jvandemo.com

Review on Angular Security Workshop by Philippe De Ryck

Introduction

user

Jurgen Van de Moere

Follow @jvandemo

Review on Angular Security Workshop by Philippe De Ryck

Posted by Jurgen Van de Moere on .
Featured

Review on Angular Security Workshop by Philippe De Ryck

Posted by Jurgen Van de Moere on .

featureimage

On November 24, 2018, I attended the Angular Security Workshop by Philippe De Ryck in Holiday Inn Ghent Expo.

The purpose of this review is to share how I experienced the workshop as an attendee. It summarizes my personal thoughts only and is by no means influenced by the instructor.

Workshop details

  • Date: November 24, 2018
  • Location: Holiday Inn Gent Expo, Ghent, Belgium
  • Instructor: Philippe De Ryck
  • Ticket price: 379 EUR (excl. VAT) for 1 day
  • Number of attendees: limited to 30

The instructor

Knowledge is the key to getting security right. Philippe's mission is to deliver that knowledge to practitioners. From the early stages of his Ph.D., Philippe has always focused on practical security.

As the founder of Pragmatic Web Security, he inspires developers to build more secure applications with training, conference talks, cheat sheets, and blog posts.

Workshop review

08:45 — The Security Model of The Web

In the first section of the workshop, Philippe introduced the security model of the web. We learned about origins, browsing contexts and how browser security works in general.

We learned that some browser mechanisms are origin related (e.g. localStorage, sessionStorage) while others are domain related (e.g. cookies).

Finally, we learned how web messaging can be used to enable safe cross-origin communication.

Bonus pearl of wisdom from Philippe: Chrome uses a different process per origin to prevent leaking memory between origins, which is the reason why Chrome uses more memory than one would initially expect.

10:10 — Lab

In this lab, we had a look at specific applications we would use during the workshop, such as Eclipse, Burp Suite, Chrome and Firefox.

10:10 — SSL, CSP and HSTS

In this section, Philippe talked in detail about SSL.

After a brief introduction to its history, Philippe explained how SSL can be used to promote confidentiality, integrity, and authenticity.

We learned about mixed content and how the different types of content relate to Content Security Policy (CSP).

In the process, we had a look at HTTP Strict Transport Security (HSTS) and explored a safe upgrade path to migrate a website from HTTP to HTTPS.

13:00 — Lunch

14:10 — Cross Site Scripting (XSS)

In this section, Philippe showed us what Cross Site Scripting (XSS) is and how it can be used by attackers to inject malicious code in trusted websites.

We learned about the different defense mechanisms on the server (encoding, sanitization) and in the client (textContent, DOMPurify, ...).

We looked at how the ngSanitize module can be used in AngularJS 1.x to help protect against XSS attacks.

Finally, we learned how Angular 2+ enables XSS protection by default and which helper functions it offers to finetune sanitization.

Bonus tip from Philippe: do NOT use bypassSecurity* functions!

15:45 — APIs, Sessions and JWTs

In this section we learned about the three pillars of session management:

  • locality and representation of data: client vs server
  • storage mechanisms: cookies vs localStorage vs sessionStorage
  • transport mechanisms: cookies vs headers

We learned how WebSockets support cookies but not Authorization headers and how we can work around that limitation by checking the origin header when the connection is opened.

We looked into the importance of whitelisting Authorization headers so that tokens don't get sent to the wrong parties unintendedly.

In an in-depth section on cookies, we explored the secure and httpOnly flags and how they can be used to tweak cookie behavior. We learned what Cross-Site Request Forgery (CSRF) is and how to deal with CSRF via a variety of defense mechanisms such as double submit cookies, origin header checking and the SameSite cookie attribute.

Once we understood the generic parts, we explored the various mechanisms Angular provides to deal with each one of them.

Bonus tip from Philippe: jwt.decode does not verify whether a JWT is valid. Always use verifier.verify(token) to verify its signature and decode the payload.

17:10 — Subresource Integrity and Sandboxes

In this final section, we learned about Subresource Integrity (SRI) and how we can use it to verify whether a file is exactly the one we expect.

We also had a look at the iframe sandbox attribute and explored how it can be used to control and restrict the behavior inside the iframe so we can tighten security and selectively re-enable features using Allow-* keywords when dealing with untrusted content.

Bonus tip from Philippe: render untrusted HTML in a sandboxed iframe.

Summary

This workshop was packed an incredible amount of valuable knowledge.

Philippe is a fantastic teacher who brings a lot of energy and practical examples. He was very well prepared and has an incredible amount of knowledge about Web Security.

What I particularly appreciated is that Philippe does not shy away from questions that are broader than the workshop's topics.

When someone from the audience asked a question about a challenge they were faced with at work, Philippe went all-in and guided us in how we can tackle such situations.

This provided all attendees with unique practical insights in Philippe's thinking process and left the person (who asked the question) with quality advice to take back to work.

Would I recommend this workshop to others?

Without a doubt: yes!

If you're looking for a full day packed with quality advice, on-hands labs and valuable knowledge you can take away to your projects, then this workshop might just be what you are looking for and I would highly recommend it.

You can find out more about Philippe's upcoming workshops at https://pragmaticwebsecurity.com.

Have a great one!

user

Jurgen Van de Moere

Front-end architect at The Force. Gymnast. Dad. Family man. Creator of Angular Express.