New!

XSSing JavaScript-MVC Applications -XJA

$80.00 $40.00

Cross Site Scripting right from its days of inception has always been one of the most popular client side vulnerabilities. With the recent increase in usage of JavaScript Model-View-Controller Frameworks (like AngularJS, BackboneJS etc..) for building single page web applications, the search for XSS is more challenging but rewarding if done carefully. The main objective of this course is to bring students up to speed with various security aspects of testing these interfaces developed using multitude of JS-MVC ideology. This course is in no way related to finding bypasses in the core frameworks, but more related to finding vulnerabilities in the applications developed by improper usage of these otherwise perfect frameworks. This is a deep dive course where the students will be walked through the basic architecture of these frameworks and their inbuilt protection mechanisms. Knowledge of building userscripts for dynamic hooking of different templating engines to fuzz for XSS vulnerabilities is practiced over real world applications.

View Course Curriculum

Description

Cross Site Scripting right from its days of inception has always been one of the most popular client side vulnerabilities. With the recent increase in usage of JavaScript Model-View-Controller Frameworks (like AngularJS, BackboneJS etc..) for building single page web applications, the search for XSS is more challenging but rewarding if done carefully.

The main objective of this course is to bring students up to speed with various security aspects of testing these interfaces developed using multitude of JS-MVC ideology. This course is in no way related to finding bypasses in the core frameworks, but more related to finding vulnerabilities in the applications developed by improper usage of these otherwise perfect frameworks. This is a deep dive course where the students will be walked through the basic architecture of these frameworks and their inbuilt protection mechanisms. Knowledge of building userscripts for dynamic hooking of different templating engines to fuzz for XSS vulnerabilities is practiced over real world applications.

The course starts from absolute basics of JavaScript and builds to a point where the student will be able to write static and dynamic analyzers for JS templating engines.

Curriculum

  • JavaScript Refresher
    • Basics.
    • Object Proxying and Function Hooking.
  • Developer tools and UserScripts.
  • MVC frameworks
    •  Architecture Analysis
    • Templating Engines
  •  Ways of XSS detection
    • Static Source Code Analysis
    • Dynamic Analysis
  •  Case Studies of applications built using
    • HandlebarsJS
    • DustJS
    • AngularJS
  • Quick recap & Conclusion
    • Course Slides

Audience

Pentesters, Front-End developers and anyone who are unable find reflected XSS with the help of “View Source”.

Pre-requisite Knowledge

https://developer.mozilla.org/en-US/Learn/Getting_started_with_the_web/JavaScript_basics

Reviews

There are no reviews yet.

Be the first to review “XSSing JavaScript-MVC Applications -XJA”

Time limit is exhausted. Please reload CAPTCHA.