JavaScript - The Evil Parts
Offered By: JSConf via YouTube
Course Description
Overview
Explore the darker side of JavaScript in this provocative JSConf talk. Delve into security vulnerabilities, design flaws, and potential exploits within the language. Learn about application content hijacking, namespace emulation, and client-side database manipulation. Discover timing attacks, browser history theft techniques, and de-anonymization methods. Examine how attackers can leverage JavaScript to target internal systems and enterprise networks. Gain insights into obfuscated JavaScript and invisible malicious code. Walk away with a deeper understanding of JavaScript's potential security risks and how to mitigate them in your own applications.
Syllabus
Intro
Security Vulnerability == Sexy Bug
Design Flaws
JavaScript Can Application Content
Hijacking Applications
Emulating Namespaces
Shimming Ajax.Request
Shimmed Version of Ajax.Request
Dumping Client-side Databases List Mania!
Detecting Remote Application State
OMG! Timing Attacks. 3
In The Beginning...
Blast From The Past
Steal Browser History
Expanding History Theft
Word Case & Order Affect URL
How Many Combos?
Totally Doable
De-anonymization
Attacking The Enterprise With JavaScript
Attackers Want Internal Systems
Browsers Provide a Foothold
Everything has a Web Interface
Obfuscated JavaScript
Hydrate Function
Invisible Malicious Code!
Take Away
Taught by
JSConf
Related Courses
Side-Channel Attacks (TheIACR via YouTube)
TPM-FAIL - TPM Meetings Timing and Lattice Attacks (TheIACR via YouTube)
FPGA Glitching & Side Channel Attacks (Hackaday via YouTube)
Timeless Timing Attacks (Black Hat via YouTube)
How the Best Hackers Learn Their Craft (RSA Conference via YouTube)