SCJS - Writing Secure Code in JavaScript

Learn how to write secure code in JavaScript and TypeScript, on both the client and the server side.

If you want to learn how to exploit simple and complex vulnerabilities in Node.js and React applications, you are in the right place. We look at their exploitation from the attacker's angle and at their remediation from the developer's point of view. By the end of the training you will have the knowledge and tools to embed security in each phase of the software development lifecycle.

"SCJS - Writing Secure Code in JavaScript" is a course for developers, security engineers and other professionals who want to improve their skills in secure code review, security peer review of pull requests, and vulnerability exploitation in applications written in JavaScript. The training is based on OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4, and it includes references to real-world vulnerabilities, bug bounties and well-known hacks. The labs have different levels of complexity so that they suit any audience, from beginners to advanced.
Figure: code example of a reflected XSS from our hands-on labs
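As an added illustration of the bug class in that figure (this is not the course's lab code), the following Node.js snippet puts a reflected XSS next to its hardened form. The route, the "q" parameter name and the attacker payload are assumptions made for this example.

```javascript
// Added example, not the course's own lab code: a reflected XSS in a minimal
// Node.js request handler, next to its hardened form. The route, the "q"
// parameter name and the attacker payload are assumptions made for illustration.

// Vulnerable: the search term comes straight from the query string and is
// concatenated into the HTML response, so markup in it becomes live markup.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Output encoding for the HTML body context: every character that can open,
// close or alter a tag is replaced by its entity. Attribute, JavaScript and URL
// contexts each need their own encoder; this one is not sufficient there.
function escapeHtml(value) {
  const entities = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;" };
  return String(value).replace(/[&<>"'`]/g, (ch) => entities[ch]);
}

// Hardened: same page, but the untrusted value is encoded for the context it lands in.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Constructed attacker input: what a victim would receive in a crafted link such as
//   /search?q=%3Cimg%20src%3Dx%20onerror%3D...
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// True when the payload survives as executable markup (an element carrying an
// event-handler attribute), which is what the browser would act on.
function payloadIsLive(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

// Wiring into Express is one line once express is installed (assumption):
//   app.get("/search", (req, res) => res.send(renderSearchSafe(req.query.q ?? "")));
```

In React the same bug appears when a value is passed through dangerouslySetInnerHTML or into an href that accepts javascript: URLs, whereas ordinary JSX interpolation such as {q} encodes text content automatically.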

Prerequisites

  • Knowledge of JavaScript or TypeScript for both client and server-side programming
  • Familiarity with frontend JS frameworks (ReactJS, Vue.js, ...)
  • Interest in security

Target audience

  • Security Engineers
  • Security Champions
  • DevOps
  • Developers

Tools used

  • Any IDE
  • Docker (docker-compose)
  • Burp Suite Community edition
  • Semgrep
  • Coffee or Tea ☕️

Syllabus

Each module lists its topics; indented entries are the details covered under a topic, and entries marked LAB are hands-on exercises.

The hacking mindset
  • How attackers will look at your applications

Secure coding introduction
  • Secure coding principles
  • From SDLC to SSDLC
  • OWASP Top 10 2021
  • OWASP ASVS and security requirements
  • CVSS: how to rate vulnerabilities

ReactJS security
  • Security Headers
  • LAB: React client-side open redirect
  • LAB: XSS and dangerous JavaScript React functions
  • LAB: Attacking Local storage vs Cookies
  • CSP best practices and limits
  • LAB: Client side open redirect
  • React Security Framework

Authorization and Broken Access Control in NodeJS
  • Attacking JWT (JSON Web Tokens)
      - LAB: None algorithm attacks
      - LAB: Secret bruteforce
      - LAB: Signature validation failures
      - Algorithm confusion attacks
  • Attacking wrong OAuth2 implementations
  • LAB: IDOR (Insecure Direct Object Reference)
  • LAB: Path Traversal
  • LAB: CSRF (Cross-Site Request Forgery)
  • LAB: Prototype pollution attack

Server Side Injections in NodeJS
  • LAB: SQL injections
      - Basics of SQL injection
      - Bypassing prepared statements in mysqljs
  • LAB: Command injection
  • LAB: Code and Object Injection
      - eval(), setTimeout(), setInterval() and Function() exploitation
      - Deserialization in JavaScript
  • LAB: XML External Entities
  • LAB: Server-Side Request Forgery
      - Basics of SSRF
      - Exploiting SSRF using DNS localhost resolution
  • LAB: NoSQL injections
  • LAB: Local and remote file inclusion
      - Abusing require()
  • LAB: Server Side Template Injections
      - render() to RCE

Vulnerable and Outdated Dependencies
  • Dependency graphs
  • The importance of SCA (Software Composition Analysis)
  • LAB: Detecting known vulnerabilities using Snyk
  • Integrate SCA in the CI/CD pipeline
      - npm audit and npm update
      - Detecting vulnerabilities in Node and React using SCA

Scanning your code using Semgrep
  • Semgrep basics
  • LAB: Semgrep for NodeJS: how to write rules
  • Semgrep automation

Trainers

Why should you attend this course?

This course teaches you the ins and outs of exploiting and securing JavaScript applications through real-life examples. If you are a JavaScript or TypeScript developer, or you work in DevOps, this is the course for you.

More info? Contact us at [email protected]