JSFoo
Offense and Defense: Security in JavaScript
JavaScript has become the programming language of the web. Yet there is very little focus on how to write secure JavaScript. Most developers are unaware of the fact that insecurely written JavaScript can lead to fairly serious security problems.
To raise awareness about insecure JavaScript and to teach developers how to defend against attacks on their websites, servers and data, null and HasGeek have put together three security tutorials with hands-on practice sessions. This hacknight is open to developers who have written JavaScript before and can quickly pick up the concepts covered in the tutorials. Security professionals who want to learn about attacks on, and defences for, JavaScript can also attend.
The tutorials will cover three topics:
- Secure JavaScript Development: This session introduces the security issues that arise in JavaScript, JSON and HTML5 code and how to spot them during review. Participants will learn to write JavaScript that yields fewer security bugs in the testing phase and therefore less time spent fixing them. The emphasis is on DOM-based XSS exercises, where untrusted data from a source such as location.hash reaches a sink such as innerHTML.
- CORS (Cross Origin Resource Sharing) and JavaScript: CORS has become important in the world of mashups, where applications need to communicate across domains. It relaxes, in a controlled way, the Same Origin Policy that browsers were designed to enforce strictly and that all modern browsers implement. Like every new mechanism, CORS also gives rise to new problems through configuration and implementation errors, for example reflecting an arbitrary Origin header while also allowing credentials. This session explains how CORS can be configured correctly and how attackers abuse it when the implementation is not secure. Participants will see multiple demos, including implementations gone wrong, to understand CORS and how attackers abuse it to steal data and compromise privacy.
- JavaScript Obfuscation demystified: Everyone writing JavaScript knows there are many ways of doing the same thing. Developers build filters to catch malicious JavaScript, but a wily attacker can obfuscate the code so that such filters are bypassed. This session teaches the JavaScript language details used to build obfuscated code and how to dissect code that is already obfuscated. It has two parts: the first exposes participants to the components of JavaScript internals that can be used to create obfuscated code; the second helps them decipher obfuscated code.
Trainers for this event are: Lavakumar Kuppan, Riyaz Walikar and Prasanna K.
This event has been put together by null and facilitated by HasGeek.