Some of the very things that make JavaScript awesome can also make it exposed. This talk will go through some sample security flaws unique to JavaScript’s async nature and surrounding ecosystem. We’ll show live exploits to understand the issues and their impact, explain why they happen and – most importantly – how to avoid or fix them.
EVENT: JS Congress, 2016
SPEAKER: Guy Podjarny
PERMISSIONS: The original video was published on JS Congress YouTube channel with the Creative Commons Attribution license (reuse allowed).
ORIGINAL SOURCE: https://www.youtube.com/watch?v=lNk9Ami4Zls
20 responses to “Worst JavaScript Flaws That Hackers Love To Abuse”
I like how everyone jumps on the bandwagon of hating JS, jQuery, PHP, etc. for no goddamn reason
The most useless sentence in this talk: "JavaScript has won".
Maybe google the term WebAssembly? 🤣
great video, i will watch it later on before sleeping time.
God, that sign language interpreter has a really tough job.
Amazing demonstrations
23:04, wouldn't that make you a script kiddy? Using other people's tools (just asking)?
That is very scary. A memory buffer overflow is always scary; I'm glad that I don't use Node or JS on the backend.
Sleepy dude at 19:19. That memory leakage is really stupid; however, it seems that it is fixed (now 2018).
It really annoys me that 70% of all content that claims to talk about JavaScript talks about some framework which isn't even mentioned in the title. That's basically like someone going through my web site, which is in vanilla JS, written by a noob, and acting like all the errors I made are inherent to JS.
And in 2018 NPM is carrying out vulnerabilities for us!
Some audience members look worried or serious about security now. On the other hand, the Swift language enforces better security.
Sitting in front of so many nerds and lecturing them is intimidating. That means the guy is a Bugatti hyper sport car in nerd terms.
The guy is a natural born speaker
A site with a textbox and a list of strings that have been submitted into the textbox: 400-something dependencies.
…anyone in here dumb enough to try and justify how that is in any way not insane?
Shit. Going to rewrite some things now…
Are socket.io and express vulnerable?
Nodeshaming
Who the hell filmed this? I don't wanna watch the crowd or a close-up of Guy; I wanna watch the demos, the presentation.
7:30 damn! Question though: you would have to run Node.js as root for this to work, obviously, right?