi'); const Crumb = require('crumb'); const server = new Hapi.Server({port: 8000}); (async () => { await server.register({ plugin: Crumb, options: {restful: true} }); ... Hapi module.exports.csrf = { csrf.grantTokenViaAjax: true, csrf.origin: 'example.com' } Sails Express: • Plugins csurf L3 Koa: • Plugin koa-csrf L3 Hapi: • Plugin crumb L3 Sails: • Framework configuration L4 Meteor: • Framework architecture L? CSRF Protection in Frameworks
  • 22. A CSRF attack depends on a session being maintained in a cookie. If there is no cookie, the attack is not possible. Meteor: • Meteor uses custom Distributed Data Protocol (DDP) for client-server communication • DDP runs on WebSockets instead of HTTP • A session is maintained via a long-lived WebSocket connection • A third party cannot send a forged request over an established WebSocket connection JSON Web Token (JWT): • Developed as access tokens, but used as session tokens • Not stored in cookies, but transmitted in HTTP headers, which are not added to cross-origin requests by the browser • Have other limitations, but do protect from CSRF Special Case: Meteor and JWT
  • 23. • A vulnerability may be mitigated at the following levels in relation to the framework: • L0 - No mitigation in place. Baseline – no protection • L1 - Custom function. A security control written by developers • L2 - An external library that provides a security control • L3 - A framework plugin. A third-party code used by developers which tightly integrates with the framework • L4 - Built-in mitigation control implemented in the framework as a function or feature • L5 – Architecture level mitigation control. A framework is designed in a way that makes the attack impossible. Levels of Vulnerability Mitigation Developer code Framework 3rd party library function sanitize() {} plugin L1 L2 L3 L4 Framework design/platformL5
  • 24. The closer the mitigation is located to the framework itself, the fewer vulnerabilities the code will have. Hypothesis FrameworkDeveloper code Does it work for CSRF?
  • 25. CSRF plugins: csurf, csrf, alt-XSRF, koa-csrf, crumb, lusca Sails configuration JWT plugins Download project from GitHub Run ESLint with custom rules Perform manual review Perform statistical analysis of the results Analysis Pipeline
  • 26. Framework Number of projects CSRF protection JWT Total protected % of protected projects Mitigation level Express 109 6 9 15 14% L3 Koa 100 6 14 19* 19% L3 Hapi 48 0 17 17 35% L3 Sails 107 7 8 15 14% L4 Mitigation Levels: L1 - Custom function L2 - An external library L3 - A framework plugin L4 - Built-in mitigation control Percentage of applications protected from CSRF Case Study 2: Results
  • 27. Results of confounding variables analysis using ANOVA statistical tests Criteria P-value Developer’s overall experience 0.165714 Developer’s JavaScript experience 0.161450 Project size 0.263872 Project popularity (stars) 0.411852 Project reuse (forks) 0.513946 Framework 0.507734 The statistically significant difference is shown by a p-value < 0.05. However, none of the calculated p-values are smaller than 0.05. Thus, none of the confounding variables show a correlation. For CSRF, the hypothesis is not proved. There is no correlation between the level of CSRF mitigation and the presence of the CSRF of vulnerability in the application, except for L5 (Meteor). Confounding Variables Analysis for CSRF
  • 28. • Compare the percentage of protected projects by mitigation level/framework: Why? • L4 protection in Angular is enabled by default • L4 protection in Sails is disabled by default  Secure defaults are as important as the implementation levels of security controls Comparing XSS and CSRF Results
  • 29. Recommendations to the framework developers and maintainers:  Implementing security controls as third-party plugins does not ensure secure applications  Other solutions:  Processes: secure coding guidelines, training  Secure SDLC: secure code review, linting rules on every build, static analysis, penetration testing  Instead, build security controls into the framework  Ensure that the default settings are secure and that the security control is enabled  When possible, design a framework in a way that eliminates the possibility of the vulnerability at the architecture level Conclusion