JavaScript Security

Book Description

Learn JavaScript security to make your web applications more secure

In Detail

This book starts with an introduction to JavaScript security and an overview of what JavaScript can do on the Web, both on the client side and on the server side. It demonstrates a couple of ways in which RESTful APIs can be riddled with security flaws, and you will build a simple RESTful server using Express.js and Node.js to see them first hand. You will then focus on one of the most common JavaScript security attacks, cross-site scripting (XSS), and on how to prevent both cross-site scripting and cross-site request forgery (CSRF).

Last but not least, the book covers JavaScript phishing, how it works, and ways to counter it.

By the end of this book, you will be able to identify various risks of JavaScript and how to prevent them.

What You Will Learn

  • Review the features of JavaScript and its vulnerabilities
  • Use JavaScript in tandem with Ajax RESTful APIs
  • Deal with cross-site scripting
  • Make basic GET and POST calls to an endpoint
  • Explore what cross-site request forgery is and how to deal with it
  • Avoid misplaced trust in the client and explore various examples
  • Understand JavaScript phishing

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

    Table of Contents

    1. JavaScript Security
      1. Table of Contents
      2. JavaScript Security
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. JavaScript and the Web
        1. JavaScript and your HTML/CSS elements
          1. jQuery effects
            1. Hide/Show
            2. Toggle
            3. Animation
          2. Chaining
          3. jQuery Ajax
            1. jQuery GET
            2. jQuery getJSON
            3. jQuery POST
        2. JavaScript beyond the client
          1. JavaScript on the server side
          2. Full-stack JavaScript
        3. JavaScript security issues
          1. Cross-site request forgery
          2. Cross-site scripting
        4. Summary
      9. 2. Secure Ajax RESTful APIs
        1. Building a RESTful server
          1. A simple RESTful server in Node.js and Express.js
          2. Frontend code for the to-do list app on top of Express.js
          3. Cross-origin injection
          4. Injecting JavaScript code
          5. Guessing the API endpoints
        2. Basic defense against similar attacks
        3. Summary
      10. 3. Cross-site Scripting
        1. What is cross-site scripting?
          1. Persistent cross-site scripting
          2. Nonpersistent cross-site scripting
        2. Examples of cross-site scripting
          1. A simple to-do app using Tornado/Python
            1. Coding up server.py
          2. Cross-site scripting example 1
          3. Cross-site scripting example 2
          4. Cross-site scripting example 3
        3. Defending against cross-site scripting
          1. Do not trust users – parsing input by users
        4. Summary
      11. 4. Cross-site Request Forgery
        1. Introducing cross-site request forgery
          1. Examples of CSRF
          2. Basic defense against CSRF attacks
        2. Other examples of CSRF
          1. CSRF using the <img> tags
        3. Other forms of protection
          1. Creating your own app ID and app secret – OAuth-styled
          2. Checking the Origin header
          3. Limiting the lifetime of the token
        4. Summary
      12. 5. Misplaced Trust in the Client
        1. When trust gets misplaced
          1. A simple example
          2. Building the server side – mistrust.py
            1. The templates
          3. To trust or not to trust
            1. Manipulating the JavaScript code
          4. Dealing with mistrust
        2. Summary
      13. 6. JavaScript Phishing
        1. What is JavaScript phishing?
        2. Examples of JavaScript phishing
          1. Classic examples
          2. Accessing user history by accessing the local state
          3. XSS and CSRF
          4. Intercepting events
        3. Defending against JavaScript phishing
          1. Upgrading to latest versions of web browsers
          2. Recognizing real web pages
          3. Protecting your site against XSS and CSRF
          4. Avoid using pop ups and keep your address bars
        4. Summary
      14. Index