SPArring with the Security of Single Page Applications

Presented at AppSec USA 2016, Oct. 13, 2016, 10:45 a.m. (60 minutes)

When SPArring with the security of a Single Page Application (SPA), you need to be like a Mixed Martial Arts (MMA) fighter who understands several specialties to be successful. In MMA, a fighter needs to be skilled in several styles: boxing, kickboxing and Muay Thai for the stand-up portion of the fight; wrestling or judo to take the fight to the ground; and, once on the ground, Jiu-Jitsu and Sambo to submit the opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker... a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of complex application layers that are only getting more complex and interconnected by the day. This discussion will include MMA Hacker training on the following application layers:

  • Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These frameworks move rendering and routing into the browser, so the traffic behind the page is a stream of API calls rather than the full-page requests and form posts that security experts have long understood.
  • Backend layer: Dig into different REST APIs, learn how they are used, and find out where to look for the weaknesses.
  • Network layer: Learn how WebSockets replace HTTP's request/response model with a persistent, bidirectional channel over the same TCP connection, changing the traffic you have always known how to intercept.
  • Interconnectivity layer: Get to know how SPAs are often interconnected with 3rd-party APIs or presentation elements, and how security issues are inherited from trusting the 3rd party.
  • Tools: Understand what tools are available to help you address these challenges, and the gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Presenters:

  • Dan Kuykendall - Senior Director, Application Security Products - Rapid7
    Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company's application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused on one of the toughest aspects of application security - the rapidly evolving web and mobile application development trends. He does this with the philosophy that we need to help security experts keep up by automating as much as possible to free up pen testers for the tough work that requires human brains.
