#security

Subscribe
Security is the practice of protecting data, networks, programs and other information from unauthorized or unintended access, destruction or change. It involves a set of measures designed to ensure the confidentiality, integrity and availability of data and systems. In the context of JavaScript, security refers to techniques used to protect code, such as authentication, encryption, and access control. It also includes measures that prevent malicious code from executing, such as input validation, content security policies, and secure coding practices.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
Securing Server-Rendered Applications – Next.js Case
React Advanced 2024React Advanced 2024
20 min
Securing Server-Rendered Applications – Next.js Case
Welcome to Securing Server on the Red Applications in the Context of Next.js talk. Next.js brings new challenges for front-end developers with its server-side rendering technologies. We need to consider security in Next.js applications and address the common vulnerabilities listed in the OWASP top 10. Server-side request forgery (SSRF) is a common vulnerability that allows attackers to exploit the server's privileges. Security logging and monitoring failures are critical, as proper setup is necessary to detect attacks. Being cautious with npm packages, addressing identification and authentication failures, and updating vulnerable components are crucial for application security. Database seeding, security headers, and permissions policies are important for application security. It's important to reduce the criticality of an attack, check strict transport security header, and prevent security issues by following best practices. Understanding CSRF vulnerability, image injection vulnerability, and cryptographic failures is important. Broken access control can result in unauthorized access and should be mitigated. Thank you for watching this talk and stay safe!
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
Web Fortified: Best Practices for Web App Security
JSNation 2024JSNation 2024
22 min
Web Fortified: Best Practices for Web App Security
This Talk, titled 'Fortify or App Fortified', discusses the concept of treating your application as a fortress to protect it from outside threats. It highlights the importance of web application security and the risks associated with broken access control, injection, and cryptographic values. The Talk also emphasizes the need to apply best practices and use frameworks' security features. Additionally, it addresses the security concerns related to user-provided URLs, style injection, and JavaScript injections. The summary concludes by emphasizing the importance of keeping dependencies updated and following best practices to ensure project security.
Mastering Cryptography Fundamentals With Node’s Crypto Module
JSNation 2024JSNation 2024
25 min
Mastering Cryptography Fundamentals With Node’s Crypto Module
This Talk provides an introduction to cryptography with Node.js, covering encryption concepts, AES-256-CBC algorithm, initialization vector for encryption, key derivation function and salt, randomness and key agreement, key distribution and RSA, signing and verification, public key certificates, and trust in certificate hierarchy.
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Who Are Vue? Authn In Vue, The Important Parts
Vue.js Live 2024Vue.js Live 2024
23 min
Who Are Vue? Authn In Vue, The Important Parts
This Talk introduces authentication in Vue.js and emphasizes that it is not as difficult as it may seem. The speaker explains the concept of authentication and its importance. A code example is used to demonstrate how to implement authentication in Vue.js, including separate UI parts for login, home, and dashboard views. The Talk also covers handling authentication in the Vue.js router, including defining routes, accessing user credentials, and making requests to the backend.
More Secure Vue & Nuxt Apps - By Default
Vue.js Live 2024Vue.js Live 2024
21 min
More Secure Vue & Nuxt Apps - By Default
Handling security in front-end development is crucial, and the OWASP Top 10 is a valuable resource for secure coding. The list of security risks is constantly evolving, and the Nuxt security module provides features like security headers, rate limiting, and cross-site request forgery protection. Frontend developers should prioritize security to avoid information leaks and mitigate risks. Understanding the difference between public and private tokens is important for secure token handling.
How to Improve Your Web Application's Security Using Mozilla Observatory
React Day Berlin 2023React Day Berlin 2023
9 min
How to Improve Your Web Application's Security Using Mozilla Observatory
Watch video: How to Improve Your Web Application's Security Using Mozilla Observatory
The Talk discusses how to improve web application security using Mozilla Observatory. It covers topics such as evaluating security headers, maintaining grade history, and implementing content security policies. The importance of securing cookies and enabling HTTP to HTTPS redirection is emphasized. The use of referrer headers to control browser behavior and sub-resource integrity to prevent compromising files are also highlighted.
Escape Security Flaws
React Day Berlin 2023React Day Berlin 2023
7 min
Escape Security Flaws
Watch video: Escape Security Flaws
The Talk discusses web security and the importance of strong code protection. It highlights a vulnerability where a weak five-digit numeric code was used, allowing easy access to sensitive content. The speaker emphasizes the need for throttling as a mechanism to prevent attacks. The company implemented throttling and blocked access to photos to improve security. However, stronger code and additional measures, such as limiting access to specific IP addresses and timeframes, are still needed.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
Shield Your Next.js App With a Content Security Policy
React Advanced 2023React Advanced 2023
6 min
Shield Your Next.js App With a Content Security Policy
Watch video: Shield Your Next.js App With a Content Security Policy
Lucas Esteveau discusses the importance of Content Security Policy (CSP) as an additional layer of security for browsers. He explains how to validate and implement CSP using tools like csp-evaluator.withgoogle.com and observatory.mozilla.org. He also highlights the use of server components and middleware in the Hudafor project to set and enforce CSP directives. Lucas advises starting with a report-only CSP, reviewing the results, and gradually enforcing the policy. He emphasizes the importance of reviewing policy violation reports and iterating the process when making changes.
I Run Code From the Internet!
React Advanced 2023React Advanced 2023
20 min
I Run Code From the Internet!
Watch video: I Run Code From the Internet!
npm packages are unsanitized inputs from the internet that we run without much scrutiny, so we need to address the issue of malicious packages. Lavamote offers proactive runtime protections to automatically detect and mitigate threats. Lava Mode uses Hardened JavaScript to provide isolation and enforce a policy for your application's build process. The talk introduces a webpack plugin for those who don't want to use the browserify ecosystem. Lavamote's behavior is explored, showcasing how it restricts package access to certain properties. Beta testing is open to gather feedback and improve Lava Mode.
Secrets in Source Code - How Your JS Code is Exposing Your Credentials
React Summit 2023React Summit 2023
11 min
Secrets in Source Code - How Your JS Code is Exposing Your Credentials
Watch video: Secrets in Source Code - How Your JS Code is Exposing Your Credentials
This lightning presentation discusses the issue of secrets leaking in code and how it can expose digital authentication credentials. GitGuardian scanned over 10 million secrets in public repositories on GitHub, with Python being the top language for leaked secrets. The exposure of secrets can occur in both public and private repositories, and it is important to avoid hardcoding secrets and store keys securely. Best practices for handling keys and secrets include using a centralized place for storing keys, using tools like .env for loading secrets, and implementing vaults and secrets managers.
Zod === Typescript, but at Runtime in Your React Applications
React Summit 2023React Summit 2023
8 min
Zod === Typescript, but at Runtime in Your React Applications
Watch video: Zod === Typescript, but at Runtime in Your React Applications
Today's Talk discusses how Zod, an NPM library, can guarantee the TypeSystem at runtime, providing all the benefits of TypeScript. Zod's parse method allows for checking if objects match the schema, creating a validation layer between applications and APIs. By combining TypeScript with Zod, developers can ensure type safety at both runtime and build time, preventing code execution with incorrect data and improving the user experience.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
Securing Your Software Supply Chain
Node Congress 2023Node Congress 2023
21 min
Securing Your Software Supply Chain
Today's Talk focuses on securing the software supply chain, particularly in the JavaScript ecosystem. The number of transitive dependencies in JavaScript projects can contribute to vulnerabilities. Attacks on the open-source supply chain have increased significantly, leading to initiatives to improve supply chain security. Accuracy in package manager dependencies is crucial, and caching and bundling dependencies can help achieve reproducible installations. Mitigating threats involves active scanning, creating profiles, and sharing information. Tools like NPM Audit Signatures can verify package integrity. Future developments include reproducible installations and powerful dependency queries.
Supply Chain Security Experience
Node Congress 2023Node Congress 2023
8 min
Supply Chain Security Experience
Supply chain security is important in software development, and it's crucial to assess the actual impact of threats. When dealing with security vendors, ask practical questions about vulnerabilities and impacts. Focus on quality signal and noise ratios when considering the number of dependencies. Ongoing conversations with vendors are important to address concerns. Stay informed and make informed decisions.
Eval all the strings! - Hardened JavaScript
Node Congress 2023Node Congress 2023
8 min
Eval all the strings! - Hardened JavaScript
NPM packages can be potentially dangerous, so it's important to be proactive in managing them. Lava Mode allows you to detect and investigate suspicious packages before deploying your app. Lavamote prevents unauthorized access to sensitive resources by isolating dependencies and using hardened JavaScript. Lava Mode makes it easier to analyze obfuscated files and understand their actions.
The tale of avoiding a time-based DDOS attack in Node.js
Node Congress 2023Node Congress 2023
29 min
The tale of avoiding a time-based DDOS attack in Node.js
Web applications face constant threats from DDoS attacks, including the new Zoloris attack that can bring down a server with minimal bandwidth. Node.js has had vulnerabilities in its timeout handling, but recent versions like Node 18 provide better protection. NGINX is recommended for protection against slow loris attacks due to its superior timeout handling. Mitigating slow loris attacks for WebSockets involves enforcing higher timeouts and shutting down idle clients. It is important to prioritize security over performance and use common sense in software development.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
New Way of Envisioning Security in the Dependencies
React Summit 2022React Summit 2022
21 min
New Way of Envisioning Security in the Dependencies
Today's Talk explores the importance of understanding security issues and dependencies in software development. It emphasizes the role of developers in cybersecurity incidents and the need to detect and respond to vulnerabilities early. The Talk also discusses the risks associated with third-party dependencies and the impact of security breaches on organizations. Additionally, it highlights the significance of addressing security concerns and the potential consequences of exploiting vulnerabilities and exfiltrating data.
Automated Application Security Testing
React Summit 2022React Summit 2022
9 min
Automated Application Security Testing
StackHawk is a dynamic application security testing tool that helps developers find and fix security issues. The scan identified a SQL injection issue and a cross site scripting issue. The StackHawk YAML is used to configure the scanner with important information such as the application's location, environment, and ID. The scanner can also be pointed at open API spec or GraphQL definitions. Try StackHawk for free at stackhawk.com and integrate it into your development process to improve software quality.
Finding Stealthy Bots in Javascript Hide and Seek
JSNation 2022JSNation 2022
11 min
Finding Stealthy Bots in Javascript Hide and Seek
The Talk discusses the challenges of detecting and combating bots on the web. It explores various techniques such as user agent detection, tokens, JavaScript behavior, and cache analysis. The evolution of bots and the advancements in automated browsers have made them more flexible and harder to detect. The Talk also highlights the use of canvas fingerprinting and the need for smart people to combat the evolving bot problem.
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.
Security Controls in the JavaScript Supply Chain
JSNation 2022JSNation 2022
28 min
Security Controls in the JavaScript Supply Chain
This talk discusses the security challenges in the JavaScript ecosystem, including supply chain security, lock file tampering, and arbitrary command execution. It highlights the risks of blind upgrades and hidden comments in code. The talk also covers dependency confusion attacks and the importance of establishing a threat model for node applications.
Automated Application Security Testing
JSNation 2022JSNation 2022
9 min
Automated Application Security Testing
StackHawk is a dynamic application security testing tool that runs active security tests on various types of applications, providing simple descriptions and examples of security issues. It integrates with CI processes and provides feedback on scan findings. The StackHawk YAML is used to configure the scanner, including important information about the application and additional configuration options. OpenAPI and GraphQL integration is possible with minimal configuration.
Avoiding CSRF with Remix
React Summit 2022React Summit 2022
7 min
Avoiding CSRF with Remix
Welcome to my session on avoiding CSRF with Remix. Remix helps protect against CSRF by thinking about actions in terms of HTML form elements. To avoid CSRF with Remix, set the same site attribute on cookies and consider using a token in addition to the attribute. The token-based approach involves generating a unique token per session and form, transmitting it with the form, sending it back when the user submits the form, and securely validating it on the server side.
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
Passwordless Auth to Servers: hands on with ASA
DevOps.js Conf 2022DevOps.js Conf 2022
32 min
Passwordless Auth to Servers: hands on with ASA
WorkshopFree
E. Dunham
E. Dunham
These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized.
- we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run
How to Make GraphQL Security Easier with StackHawk
GraphQL Galaxy 2021GraphQL Galaxy 2021
9 min
How to Make GraphQL Security Easier with StackHawk
StackHawk is a dynamic application security testing tool that integrates with CI/CD workflows and helps developers quickly understand and fix security issues. It can be used to test running HTTP applications and API endpoints for security bugs, and provides simple descriptions and examples of security issues. The talk demonstrates testing a blog service with StackHawk, which identified critical security vulnerabilities like SQL injection and remote OS command injection. StackHawk allows developers to easily investigate and fix these issues by providing well-formatted requests and allowing for easy replay in the application.
JS Security Testing Automation for Developers on Every Build
TestJS Summit 2021TestJS Summit 2021
111 min
JS Security Testing Automation for Developers on Every Build
WorkshopFree
Oliver Moradov
Bar Hofesh
2 authors
As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to...

NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down.

Join this workshop to learn different ways developers can access Nexploit & start scanning without leaving the terminal!

We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results.

Table of contents:
- What developer-first DAST (Dynamic Application Security Testing) actually is and how it works
- See where and how a modern, accurate dev-first DAST fits in the CI/CD
- Integrate NeuraLegion's Nexploit scanner with GitHub Actions
- Understand how modern applications, APIs and authentication mechanisms can be tested
- Fork a repo, set up a pipeline, run security tests and look at the results
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.
How Developers Can Use Automated App Security Testing To Protect Vue Apps
Vue.js London Live 2021Vue.js London Live 2021
7 min
How Developers Can Use Automated App Security Testing To Protect Vue Apps
Today, I'm going to tell you how developers can use automated application security testing to protect their Vue apps. I'll explain what it means to shift left, show an example of a cross-site scripting vulnerability, and provide the tools you need to find these vulnerabilities before production. Let's jump into an example of our Vue app with cross-site scripting. We have FontTalk, a message board where users can discuss fonts and style their posts. Bob logs in and sees a conversation about fonts. Unaware of cross-site scripting, his account is compromised. The malicious image tag sends his confidential information to the attacker. To prevent this, we need to make changes in the code.
You thought your React application is secure? Think again
React Finland 2021React Finland 2021
42 min
You thought your React application is secure? Think again
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
You're 5 Minutes Away from Code Quality & Code Security
DevOps.js Conf 2021DevOps.js Conf 2021
7 min
You're 5 Minutes Away from Code Quality & Code Security
Sonar Cloud makes it easy to set up projects for code quality and security analysis. It automatically analyzes code and provides insights into bugs, vulnerabilities, and other issues. The UI helps understand vulnerability flow across functions and files. Sonar Cloud supports multiple languages and offers rule descriptions and code samples for best practices. Overall, it simplifies code analysis and helps developers improve code quality.
The Security Toolbox For Node
Node Congress 2021Node Congress 2021
29 min
The Security Toolbox For Node
The Talk focuses on Node application security, covering topics such as OWASP top 10 vulnerabilities, handling packages, managing data, and protecting servers. Best practices include password security, input validation, and data encryption. The importance of securing access to packages and managing data is emphasized. Encrypting data for secure communication is discussed, along with protecting servers using HTTPS and rate limiting. The challenges of security implementation and resources for learning are mentioned, as well as the use of attacker tools. Docker security and preventing IP attacks are also touched upon.
Securing Node.js APIs with Decentralised Identity Tokens
JSNation Live 2021JSNation Live 2021
9 min
Securing Node.js APIs with Decentralised Identity Tokens
This talk introduces the concept of securing a Node.js API using a decentralized identity token. The token is encoded as a Base64 string and consists of a proof and claim. The API is built using Express and protected using Magic. The application has multiple routes, with the secret route being protected by middleware. The authorization header is checked and the DID token is validated for access to protected routes.
Automated Security Testing for JS Apps & Underlying APIs
JSNation Live 2021JSNation Live 2021
8 min
Automated Security Testing for JS Apps & Underlying APIs
StackHawk is a dynamic application security testing tool that helps find and fix security vulnerabilities. It integrates with your engineering stack and works with popular players in CICD. The DAST scanner crawls your application, tests it, and provides a summary of the findings, including cross-site scripting and SQL injection issues. The output in CICD includes a link to triage the issues.