Getting Started with Node.js Security with Express and Angular

This course will teach you how to apply common security mitigation techniques to a web application built with Angular, Express.js, and Node.js.
Course info
Rating: (22)
Level: Beginner
Updated: Sep 7, 2016
Duration: 1h 33m
Table of contents
Course Introduction
Protecting Data from Extraction
Hide Network Traffic from Snooping
Ensure Legitimacy of Requests
Block Content Hijacking
Summary
Description

Node.js is a server-side JavaScript platform that's rapidly being adopted by many individuals and large companies. This course, Getting Started with Node.js Security with Express and Angular, shows you how to apply secure application development practices to Node.js with Express and Angular by learning some of the security risks that are of concern in this area. You'll see the execution of exploits associated with these risks and follow through with the implementation steps for mitigating each one. First, you'll learn about protecting data from extraction, as well as how to mitigate this risk. Next, you'll learn about how to ensure legitimacy of requests. Finally, you'll learn about blocking content-hijacking and what you can do to prevent it in the first place. By the end of this course, you'll have learned about many of the risks, vulnerabilities, and mitigation techniques, why they are so important, and you'll be more equipped to use secure application development practices.

About the author

Brian is a Solution Architect Specialist who has been building and architecting software for many years. His initial focus was on ASP.NET, C#, SQL and WPF, but he has since been leveraging technologies such as Angular, Node.js, JavaScript, HTML and CSS. You can find Brian on Twitter @_clarkio or at clarkio.com.

Section Introduction Transcripts

Course Introduction
Hi, I'm Brian Clark, and in this course we'll be talking about web application security and how to apply what we learn to a sample web application. This web application is built using a Node.js server with Express and an Angular UI. But before we go any further, let's talk about why we should care about security. As developers and engineers, we are under great pressure to build applications and provide the features required in them as quickly and efficiently as possible. We become focused on making sure the application fulfills our business and user needs, but can get caught up in this focus, not always realizing what else we need to take into consideration while implementing these features. This leaves our applications potentially open to security vulnerabilities, and we may not be aware of them.

Protecting Data from Extraction
Hi, this is Brian Clark, and the first risk we'll be exploring together is how our data can be exfiltrated from our web applications. This can have serious implications when the data is particularly sensitive and can lead to a breakdown in the integrity of our apps. We'll take a look at how an attacker would explore for this type of risk in our sample web application. This will provide us a better understanding of what we're trying to protect against within our applications. Once we've gotten familiar with this risk, we'll talk about the technical definition of the attack used to exploit it, and the high-level approaches that can be used for mitigation. After that, we will actually use those techniques that protect our apps by implementing them in the vulnerable application. We'll take advantage of the Node.js-specific modules that assist in addressing this type of attack, and see just how easy they are to plug in. Let's put our hacker hats on, and attempt to extract information of interest from a web application.

Hide Network Traffic from Snooping
Hi, this is Brian Clark, and the second risk we'll be exploring together is how our network traffic between users and our server can be snooped on. It is not something often thought about when building web applications today, but it is a serious risk to both our users and our system. The location from which users may be accessing our web applications can be vulnerable to attackers working on the same network. We'll first see how we can emulate the attack in a simulation on our local machine, and thereby identify the risk that is present with such an attack. After, we'll discuss the name of such an attack, and walk through a visual example of the attacker positioning, so that we may better understand the scenario in which this can occur. We'll learn of the way to protect our network traffic from such an attack, and actually implement this protection in the vulnerable application. This implementation will leverage the mechanisms available within the Node.js platform, but the technique can be applied to any other platform as well. Taking on the role of the attacker again, let's attempt to snoop on the vulnerable application's network traffic.

Ensure Legitimacy of Requests
Hi, this is Brian Clark, and the third risk we'll be exploring together is illegitimate requests being made on behalf of the application's end user. It is possible that the request a server receives may not have been generated by the client side associated with that server. This can happen either by someone formulating the requests using various tools available, such as a REST client, or through manipulation of the existing client-side code, triggered through hidden mechanisms. We'll first get more acquainted with how this can be possible by following along with what an attacker might do in such a scenario. After, we will learn of the name that is used to describe such an attack, and talk through the various ways we can prevent it. Once we're familiar with the prevention approaches, we will implement them in the vulnerable application. Once again, acting on behalf of the attacker, let's look at how an attacker might create illegitimate requests against the vulnerable application.

Block Content Hijacking
Hi, this is Brian Clark, and the fourth risk we'll be exploring together is the hijacking of our site's content to trick users into clicking things they weren't intending to click. Attackers can use your content without your knowledge and leverage it to trick your authenticated users into executing operations they were not intending to perform. The first thing we'll do is see how this can be accomplished through the vulnerable application so we know the type of situation we're dealing with. Then we will talk about what vulnerability in web applications makes this possible, and learn of the way we can stop it. After that, we will put this plan into action by implementing the technique within the vulnerable application. One more time, we'll approach the vulnerable application as an attacker and attempt to hijack the content so that we may use it to our advantage.

Summary
In this final module, we're going to do a quick recap of everything we learned throughout this course to help solidify the topics of importance. It is crucial that we understand these topics so that we may be conscious of them as we build our web applications in the future. At a high level, we covered four main security topics in this course that we'll briefly review again here. Those topics were cross-site scripting, Man in the Middle, cross-site request forgery, and clickjacking. Let's quickly rehash each one and what we learned about them.