JavaScript Security Learning Path

Learn JavaScript-related attacks and how to build safer JavaScript applications.

10 hours, 25 minutes

Quick facts

About this learning path

  • Courses: 100% online
  • Duration: 10 hours, 25 minutes
  • Assessment: 54 questions

About JavaScript Security

This learning path will help you understand the diverse threats and protections of the JavaScript world. We will start by covering the basics, as misunderstanding them often leads developers to write less safe code. Then, we will discuss authentication, XSS and CSRF. We will also spend a bit of time understanding regular expressions through the prism of security. We will also cover serverless security and what a JavaScript developer should do to keep their own desktop machine safe while using development tools.


Syllabus

Secure Coding - JavaScript

Lab - 00:30:00

This lab covers multiple secure coding errors commonly found in JavaScript, including DOM rewrites and the use of the eval() statement.

JavaScript Security Skill Assessment

Assessment - 54 questions

JavaScript Security Project

Course - 02:20:00

In the first four challenges, you will find vulnerabilities and exploit them. In the next five challenges, you will fix the vulnerabilities.

Secure JavaScript Programming overview

Course - 00:54:00

In this course, we will cover some base concepts of JavaScript and its runtime environments. We will start with a few refreshers on the language and its history; then we will look at an overview of web browsers and Node.js as JavaScript runtimes.

Authentication

Course - 00:50:00

Here, we will go through refreshers on authentication and a bit of cryptography. We will cover the cases of cookie-based and non-cookie-based front-end authentication. We will also cover best practices in terms of front-end identity management.

XSS and JavaScript remote code executions

Course - 01:26:00

XSS attacks are arguably the main threat against JavaScript web applications. In this course, we will cover them in detail and leave no stone unturned as we check everything about reflected, stored and DOM-based XSS. We will extensively cover CSP and Trusted Types.

CSRF and browser security

Course - 00:37:00

CSRF (cross-site request forgery) attacks can be disastrous for a website. In this course, we will learn exactly what they are and take a back-end (examples with Node.js) and front-end approach against them. Browsers have multiple security mechanisms to block certain attacks, and any web developer should have an idea of what these mechanisms are and how to use them.

Regular expressions

Course - 00:34:00

Regular expressions are one of the most powerful, yet dangerous, parts of JavaScript. In this course, we will dig into them to understand what risks they can bring and how to mitigate them.

Prototype pollution

Course - 00:35:00

Prototype pollution is a JavaScript-specific kind of attack that can lead to multiple outcomes, including SQL injection (in back-end code), denial of service or even arbitrary code execution. In this course, we will go through real-life examples of such attacks and learn how to protect against them.

Ecosystem modules (npm) and supply chain

Course - 01:13:00

npm is the biggest software ecosystem in history. Navigating it can be complicated. In this course, we will see everything we need to know to find and assess packages. We will even see what to do if one of the packages we use is flagged as vulnerable.

Serverless JavaScript

Course - 01:05:00

All major cloud providers now provide serverless services. But what are the security implications of using them? In this course, we will review the security best practices of a safe serverless project.

Web developer desktop security

Course - 00:11:00

Building web applications can open some parts of your own workstation to attacks. In this short course, we will go through a few "gotchas" anyone building web applications should know about.

Meet the author

Vladimir de Turckheim

Vladimir is a core Node.js collaborator and is involved in most security-related topics of the Node.js project. He has worked for seven years as an Application Security expert at Sqreen and as a Staff Engineer at Datadog. He is now building a new company.

How to claim CPEs

Should you complete this learning path, you’ll be able to download a certificate of completion. Use this to claim your CPEs or CPUs.

Associated NICE Work Roles

All Infosec training maps directly to the NICE Workforce Framework for Cybersecurity to guide you from beginner to expert across 52 Work Roles.

  • All-Source Analyst
  • Mission Assessment Specialist
  • Exploitation Analyst
