JavaScript Security
By Y.E Liang
4/5
()
About this ebook
This book starts off with an introduction to JavaScript security and gives you an overview of the basic functions JavaScript can perform on the Web, both on the client side and the server side. It demonstrates a couple of ways in which RESTful APIs can be laden with security flaws. You will also create a simple RESTful server using Express.js and Node.js. You will then focus on one of the most common JavaScript security attacks, cross-site scripting, and how to prevent cross-site scripting and cross-site forgery.
Last but not least, the book covers JavaScript phishing, how it works, and ways to counter it.
By the end of this book, you will be able to identify various risks of JavaScript and how to prevent them.
Related to JavaScript Security
Related ebooks
JavaScript Unlocked Rating: 5 out of 5 stars5/5Mastering JavaScript Design Patterns - Second Edition Rating: 5 out of 5 stars5/5Mastering JavaScript Object-Oriented Programming Rating: 0 out of 5 stars0 ratingsMastering JavaScript Rating: 4 out of 5 stars4/5Learning jQuery 3 - Fifth Edition Rating: 0 out of 5 stars0 ratingsExpress Web Application Development Rating: 3 out of 5 stars3/5JavaScript Regular Expressions Rating: 3 out of 5 stars3/5Clean Code in JavaScript: Develop reliable, maintainable, and robust JavaScript Rating: 5 out of 5 stars5/5Jasmine JavaScript Testing - Second Edition Rating: 0 out of 5 stars0 ratingsDeploying Node.js Rating: 5 out of 5 stars5/5Learning Bootstrap Rating: 1 out of 5 stars1/5Getting Started with React Rating: 0 out of 5 stars0 ratingsPHP 7 Programming Blueprints Rating: 0 out of 5 stars0 ratingsLearning AngularJS Animations Rating: 4 out of 5 stars4/5ReactJS for Jobseekers: The Only Guide You Need to Learn React and Crack Interviews (English Edition) Rating: 0 out of 5 stars0 ratingsJavaScript Projects for Kids Rating: 0 out of 5 stars0 ratingsReact Components Rating: 0 out of 5 stars0 ratingsASP.NET Web API Security Essentials Rating: 0 out of 5 stars0 ratingsGetting Started with React Native Rating: 4 out of 5 stars4/5Modular Programming with PHP 7 Rating: 0 out of 5 stars0 ratingsJavaScript: Beginner's Guide to Programming Code with JavaScript: JavaScript Computer Programming Rating: 0 out of 5 stars0 ratingsJavaScript: Beginner's Guide to Programming Code with JavaScript Rating: 5 out of 5 stars5/5React.js Design Patterns: Learn how to build scalable React apps with ease (English Edition) Rating: 0 out of 5 stars0 ratingsLearn Java 12 Programming: A step-by-step guide to learning essential concepts in Java SE 10, 11, and 12 Rating: 0 out of 5 stars0 ratingsRESTful Web API Design with Node.js - Second Edition Rating: 1 out of 5 stars1/5Modern JavaScript Applications Rating: 0 out of 5 stars0 ratingsReact Design Patterns and Best Practices Rating: 0 out of 5 stars0 ratingsMastering JavaScript Design Patterns Rating: 4 out of 5 stars4/5Node.js By Example Rating: 2 out of 5 stars2/5
Programming For You
Python: For Beginners A Crash Course Guide To Learn Python in 1 Week Rating: 4 out of 5 stars4/5Python Programming : How to Code Python Fast In Just 24 Hours With 7 Simple Steps Rating: 4 out of 5 stars4/5HTML & CSS: Learn the Fundaments in 7 Days Rating: 4 out of 5 stars4/5Java for Beginners: A Crash Course to Learn Java Programming in 1 Week Rating: 5 out of 5 stars5/5SQL: For Beginners: Your Guide To Easily Learn SQL Programming in 7 Days Rating: 5 out of 5 stars5/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5Learn to Code. Get a Job. The Ultimate Guide to Learning and Getting Hired as a Developer. Rating: 5 out of 5 stars5/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Python Machine Learning By Example Rating: 4 out of 5 stars4/5101 Amazing Nintendo NES Facts: Includes facts about the Famicom Rating: 4 out of 5 stars4/5Pokemon Go: Guide + 20 Tips and Tricks You Must Read Hints, Tricks, Tips, Secrets, Android, iOS Rating: 5 out of 5 stars5/5Linux: Learn in 24 Hours Rating: 5 out of 5 stars5/5Grokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Learn SQL in 24 Hours Rating: 5 out of 5 stars5/5SQL All-in-One For Dummies Rating: 3 out of 5 stars3/5Excel : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Excel Programming: 1 Rating: 5 out of 5 stars5/5PYTHON: Practical Python Programming For Beginners & Experts With Hands-on Project Rating: 5 out of 5 stars5/5Modern C++ for Absolute Beginners: A Friendly Introduction to C++ Programming Language and C++11 to C++20 Standards Rating: 0 out of 5 stars0 ratingsPython Projects for Beginners: A Ten-Week Bootcamp Approach to Python Programming Rating: 0 out of 5 stars0 ratings
Reviews for JavaScript Security
1 rating1 review
- Rating: 4 out of 5 stars4/5This is a review I wrote for purposes of testing. smoketest2 reviews on rails4. Still doesn't work. Maybe due to X-XXS-Protection.
Book preview
JavaScript Security - Y.E Liang
Table of Contents
JavaScript Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. JavaScript and the Web
JavaScript and your HTML/CSS elements
jQuery effects
Hide/Show
Toggle
Animation
Chaining
jQuery Ajax
jQuery GET
jQuery getJSON
jQuery POST
JavaScript beyond the client
JavaScript on the server side
Full-stack JavaScript
JavaScript security issues
Cross-site request forgery
Cross-site scripting
Summary
2. Secure Ajax RESTful APIs
Building a RESTful server
A simple RESTful server in Node.js and Express.js
Frontend code for the to-do list app on top of Express.js
Cross-origin injection
Injecting JavaScript code
Guessing the API endpoints
Basic defense against similar attacks
Summary
3. Cross-site Scripting
What is cross-site scripting?
Persistent cross-site scripting
Nonpersistent cross-site scripting
Examples of cross-site scripting
A simple to-do app using Tornado/Python
Coding up server.py
Cross-site scripting example 1
Cross-site scripting example 2
Cross-site scripting example 3
Defending against cross-site scripting
Do not trust users – parsing input by users
Summary
4. Cross-site Request Forgery
Introducing cross-site request forgery
Examples of CSRF
Basic defense against CSRF attacks
Other examples of CSRF
CSRF using the tags
Other forms of protection
Creating your own app ID and app secret – OAuth-styled
Checking the Origin header
Limiting the lifetime of the token
Summary
5. Misplaced Trust in the Client
When trust gets misplaced
A simple example
Building the server side – mistrust.py
The templates
To trust or not to trust
Manipulating the JavaScript code
Dealing with mistrust
Summary
6. JavaScript Phishing
What is JavaScript phishing?
Examples of JavaScript phishing
Classic examples
Accessing user history by accessing the local state
XSS and CSRF
Intercepting events
Defending against JavaScript phishing
Upgrading to latest versions of web browsers
Recognizing real web pages
Protecting your site against XSS and CSRF
Avoid using pop ups and keep your address bars
Summary
Index
JavaScript Security
JavaScript Security
Copyright © 2014 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: November 2014
Production reference: 1141114
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78398-800-6
www.packtpub.com
Credits
Author
Y.E Liang
Reviewers
Jan Borgelin
Sergio Viudes Carbonell
Moxley Stratton
Mihai Vilcu
Commissioning Editor
Kunal Parikh
Acquisition Editor
Llewellyn Rozario
Content Development Editors
Shali Sasidharan
Anila Vincent
Technical Editor
Mrunal M. Chavan
Copy Editors
Sarang Chari
Rashmi Sawant
Project Coordinator
Neha Bhatnagar
Proofreaders
Simran Bhogal
Maria Gould
Ameesha Green
Paul Hindle
Indexer
Tejal Soni
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
About the Author
Y.E Liang is a researcher, author, web developer, and business developer. He has experience in both frontend and backend development, particularly in engineering, user experience using JavaScript/CSS/HTML, and performing social network analysis. He has authored multiple books and research papers.
About the Reviewers
Jan Borgelin is a technical geek with over 15 years of professional software development experience. He currently works as the CTO at BA Group Ltd., a consultancy based in Finland. In his daily work with modern web applications, JavaScript security has become an increasingly important topic as more and more business logic is being implemented within browsers.
Sergio Viudes Carbonell is a 32-year-old mobile developer (apps and games) from Elche, Spain.
He studied Computer Science at the University of Alicante. Then, he worked on developing computer programs and web apps. Now, he works as a mobile developer, creating apps and video games for Android, iOS, and the Web.
He has previously reviewed AndEngine for Android Game Development Cookbook and Mobile Game Design Essentials. Both of these books were published by Packt Publishing. Currently, he is reviewing Mastering AndEngine Game Development, Packt Publishing.
I would like to thank the author of this book for writing it. A special thanks goes to my wife, Fani, who encourages and supports me every day.
After writing his first program in 1981 in BASIC on a Commodore CBM 8032, Moxley Stratton was hooked to programming. His interests include open source software, object-oriented design, artificial intelligence, Clojure, and computer language theory. In his past jobs, he has written software in JavaScript, CoffeeScript, Java, PHP, Perl, and C. He is currently employed with Househappy as a senior backend engineer. He enjoys playing jazz piano, surfing, snowboarding, hiking, and spending time with his daughter.
Software testing excellence
is the motto that drives Mihai Vilcu. Having gained exposure to top technologies in both automated and manual testing, functional and nonfunctional, he