Building Secure React Applications • Philippe De Ryck • GOTO 2019
- Published 10 Mar 2020
- This presentation was recorded at GOTO Berlin 2019. #GOTOcon #GOTOber
gotober.com
Philippe De Ryck - PhD in web security, OWASP and practical security mastermind and founder of Pragmatic Web Security
ABSTRACT
React is a secure framework. It handles cross-site scripting (XSS) out of the box. While these statements sound very hopeful, they are unfortunately far from reality. Building secure applications with React is easier than starting from scratch. However, even with React, there are several guidelines and considerations to take into account.
In this session, we take a deep-dive into two particular topics. We take a close look at XSS, React's defenses, and the responsibilities of the developer. The second topic zooms in on the challenges with including NPM dependencies. We look at how attackers abuse NPM to target your application. Throughout these topics, we build a set of concrete guidelines you can immediately apply to [...]
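As an added example that is not part of the talk or of React's or DOMPurify's own code, the contrast the abstract draws between React's built-in escaping and the developer's responsibility for raw HTML, in plain JavaScript: a minimal re-implementation of the text escaping React applies, and a lint-style scan that reports uses of `dangerouslySetInnerHTML` whose expression is not wrapped in `DOMPurify.sanitize(...)`. The file names and JSX snippets in `SAMPLE_SOURCES` are constructed.

```javascript
// Added example, not from the talk, React or DOMPurify. Part 1: the escaping React
// applies to text children, re-implemented minimally. Part 2: a lint-style scan for
// the raw-HTML escape hatch used without DOMPurify.

// React escapes these five characters in text children before they reach the DOM,
// which is why `<div>{userInput}</div>` cannot inject markup.
function escapeText(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// dangerouslySetInnerHTML bypasses that escaping: the string is assigned to innerHTML
// as-is, so the developer owns sanitization. The guideline from the talk: only feed it
// the output of DOMPurify.sanitize().
const RAW_HTML_PROP = /dangerouslySetInnerHTML=\{\{\s*__html:\s*([\s\S]*?)\s*\}\}/g;
const SANITIZED = /^DOMPurify\.sanitize\(/;

// Scan a map of {fileName: sourceText} and report every raw-HTML use whose expression
// is not a direct DOMPurify.sanitize(...) call. (eslint-plugin-react's react/no-danger
// rule is stricter: it flags every use of the prop.)
function findUnsanitizedRawHtml(sources) {
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const match of text.matchAll(RAW_HTML_PROP)) {
      const expr = match[1];
      if (!SANITIZED.test(expr)) {
        findings.push({ file, expr });
      }
    }
  }
  return findings;
}

// Constructed JSX snippets standing in for a code base.
const SAMPLE_SOURCES = {
  'Comment.jsx': '<div dangerouslySetInnerHTML={{ __html: comment.body }} />',
  'Post.jsx': '<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.html) }} />',
  'Bio.jsx': '<p>{user.bio}</p>',
};

console.log(escapeText('Tom & Jerry <b>"bold"</b>'));
console.log(findUnsanitizedRawHtml(SAMPLE_SOURCES));
```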
Download slides and read the full abstract here:
gotober.com/2019/sessions/833...
RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • amzn.to/2U8iLY2
#Security #OWASP #React
Looking for a unique learning experience?
Attend the next GOTO Conference near you! Get your ticket at gotocon.com
SUBSCRIBE TO OUR CHANNEL - new videos posted almost daily.
ua-cam.com/users/GotoConf... - Science & Technology
- 02:03 XSS keylogger, GitHub
- 11:14 DOMPurify
- 13:42 Avoiding XSS in React
- 14:32 ReactHtmlParser
- 19:57 Ron Perris, "Avoiding XSS in React is still hard"
- 25:00 Secure coding guidelines, eslint-plugin-react
- 29:28 97% of the code in a modern web app is third-party dependencies; npm; the average npm module relies on 80 packages; 40% rely on known vulnerable code; Handlebars
- 37:55 Continuous monitoring, dependency graph, GitHub, Snyk
- 39:53 Equifax, securing dependencies
- 44:00 Ron Perris, Lewis Ardern
To summarize these 44 minutes in one line: don't use innerHTML, but if you do, use DOMPurify.
Very interesting, especially the part on the dependency vulnerabilities, which is important but IMO mostly concerns the back end. I never understood why we should bother securing the front end (or spending a lot of time on it) when anyone can download your app, study it and modify it. The real part to secure is the back end!
German Beto O’Rourke?
Can’t unsee it
No need for DOMPurify, just render it into a sandboxed . No problems.