SCJS - Writing Secure Code in JavaScript

Learn how to write secure code in JavaScript and TypeScript, on both client and server-side

If you want to learn how to exploit simple and complex vulnerabilities in NodeJs and React JS applications, you are in the right place. We will look at their exploitation from the hacker angle and at their remediations from a developer's point of view. At the end of the training, you will be equipped with the right knowledge and tools to embed security in each phase of the software development lifecycle. "JSCP - Writing secure code in JavaScript" is a course for developers, security engineers, or professionals that want to improve their skills in performing secure code reviews, pull requests security peer reviews, and vulnerabilities exploitation on applications written in JavaScript. The training is based on the OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4 and includes references to real-world vulnerabilities, bug bounties, and famous hacks. The labs presented in the course have different levels of complexity, in order to meet the need of any type of audience, from beginners to advanced.


  • Knowledge of JavaScript or TypeScript for both client and server-side programming

  • Familiar with frontend JS frameworks (ReactJS, Vue.js ...)

  • Interest in security

Target audience

  • Security Engineers

  • Security Champions

  • DevOps

  • Developers

Tools used

  • Any IDE

  • Docker (docker-compose)

  • Burp Suite Community edition

  • Semgrep

  • Coffee or Tea ☕️



The hacking mindset

How attackers will look at your applications

Secure coding introduction

Secure coding principles


OWASP Top 10 2021

OWASP ASVS and security requirements

CVSS: how to rate vulnerabilities

ReactJS security

Security Headers

LAB: React client-side open redirect

LAB: XSS and dangerous JavaScript React functions

LAB: Attacking Local storage vs Cookies

CSP best practices and limits

LAB: Client side open redirect

React Security Framework

Authorization and Broken Access Control in NodeJS

Attacking JWT (JSON Web Tokens)

LAB: None algorithm attacks

LAB: Secret bruteforce

LAB: Signature validation failures

Algorithm confusion attacks

Attacking wrong OAuth2 implementations

LAB: IDOR (Insecure Direct Object Reference)

LAB: Path Traversal

LAB: CSRF (Cross-Site Request Forgery)

LAB: Prototype pollution attack

Server Side Injections in NodeJS

LAB: SQL injections

Basics of SQL injection

Bypassing prepared statement in mysqljs

LAB: Command injection

LAB: Code and Object Injection

eval(), setTimeout(), setInterval() and Function() exploitation

Deserialization in JavaScript

LAB: XML External Entities

LAB: Server-Side Request Forgery

Basics of SSRF

Exploiting SSRF using DNS localhost resolution

LAB: NoSQL injections

LAB: Local and remote file inclusion

Abusing require()

LAB: Server Side Template Injections

render() to RCE

Vulnerable and Outdated Dependencies

Dependency graphs

The importance of SCA (Software Composition Analysis)

LAB: Detecting known vulnerabilities using Snyk

Integrate SCA in the CI/CD pipeline

npm audit and npm update

Detecting vulnerabilities in Node and React using SCA

Scanning your code using Semgrep

Semgrep basics

LAB: Semgrep for NodeJS: How to write rules

Semgrep automation


Davide Cioccia

Why should you attend this course?

This course will teach you the inside out of exploiting and securing JavaScript applications via real-life examples. If you are a JavaScript or TypeScript developer / DevOps this is the course for you.

More info? Contact us at

Last updated