JavaScript Security

Book description

Learn JavaScript security to make your web applications more secure

In Detail

This book starts off with an introduction to JavaScript security and gives you an overview of the basic functions JavaScript can perform on the Web, both on the client side and the server side. It demonstrates a couple of ways in which RESTful APIs can be laden with security flaws. You will also create a simple RESTful server using Express.js and Node.js. You will then focus on one of the most common JavaScript security attacks, cross-site scripting, and how to prevent cross-site scripting and cross-site request forgery.

Last but not least, the book covers JavaScript phishing, how it works, and ways to counter it.

By the end of this book, you will be able to identify various risks of JavaScript and how to prevent them.

What You Will Learn

  • Review the features of JavaScript and its vulnerabilities
  • Use JavaScript in tandem with Ajax RESTful APIs
  • Deal with cross-site scripting
  • Make basic GET and POST calls to an endpoint
  • Explore what cross-site request forgery is and how to deal with it
  • Avoid misplaced trust in the client and explore various examples
  • Understand JavaScript phishing

Table of contents

  1. JavaScript Security
    1. Table of Contents
    2. JavaScript Security
    3. Credits
    4. About the Author
    5. About the Reviewers
    6. www.PacktPub.com
      1. Support files, eBooks, discount offers, and more
        1. Why subscribe?
        2. Free access for Packt account holders
    7. Preface
      1. What this book covers
      2. What you need for this book
      3. Who this book is for
      4. Conventions
      5. Reader feedback
      6. Customer support
        1. Downloading the example code
        2. Errata
        3. Piracy
        4. Questions
    8. 1. JavaScript and the Web
      1. JavaScript and your HTML/CSS elements
        1. jQuery effects
          1. Hide/Show
          2. Toggle
          3. Animation
        2. Chaining
        3. jQuery Ajax
          1. jQuery GET
          2. jQuery getJSON
          3. jQuery POST
      2. JavaScript beyond the client
        1. JavaScript on the server side
        2. Full-stack JavaScript
      3. JavaScript security issues
        1. Cross-site request forgery
        2. Cross-site scripting
      4. Summary
    9. 2. Secure Ajax RESTful APIs
      1. Building a RESTful server
        1. A simple RESTful server in Node.js and Express.js
        2. Frontend code for the to-do list app on top of Express.js
        3. Cross-origin injection
        4. Injecting JavaScript code
        5. Guessing the API endpoints
      2. Basic defense against similar attacks
      3. Summary
    10. 3. Cross-site Scripting
      1. What is cross-site scripting?
        1. Persistent cross-site scripting
        2. Nonpersistent cross-site scripting
      2. Examples of cross-site scripting
        1. A simple to-do app using Tornado/Python
          1. Coding up server.py
        2. Cross-site scripting example 1
        3. Cross-site scripting example 2
        4. Cross-site scripting example 3
      3. Defending against cross-site scripting
        1. Do not trust users – parsing input by users
      4. Summary
    11. 4. Cross-site Request Forgery
      1. Introducing cross-site request forgery
        1. Examples of CSRF
        2. Basic defense against CSRF attacks
      2. Other examples of CSRF
        1. CSRF using the <img> tags
      3. Other forms of protection
        1. Creating your own app ID and app secret – OAuth-styled
        2. Checking the Origin header
        3. Limiting the lifetime of the token
      4. Summary
    12. 5. Misplaced Trust in the Client
      1. When trust gets misplaced
        1. A simple example
        2. Building the server side – mistrust.py
          1. The templates
        3. To trust or not to trust
          1. Manipulating the JavaScript code
        4. Dealing with mistrust
      2. Summary
    13. 6. JavaScript Phishing
      1. What is JavaScript phishing?
      2. Examples of JavaScript phishing
        1. Classic examples
        2. Accessing user history by accessing the local state
        3. XSS and CSRF
        4. Intercepting events
      3. Defending against JavaScript phishing
        1. Upgrading to latest versions of web browsers
        2. Recognizing real web pages
        3. Protecting your site against XSS and CSRF
        4. Avoid using pop ups and keep your address bars
      4. Summary
    14. Index

Product information

  • Title: JavaScript Security
  • Author(s): Y.E Liang
  • Release date: November 2014
  • Publisher(s): Packt Publishing
  • ISBN: 9781783988006