SCJS - Writing Secure Code in JavaScript
Learn how to write secure code in JavaScript and TypeScript, on both client and server-side

If you want to learn how to exploit simple and complex vulnerabilities in NodeJS and ReactJS applications, you are in the right place. We look at their exploitation from the hacker's angle and at their remediation from a developer's point of view. At the end of the training you will have the knowledge and tools to embed security in each phase of the software development lifecycle. "JSCP - Writing secure code in JavaScript" is a course for developers, security engineers and other professionals who want to improve their skills in secure code review, security peer review of pull requests, and vulnerability exploitation on applications written in JavaScript. The training is based on OWASP standards such as the OWASP Top 10 2021 and OWASP ASVS v4, and includes references to real-world vulnerabilities, bug bounties and well-known hacks. The labs have different levels of complexity, so that they meet the needs of any audience, from beginners to advanced.

Code example of a reflected XSS from our hands-on labs
Prerequisites:
- Knowledge of JavaScript or TypeScript for both client- and server-side programming
- Familiarity with frontend JS frameworks (ReactJS, Vue.js, ...)
- Interest in security

Who should attend:
- Security Engineers
- Security Champions
- DevOps
- Developers

What you need:
- Any IDE
- Docker (docker-compose)
- Burp Suite Community Edition
- Semgrep
- Coffee or Tea ☕️
| Module | Topic | Details |
|---|---|---|
| The hacking mindset | | |
| | How attackers will look at your applications | |
| Secure coding introduction | | |
| | Secure coding principles | |
| | From SDLC to SSDLC | |
| | OWASP Top 10 2021 | |
| | OWASP ASVS and security requirements | |
| | CVSS: how to rate vulnerabilities | |
| ReactJS security | | |
| | Security headers | |
| | LAB: React client-side open redirect | |
| | LAB: XSS and dangerous JavaScript React functions | |
| | LAB: Attacking local storage vs cookies | |
| | CSP best practices and limits | |
| | LAB: Client-side open redirect | |
| | React security framework | |
| Authorization and Broken Access Control in NodeJS | | |
| | Attacking JWT (JSON Web Tokens) | |
| | | LAB: None algorithm attacks |
| | | LAB: Secret brute force |
| | | LAB: Signature validation failures |
| | | Algorithm confusion attacks |
| | Attacking wrong OAuth2 implementations | |
| | LAB: IDOR (Insecure Direct Object Reference) | |
| | LAB: Path traversal | |
| | LAB: CSRF (Cross-Site Request Forgery) | |
| | LAB: Prototype pollution attack | |
| Server-Side Injections in NodeJS | | |
| | LAB: SQL injections | |
| | | Basics of SQL injection |
| | | Bypassing prepared statements in mysqljs |
| | LAB: Command injection | |
| | LAB: Code and object injection | |
| | | eval(), setTimeout(), setInterval() and Function() exploitation |
| | | Deserialization in JavaScript |
| | LAB: XML External Entities | |
| | LAB: Server-Side Request Forgery | |
| | | Basics of SSRF |
| | | Exploiting SSRF using DNS localhost resolution |
| | LAB: NoSQL injections | |
| | LAB: Local and remote file inclusion | |
| | | Abusing require() |
| | LAB: Server-Side Template Injections | |
| | | render() to RCE |
| Vulnerable and Outdated Dependencies | | |
| | Dependency graphs | |
| | The importance of SCA (Software Composition Analysis) | |
| | LAB: Detecting known vulnerabilities using Snyk | |
| | Integrating SCA in the CI/CD pipeline | |
| | npm audit and npm update | |
| | Detecting vulnerabilities in Node and React using SCA | |
| Scanning your code using Semgrep | | |
| | Semgrep basics | |
| | LAB: Semgrep for NodeJS: how to write rules | |
| | Semgrep automation | |
This course teaches you the ins and outs of exploiting and securing JavaScript applications through real-life examples. If you are a JavaScript or TypeScript developer or a DevOps engineer, this is the course for you.
More info? Contact us at [email protected]