Demystifying UI Security

JavaScript is the Culprit
- JavaScript is very powerful and browsers are smart.
- All server-side processes are moving to the client side:
  - Client-side business logic
  - Client-side routing
  - Client-side access control
  - Client-side data storage
  - Caching, etc.

Understanding the Possible Threats

Trust
- Never, ever trust your end user.
- Check all user inputs:
  - Source of the input
  - Content of the input
  - How it was transmitted
  - Check for immutability
- Secure the identity of the user:
  - Always check authentication and authorization.
  - Always have role-based and user-based access control on the server.

Data Transmission
- Always use HTTPS.
- Secure your cookies.
- Transfer only the necessary data.
- Use proper data formats.
- Don't over-engineer it.

Data Storage
- Client side or server side?
- Keep only the necessary data.
- Clear the data when the session expires.
- Check for leakage and its possible impact.
- Identity of data: use proper cryptography.

Credentials
- Hard-coded in the code?
- Checked in to your version control by mistake?
- Easily accessible?
- Do all team members have access to the credentials?
- Are you changing them frequently?
- Share them only when it's needed.

Always Use Updated Libraries
- Keep checking for newer versions of your libraries.
- Keep them updated in your application.
- Don't wait for the updates.
- Always check before you update.

Most Common Web Security Vulnerabilities (OWASP Top 10)
- SQL Injection
- Cross-Site Scripting
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards

SQL Injection
- Manipulates SQL statements by manipulating user input.
- Data in the database can be modified.
- Principle: TRUST
- Do not trust user input.
- Use the latest libraries.

Cross-Site Scripting (XSS)
- XSS is an attack which allows the attacker to execute scripts in the victim's browser.
- Can run malware in your application.
- Principle: TRUST
- Do not trust user input.
- Set a Content Security Policy.
- Use proper response headers.

Broken Authentication and Session Management
- Forgetting to clear cookies after the session expires.
- Attacker gains unauthorized access to the system.
- Principle: DATA STORAGE
- Use server-side session management.
- Enforce policies for user credentials.

Insecure Direct Object References
- Developer mistakes.
- Attacker gains unauthorized access to objects and can manipulate the system.
- Principle: TRUST
- Implement strict access control checks.

Cross-Site Request Forgery
- Executes unwanted actions on a web application in which the user's session is active.
- Can manipulate the user's data.
- Principles: TRUST, DATA TRANSMISSION
- Always use HTTPS.
- Implement an anti-CSRF token.
- Set the SameSite flag on the cookie.
- Check the data.

Security Misconfiguration
- Misconfiguration on the server side, framework, application, file access, etc.
- Attacker can gain access to the system.
- Principle: TRUST
- Set up a proper server architecture.
- Set up proper security configurations.

Insecure Cryptographic Storage
- Sensitive data is not stored properly.
- Attacker can use the data to steal identities.
- Principle: DATA STORAGE
- Use proper cryptography to store the data.
- Set up access control.

Failure to Restrict URL Access
- Improper setup of authorization.
- Attacker can gain access to unauthorized URLs.
- Principles: TRUST, DATA TRANSMISSION
- Implement strong access control checks.
- Role-based authentication.

Insufficient Transport Layer Protection
- Not using SSL and proper cryptography during transmission.
- Attacker can gain access to the user's personal data.
- Principle: DATA TRANSMISSION
- Always use HTTPS.
- Use proper cryptography.

Unvalidated Redirects and Forwards
- Lack of proper validation before redirecting and forwarding.
- Attacker can redirect the user to malware.
- Principle: TRUST
- Avoid using redirects.
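The validation step called for under Unvalidated Redirects and Forwards, as an added JavaScript example that is not part of the original slides: it accepts a login-page "next" parameter only when it resolves to a path on the application's own origin (APP_ORIGIN and the sample inputs are constructed placeholders).

```javascript
// Added example (not from the original slides): validate a user-supplied
// "next" parameter before redirecting, so the app only ever sends the user
// to a path on its own origin. APP_ORIGIN is a constructed placeholder.
const APP_ORIGIN = "https://app.example";

function safeRedirectTarget(next, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;
  // Reject protocol-relative ("//host") and backslash forms up front:
  // the URL parser treats "\" like "/" for http(s), so "/\host" would
  // otherwise resolve to another origin.
  if (next.startsWith("//") || next.includes("\\")) return fallback;
  let url;
  try {
    url = new URL(next, APP_ORIGIN); // relative paths resolve against our origin
  } catch {
    return fallback; // unparseable input
  }
  // Absolute URLs on other hosts, and javascript:/data: URLs, yield a
  // different origin; a plain-http copy of our host is rejected as well.
  if (url.origin !== APP_ORIGIN || url.protocol !== "https:") return fallback;
  // Return only the path portion so the redirect can never leave the site.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs, as a login handler might receive them.
const samples = [
  "/account",
  "https://app.example/settings?tab=security",
  "https://evil.example/phish",
  "//evil.example",
  "/\\evil.example",
  "javascript:void(0)",
  "",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```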