Overview
Explore the security challenges and vulnerabilities in modern JavaScript frameworks in this JSConf EU 2015 talk by Artur Janc. Gain insights into common pitfalls affecting code written using popular frameworks like Angular, Polymer, and Dart. Learn about real-world examples of bugs in Google apps from a security engineer's perspective. Understand why security reviews of framework-based applications can be more challenging than traditional JavaScript code. Discover the importance of framework design in addressing security concerns. Topics covered include traditional XSS in JS code, mixing Angular with server-side templates, modifying the Angular DOM, dangerous jQuery-like functions, and opting into risky modes. Enhance your understanding of web application security in the context of modern JavaScript development.
Syllabus
Intro
Client security
Traditional XSS in JS code: execution sinks
The times have changed
Lightning-fast Introduction to Angular
Mixing Angular and server-side templates
Modifying the Angular DOM
Forcing evil ng-includes
$http.jsonp() on evil URL
XSS #5.2: Scary jQlite functions: html() & friends
Angular "special" functions
Opting into dangerous modes
Taught by
JSConf