Top JavaScript trends to watch in 2018

I am trying to bet on how many new JavaScript frameworks will be released each month; I think it has been the best developer's game of the past 5 years. I really think 2018 will be the perfect time to learn one framework for each problem and to mix them without (I hope) too much trouble, at least until the "next big framework" arrives 🙂

Some of the main frameworks to watch in 2018 are here:

GraphQL:

Brings a new way for a frontend to query data from a server. You can think of it as a new protocol, a communication standard between client and server, not only for websites but also for desktop and mobile apps. The concept of "fetching only what you need" is important and should be at the core of every front-end and back-end development: reducing the size of every network exchange is crucial, especially for users on slow networks. I believe GraphQL could become a standard in 2018.

React:

Who doesn't know React in 2018? React is actually not easy to learn; I see my students challenged by it every day. But once the concepts of props, state, lifecycle, actions, etc. are mastered, it is a very powerful tool. It will remain a strong JavaScript framework in the year to come.

Vue.js:

We witnessed an interesting fight between React and Vue.js in 2017. Both are powerful, but Vue.js is easier to learn than React. The community around it is growing really fast, and we hope the industry will continue to adopt it in production.

React Native and Electron:

Two frameworks for mobile (React Native) and desktop (Electron) apps. While they are still not at the level of native app languages for iOS, Android and desktop, their performance is really impressive.

Reason

A new way to write React applications; bye bye pure JavaScript! It may be just a trend, but with Facebook's support I believe it could become the next standard for writing React applications. We should keep an eye on it and watch how the language evolves in 2018.

Next and Now

React has a strong ecosystem, and Next and Now are proof of it. They are easy to use and make React projects ready for production. Deploying and distributing React applications at scale can be challenging, especially for small teams; Next and Now are designed to make a developer's life easier.

Honorable Mentions for 2018:

  • Lona (created by AirBnB – https://github.com/airbnb/Lona): Transforms Sketch files from the designer into UI code for iOS, Android, Web and mobile Web. It is based on a simple app that can solve a lot of communication issues between designers and developers. Trust me, both of them think of themselves as rock stars, and like every rock star, they don't like compromises. Now with Lona, designers can directly integrate and test their creations easily without bothering developers.
  • Aurelia (http://aurelia.io): A complete solution for creating your online presence: web, mobile and desktop. I think it can be a good start for any new project or start-up: easy to learn, easy to put in place, and well supported.

Inputs provided by Guillaume Salva, Full-Stack Software Engineer at Holberton School.

Here, you can find out the trends and frameworks in 2017.

Web Application Security Testing – Part 2

We discussed web application security testing in last week's article. Here is the list of the remaining vulnerability categories, with how to test for each.

6. SENSITIVE DATA EXPOSURE

Already covered in part under Broken Authentication and Session Management.

Examples of a vulnerable application:

  • Data stored in plain text, such as passwords or credit card numbers (see the first well-known event)
  • Lack of HTTPS on authenticated pages
  • Passwords hashed without a salt (or with a fast, general-purpose hash), so they are easily cracked
  • Tokens or credentials disclosed in public source code
  • Missing cache-control headers, so the browser caches pages containing sensitive data

7. CROSS-SITE REQUEST FORGERY

In a Cross-Site Request Forgery (CSRF) attack, also known as XSRF or session riding, an attacker forces a victim's browser to make an unexpected web request, such as a fraudulent bank transaction. For example, the attacker tricks the victim's browser into calling a banking function on a vulnerable page that transfers money from the victim's account to the attacker's. The victim triggers the attack by following the attacker's link or visiting the attacker's page; the browser attaches the victim's cookies automatically. The vulnerable server page does not verify that the victim intentionally issued the request and allows the transfer to proceed.

The following steps detail the anatomy of a CSRF attack:

  1. Attacker finds functionality in a web application that is vulnerable to CSRF.
  2. Attacker builds a link (or page) that invokes the vulnerable function, passing the parameters required to execute the chosen attack.
  3. Attacker waits until the victim client authenticates with the vulnerable web application.
  4. Attacker tricks victim client into following the malicious link.
  5. Victim client sends forged request to vulnerable server.
  6. Vulnerable server allows and executes the forged request.

For example, the link might look like this when the payload is to transfer money from the victim's account to the attacker's:

/makeTransfer?amount=1000&dest=attacker@attackersite.com

The link below sends an email titled Hello to johny@example.com:

/sendMail?to=johny@example.com&title=Hello&body=I+did+not+send+this

Basic Test for Cross-site Request Forgery

Follow these steps to test for CSRF bugs.

->Find a web application page that performs an action based on a user request.

->Construct a page containing a link or redirect that sends a forged request to the application server. The page usually contains a tag such as img or iframe (although almost any tag that triggers a request can be used) with its source address pointing to the request:

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">

->Note that the links above will both generate a GET request. To test for POST requests you must create a page containing a form with the URL parameters as hidden inputs, plus a script that submits the form automatically:

<form action="http://bank.com/transfer.do" method="post">
     <input type="hidden" name="acct" value="MARIA">
     <input type="hidden" name="amount" value="100000">
</form>

<script>
     document.forms[0].submit();
</script>

->Open an Internet browser and log in to the web application as a legitimate user.

->Open the page built in step 2 (follow the link if necessary).

->Confirm if the request was successful.

->Repeat test case for every application create/update/delete/mail action.

Expected result: the test fails if the application trusts and processes the forged request.

Note that the browser attaches the victim's cookies (including the session cookie) to the forged request automatically; that is what makes it an authenticated request.

Another example,

Suppose, we allow users to post images on our forum. What if one of our users posted this image?

<img src="http://foo.com/logout">

Not really an image, true, but it will force the target URL to be retrieved by any random user who happens to browse that page — using their browser credentials! From the webserver’s perspective, there is no difference whatsoever between a real user initiated browser request and the above image URL retrieval.

If our logout page was a simple HTTP GET that required no confirmation, every user who visited that page would immediately be logged out.

Examples of cross-site request forgery:

https://hackerone.com/reports/196458

https://hackerone.com/reports/192131

https://hackerone.com/reports/157993

https://hackerone.com/reports/155774

8. MISSING FUNCTION LEVEL ACCESS CONTROL

If the authorization check in sensitive request handlers is insufficient or non-existent, the vulnerability is categorised as Missing Function Level Access Control: a user (authenticated or not) can invoke a function that should be restricted to another role, typically by requesting its URL directly.

To test for missing function level access control, verify every application function:

  1. Does the UI show navigation to unauthorized functions?
  2. Are server side authentication or authorization checks missing?
  3. Are server-side checks done that rely solely on information provided by the attacker (for example, a role carried in a hidden field, a cookie or a request parameter)?

Using a proxy, browse the application with a privileged role and record the requests. Then replay the restricted requests using a session with a less privileged role. If the server responses are alike, the application is probably vulnerable.

In one potential scenario an attacker simply force-browses to target URLs. Consider the following URLs, which are both supposed to require authentication. Admin rights are also required for access to the "admin_getappInfo" page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

If the attacker is not authenticated, and access to either page is granted, then unauthorized access was allowed. If an authenticated, non-admin, user is allowed to access the “admin_getappInfo” page, this is a flaw, and may lead the attacker to more improperly protected admin pages.
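The three checks above and the proxy replay test, as an added example that is not part of the original article: a handler that takes the role from the request (check 3 fails) beside one that takes it from the server-side session, and a replay helper that swaps only the session cookie. The route table, sessions and roles are constructed.

```javascript
// Added example, not from the original article: a function-level
// authorization check that trusts the client beside one that derives the
// role from the server-side session, plus the "replay as a lower-privileged
// user" test from the text. Routes, sessions and roles are constructed.
const ROUTES = {
  '/app/getappInfo':       { roles: ['user', 'admin'] },
  '/app/admin_getappInfo': { roles: ['admin'] },
};

// Vulnerable: the role comes from the request itself (a hidden field,
// a cookie the client can edit, or a header), so the attacker picks it.
function handleVulnerable(req) {
  const route = ROUTES[req.path];
  if (!route) return 404;
  return route.roles.includes(req.params.role) ? 200 : 403;
}

// Hardened: identity and role come only from the server-side session, and
// both the authentication and the authorization check run before any
// business logic, on every request, not only when the UI shows the link.
function handleProtected(req, sessions) {
  const route = ROUTES[req.path];
  if (!route) return 404;
  const session = sessions.get(req.cookies && req.cookies.sid);
  if (!session) return 401;
  return route.roles.includes(session.role) ? 200 : 403;
}

// The proxy-based test: take a request captured while logged in as admin,
// swap only the session cookie for a low-privileged user's, and compare.
// Identical success responses mean the function is not access-controlled.
function replayAsLowPriv(handler, sessions, captured, lowPrivSid) {
  const replayed = { ...captured, cookies: { sid: lowPrivSid } };
  const asAdmin = handler(captured, sessions);
  const asUser = handler(replayed, sessions);
  return { path: captured.path, asAdmin, asUser, vulnerable: asAdmin === 200 && asUser === 200 };
}

// Constructed sessions, and a request captured from the admin UI whose
// hidden field carries role=admin.
const sessions = new Map([
  ['admin-sid', { user: 'root', role: 'admin' }],
  ['user-sid',  { user: 'johny', role: 'user' }],
]);
const captured = { path: '/app/admin_getappInfo', cookies: { sid: 'admin-sid' }, params: { role: 'admin' } };

console.log(replayAsLowPriv(handleVulnerable, sessions, captured, 'user-sid')); // vulnerable: true
console.log(replayAsLowPriv(handleProtected, sessions, captured, 'user-sid'));  // asUser: 403, vulnerable: false
// Force-browsing without any session must also be refused.
console.log(handleProtected({ path: '/app/admin_getappInfo', cookies: {}, params: {} }, sessions)); // 401
```

In a real test the captured request is whatever the proxy recorded, hidden fields and all; the point of changing only the cookie is to show that nothing in the request body should be able to grant the role.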

Example:

https://hackerone.com/reports/27404

9. SHELLSHOCK & HEARTBLEED

Shellshock:

Shellshock (CVE-2014-6271) is a remote command execution vulnerability in Bash. Bash imports functions from environment variables whose value begins with () {; the vulnerable parser did not stop at the end of the function body, so any command appended after the closing brace, as in () { :; }; <command>, was executed as soon as Bash started. Because web servers pass request headers to CGI scripts as environment variables, an attacker can place the payload in a header such as User-Agent and have it run on the server.

Good read: http://garage4hackers.com/showthread.php?t=6902

Tools used to check Shellshock:

Through the command line:

To determine if your Linux or Unix system is vulnerable, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Online tools:

https://pentest-tools.com/network-vulnerability-scanning/bash-shellshock-scanner

http://shellshock.brandonpotter.com/

http://shellshock.iecra.org/

Heartbleed:

A critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's (or client's) memory, potentially revealing user data, session cookies and private keys that the server never intended to send.

A heartbeat request carries a payload and a field declaring the payload's length. Vulnerable OpenSSL trusted the declared length without checking it against the data actually received: it allocated a response buffer of the declared size (up to 64KB), copied that many bytes starting at the request payload, reading past its end into adjacent heap memory, and sent the result back. Each request therefore leaks up to 64KB of memory, and the attacker can repeat it as often as they like.
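The exchange just described in code, as an added example that is neither part of the original article nor the ssltest.py tool it mentions: build the probe that Heartbleed scanners send and classify a reply. Nothing is sent over the network; the server responses are constructed to show what each verdict looks like, and the planted credential string is made up.

```javascript
// Added example, not from the original article and not the ssltest.py
// tool it mentions: build the heartbeat probe that Heartbleed scanners send
// and classify a reply. Nothing is sent over the network; the server
// responses below are constructed to show what each verdict looks like.
const CONTENT_ALERT = 0x15;      // TLS record types (RFC 5246)
const CONTENT_HEARTBEAT = 0x18;
const HB_REQUEST = 0x01;         // heartbeat message types (RFC 6520)
const HB_RESPONSE = 0x02;

// The probe: a heartbeat request whose declared payload_length is 0x4000
// (16384) although the record carries no payload bytes at all.
function buildHeartbeatProbe(version = 0x0302 /* TLS 1.1 */) {
  const buf = Buffer.alloc(8);
  buf[0] = CONTENT_HEARTBEAT;
  buf.writeUInt16BE(version, 1);
  buf.writeUInt16BE(3, 3);          // record length: type + payload_length only
  buf[5] = HB_REQUEST;
  buf.writeUInt16BE(0x4000, 6);     // the lie about the payload length
  return buf;
}

// Parse one TLS record; null if the header is incomplete.
function parseRecord(buf) {
  if (buf.length < 5) return null;
  const length = buf.readUInt16BE(3);
  return { type: buf[0], version: buf.readUInt16BE(1), body: buf.subarray(5, 5 + length) };
}

// Verdict for a reply to the probe. We sent zero payload bytes, so a
// correct peer may echo at most padding (16 bytes); anything bigger is
// memory the server read past the end of our request.
function classifyResponse(reply, sentPayloadLen = 0) {
  const rec = parseRecord(reply);
  if (!rec) return 'no-heartbeat';
  if (rec.type === CONTENT_ALERT) return 'patched';
  if (rec.type !== CONTENT_HEARTBEAT || rec.body.length < 3 || rec.body[0] !== HB_RESPONSE) return 'no-heartbeat';
  const echoed = rec.body.length - 3;
  return echoed > sentPayloadLen + 16 ? 'vulnerable' : 'patched';
}

// Printable runs in the leaked bytes, which is where cookies, credentials
// and key material show up in real dumps.
function leakedStrings(reply, minLen = 8) {
  return reply.toString('latin1').match(new RegExp(`[\\x20-\\x7e]{${minLen},}`, 'g')) || [];
}

// Constructed reply from a vulnerable server: 16384 payload bytes it never
// received plus 16 bytes of padding, with a fake credential planted inside.
function sampleVulnerableResponse() {
  const leak = Buffer.alloc(16384 + 16, 0);
  Buffer.from('user=alice&password=hunter2').copy(leak, 100);
  const header = Buffer.alloc(8);
  header[0] = CONTENT_HEARTBEAT;
  header.writeUInt16BE(0x0302, 1);
  header.writeUInt16BE(3 + leak.length, 3);
  header[5] = HB_RESPONSE;
  header.writeUInt16BE(0x4000, 6);
  return Buffer.concat([header, leak]);
}

// Constructed reply from a patched server: a fatal alert (level 2, code 10 = unexpected_message).
function sampleAlertResponse() {
  return Buffer.from([CONTENT_ALERT, 0x03, 0x02, 0x00, 0x02, 0x02, 0x0a]);
}

console.log(buildHeartbeatProbe().toString('hex'));          // 1803020003014000
console.log(classifyResponse(sampleVulnerableResponse()));   // vulnerable
console.log(leakedStrings(sampleVulnerableResponse()));      // [ 'user=alice&password=hunter2' ]
console.log(classifyResponse(sampleAlertResponse()));        // patched
```

Against a live host the probe is written to a TLS socket after the handshake (a patched server usually drops the malformed request silently, which classifyResponse reports as no-heartbeat when the read times out); only test hosts you are authorised to test, since every successful probe dumps other users' data.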

Tools used for Heartbleed:

defribulator v1.16

Command: python ssltest.py example.com (the ssltest.py file is available with me)

Online test tool : https://filippo.io/Heartbleed/

Good read : https://blog.bugcrowd.com/heartbleed-exploit-yet/ , http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html

For Android you can download the Bluebox OpenSSL scanner.

Prevention

  • Upgrade OpenSSL to 1.0.1g (or later), or rebuild it with the heartbeat extension disabled, and restart every service that links it
  • Regenerate your private key, since the old one may have been read from memory
  • Request and install a new SSL certificate for the new key
  • Request revocation of the old certificate
  • Invalidate active sessions and have users change passwords, since session cookies and credentials may also have leaked

Examples of Heartbleed:

https://hackerone.com/reports/49139

https://hackerone.com/reports/44294

https://hackerone.com/reports/6566

https://hackerone.com/reports/6475

10. UNVALIDATED REDIRECTS AND FORWARDS

Unvalidated redirect vulnerabilities occur when an attacker is able to redirect a user to an untrusted site when the user visits a link located on a trusted website. This vulnerability is also often called Open Redirect.

Unvalidated redirects and forwards are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained in that input. By modifying the URL input to point at a malicious site, an attacker may successfully launch a phishing scam and steal user credentials, because the link the victim clicks begins with the trusted domain.

How to test?

Spider the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). Look at the parameters supplied before the redirect to see whether any appears to be a target URL or part of one. If so, change the target and observe whether the site redirects to the new destination; also try protocol-relative (//evil.example), userinfo (https://trusted.example@evil.example) and encoded variants, since naive prefix checks miss them.

Preventing Unvalidated Redirects and Forwards

  • Simply avoid using redirects and forwards.
  • If used, do not accept the destination URL as user input. This can usually be done; if it cannot, you need a method to validate the URL.
  • If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
  • It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of it, and that server-side code translate this value to the target URL.
  • Validate input against an allow-list of trusted destinations (a list of hosts, or a strict pattern).
  • Force all redirects to first go through a page notifying users that they are leaving your site, and have them click a link to confirm.
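Two of the preventions above in code, as an added example that is not part of the original article: mapping a key to a server-side URL, and validating a raw URL against an allow-list using Node's built-in WHATWG URL class. SITE_ORIGIN, ALLOWED_HOSTS and REDIRECT_TARGETS are assumed values for a hypothetical site, and the probe strings are constructed attack inputs.

```javascript
// Added example, not from the original article: two of the preventions
// above in code. SITE_ORIGIN, ALLOWED_HOSTS and REDIRECT_TARGETS are assumed
// values for a hypothetical site, and the inputs at the bottom are constructed
// attack strings; Node's built-in WHATWG URL class does the parsing.
const SITE_ORIGIN = 'https://www.example.com';
const ALLOWED_HOSTS = new Set(['www.example.com', 'help.example.com']);

// Preferred: the client sends a short key and the server maps it to a URL,
// so no URL from the request ever reaches the Location header.
const REDIRECT_TARGETS = {
  dashboard: '/account/dashboard',
  help: 'https://help.example.com/',
};
function redirectByKey(key) {
  // hasOwnProperty guard: "constructor" or "__proto__" must not resolve
  return Object.prototype.hasOwnProperty.call(REDIRECT_TARGETS, key) ? REDIRECT_TARGETS[key] : null;
}

// Fallback when a raw URL has to be accepted: resolve it against our own
// origin and allow only hosts on the list. Returns the normalised absolute
// URL to redirect to, or null to refuse.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  // Browsers treat "\" as "/" and strip control characters before parsing;
  // refusing them outright avoids any disagreement with this parser.
  if (/[\x00-\x1f\x7f\\]/.test(input)) return null;
  let url;
  try { url = new URL(input, SITE_ORIGIN); } catch (e) { return null; }
  if (url.protocol !== 'https:') return null;        // javascript:, data:, http:
  if (!ALLOWED_HOSTS.has(url.hostname)) return null; // //evil.com, user@evil.com, evil subdomains
  return url.href;
}

const probes = [
  '/account/settings',                     // relative path on our site: allowed
  'https://help.example.com/articles?x=1', // allow-listed host: allowed
  '//evil.com/phish',                      // protocol-relative: refused
  'https://evil.com/',                     // other host: refused
  'https://www.example.com.evil.com/',     // prefix-matching trap: refused
  'https://www.example.com@evil.com/',     // userinfo trick: refused
  '/\\evil.com',                           // backslash trick: refused
  'javascript:alert(1)',                   // script scheme: refused
];
for (const p of probes) console.log(JSON.stringify(p), '->', safeRedirectTarget(p));
console.log('help ->', redirectByKey('help'), '| __proto__ ->', redirectByKey('__proto__'));
```

The check compares the parsed hostname, never a string prefix of the raw input: that is what defeats www.example.com.evil.com and the userinfo form, both of which start with the trusted domain.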

Example:

https://hackerone.com/reports/175168

https://hackerone.com/reports/169759

This article is written by our QA Rijin Raj.

Latest Javascript frameworks in 2017

JavaScript evolution continues

If you have been using JavaScript you are probably aware of these already, but if you are picking it up again for another project, this article will help you know the best things that have happened to the technology recently.
JavaScript has been constantly evolving to meet the challenges of the newer applications that use it. Listed below are some of the most important technologies to know this year.

JavaScript fundamentals

ES6:

A major update to JavaScript that includes several new features. The current version of JavaScript is ES7.

Built-in methods:

The beauty of these functions is that you can use them with any built-in JavaScript object such as String, Number, Date, RegExp or Array.

Callbacks:

Functions passed to another function and called when a task completes, so that further processing can continue based on the task's result.

Most popular javascript Frameworks

React

React makes it painless to create interactive UIs. React is based on component logic so you can easily pass rich data through your app and keep state out of the DOM. React can also render on the server using Node and power mobile apps using React Native.

Here are some of the React tools that are going to stay relevant for at least another year:

Chrome dev tool:

A set of web authoring and debugging tools built into Google Chrome. Use the DevTools to debug and profile your site.

Babel:

A compiler used to turn ES6 and next-generation JavaScript into code that current browsers can run.

Webpack:

Webpack is a module bundler for modern JavaScript applications. It is a project builder used for React web apps and Angular projects alike.

Angular2+

AngularJS has become one of the most popular open source JavaScript frameworks for web application development. Angular 2+ is the successor to the AngularJS framework.

Yeoman:

Angular project generator

Grunt:

Runs the Angular project on a local server and compiles it

Bower:

Downloads the libraries an Angular project requires through Bower.

Node.js

Modernizing systems and processes has become a top priority for businesses across all verticals. In simplest terms, digital transformation is "the use of technology to radically improve performance or (business) reach." Node.js is emerging as the de facto choice for companies looking to build the apps that achieve greater agility and drive digital transformation.
There are many great reasons to use Node.js. Here are two main ones:

  • If you are already a JavaScript developer, or you know JavaScript, you can start writing APIs using Node.js without learning a new language.
  • Node.js is fast. It is a JavaScript runtime built on the V8 engine, which lets you build fast services.

Keep checking back for more information on tech trends in Javascript, PHP and AI on https://www.mantralabsglobal.com/

Java Vs Node.JS for Backend APIs – Developer’s Comparison

Java is considered the best application development language. It is an object-oriented programming language used to create efficient, quality applications for both computers and mobile phones. Java dominates Android phones, enterprise computing, and some embedded worlds like Blu-ray disks. Node.JS, on the other hand, is a programming platform that allows you to write JavaScript on both the client side and the server side; its server-side code is identical in syntax to browser JavaScript. It opens up new perspectives while keeping its "browser" nature. Developers use both, depending on preference and the needs of the application. Read More….