JavaScript Vulnerabilities - The State of the Web
- Published 29 May 2018
- In this episode of The State of the Web, Rick and Tim talk about how insecure much of the Web really is. They talk about the various vulnerabilities in Web Security that can leave you open to attack, as well as the challenge of making your organization aware of these risks and how they could be exploited.
Snyk State of Open Source Security report → bit.ly/2JjsxPU
HTTP Archive report on percent of pages with vulnerable JavaScript → bit.ly/2JgSLCx
HTTP Archive report on number of vulnerabilities per page → bit.ly/2JgTiV3
Rick: / rick_viscomi
Tim: / tkadlec
Snyk: / snyksec
HTTP Archive: / httparchive
Watch more State of the Web episodes here → bit.ly/2JhAzsh
Subscribe to the Chrome Developers channel to catch a new episode of The State of the Web every other Wednesday → bit.ly/ChromeDevs1 - Science & Technology
4:44 The fact that Chrome developers use Firefox as their main browser tells us a lot about Chrome security.
hahahahah
The face you make when you detect a vulnerability 2:54 lol
after your code works
after your code performs
we should focus on security
but sadly, if we are working for someone else, it is unlikely to happen
Managers don't care. Just deliver your deadlines, and when things go to crap the next person left fixes it.
How often do you think non-devs are given manager positions? Where I work there are no devs working as managers. It seems that they consider us second-class citizens or something.
@dandan7884 absolutely xD
Fuzz every function in a sandbox and check whether it stays within expected parameters.
having so many great javascript apis today
how feasible do you guys think it is to go back to vanilla js where the experienced devs rely mostly on the language features instead of "that specific framework"?
zero? I mean, feel free to do that and then just third party apis, SaaS, PaaS, databases, containers, servers, etc. You're not mitigating the problem by abandoning dependencies locally.
I'm not denying that dependencies bring vulnerabilities to your code, but I'd also argue that most of these vulnerabilities would never have been fixed if they had been written by yourself.
Like 90% of all NPM vulnerabilities that I see are Regex DoS, and I don't know many people who touch a Regex after it has been deemed "working". At least with third-party packages these bugs eventually (or occasionally?) get found.
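Two of the comments above, the suggestion to fuzz every function in a sandbox and check that it stays within expected parameters, and the observation that most npm advisories are Regex DoS, fit together well. The following is an added example, not code from the video, from Snyk, or from any commenter: a small deterministic fuzz loop that feeds generated inputs to a function and flags any call that exceeds a time budget, run against a constructed regex with catastrophic backtracking and against its linear-time rewrite. The names (`VULNERABLE`, `SAFE`, `fuzz`, `probe`, `guardedTest`, `MAX_INPUT_LENGTH`) and the sample patterns are all assumptions made for this illustration.

```javascript
// Added example, not from the video or its comments. Fuzzes a function with
// generated inputs and reports calls that blow a time budget, using a
// constructed ReDoS-prone regex and its linear-time rewrite as the target.

// Constructed vulnerable pattern: the nested quantifier `(a+)+` followed by a
// forced mismatch makes a backtracking engine try every way of splitting the
// run of "a"s between the two quantifiers, roughly 2^n steps for n "a"s.
const VULNERABLE = /^(a+)+$/;

// Same language (one or more "a"s) with no nested quantifier: fails in O(n).
const SAFE = /^a+$/;

// Constructed linear-congruential generator so fuzz runs are repeatable.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

// Generate one fuzz input: a run of "a"s, half the time ending in a
// character that forces the match to fail at the very end.
function genInput(rng, maxLen) {
  const n = 1 + Math.floor(rng() * maxLen);
  const tail = rng() < 0.5 ? '!' : '';
  return 'a'.repeat(n) + tail;
}

// Run fn on one input, time it, and report whether it stayed within budget.
function probe(fn, input, budgetMs) {
  const start = process.hrtime.bigint();
  const result = fn(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { input, result, elapsedMs, withinBudget: elapsedMs <= budgetMs };
}

// Fuzz fn with `rounds` generated inputs and return the probes that exceeded
// the time budget: the concrete evidence a reviewer would want to see.
function fuzz(fn, { rounds = 200, maxLen = 20, budgetMs = 5, seed = 42 } = {}) {
  const rng = makeRng(seed);
  const violations = [];
  for (let i = 0; i < rounds; i++) {
    const p = probe(fn, genInput(rng, maxLen), budgetMs);
    if (!p.withinBudget) violations.push(p);
  }
  return violations;
}

// Pattern-independent mitigation: cap untrusted input length before it
// reaches any regex whose worst case is not known to be linear.
const MAX_INPUT_LENGTH = 1000;
function guardedTest(re, input) {
  if (input.length > MAX_INPUT_LENGTH) return { matched: false, rejected: true };
  return { matched: re.test(input), rejected: false };
}

if (typeof require !== 'undefined' && require.main === module) {
  const slowVuln = fuzz((s) => VULNERABLE.test(s), { maxLen: 22 });
  const slowSafe = fuzz((s) => SAFE.test(s), { maxLen: 22 });
  console.log('vulnerable pattern: %d inputs over budget', slowVuln.length);
  console.log('safe pattern:       %d inputs over budget', slowSafe.length);
  for (const p of slowVuln.slice(0, 3)) {
    console.log('  %s chars -> %s ms', p.input.length, p.elapsedMs.toFixed(1));
  }
}
```

Run it with `node` and the vulnerable pattern produces a list of inputs whose match time grows with length, while the rewrite produces none. The same `fuzz` loop works for any function of a string, and the `guardedTest` length cap is the cheap fix to apply when a dependency's regex cannot be rewritten right away.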
Awesome
Thank you sir
I have the feeling that I only know the basics about security. How could I level up and learn what I should look out for?
is this talking about server side or client side?
0:24 "There's so much to say about Web Security and people usually think about "Little Bobby Drop Tables" " 😂😂 he's referencing that xkcd about SQL injections, my professor showed me that, it's hilarious
Honestly I would prefer to receive precise info about how to secure my code instead of a whole video talking about the state of security on the web.
Expecting some live video for vulnerability attacks please do
Thanks... It's really scary to know this value. What is the web page where I can see it?
Snyk always catches a ridiculous amount of development dependency vulnerabilities, which basically have no risk.
Secure all the things :D
Does it make sense to install addons like noscript ?
Can you explain it in practical terms?
At least thretcon Alpha to start with
OWASP FTW
The title is misleading, these are *WEB* vulnerabilities, unrelated to JS, I was expecting to hear about JS and was disappointed
then watch the whole video
@Joking Limit Reached I did :O
The 77% vulnerability metric comes from open source JS libraries.
@Rick Viscomi Yes, and these are called Web vulnerabilities, not JS vulnerabilities
You can use JS libraries also elsewhere. Not just on the web.
But I guess your point is that you thought this is about language-level vulnerabilities and instead it was about npm packages.
The
"libary" 🤣
xkcd lol