XSSing JavaScript-MVC Applications -XJA

$19.99

Cross-site scripting has been one of the most common client-side vulnerabilities since its inception. With the growing use of JavaScript Model-View-Controller frameworks (AngularJS, BackboneJS and others) for building single-page web applications, finding XSS is harder, but rewarding when done carefully. The main objective of this course is to bring students up to speed with the security aspects of testing interfaces built on the various JS-MVC frameworks. The course is not about finding bypasses in the core frameworks; it is about finding vulnerabilities in applications that misuse these otherwise well-protected frameworks. It is a deep-dive course: students are walked through the basic architecture of these frameworks and their built-in protection mechanisms, and practise writing userscripts that dynamically hook the different templating engines to fuzz for XSS in real-world applications.

Description


The course starts from the absolute basics of JavaScript and builds to the point where the student can write static and dynamic analyzers for JS templating engines.
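The dynamic-analysis idea the description refers to (a userscript that hooks a templating engine's compile function so that fuzzed input which ends up inside the template source, rather than in the template data, is flagged as a template injection / XSS candidate) looks roughly like the following. This is an added illustration, not course material: FakeEngine, CANARY, renderSafe and renderVulnerable are constructed stand-ins for a page under test, and on a real page the same Proxy would be installed on the real engine entry point (for example Handlebars.compile, dust.compile or AngularJS's $compile; which object to patch is an assumption you verify per target).

```javascript
// Added example (not from the course). Runs in Node or a browser console;
// in a userscript the engine object would come from unsafeWindow.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed stand-in for a templating engine: compile(source) returns a
// render function that substitutes {{key}} with the HTML-escaped context value.
const FakeEngine = {
  compile(source) {
    return (ctx) =>
      source.replace(/\{\{(\w+)\}\}/g, (_, k) => escapeHtml(String(ctx[k] ?? "")));
  },
};

// Marker that is harmless in data but must never appear in template source.
const CANARY = "xja_canary_7f3";

// Wrap engine[method] in a Proxy whose apply trap inspects the template source
// before delegating to the original. Returns a function that removes the hook.
function hookCompile(engine, method, findings) {
  const original = engine[method];
  engine[method] = new Proxy(original, {
    apply(target, thisArg, args) {
      const source = String(args[0]);
      if (source.includes(CANARY)) {
        // User input reached the template *source*: expressions inside it
        // will be evaluated by the engine, not escaped as data.
        findings.push({ method, source, stack: new Error().stack });
      }
      return Reflect.apply(target, thisArg, args);
    },
  });
  return () => { engine[method] = original; };
}

// Two constructed application code paths.
// Safe: user input is passed as data to a fixed template.
function renderSafe(engine, userInput) {
  const tpl = engine.compile("<p>Hello {{name}}</p>");
  return tpl({ name: userInput });
}
// Vulnerable: user input is concatenated into the template source itself.
function renderVulnerable(engine, userInput) {
  const tpl = engine.compile("<p>Hello " + userInput + "</p>");
  return tpl({ name: "ignored" });
}

// Fuzz both paths with the canary and report which ones leaked it into source.
function fuzz(engine) {
  const findings = [];
  const unhook = hookCompile(engine, "compile", findings);
  try {
    renderSafe(engine, CANARY);
    renderVulnerable(engine, CANARY);
  } finally {
    unhook();
  }
  return findings;
}
```

Only the vulnerable path trips the hook; the safe path compiles a constant template and the canary only ever appears as escaped output. The captured stack in each finding is what points you at the application code that built the template string, which is the part the page's own "View Source" approach cannot see.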

What are the requirements?

What am I going to get from this course?

  • Over 12 lectures and 1 hour 50 minutes of content
  • Learn how to find XSS vulnerabilities in modern templating engines and MVC frameworks
  • Learn how to fuzz for XSS using Static and Dynamic Analysis methods
  • Certificate of Appreciation upon successful course completion.

What is the target audience?

  • Application Security Professionals interested in Client Side JavaScript/Frontend Framework Security.
  • Pentesters, front-end developers and anyone who cannot find reflected XSS with "View Source" alone.
  • Developers who want to catch insecure coding practices and security issues while they are developing the apps.
  • If you want to learn the basics of Client Side JavaScript Security, this course is probably not for you.

Curriculum

Section 1: Introduction

1. Introduction to the Course

Section 2: JavaScript Refresher

2. Basics of JavaScript
3. Object Proxying and Function Hooking.

Section 3: Developer tools

4. Developer Tools & UserScripts

Section 4: MVC frameworks

5. Architecture Analysis
6. Templating Engines

Section 5: Ways of XSS detection

7. Static Source Code Analysis
8. Dynamic Analysis

Section 6: Case Studies of JS MVC Frameworks

9. HandlebarsJS
10. DustJS
11. AngularJS

Section 7: Conclusion

12. Quick Recap & Conclusion
13. Course Slides
