Loading…
This event has ended. Visit the official site or create your own event on Sched.
View analytic
Wednesday, October 21 • 9:00am - 5:00pm
Defensive Programming for JavaScript and HTML5 (Day 2)

Sign up or log in to save this to your schedule and see who's attending!

Understand JavaScript and HTML5 Features to Secure Your Client-side Code

This full-day course helps web front-end developers understand the risks involved with manipulating JavaScript and HTML5 and apply defensive programming techniques in both languages.
Some of the topics covered include, but are not limited to, important security aspects of modern browser architecture (Document Object Model and Same Origin Policy), XSS, CSRF, DOM manipulation, Sandboxing iframes, Cross-origin Resource Sharing, Content Security Policy, Web Messaging, Web Storage, and JSON.

This course is structured into modules and includes exploitation and remediation exercises. The high-level topics for this course are:
• The HTML5 and JavaScript Risk Landscape
• Storage of Sensitive Data
• Secure Cross-domain Communications (CORS, web messaging)
• Protecting from Cross-site Scripting (CSP, JavaScript Execution Contexts, Output Encoding)
• Implementing Secure Dataflow
• Securing AJAX Requests and JSON Data

Objectives
After completing this course, students will be able to:
• Apply HTML5 Defensive Programming Techniques
• Apply JavaScript Defensive Programming Techniques
• Apply JSON Defensive Programming Techniques
There should be a maximum of 20 students.

Labs and Demonstrations
If students bring their own laptops with internet connectivity will be able to access online Virtual Machines with labs. In lab sessions students will learn to fix issues related to localStorage, web messaging, sandbox attribute for iframes, CORS, CSP, parsing JSON data, and DOM-based cross-site scripting. The course also includes several interactive demonstrations showing how to tamper with client-side data, evade client-side filters, and work with Firebug. The labs are not compulsory to get the full value of the course.

Note, the training has been recently updated with the latest information on CORS, CSP, and new lab exercises.

Speakers
avatar for Ksenia Dmitrieva

Ksenia Dmitrieva

Associate Principal Consultant, Cigital
Ksenia Dmitrieva is an Associate Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security... Read More →


Wednesday October 21, 2015 9:00am - 5:00pm
Gemalto Room Norris Conference Center, Austin

Attendees (5)