Learning Path
JavaScript Security
Learn JavaScript-related attacks and how to build safer JavaScript applications.
What you will learn
This learning path will help you understand the diverse threats and protections of the JavaScript world. We will start by covering the basics, as misunderstanding them often leads developers to write less safe code. Then, we will discuss authentication, XSS and CSRF. We will also spend a bit of time understanding regular expressions through the prism of security. We will also cover serverless security and what a JavaScript developer should do to keep their own desktop machine safe while using development tools.Syllabus
Secure Coding - JavaScript
Lab - 00:30:00
This lab covers multiple secure coding errors commonly found in JavaScript, including DOM rewrites and the use of the eval() statement.
JavaScript Security Skill Assessment
Assessment - 54 questions
JavaScript Security Project
Course - 02:20:00
In the first four challenges, you will find vulnerabilities and exploit them. In the next five challenges, you will fix the vulnerabilities.
Secure JavaScript Programming overview
Course - 00:54:00
In this course, we will cover some base concepts of JavaScript and its runtime environments. We will start by doing a few refreshers on the languages and its history; then we will look at an overview of web browsers and Node.js as JavaScript runtimes.
Authentication
Course - 00:50:00
Here, we will go through refreshers on authentication and a bit of cryptography. We will cover the case of cookies and non-cookies-based front-end authentication. We will also cover best practices in term of front-end identity management.
XSS and JavaScript remote code executions
Course - 01:34:00
XSS attacks are arguably the main threat against JavaScript web applications. In this course, we will cover them in detail and leave no stone unturned as we check everything about reflected, stored, DOM-based XSS. We will extensively cover CSP and trusted types.
CSRF and browser security
Course - 00:37:00
CSRF (cross-site request forgery) attacks can be disastrous for a website. In this course, we will learn exactly what they are and take a back-end (examples with Node.js) and front-end approach against them. Browsers have multiple security mechanisms to block certain attacks, and any web developer should have an idea of what these mechanisms are and how to use them.
Regular expressions
Course - 00:34:00
Regular expressions are one of the most powerful, yet dangerous parts of JavaScript. In this course, we will dig into them to understand what risks they can bring and how to mitigate them.
Prototype pollution
Course - 00:35:00
Prototype pollution is a JavaScript-specific kind of attacks that can lead to multiple outcomes, including SQL injections (in back-end code), Denial of Service or even arbitrary code execution. In this course, we will go through real-life examples of such attacks and learn how to protect against them.
Ecosystem modules (npm) and supply chain
Course - 01:13:00
npm is the biggest software ecosystem in history. Navigating it can be complicated. In this course, we will see everything we need to know to find and assess packages. We will even see what to do if one of the packages we use is flagged as vulnerable.
Serverless JavaScript
Course - 01:05:00
All major cloud providers now provide serverless services. But what are the security implications of using them? In this course, we will review the security best practices of a safe serverless project.
Web developer desktop security
Course - 00:11:00
Building web applications can open some parts of your own workstation to attacks. In this short course, we will go through a few "gotchas" anyone building web applications should know about.
Meet the author
The details
Learning path insights
How to claim CPEs
Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.
Associated NICE Work Roles
All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.
- All-Source Analyst
- Mission Assessment Specialist
- Exploitation Analyst
No software. No set up. Unlimited access.
Skip the server racks and spin up a realistic environment with one click. Infosec Skills cyber ranges require no additional software, hardware or server space so your team can spend less time configuring environments and more time learning. Unlimited cyber range access is included in every Infosec Skills subscription so your team can skill up however they learn best.
Plans & pricing
Infosec Skills Personal
$299 / year
- 190+ role-guided learning paths (e.g., Ethical Hacking, Threat Hunting)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Custom certification practice exams (e.g., CISSP, Security+)
- Skill assessments
- Infosec peer community support
Infosec Skills Teams
$799 per license / year
- Team administration and reporting
- Dedicated client success manager
-
Single sign-on (SSO)
Easily authenticate and manage your learners by connecting to any identity provider that supports the SAML 2.0 standard.
-
Integrations via API
Retrieve training performance and engagement metrics and integrate learner data into your existing LMS or HRS.
- 190+ role-guided learning paths and assessments (e.g., Incident Response)
- 100s of hands-on labs in cloud-hosted cyber ranges
- Create and assign custom learning paths
- Custom certification practice exams (e.g., CISSP, CISA)
- Optional upgrade: Guarantee team certification with live boot camps
Unlock 7 days of free training
- 1,400+ hands-on courses and labs
- Certification practice exams
- Skill assessments