AppSec USA 2016 has ended
Thursday, October 13 • 10:45am - 11:45am
SPArring with the Security of Single Page Applications


When SPArring with the security of a Single Page Application (SPA), you need to be like a Mixed Martial Arts (MMA) fighter who understands several specialties to be successful.

In MMA, a fighter needs to be skilled in several martial arts styles, such as boxing, kickboxing, and Muay Thai, for the stand-up portion of the fight. Then, he needs to know wrestling or judo to take the fight to the ground, and once he's on the ground, he needs to know Jujitsu and Sambo to submit his opponent.

When doing battle with a SPA, a pen-tester must become an MMA hacker: a Mixed Multilayer Application Hacker. As an MMA Hacker, you need to understand the multitude of application layers that are only getting more complex and interconnected by the day.

This discussion will include MMA Hacker training on the following application layers:
Interface layer: Become familiar with SPA frameworks (AngularJS, ReactJS). These SPA frameworks fundamentally change the browser communication that security experts have long understood.
Backend layer: Dig into different REST APIs and learn how they are used and where to find the weaknesses.
Network layer: Learn more about WebSockets and how they fundamentally change TCP/HTTP as you have always known it to be.
Interconnectivity layer: Get to know how SPAs are often interconnected with third-party APIs or presentation elements, and how this can create security issues that are inherited from trusting the third party.
Tools: Understand what tools are available to help you address these challenges, and the potential gaps that exist in the tools we all depend on.

Join this talk to start your MMA Hacker training today!

Speakers
Dan Kuykendall

Senior Director, Application Security Products, Rapid7
Dan Kuykendall is the Senior Director of Application Security Products at Rapid7 where he directs the strategic vision, research and product development for the company’s application security solutions. In addition to keeping up with the latest attack patterns, Dan remains focused...


Thursday October 13, 2016 10:45am - 11:45am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001