SCJS - Writing Secure Code in JavaScript
Learn how to write secure code in JavaScript and TypeScript, on both client and server-side
Last updated
Learn how to write secure code in JavaScript and TypeScript, on both client and server-side
Last updated
If you want to learn how to exploit simple and complex vulnerabilities in NodeJs and React JS applications, you are in the right place. We will look at their exploitation from the hacker angle and at their remediations from a developer's point of view. At the end of the training, you will be equipped with the right knowledge and tools to embed security in each phase of the software development lifecycle. "JSCP - Writing secure code in JavaScript" is a course for developers, security engineers, or professionals that want to improve their skills in performing secure code reviews, pull requests security peer reviews, and vulnerabilities exploitation on applications written in JavaScript. The training is based on the OWASP standards such as the OWASP Top 10 2021 and the OWASP ASVS v4 and includes references to real-world vulnerabilities, bug bounties, and famous hacks. The labs presented in the course have different levels of complexity, in order to meet the need of any type of audience, from beginners to advanced.
Knowledge of JavaScript or TypeScript for both client and server-side programming
Familiar with frontend JS frameworks (ReactJS, Vue.js ...)
Interest in security
Security Engineers
Security Champions
DevOps
Developers
Any IDE
Docker (docker-compose)
Burp Suite Community edition
Semgrep
Coffee or Tea ☕️
The hacking mindset
How attackers will look at your applications
Secure coding introduction
Secure coding principles
From SDLC to SSDLC
OWASP Top 10 2021
OWASP ASVS and security requirements
CVSS: how to rate vulnerabilities
ReactJS security
Security Headers
LAB: React client-side open redirect
LAB: XSS and dangerous JavaScript React functions
LAB: Attacking Local storage vs Cookies
CSP best practices and limits
LAB: Client side open redirect
React Security Framework
Authorization and Broken Access Control in NodeJS
Attacking JWT (JSON Web Tokens)
LAB: None algorithm attacks
LAB: Secret bruteforce
LAB: Signature validation failures
Algorithm confusion attacks
Attacking wrong OAuth2 implementations
LAB: IDOR (Insecure Direct Object Reference)
LAB: Path Traversal
LAB: CSRF (Cross-Site Request Forgery)
LAB: Prototype pollution attack
Server Side Injections in NodeJS
LAB: SQL injections
Basics of SQL injection
Bypassing prepared statement in mysqljs
LAB: Command injection
LAB: Code and Object Injection
eval(), setTimeout(), setInterval() and Function() exploitation
Deserialization in JavaScript
LAB: XML External Entities
LAB: Server-Side Request Forgery
Basics of SSRF
Exploiting SSRF using DNS localhost resolution
LAB: NoSQL injections
LAB: Local and remote file inclusion
Abusing require()
LAB: Server Side Template Injections
render() to RCE
Vulnerable and Outdated Dependencies
Dependency graphs
The importance of SCA (Software Composition Analysis)
LAB: Detecting known vulnerabilities using Snyk
Integrate SCA in the CI/CD pipeline
npm audit and npm update
Detecting vulnerabilities in Node and React using SCA
Scanning your code using Semgrep
Semgrep basics
LAB: Semgrep for NodeJS: How to write rules
Semgrep automation
This course will teach you the inside out of exploiting and securing JavaScript applications via real-life examples. If you are a JavaScript or TypeScript developer / DevOps this is the course for you.
