Plants vs Thieves: Automated Tests in the World of Web Security

Rate this content
Bookmark

Web security is crucial in a constantly evolving environment where potential threats are always present. To better understand this concept, we can imagine our web application as a garden or a home that needs to be protected from possible attacks. We can draw parallels with the popular game "Plants vs. Zombies," which aims to safeguard your garden from intruders.

Our automated tests function as diligent guardians whose primary objective is to identify and address potential vulnerabilities, much like the diverse plant arsenal in the game. Instead of framing the security process as a never-ending fight, we will explore how automated tests act as defenders against possible issues, whether they are zombies or intruders. Next to an overview of tools you can utilize, we emphasize the importance of fundamental testing types, such as unit or end-to-end tests, in securing your digital garden.

This is my draft slide deck: https://speakerdeck.com/leichteckig/plants-vs-thieves-automated-tests-in-the-world-of-web-security. I'm thinking about replacing the code snippets with videos or live coding.

After my session, the Attendees will better understand the tools to choose from. However, there are other focuses than this - I'd like to highlight how to ensure web security by using fundamental testing types like unit or End-To-End tests to keep the maintenance and learning curve low. A nice side effect will be the showcase of common security threats by seeing the tests used to catch them. 
- The attendee will learn an overview of the tools you choose from
- The Attendee will explore options to use test automation to improve web security without the need for new dependencies

This talk is rather framework-agnostic. However, Testing and Security are highly relevant topics for the React community, as both secure a high-quality application and protect users and features. Security is essential, especially nowadays. My talk combines Security and Testing. Both can be daunting, too, so I'd love to help the viewers build their applications securely. 

This talk has been presented at React Day Berlin 2024, check out the latest edition of this React Conference.

FAQ

The talk covers security and testing in web development, specifically focusing on building defenses against security threats through test automation.

The speaker uses 'Plants vs. Zombies' as an allegory for web security, where zombies represent threats and exploits, and plants represent countermeasures and security fixes.

OWASP (Open Worldwide Application Security Project) is a project aimed at improving web security. It provides a top 10 ranking of the most critical security risks, helping developers focus on addressing these issues.

The top three security risks are broken access control, cryptographic failures, and injection attacks.

Testing can help identify security vulnerabilities by simulating attacks, such as injection attacks, and checking for broken access controls. Tools and frameworks like Cypress can be used for writing these tests.

Tools like Sonocube, Snick, and Cypress with the OWASP plugin are recommended for security testing. OWASP also offers a list of recommended open-source tools for various security tasks.

Test automation acts as a messenger by notifying developers of security issues through tests, helping to ensure applications are built securely.

Understanding application vulnerabilities is crucial for building secure applications and knowing what to test for in order to protect sensitive data and features.

Negative testing focuses on identifying error behaviors and vulnerabilities, such as injection attacks, by simulating malicious inputs to ensure the application can handle them securely.

Developers can incorporate security testing by learning their applications, identifying vulnerabilities, creating test plans, executing and analyzing test results, and integrating tools for continuous testing and improvement.

Ramona Schwering
Ramona Schwering
25 min
16 Dec, 2024

Comments

Sign in or register to post your comment.
Video Summary and Transcription
Hello everyone, and I'm so happy to see you here in React Day Berlin. This talk is on security and testing, two topics I'm passionate about. It's a wonderful allegory on web security using Plants vs. Zombies as inspiration. There are reasons to focus on testing as a line of defense. Learn your application and its vulnerabilities. Tests are the messenger, listen to them. Use OWASP's top 10 ranking to understand the most important security risks, including broken access control and cryptographic failure. Injection is a major security risk. Writing proper tests and using test cases can help mitigate this issue. To test for injection vulnerabilities, write negative tests that simulate extra injections in input fields. Test content security policies using Cypress. Implementing best practices and multiple defenses can keep attackers at bay. Automation is essential for detecting security issues in your app. Write test cases, use the features of test frameworks, and consider using different types of testing.

1. Introduction to Web Security and Testing

Short description:

Hello everyone, and I'm so happy to see you here in React Day Berlin. This talk is on security and testing, two topics I'm passionate about. It's a wonderful allegory on web security using Plants vs. Zombies as inspiration. The house represents the protected part of our application, and the garden is our line of defense. Let's build our garden with best practices and testing, not just relying on tooling like Sonocube and Snick.

Hello everyone, and I'm so happy to see you here, or, okay, I cannot see you through the screen, but I know that you're there. I'm just happy to have you here in React Day Berlin. And actually this talk was one of the reasons why I got nostalgic when preparing it. And it's not, it's not only Christmas time, and of course this gives me nostalgic feelings as well.

It is the topic of my talk actually. Maybe a few of you guys already recognize the title. But I guess this is a theme which will keep you away from Christmas mood, at least for a little, okay? On the technical side, this talk is on security and it's on testing. So two topics I'm passionate about and I really love. And I hope we can get some wonderful defenses built up using test automation.

Okay, the few people who might have already got this nostalgia thingy, maybe you recognize the font in the title or the title as a whole, Plants vs. Beefs, because it's derived by Plants vs. Zombies. This is a game created by PopCup, company was called like that, in 2009, I think. Yes. And it was a wonderful game, cross-platform, actually the only game I played on my mobile phone because I'm a console and PC player, but that's not important right now.

It is a tower defense game where you try to basically defend some base against enemies, right? And in Plants vs. Zombies, as the name already implies, you will try to protect your house against zombies in a zombie apocalypse. I know, not that Christmas-ish, but a zombie apocalypse by using plants inside of your garden. Well, of course, this is a wonderful allegory, right? It's nostalgic, it's nerdy, but what does that have to do with web development?

Well, what if I told you it's a wonderful allegory on web security? I really think that because, let's see it like that, we have a zombie, which is a threat and attacker, a security risk and exploit anything which could be a danger to your system, right? And the plant here, it's the countermeasure, the mitigation strategy, a security fix, anything which could protect your application against attackers, against those security risk or exploits. With a more general lens here, you can see that the house is basically the protected area, the protected part in our application that might be data we want to protect because it's sensitive, it's important.

Or we want to fulfill laws, we need to protect our data or protect features because we want people to basically pay some money for applications, right? Or at least be registered users we know about. So the property here, the complete thing, including the house, including the garden, are our defenses against those tricks. So defenses against the zombies, right? And defenses against security threats. So if we consider our garden, our defenses, let's build our garden, right? Because our plants inside of this garden are our lines of defense. All the defenses we got under our belt. And my first thought would be like, okay, best practices. We are cool at building our applications in a secure way, right? Testing can be an idea too, in my mind, at least. Not only because I'm passionate about testing, because I do know that it might help us and be a line of defense as well. So can testing help us? And of course, the first thought inside of my mind, and I guess in your minds as well, is tooling, like Sonocube, like Snick, or all those things which test for security issues and notify you. But, of course, it would be the easy way.

2. Testing as a Line of Defense

Short description:

There are reasons to focus on testing as a line of defense. Learn your application and its vulnerabilities. Tests are the messenger, listen to them. Use OWASP's top 10 ranking to understand the most important security risks, including broken access control and cryptographic failure.

It would just say like, okay, let's pay for some tools, install them, learn them, that's it. Well, what if I don't want to learn new tools or spend money on, again, new tools, if I don't want to be dependent on third party, basically, right? Or if I want to learn what those tools are already doing? Well, there's lots of reasons to go by testing as well. And even if it's just one line of defense from many.

But before that, real quick, let me do the important disclaimer or an honorable mention where you bought it. Learn your application. You're still the most important person in charge, right? It will pay onto your testing efforts, but generally on the quality of your application as well. So learn the vulnerabilities of your application so you know how to build your application in a secure way. And of course, know what to test, but we'll get to that a little later.

And be aware of one thing, tests are always the messenger, not more than that because they will just notify you on security issues, you still need to act on your own. So basically, be aware that you still play a role in that. You cannot automate everything, but listen to the warnings, listen to your messenger, listen to the tests.

Okay, so how can we learn our application and learn vulnerabilities and learn where to look to ride those tests? Well, there's a group of people or a project helping us a lot. It's called OVASP, which is a shorthand for Open Worldwide Application Security Project. And it's a project which goal is to raise security inside of the web. So they published a top 10 ranking of the most important security risks, and they raise it in a certain rhythm. I guess the last one was 2021. And as far as I know, right now in December, they're collecting the data set for a new ranking in 2025. So stay tuned, there might be some changes, but for now, the 2021 is the last ranking and it's the most recent one. So for that, we will take a look at the top three risks. So spoiler alert, we are all front-end developers, we are doing React, and even if you're doing other frameworks, you're still working in front-end.

So there's one point which we will explicitly take a look at because it's important for front-end devs. But we'll get to that. I don't want to rush through this talk, even though I'd be mindful of your time. Okay, so, where to look at? As said, the three most important risks by OWASP, which are the first one, the most important one, the broken access control one, which means that a user can act outside their permissions, being able to read or to change things they shouldn't be able to. The second one will be injection. No, I'm too fast, sorry. It's cryptographic failure. So basically, that cryptographic needs are not met. Stuff is not properly encrypted. Maybe data, maybe connection, you're not using HTTP, stuff like that.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
Top Content
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.

Workshops on related topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.