SlideShare a Scribd company logo

Securing Angular and Node.js Apps in Azure

B
Brian Clark

The document discusses securing Angular and Node.js applications deployed in Azure. It covers topics like access control, preventing malicious input like cross-site scripting, mitigating request forgery attacks, and securely managing package dependencies. The document provides recommendations on implementing authentication, authorization, input validation, and security headers. It also demonstrates attacks like request forgery and clickjacking, as well as defenses against them using techniques like synchronizer tokens and X-Frame-Options.

Engineering
Related topics:
Node.js DevelopmentCloud Computing Insights
1 of 79
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
Securing Angular and Node.js Apps in Azure Brian Clark _clarkio
Casterly Rock
Casterly Rock
Casterly Rock
Casterly Rock “an impregnable fortress”
Casterly Rock ?!
Casterly Rock
Deter your enemies
Defending against…
MortarsArrowsInfantry Defending against…
O W A S P
pen eb pplication owasp.org O A P ecurity roject W S
Access Control
Authenticatio n Authorization You are who you say you are You have the required permissions for the request
Browser http://insecureheroes.com Server http://insecureheroes.com
Browser http://insecureheroes.com Server http://insecureheroes.com
Browser http://insecureheroes.com Server http://insecureheroes.com
Browser http://insecureheroes.comCookies Server http://insecureheroes.com
Browser http://insecureheroes.comCookies Server http://insecureheroes.com Hero: Luke
Demo
Malicious Input
Insecure Heroes http://insecureheroes.com
An attack that injects malicious code into a trusted web site such that it may be executed unintendedly by other users Cross-site Scripting (XSS)
Prevention Content Security PolicyInput Handling Control what resources the browser is allowed to load Ensure data is aligned with the expectations for its intended use
Input Handling
Input Handling
Input Handling EscapingSanitizationValidation
Sanitization EscapingValidation Ensure the data is legit Invalid Email Result :
Validation EscapingSanitization Clean the bad data BC Result :
SanitizationValidation Escaping Encode the bad data B<script>alert(1);</script>C Result :
Do not trust user input
Where should we apply input handlers?
Where should we apply input handlers? Client? Server?
Browser http://insecureheroes.com Server http://insecureheroes.com
Browser http://insecureheroes.com Server http://insecureheroes.com Security Boundary
Browser http://insecureheroes.com Server http://insecureheroes.com Security Boundary Untruste d
Browser http://insecureheroes.com Server http://insecureheroes.com Security Boundary Truste
Both
Securing Angular and Node.js Apps in Azure
Securing Angular and Node.js Apps in Azure
https://angular.io/guide/security
https://angular.io/guide/security
?
https://www.npmjs.com/package/express-validator
https://www.npmjs.com/package/xss-filters
Demo
Content Security Policy
<script>var x = “yz”;</script> Content Security Policy Content-Security-Policy: default-src 'self ' Describes sources types in directives (css, image, etc.) <div style=“{margin-top:10px;}”> 1 3 4 2
https://www.npmjs.com/package/helmet
https://www.npmjs.com/package/helmet
Faking Requests
Browser http://insecureheroes.comCookies Server http://insecureheroes.com Hero: Luke
Browser http://insecurehe roes.com Cookies Server http://insecureheroes.com http://clickbaity.co
Browser http://insecurehe roes.com Cookies Server http://insecureheroes.com http://attacker.com Attack insecureheroes.com Hero: Darth
Demo
An attack that executes a request on behalf of another authenticated user that was not intending to perform that action being requested Cross-site Request Forgery
Synchronizer Token Pattern Random token Unique to user and session Included as a header Validated server- side
https://www.npmjs.com/package/csu rf
Securing Angular and Node.js Apps in Azure
https://angular.io/guide/http#security-xsrf-protection
Demo
Securing Angular and Node.js Apps in Azure
Stealing Clicks
Demo
An attack that tricks users into clicking on content that they were not intending to click on Clickjacking
Clickjacking Mitigation X-FRAME-OPTIONS DENY SAMEORIGIN ALLOW-FROM: URL* *Content-Security-Policy: frame-ancestors: URL
https://helmetjs.github.io/
Securing Angular and Node.js Apps in Azure
Securing Angular and Node.js Apps in Azure
Securing Angular and Node.js Apps in Azure
Demo
Package Management
Securing Angular and Node.js Apps in Azure
https://nodesecurity.io/opensource
https://snyk.io
Demo
Summary Access Control Faking Requests Stealing Clicks Package Management Malicious Input
© DEVintersection 2017. All rights reserved. https://www.DEVintersection.com References  https://owasp.org  https://github.com/Azure-Samples/angular-cosmosdb  (branch: insecure-heroes)  https://angular.io/guide/security  https://www.npmjs.com/package/csurf  https://angular.io/guide/http#security-xsrf-protection  https://www.npmjs.com/package/helmet  https://nodesecurity.io/opensource  https://snyk.io
© DEVintersection 2017. All rights reserved. https://www.DEVintersection.com Please use EventsXD to fill out a session evaluation. Thank you! Brian Clark _clarkio

More Related Content

PDF
H4x0rs gonna hack
Xchym Hiệp
 
PPTX
Forgotten Security
Brian Clark
 
PPTX
Web Security Jumpstart
Satria Ady Pradana
 
PPTX
Web Security Workshop : A Jumpstart
Satria Ady Pradana
 
PDF
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
PDF
Ajax Security
Joe Walker
 
PPTX
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum
 
PPTX
Daniel Crowley - Speaking with Cryptographic Oracles
BaronZor
 
H4x0rs gonna hack
Xchym Hiệp
 
Forgotten Security
Brian Clark
 
Web Security Jumpstart
Satria Ady Pradana
 
Web Security Workshop : A Jumpstart
Satria Ady Pradana
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
 
Ajax Security
Joe Walker
 
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery
OWASP Khartoum
 
Daniel Crowley - Speaking with Cryptographic Oracles
BaronZor
 

Similar to Securing Angular and Node.js Apps in Azure (8)

PDF
Web Application Security: Winning When The Odds Are Against You
bendechrai
 
PPTX
Security Protection for WordPress
Samuel Soon
 
PDF
Beyond The Padlock: New Ideas in Browser Security UI
mozilla.presentations
 
PPTX
Malicious Input: Angular Has Our Back
Brian Clark
 
PDF
Securing Your BBC Identity
Marc Littlemore
 
PDF
Os Nightingale
oscon2007
 
PDF
Let's get evil - threat modelling at scale - Jakub Kałużny
PROIDEA
 
PPTX
Believe It Or Not SSL Attacks
Akash Mahajan
 
Web Application Security: Winning When The Odds Are Against You
bendechrai
 
Security Protection for WordPress
Samuel Soon
 
Beyond The Padlock: New Ideas in Browser Security UI
mozilla.presentations
 
Malicious Input: Angular Has Our Back
Brian Clark
 
Securing Your BBC Identity
Marc Littlemore
 
Os Nightingale
oscon2007
 
Let's get evil - threat modelling at scale - Jakub Kałużny
PROIDEA
 
Believe It Or Not SSL Attacks
Akash Mahajan
 
Ad

Recently uploaded (20)

PPTX
Artificial Intelligence
dikshendrasarpate2
 
PDF
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
PPTX
Information Storage and Retrieval Techniques Unit III
jeyamohan2519
 
PDF
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
PDF
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 
PPTX
introduction to high performance computing
JuanDavid747466
 
PDF
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
PPTX
Nature of X-rays, X- Ray Equipment, Fluoroscopy
DJERALDINAUXILLIAECE
 
PDF
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PDF
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
PDF
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
PDF
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
PPTX
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
PDF
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
PPTX
Management Information system : MIS-e-Business Systems.pptx
ShankarGowda22
 
PPTX
Graph Data Structures with Types, Traversals, Connectivity, and Real-Life App...
usham61
 
Artificial Intelligence
dikshendrasarpate2
 
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
Information Storage and Retrieval Techniques Unit III
jeyamohan2519
 
Unit I ESSENTIAL OF DIGITAL MARKETING.pdf
Nitin Shelake
 
III.4.1.2_The_Space_Environment.p pdffdf
sittiporn2
 
introduction to high performance computing
JuanDavid747466
 
EXPLORING LEARNING ENGAGEMENT FACTORS INFLUENCING BEHAVIORAL, COGNITIVE, AND ...
johnmathew9417
 
Nature of X-rays, X- Ray Equipment, Fluoroscopy
DJERALDINAUXILLIAECE
 
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
distributed database system" (DDBS) is often used to refer to both the distri...
Hemlathadhevi Annadhurai
 
Design Guidelines and solutions for Plastics parts
ferdinand937933
 
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
Human-AI Collaboration: Balancing Agentic AI and Autonomy in Hybrid Systems
ijccsa
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
Management Information system : MIS-e-Business Systems.pptx
ShankarGowda22
 
Graph Data Structures with Types, Traversals, Connectivity, and Real-Life App...
usham61
 
Ad

Securing Angular and Node.js Apps in Azure

Editor's Notes

  • #5: Mountain Icon credit: http://kreavi.com/royyanwijaya Mountain Icon Source: https://www.iconfinder.com/icons/1664206/climb_climbing_mountain_nature_rock_stone_icon#size=128
  • #6: Mountain Icon credit: http://kreavi.com/royyanwijaya Mountain Icon Source: https://www.iconfinder.com/icons/1664206/climb_climbing_mountain_nature_rock_stone_icon#size=128 Boat Icon credit: https://chihabjraoui.com/ Boat Icon Source: https://www.iconfinder.com/icons/1308361/boat_solid_tourism_travel_icon#size=128
  • #7: Mountain Icon credit: http://kreavi.com/royyanwijaya Mountain Icon Source: https://www.iconfinder.com/icons/1664206/climb_climbing_mountain_nature_rock_stone_icon#size=128 Boat Icon credit: https://chihabjraoui.com/ Boat Icon Source: https://www.iconfinder.com/icons/1308361/boat_solid_tourism_travel_icon#size=128
  • #8: Mountain Icon credit: http://kreavi.com/royyanwijaya Mountain Icon Source: https://www.iconfinder.com/icons/1664206/climb_climbing_mountain_nature_rock_stone_icon#size=128 Boat Icon credit: https://chihabjraoui.com/ Boat Icon Source: https://www.iconfinder.com/icons/1308361/boat_solid_tourism_travel_icon#size=128
  • #68: Instruct the browser to turn on security measures Helmet.js (available for Node.js and simple set up) Example headers: XSS-Protection, Frame-Options, HSTS https://helmetjs.github.io/ Mention nsp how it alerts of packages with vulns https://nodesecurity.io/opensource