AppSec Europe 2014

Understand JavaScript and HTML5 Features to Secure Your Client-side Code 

HTML5 is the fifth revision of the HTML standard. HTML5, and its integration with JavaScript, introduces new security risks that we need to carefully consider when writing web front-end code. Modern web-based software, including mobile web front-end applications, makes heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their efforts on creating this experience and are generally not aware of the security implications of the technologies they use. 

The Defensive Programming – JavaScript/HTML5 course helps web front-end developers understand the risks involved with manipulating the HTML Document Object Model (DOM) and using the advanced features of JavaScript and HTML 5 such as cross-domain requests and local storage. The course reinforces some important security aspects of modern browser architecture and presents the student with defensive programming techniques that can be immediately applied to prevent common vulnerabilities to be introduced. Additionally, the course provides a detailed description of typical JavaScript sources and sinks and explains how they can be used to detect problems in code. 

This course is structured into modules that cover the areas of concentration for defensive programming in JavaScript and HTML5 and includes code analysis and remediation exercises. The high-level topics for this course are: 

•The HTML5 and JavaScript Risk Landscape 
•Storage of Sensitive Data 
•Secure Cross-domain Communications 
•Implementing Secure Dataflow 
•JSON-related Techniques 

This course includes 2 labs with hands on exercises where students will learn to apply the defensive programming techniques learned in the course. Students are encouraged to bring laptops with VirtualBox installed to run the VM with the labs. 

Objectives 

After successfully completing this course, you will: 

•Apply HTML5 Defensive Programming Techniques. 
•Apply JavaScript Defensive Programming Techniques. 
•Apply JSON Defensive Programming Techniques. 
•Consider Common Assessment Approaches.