The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

JavaScript Security

Course Description

This course presents an overview of quirks and features that make JavaScript such a flexible, powerful, and popular language. The course does not focus specifically on client-side or server-side JavaScript, but instead gives an overview of security features built into the JavaScript language itself, as well as security features provided by the browsers and utilized by JavaScript web applications.

The main sections of the course offer a deep dive into the most common, most severe, and oldest JavaScript security issue: cross-site scripting (XSS). It examines different JavaScript execution contexts, dataflow concepts for identifying the issues, and protection mechanisms. It also covers the clickjacking vulnerability and mitigation methods. The last lesson focuses on managing dependencies in client-side and server-side applications and tools for identifying vulnerabilities in third-party JavaScript libraries.

Learning Objectives

  • Navigate JavaScript language specifics, like comparisons and scoping, that may cause security issues
  • Identify JavaScript execution contexts
  • Perform manual dataflow analysis with the knowledge of JavaScript sources and sinks 
  • Find common XSS issues in JavaScript code and select the best protection method for each case
  • Apply several mitigation techniques against the clickjacking vulnerability
  • Compare different tools for managing third-party dependencies

Details

Delivery Format: eLearning

Duration: 1 1/4 hours

Level: Beginner

Intended Audience

  • Front-end Developers

Prerequisites

  • N/A

Course Outline

Introduction to JavaScript

  • What's So Great About JavaScript?
  • Traditional Browser Security
  • Same-Origin Policy
  • Modern-Day JavaScript
  • Server-Side JavaScript
  • We Love JavaScript!

Javascript Basics

  • JavaScript Basics
  • Strict Mode
  • Comparing Equality Operators
  • I'm Watching You
  • Avoid Global Scope
  • Separating Scope with ES6 Features
  • Refrain from Setting document.domain

XSS and Untrusted Data Sources

  • Introduction to XSS
  • Dataflow
  • Untrusted Sources
  • I'm Loving It... or NOT
  • “Who Watches the Watchmen?”

JavaScript Execution Contexts

  • JavaScript Execution Contexts
  • Inline JavaScript
  • External JavaScript
  • Event Handlers
  • Scalable Vector Graphics
  • Unique Resource Identifier (URI)
  • Dynamic Execution: eval
  • Taking Remote Control of the Demo Gods
  • Dynamic Execution: Time Functions

XSS Defense Measures

  • XSS Defenses
  • Output Encoding
  • Sanitization
  • React Strategies
  • Input Validation
  • Handling JSON
  • Headers: X-XSS-Protection Header
  • Cookies: httpOnly Flag
  • Load Resources Securely
  • Resources: Subresource Integrity

Content Security Policy

  • Content Security Policy
  • Policies
  • Hashing and Nonces
  • CSP Implications
  • CSP Limitations
  • Configuring CSP
  • Improving Your CSP
  • Writing a Policy for Different Versions of CSP
  • Extracting Inline JavaScript
  • You Shall Not Pass!
  • Final Note: Browser Support

Iframes and Clickjacking

  • Iframes
  • Clickjacking
  • Defense Measure: CSP
  • Defense Measure: X-Frame-Options
  • Defense Measure: Frame Busting
  • Iframe Sandboxing
  • Iframe Sandboxing Options
  • Now You See Me

Managing Third-Party Dependencies and Code Analysis

  • Third-Party Dependencies
  • Package Managers
  • Know Your Dependencies
  • Tools: Third-Party Dependency Audit
  • Tools: Code Analysis
  • Manual Review

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster