Ron Perris, a Security Engineer at Reddit, discusses best practices and common pitfalls in web development security. Topics include dangerous URLs, JSON injection attacks, React security, simplifying backend development with Appwrite, and the role of security engineers and teams in organizations.
Cross-site scripting (XSS) is prevented primarily by contextual output encoding wherever user data is bound into a page, with a content security policy as a second layer of defense.
Developers should be cautious when handling user-controlled URLs to prevent URL-based script injection (for example a javascript: href); libraries like Lit add some protection, but the URL scheme still needs to be checked where the URL is used.
To avoid server-side request forgery (SSRF), developers should validate user-provided URLs and make sure they do not resolve to internal resources, repeating the check on the resolved address at the time of the request.
Switching frameworks requires learning the new framework's security model: which bindings are escaped by default and which escape hatches bypass that protection, so that common web vulnerabilities are not reintroduced.
Deep dives
Front-End Best Practices: Default to Using Cross-Site Scripting Protection
When using data binding, default to the framework's cross-site scripting protection: let it apply contextual output encoding to every bound value, and treat a content security policy as an additional layer rather than the primary defense. Developers should be aware of the danger of raw-HTML escape hatches such as React's dangerouslySetInnerHTML and, wherever they are unavoidable, apply proper HTML entity escaping for text content and attribute sanitization for attribute values before rendering.
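The following is an added example, not code from the episode or from any framework it mentions: contextual output encoding for HTML text and attribute contexts, shown beside the raw-interpolation pattern (equivalent to innerHTML or dangerouslySetInnerHTML) that it replaces. The user profile is constructed; the helper names are this example's own.

```javascript
// Added example, not code from the episode: contextual output encoding for
// HTML text and attribute contexts, beside the raw-interpolation pattern
// (equivalent to innerHTML / dangerouslySetInnerHTML) that it replaces.
// Plain Node.js; no DOM required. The user profile below is constructed.

// Encode the characters that are significant in HTML text content.
function encodeHtmlText(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// For attribute values, encode everything except [A-Za-z0-9] as a numeric
// entity, so the value can neither close the quoted attribute nor add a
// new one, whatever quoting style the template used.
function encodeHtmlAttr(value) {
  return Array.from(String(value), (c) =>
    /[A-Za-z0-9]/.test(c) ? c : `&#${c.codePointAt(0)};`).join('');
}

// The pattern the episode warns about: untrusted data interpolated raw.
function renderUnsafe(user) {
  return `<div class="user" title="${user.bio}">${user.name}</div>`;
}

// Hardened form: each interpolation is encoded for the context it lands in
// (attribute value vs. element text).
function renderSafe(user) {
  return `<div class="user" title="${encodeHtmlAttr(user.bio)}">`
    + `${encodeHtmlText(user.name)}</div>`;
}

// Constructed attacker-controlled profile: one payload breaks out of the
// title attribute, the other injects an element into the text position.
const hostile = {
  name: '<img src=x onerror=alert(1)>',
  bio: '" onmouseover="alert(2)',
};

// Crude checks a test can assert on: how many element tags appear in the
// output, and which attributes the leading <div> ends up with.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function divAttributeNames(html) {
  const open = html.match(/<div([^>]*)>/);
  return open ? [...open[1].matchAll(/([A-Za-z-]+)=/g)].map((m) => m[1]) : [];
}
```

With the hostile profile, renderUnsafe produces two elements and a div carrying an onmouseover handler; renderSafe produces one div with only class and title. The same split applies when the value lands in a URL or script context, which need their own encoders; text and attribute are the two contexts a data-binding framework handles for you by default.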
Front-End Best Practices: Watch Out for Dangerous URLs and URL-Based Script Injection
Developers need to be cautious when handling user-controlled URLs that land in href, src, or similar attributes, because a URL with a javascript: (or data:) scheme is executable when followed. The fix is to allow only known-safe schemes such as http and https rather than to block javascript: by name, since case changes and embedded whitespace can evade a naive string check. Libraries like Lit have built-in protections against URL-based script injection, but developers should still be mindful of how and where they are using URLs to prevent such vulnerabilities.
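The following is an added example, not code from the episode or from Lit: an allowlist check for user-controlled href/src values. It uses the WHATWG URL parser that browsers and Node.js share, so scheme normalisation (case folding, stripped tabs and newlines, leading whitespace) is done by the same logic the browser would apply when following the link. BASE is an assumed page origin and the probe inputs are constructed.

```javascript
// Added example, not code from the episode or from Lit: allowlist-based
// scheme check for URLs that will be placed in href/src attributes.
// Uses the WHATWG URL parser (browsers and Node.js). BASE is an assumed
// page origin used to resolve relative inputs.

const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://example.com/';

// Returns the normalised URL string if its scheme is allowlisted, else null.
// Denylisting "javascript:" is the wrong direction: data:, vbscript: and
// any future scheme all need to be rejected too.
function safeUrl(input) {
  let url;
  try {
    url = new URL(String(input), BASE); // relative inputs resolve to BASE
  } catch {
    return null; // unparseable: never render it
  }
  return SAFE_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Constructed inputs: the first two are legitimate, the rest are evasion
// attempts against a naive startsWith('javascript:') check.
const probes = [
  'https://example.org/profile',
  '/relative/path',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  '  javascript:alert(1)',
  'java\tscript:alert(1)',
  'javascript\n:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  'vbscript:msgbox(1)',
];

// Partition the probes so the result is easy to inspect or assert on.
function classify(inputs) {
  const accepted = [];
  const rejected = [];
  for (const p of inputs) (safeUrl(p) === null ? rejected : accepted).push(p);
  return { accepted, rejected };
}
```

Two caveats for use: the value safeUrl returns still has to be attribute-encoded when it is written into HTML, and a scheme check says nothing about where an http(s) URL points, so open-redirect or link-spoofing concerns need a separate host policy.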
Front-End Best Practices: Be Mindful of Server-Side Request Forgery (SSRF)
Developers should handle user-provided URLs with caution to avoid server-side request forgery (SSRF) vulnerabilities. This includes checking the validity of URLs and ensuring they do not point to internal resources such as loopback, private-network, or cloud metadata addresses. Libraries like Advocate (a Python wrapper around Requests) handle URL validation and protect against DNS rebinding, where a hostname that looked harmless when validated later resolves to an internal address. For that reason the check must be applied to the address actually connected to at the time of use, not only during an initial validation step.
Front-End Best Practices: Security Considerations for Switching Frameworks
When switching between frameworks, developers should familiarize themselves with the specific security considerations and best practices of the new framework. Each framework has its own attack surface: some escape bound values by default, some sanitize URLs, and each exposes escape hatches that turn those protections off. It is crucial to understand the proper usage of security features and escape hatches within the chosen framework to prevent common web vulnerabilities like cross-site scripting and injection attacks.
Importance of Secure Coding and Vulnerability Testing
This podcast episode discusses the importance of secure coding and vulnerability testing. The hosts highlight the need to hire professionals to evaluate running applications for common security flaws. They emphasize that even with careful vetting of dependencies and staying current on CVEs, the greatest threat to application security is often the code the application's own developers write. The episode explores different methods of vulnerability testing, such as static and dynamic analysis tools, bug bounty programs, and hiring security consultants. The hosts also touch on the importance of linter configurations that flag dangerous library code as a way to enhance application security.
Front-End Security vs. Back-End Security
The episode briefly touches on the difference between front-end and back-end security. While the focus is primarily on front-end security in JavaScript, back-end security is described as involving command and data-store injection vulnerabilities, access control, and authentication. The hosts recommend centralized access control and authentication frameworks so that authorization logic is enforced consistently rather than re-implemented in each microservice, where logic flaws creep in. Front-end security in JavaScript, by contrast, is mostly about securing the rendering of web pages and handling data received from web clients or APIs.
Educating Developers on Secure Coding
The hosts discuss the lack of emphasis on secure coding education for developers and offer insights into potential reasons for this gap. They mention that historically, books on secure coding have often neglected code-level recommendations, so developers have had to learn through experience, specialized training, or security roles within organizations. However, as the developer community becomes more aware of the importance of security and frameworks like React and Lit prioritize security features, secure coding education is expected to evolve. The episode encourages developers interested in security to explore specialized roles, such as product security engineers, who embed security practices into development teams and contribute to building secure libraries and frameworks.
This week, we’re joined by Ron Perris, a Security Engineer at Reddit and software security enthusiast. Together, we dive into best practices and common pitfalls, covering topics from dangerous URLs to JSON injection attacks. Tune in for an educational conversation, and don’t forget to bring your notebooks!
Changelog++ members get a bonus 4 minutes at the end of this episode and zero ads. Join today!
Sponsors:
Convex – Convex is a better type of backend — the full-stack TypeScript development platform that lets you replace your database, server functions, and glue code. Get started at convex.dev
Appwrite – Build Fast. Scale Big. All in One Place. Appwrite is a backend platform for developing Web, Mobile, and Flutter applications. Built with the open source community and optimized for developer experience in the coding languages you love.