top | item 40338894


ethanlew-is | 1 year ago

For anyone thinking of using this, at least a few of these examples are fundamentally broken. There may still be useful info here, but as-is it is dangerous to advertise this to new developers who aren't able to discern the good from the bad.

One example for OP: you should not be representing yourself as a security expert if you're recommending hashing passwords using SHA-256 in the browser [0].

[0] https://github.com/rajamsrgit/JavaScriptSecurityCookbook/blo...


rrishi | 1 year ago

Are there other glaring mistakes in this book frequently?

Do you have suggestions for alternative books dealing with similar topic?

Context: Noob in JS security, but know a decent amount of JS + building apps.

ethanlew-is | 1 year ago

A few others that jump out to me:

* 04-AntiForgeryToken would not provide any actual protection against CSRF (there are a few ways to do it, but all at minimum require 1) the token to be generated by the server and 2) a way for the server to compare against a known good value, either from its session DB or by "double-submitting" the token [0]).

* 18-SecureWebStorage encrypts the value without including an authentication tag, meaning it can likely be fully decrypted or modified by the user (look up a Vaudenay attack or try out https://cryptopals.com/ if you're curious there).

Those are the ones I have specific experience with and looked at first, so maybe the more frontend-oriented examples are better?

[0] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...