This event has ended. Visit the official site or create your own event on Sched.
Back To Schedule
Tuesday, October 20 • 9:00am - 5:00pm
Defensive Programing for JavaScript and HTML5 (Day 1)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

avatar for Ksenia Dmitrieva

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications... Read More →

Tuesday October 20, 2015 9:00am - 5:00pm CDT
Gemalto Room Norris Conference Center, Austin
  2-Day Training Class

Attendees (0)