ConfPad

Hackers are everywhere! Are they also in your client-side code? What do attackers target when they are breaking JavaScript frameworks and libraries? How are they stealing those elusive crypto keys and your authentication protected data?Detecting and exploiting JavaScript security issues can easily become complex since the scope for attack would be constrained by features built into the framework and libraries. Allowing external resources to be loaded via Content Delivery Networks, improper dynamic parsing of user input, using 3rd party widgets and extensions can all lead to security troubles.This talk will take the audience through multiple case studies of JavaScript framework/library bugs and the impact that these bugs would have if exploited. Real world examples of application security testing that show how we were able to bypass controls and gain access to data will also be covered. The talk will also cover some common security server configurations that can break client-side applications when implemented as is.