Client-side Security for Modern Web Applications
Modern-day web applications have undergone a significant evolution. Instead of rendering a page, browsers now run a self-contained JavaScript application. The backend of the application typically consists of a set of APIs. Since the backend is mostly agnostic to the type of client, various security responsibilities are pushed towards the client.
In this workshop, we dive into the security properties of client-side applications. We look at the impact of this new development paradigm on classic vulnerabilities such as cross-site scripting (XSS). We look at XSS in modern frameworks such as Angular and React. We explore common pitfalls and discuss security best practices. Additionally, we investigate how to enhance the security further using modern mechanisms, such as Content Security Policy (CSP), Subresource Integrity (SRI), and HTML5 sandboxing.
The workshop consists of a mix of lectures and lab sessions. The lectures are used to disseminate in-depth knowledge on vulnerabilities and defenses. The labs give more insights on how these vulnerabilities work in a realistic training application. In the end, you will have learned about current best practices to build secure client-side applications.
Student Requirements Familiarity with building modern client-side web applications. Labs focus on vulnerabilities and defenses. The labs are fully prepared and do not require on-the-spot coding.
Laptop Requirements A laptop capable of running a Virtual Machine configured with 2 CPU cores and 4GB of memory.
