Reactive JS Security Testing & Exploitation presented at SourceBoston 2015

by Matt Wood,

Summary : JavaScript applications continue to become more and more complex. With real-time collaboration in mind and entire applications becoming supported by a "single UI page," a new buzzword for these applications has arisen over the last few years, Reactive Applications/JavaScript. Stated simply, this is the separation of the HTML/CSS UI from the real-time event-driven data-backend. There are many compelling reasons for these advances/changes, unfortunately many of the same application design mistakes are being made that the industry saw when AJAX heavy applications first entered the majority (the over exposure of the data API). While some frameworks allow for secure deployment, it is not easy or intuitive in all cases. Many researchers and framework developers have put a lot of effort into the security design of these "reactive" frameworks, but application developers are not utilizing these features effectively, or worse, do not know it is necessary. This presentation will offensively review some of the new technologies employed, how to identify these event-driven backends, review several OWASP attack classes in the context of "Reactive" frameworks (MeteorJS/RxJS/Microsoft Data API/Angular) and finally how to address data-security within these "Reactive" frameworks. Attendees will witness poorly secured reactive frameworks dumping sensitive information, effective injection techniques against various reactive endpoints and finally what a security professional needs to know and look for to identify and secure "Reactive" endpoints across several frameworks.