
This post describes how OWASP Top 10 - A6: Security Misconfiguration affects JavaScript applications. This is a wide category that covers a lot more than one blog post can, so I'll focus on the aspects that often come up in applications that rely heavily on JavaScript.


[...]

The vulnerability known as A5 - Cross-Site Request Forgery (CSRF) goes by many names, including session riding and one-click attack. It is a blind attack in the sense that the attacker never talks to the application directly: the victim's browser is tricked into sending the request, carrying the victim's session cookie with it, and the attacker does not even see the response. In this article we'll look at what's going on, how to fix it, and at an attack specific to single-page web applications.


[...]
How do A4 - Insecure Direct Object References apply to JavaScript? It depends on how the system is designed, but this is very likely to become a problem in pure JavaScript apps, where the client fetches each resource by its identifier from an API and the server has to decide on every request whether the caller is allowed to see that object. Read on for an explanation of why.
[...]

In this post I'll describe how OWASP Top 10: A3 - Broken Authentication and Session Management applies to JavaScript-based applications. Problems with broken authentication and session management can arise for a number of reasons, but the end result is the same: the attacker is somehow able to log in as another user and get hold of content that user alone should have access to.


[...]

In this post I'll describe how OWASP Top 10: A2 - Cross-Site Scripting applies to JavaScript-based applications. Cross-Site Scripting, or XSS, is probably one of the most common and one of the most difficult problems to fully mitigate. At first mitigation seems simple, but as the number of output contexts grows and the code base grows with it, it gets harder to discover all the different sinks.


[...]

In this post I'll describe how OWASP Top 10 - A1 Injection applies to JavaScript-based applications. Injection problems occur whenever unsanitized user data is concatenated into a static template to build a structure (typically a query of some kind), so that the data can change the structure of the query instead of just filling in a value.
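As an added example of the concatenation problem just described (written for this page, not code from the original post), the same lookup is built two ways and the text of the resulting query is inspected. The `users` table, the `name` column and the `$1` placeholder style of a parameterised driver are assumptions; no database is involved, and `countStringLiterals` is only there to make the structural change visible.

```javascript
// Added example, not from the original post. Table, column and payload are constructed.

// Vulnerable: user input is concatenated straight into the SQL template.
function buildUnsafeQuery(username) {
  return "SELECT id FROM users WHERE name = '" + username + "'";
}

// Safe: the template is fixed and the input travels separately as a bound value.
// The { text, values } shape is what placeholder-based drivers accept (assumed here).
function buildSafeQuery(username) {
  return { text: "SELECT id FROM users WHERE name = $1", values: [username] };
}

// Counts single-quoted string literals in a SQL statement; '' inside a literal is an
// escaped quote. A changed count means the input changed the statement's structure.
function countStringLiterals(sql) {
  const matches = sql.match(/'(?:[^']|'')*'/g);
  return matches ? matches.length : 0;
}

const payload = "' OR '1'='1"; // constructed attacker input

const unsafe = buildUnsafeQuery(payload);
console.log(unsafe, "literals:", countStringLiterals(unsafe));
// SELECT id FROM users WHERE name = '' OR '1'='1'  literals: 3
// The template now has three literals and a new OR branch: the structure changed.

const safe = buildSafeQuery(payload);
console.log(safe.text, "literals:", countStringLiterals(safe.text), "bound:", safe.values[0]);
// SELECT id FROM users WHERE name = $1  literals: 0  bound: ' OR '1'='1
// The quotes stay inside the bound value and are matched as data, never parsed as SQL.
```

The distinction to carry over to other query languages (NoSQL filters, LDAP, XPath, shell commands) is the same: anything that lets the data decide the shape of the statement is the sink, and the fix is an API that keeps template and data apart.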


[...]

The OWASP Top 10 is a risk-focused list of the ten most critical web application security risks.


[...]
"So now that you've seen how contexts are important when mitigating XSS, I'll give you a new example", David said. "Take a look at the following example from a social networking web site".
[...]
HackPra (@HackPra) was kind enough to invite me to do a talk. On the 7th of December I held a talk called "Attacks on web application crypto".
[...]

I recently presented on Web application security at Framsia (a user group for frontend development). Great crowd and lots of questions and good feedback afterwards. The slides from the presentation can be found below.


[...]