Friday, May 12 • 15:00 - 15:45
Preventing 10 Common Security Mistakes in the MEAN Stack


The MEAN stack (MongoDB, Express, Angular, and NodeJS) provides developers with a collection of open source JavaScript frameworks and technologies for building web applications. The combined simplicity and flexibility of these frameworks have made this a very popular technology stack among developers in recent years. This talk will focus on how to prevent 10 common security mistakes when developing MEAN stack applications. The security mistakes that we will discuss are introduced within the core frameworks, popular third-party plugins, and custom code. The resulting impact ranges from leaking system information through verbose errors to unauthenticated access. Some of the topics we will explore include:

  • MongoDB Query Selector Injection
  • MongoDB HTTP Interface
  • Express Case-Insensitive Routing
  • Express Middleware Precedence
  • Angular Template Injection
  • Angular SCE Misconfiguration
  • Use of LocalStorage vs SessionStorage
  • NodeJS NODE_ENV Configuration
Many of the mistakes are introduced simply by using the core frameworks or common plugins in their default configuration. These insecure-by-default components are problematic and increase the need for developer security awareness. Other mistakes are introduced by misusing or omitting security controls within these frameworks. This talk will include code examples for every type of mistake, a dynamic demonstration of how the defect may be exploited, and the recommended solutions or prevention measures. All demos and examples are based on the intentionally vulnerable open source application MEANBug (https://github.com/dbohannon/MEANBug).
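As an added illustration of the first topic in the list above (MongoDB query selector injection), the following example is not code from the talk or from MEANBug. It builds a login filter from an untrusted JSON body the way a naive Express handler might, shows why that lets a client substitute a query operator object for a string, and contrasts it with a type-checked version plus a small helper that flags operator-shaped input for logging. The function names and the sample request bodies are constructed for this example; no database connection is needed to run it.

```javascript
// Added example, not part of the original talk or the MEANBug project.
// Demonstrates MongoDB query selector injection and its prevention.

// Naive: copies request fields straight into the Mongo filter. JSON body
// parsers (e.g. express.json()) accept nested objects, so a client may send
// {"username": "alice", "password": {"$gt": ""}} instead of a string. The
// object is then interpreted by MongoDB as a comparison operator, changing
// the meaning of the query instead of being compared as a literal value.
function buildLoginQueryNaive(body) {
  return { username: body.username, password: body.password };
}

// Hardened: fields that must be compared by equality are required to be
// plain strings. Anything else (object, array, number, undefined) is rejected
// before a query is ever built.
function assertPlainString(value, field) {
  if (typeof value !== 'string') {
    throw new TypeError(`${field} must be a string`);
  }
  return value;
}

function buildLoginQuerySafe(body) {
  return {
    username: assertPlainString(body.username, 'username'),
    password: assertPlainString(body.password, 'password'),
  };
}

// Detection helper: returns true if any key at any depth begins with '$',
// which is the shape of a Mongo operator. Useful for alerting on suspicious
// request bodies independently of the hardened builder above.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || containsOperator(value[k])
  );
}

// Constructed sample request bodies (not real traffic).
const normalBody = { username: 'alice', password: 'correct horse battery' };
const operatorBody = { username: 'alice', password: { $gt: '' } };

// Runs the two builders over both bodies and reports what each does.
function demo() {
  const results = {};
  for (const [name, body] of Object.entries({ normalBody, operatorBody })) {
    let safeOutcome;
    try {
      safeOutcome = buildLoginQuerySafe(body);
    } catch (err) {
      safeOutcome = `rejected: ${err.message}`;
    }
    results[name] = {
      naive: buildLoginQueryNaive(body),
      safe: safeOutcome,
      suspicious: containsOperator(body),
    };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The same type check belongs on every field that is interpolated into a filter, and the `containsOperator` check is best applied to the whole parsed body in a middleware so that rejected requests are logged with their source.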

David Bohannon

Senior Security Consultant, Synopsys
David Bohannon is a Senior Security Consultant with Synopsys Software Integrity Group (previously, Cigital). He performs penetration tests and code reviews of various web and mobile applications, frameworks, and middleware technologies. He is also an instructor teaching Defensive...

Friday May 12, 2017 15:00 - 15:45
Waterfront Center: Hall 1A