Securing Angular Apps Brian Noyes


Securing Angular Apps
Brian Noyes, CTO & Co-founder, Solliance Inc (www.solliance.net)
brian.noyes@solliance.net, @briannoyes

Visual Studio Connections
About Brian Noyes
- CTO and Co-founder, Solliance (www.solliance.net)
- Microsoft Regional Director
- Microsoft MVP
- Pluralsight author (www.pluralsight.com)
- Web API Insider, Windows Azure Insider, Windows Store App Insider, C#/VB Insider
- brian.noyes@solliance.net, @briannoyes, http://briannoyes.net
Updates will be available at http://www.devconnections.com/updates/LasVegas_Fall08/VS

Agenda
- Security in the SPA architecture
- Authentication options
- Securing SPA pages
- Securing Web API calls
- Dealing with CORS
- Protecting against CSRF
- Client security context

What does it mean to “secure”?
More than just “logging in”:
- Authentication
- Authorization
- Transport protection
- Cross Origin Resource Sharing (CORS)
- Cross Site Request Forgery (CSRF/XSRF)
- Cross Site Scripting (XSS)
- User and access control management

Single Page App Architecture
[Diagram] Single Page Application on the client: Presentation (HTML/CSS), UI Logic (JavaScript), Data/Service Access via client services (JS). Server side: Web Services, UI Rendering, Database.

Securing SPA Pages
- Leverage server page rendering security
- Block return of the root SPA page
- Block return of HTML fragments and/or JavaScript
- Only really makes sense if the structure or static content of your pages is sensitive
- Most content in a SPA is delivered as “data” via Web API calls

Securing Web API Calls
- Need to decide on an authentication mechanism
- No automatic redirects to a login page for service calls: the client must present a valid authorization token
- Cookie or Authorization header
- Setup depends on your back end technology
- Up to the server to allow the calls or not
- Validates the token or cookie based on a shared-secret trust relationship with the Authorization Server
- Might supplement the Authorization Server claims with more fine-grained, app-specific claims

Authentication Options
- Windows authentication
- Basic authentication
- Cookie-based authentication with host site
- Token-based authentication (STS)

Protecting against CSRF (Cross Site Request Forgery)
- Important concern with SPAs due to the prevalence of Web API calls
- Only relevant when using cookie authentication with AJAX calls
- Browser automatically sends the cookie based on the host address of the request, even from other tabs
- ASP.NET MVC has built-in support: layers on a two-factor protocol (anti-forgery cookie plus matching request value) for validating the request
- Web APIs require manual means; you can mimic what MVC does
- Using Bearer tokens in the Authorization header helps avoid CSRF, since the browser does not attach that header automatically

Token Authentication Options
- .NET backend: ASP.NET Identity, IdentityServer
- NodeJS backend: Passport, etc.
- Commercial option: Auth0
- Each of the above can act as an “Authorization Server” or Security Token Service (STS) for one or more apps

Token-based Redirect
[Diagram] Participants: Browser, Web Site, STS, DB. Steps: OpenID Connect (OIDC) authentication request; login page; POST credentials; authenticate; issue claims; JWT returned; web site sets cookie; subsequent calls return JSON {…}.

OAuth2 Implicit Flow
[Diagram] Participants: SPA (JavaScript), Web API, STS, DB. Steps: OAuth2 implicit flow request from the SPA; login page; POST credentials; authenticate; issue claims; JWT returned to the JavaScript client; Web API calls return JSON {…}.

Dealing with CORS (Cross Origin Resource Sharing)
- Applies when Web APIs are on a different host than the pages are rendered from
- Built in to all modern browsers
- Simple CORS: GET/POST, form encoded, no additional headers; sends an Origin header in the request and expects Access-Control-Allow-Origin in the response
- Most CORS requests (anything beyond the simple case): the browser sends a “preflight” OPTIONS request specifying what is being requested (verb, headers, cookies, etc.)
- Destination server decides who gets in
- Have to populate the appropriate headers in your $http service calls; automatic with the Angular $http service with the right configuration
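The server side of the “destination server decides who gets in” point, as an added example that is not from the slides: a decision function that emits the CORS response headers for both the simple case and the preflight OPTIONS request. The allow lists are constructed sample values; wiring it into a real HTTP handler is left to the host framework.

```javascript
// Added example (not from the slides): CORS decision for a Web API hosted on a
// different origin than the SPA. Returns the status and headers to send.
const ALLOWED_ORIGINS = new Set(['https://spa.example.com']);               // constructed sample
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['Authorization', 'Content-Type', 'X-XSRF-TOKEN'];

function corsDecision(method, reqHeaders) {
  const h = Object.fromEntries(Object.entries(reqHeaders || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const origin = h['origin'];
  const headers = { 'Vary': 'Origin' };            // caches must key the response on Origin
  if (!origin) return { status: 200, headers: {}, preflight: false }; // same-origin request
  const isPreflight = method.toUpperCase() === 'OPTIONS' && !!h['access-control-request-method'];
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: answer without Access-Control-Allow-Origin so the browser blocks the read.
    return { status: isPreflight ? 403 : 200, headers, preflight: isPreflight };
  }
  // Echo the exact origin; '*' is not allowed together with credentials (cookies).
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (isPreflight) {
    const wantedMethod = h['access-control-request-method'].toUpperCase();
    const wantedHeaders = (h['access-control-request-headers'] || '')
      .split(',').map(s => s.trim()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every(w => ALLOWED_HEADERS.some(a => a.toLowerCase() === w.toLowerCase()));
    if (!ok) return { status: 403, headers, preflight: true };
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';     // let the browser cache the preflight result
    return { status: 204, headers, preflight: true };
  }
  return { status: 200, headers, preflight: false }; // simple request: ACAO header is enough
}
```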

Client Security Context
- Client may collect credentials to send to the authentication server for validation (resource owner password flow); discouraged in the OAuth2 spec
- Can track success or failure of the login process
- Can obtain claims from returned tokens
- Can request server authorization roles/claims
- Should only be used to drive client UX, not treated as “securing the app”: hide/show navigation links, enable features
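Obtaining claims from a returned token to drive the client UX, as an added example that is not from the slides. The client decodes the JWT payload without verifying the signature (only the Web API, which trusts the STS, can do that), so the resulting flags gate navigation and features, never server-side actions. The token is constructed inline with a placeholder signature.

```javascript
// Added example (not from the slides): read JWT claims on the client for UX only.
const b64url = (s) => Buffer.from(s).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Decode the payload segment of a compact JWT; returns null for malformed input.
// No signature check here: the client has no key and must not be trusted anyway.
function decodeClaims(jwt) {
  const parts = (jwt || '').split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(fromB64url(parts[1])); } catch (e) { return null; }
}

// Derive UI state from claims. nowSeconds is injectable so the expiry check is testable.
function uiStateFromToken(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const loggedOut = { loggedIn: false, name: null, showAdminNav: false, canEdit: false };
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return loggedOut;
  const roles = Array.isArray(claims.role) ? claims.role : [claims.role].filter(Boolean);
  return {
    loggedIn: true,
    name: claims.name || claims.sub,
    showAdminNav: roles.includes('admin'),                          // hide/show navigation link
    canEdit: roles.includes('admin') || roles.includes('editor'),   // enable a feature
  };
}

// Constructed sample token: alg and signature are placeholders, not a real STS issuance.
const sampleJwt = [
  b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64url(JSON.stringify({ sub: 'u42', name: 'Ada', role: ['editor'], exp: 1700000000 })),
  'placeholder-signature',
].join('.');
```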

Protecting Against XSS
- Script injection through input controls
- Angular protection: ngSanitize

Resources
- brian.noyes@solliance.net, @briannoyes, http://briannoyes.net
- ASP.NET Identity: http://www.asp.net/identity
- ASP.NET SPA Template: http://blogs.msdn.com/b/webdev/archive/2013/09/20/understanding-security-features-in-spa-template.aspx
- IdentityServer: https://github.com/IdentityServer/Thinktecture.IdentityServer3
- Pluralsight courses:
  - Web API v2 Security: http://www.pluralsight.com/courses/webapi-v2-security
  - Securing JavaScript Applications: http://www.pluralsight.com/courses/angularjs-security-fundamentals
