Anand Vemuri: What Your Scanner Doesn’t Tell You CAN Hurt You
Modern JavaScript libraries and frameworks have become the de facto standard in web application development. However, the great strides in innovation have created framework-specific security vulnerabilities that most modern JavaScript security scanners are not programmed to search for. Personal research with intentionally vulnerable applications as well as live production code has shown that many popular scanners do not detect common application vulnerabilities.
This talk will discuss some common security pitfalls developers make when working with popular client-side JavaScript frameworks. Intentionally vulnerable applications developed with Backbone.js, Angular.js, Ember.js, and Meteor.js will be attacked and exploited live. GitHub links to the vulnerable applications used in this presentation will be released after the presentation. Through strengthening the security posture of JavaScript applications, we can take strides towards creating a more secure Internet.