JavaScript Security
Table of Contents
JavaScript Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. JavaScript and the Web
JavaScript and your HTML/CSS elements
jQuery effects
Hide/Show
Toggle
Animation
Chaining
jQuery Ajax
jQuery GET
jQuery getJSON
jQuery POST
JavaScript beyond the client
JavaScript on the server side
Full-stack JavaScript
JavaScript security issues
Cross-site request forgery
Cross-site scripting
Summary
2. Secure Ajax RESTful APIs
Building a RESTful server
A simple RESTful server in Node.js and Express.js
Frontend code for the to-do list app on top of Express.js
Cross-origin injection
Injecting JavaScript code
Guessing the API endpoints
Basic defense against similar attacks
Summary
3. Cross-site Scripting
What is cross-site scripting?
Persistent cross-site scripting
Nonpersistent cross-site scripting
Examples of cross-site scripting
A simple to-do app using Tornado/Python
Coding up server.py
Cross-site scripting example 1
Cross-site scripting example 2
Cross-site scripting example 3
Defending against cross-site scripting
Do not trust users – parsing input by users
Summary
4. Cross-site Request Forgery
Introducing cross-site request forgery
Examples of CSRF
Basic defense against CSRF attacks
Other examples of CSRF
CSRF using the <img> tags
Other forms of protection
Creating your own app ID and app secret – OAuth-styled
Checking the Origin header
Limiting the lifetime of the token
Summary
5. Misplaced Trust in the Client
When trust gets misplaced
A simple example
Building the server side – mistrust.py
The templates
To trust or not to trust
Manipulating the JavaScript code
Dealing with mistrust
Summary
6. JavaScript Phishing
What is JavaScript phishing?
Examples of JavaScript phishing
Classic examples
Accessing user history by accessing the local state
XSS and CSRF
Intercepting events
Defending against JavaScript phishing
Upgrading to latest versions of web browsers
Recognizing real web pages
Protecting your site against XSS and CSRF
Avoid using pop ups and keep your address bars
Summary
Index