Latest Posts

Security Audit for Dummies

Introduction to security auditing

Security audit is the final and the most important step in implementing security defenses. When you build your service, you always have to remember to make it as safe as possible. The bigger it is, the most important its security is. The first step is to run a risk analysis in order to find possible holes and find out what type of attacks you can expect. The second step is to develop a proper policy to defend against them. Finally, you undertake a security audit to check if it really works.

What type of tests can we use?

Penetration Testing

In order to check for possible attacks, we can use penetration testing (informally pen test). They are controlled attacks that look for security weaknesses. Their goal is to check our security system against known possible threats and return the report (what do we need to improve?). Thanks to that we can identify which defenses are effective and which ones (if any) are defeated and need to be fixed. A penetration test target may be either white box (provides background and system information) or black box (provides only basic information or no information at all except the company name).

We’ve compiled some Websites and Tools that can help you learn more about Penetration Testing:

Kali Linux
Parrot Security OS
PentestBox Windows
More distros…

More tools…

Kali Tutorials – Pen Testing for Beginners
OWASP Web App Pen Testing
Offensive Security Online Training

Sans Pen Testing Blog
Offensive Security Blog
Pentest Mag Blog

Upcoming Conferences

Risk-based testing (RBT)

In this kind of test we prioritize and emphasize what risks are the most important to us. With this knowledge we can choose and prepare proper tests during test execution. Shortly – we can call “risk” to an undesirable outcome which we want to ensure that it won’t happen. There is not always enough time to efficiently check all security areas, so risk-based testing concerning the functionality of the systems that have the highest impact and probability of failure can be the best choice.

We can summarize the whole idea of Risk-based testing in a few points:

  • it starts from the early beginning. We try to define the most
    dangerous threats and with this knowledge we try to prepare
    proper plans for testing.

  • as it accompanies us during the whole development process, it’s
    very helpful in reducing the likelihood of defects and creating
    working workarounds (and test them as well).

  • allows us to define what threats are the most
    dangerous to us and which ones we still have to work on.

  • it measures how well we are doing in reducing the probability of
    failure. If we know we can’t deal with something, we can search for tools and people to help.

Learn more…


Heuristic Risk-Based Testing
How to choose what to test more and less
What is Risk Based Testing in Software testing?
Risk Based Testing, Strategies for Prioritizing Tests against Deadlines
Risk-Based Testing What It Is and How You Can Benefit
RBT Tutorial at guru99

Most common type of attacks

Cross-Site Request Forgery (CSRF) is a very simple attack. It basically uses two facts. One, communication between server and client is based on requests. Two, cookies are sent automatically to the server. CSRF attack allows an attacker to execute authenticated actions without user knowledge and approval. It depends mainly on forcing the browser to execute malicious requests and using an user logged in status. Learn more about CSRF:

What is CSRF?
Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection
CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them
How to Prevent Cross Site Request Forgery (CSRF) Attacks in PHP
Do Your Anti-CSRF Tokens Really Protect Your Web Apps from CSRF Attacks?
Robust Defenses for Cross-Site Request Forgery

Another type of attack is Cross-site scripting (XSS), in which malicious scripts are injected into theoretically trusted web sites. It could be JavaScript, it could be, for instance, VBScript. The main thing is it may be run in the browser. In result an attacker can execute any script he wants. It can be injected very easily using comments system for example. You post a comment with a JavaScript code and if the server doesn’t do anything about it, it will execute your malicious code as well. [Read about XSS at OWASP](

You can also take a look here for more information:

Types of XSS
Excess XS – A comprehensive tutorial on cross-site scripting
What is an XSS Vulnerability?

While XSS works on the client side, the SQL Injection uses databases. SQL Injection attack uses the form system in order to manipulate the data. Let’s say your query look like this:

DELETE FROMUsersWHEREid= '$_GET['id']'

If attacker changes the proper id to the string like this 1' OR '1'='1, your query will look like this:

DELETE FROMUsersWHEREid= '1' OR '1'='1'

…and in result it will delete all the users from the table.

In order to understand this better you can watch a great Computerphile video about this subject.

Other links for more info:

SQL Injection Cheat Sheet & Tutorial: Vulnerabilities & How to Prevent SQL Injection Attacks
How to Prevent SQL Injection Attacks
SQL Injection Attacks and Some Tips on How to Prevent Them

The Denial of Service (DoS) is a type of attack that is focused on making a resource unavailable. It uses a mechanism of sending massive amount of requests to the server making it incapable of returning the result. It’s a very common attack and not so hard to prepare. It’s often hard to defend against it because defining if a request is valid or if it’s an attack is not always so easy. Learn more about DoS:

US Cert
Best Practices for Preventing DoS/Denial of Service Attacks
What is a Denial of Service Attack? DOS, DDos, Hacking

How to prevent those attacks if you’re not an expert?

Most important of all, use solid solutions. Don’t try to reinvent the wheel and to do everything your way. Before building your application try to find a solid base. Check for secure and popular frameworks. They’re often made by experts and their popularity makes them really secure. No one is perfect, but if they’re checked everyday by its users, the holes and errors are easy to eliminate. Deciding to stick with your hand-made framework could bring a lot of harm if an attack really occurs. You can also use security frameworks in order to help yourself in security auditing. Learn more about them here.

Try popular tools. Don’t be afraid of using the captcha mechanism, testing automation tools and so on. There are many of them in the market. You could check SoapUI, TestingWhiz… It could really make your life easier.

If you can afford it, the ideal situation would be to hire an external professional team. It’s the most expensive case but surely the best one. Try to find an expert to back you up in terms of security. It can be really useful. He will always see a lot more than you because he knows more about the threats out there. If you can’t afford an expert for a whole development process, try to find him after finishing the job. Make him check security and after all…

do a quality security audit. And if the results aren’t perfect repeat the whole process. It’s pointless to carry it and ignore the results. Also, don’t check only for holes. Check efficiency of the security improving solutions. For instance, if you deploy a strong password changing policy, make sure there is no way to bypass this function. Let’s say you require changing password every week. If you don’t design it well, you could, for instance, give the user possibility to change it just only to return to the old password after a minute. Password has been changed? Yes! But… it won’t do any good.

Try to be as detailed as you can. Check for everything, not only for most common type of attacks. Even big names we all have heard of have been the victims of imperfect security systems. Thus, it is certainly not a piece of cake.


Does good security auditing make you completely secure? Not really. They say, your security audit is as good as the auditors, but there aren’t perfect tools and perfect people. However… try to make it as safe as possible. If you are going for a poor audit, better to not do it at all. Weak security auditing can leave you with a false sense of security that is extremely dangerous for your organization.
So if you do it, and you should, try to be as effective as you can. There can be no shortcuts! Use the best tools, hire the best auditors, do the most detailed audits and don’t try to save some money here! If you save it now, there’s a very high risk of losing it in the future.

How to build real-time applications using Node.js and RethinkDB


About RethinkDB

If you need a NoSQL database which work with JSON data, has full support for realtime searching and has a mix of paradigms between SQL and NoSQL, a good option is RethinkDB.
This is a open-source database, which all JSON’s data is persisted into tables like a conventional SQL database, allowing you to run queries among multiple tables using the classic join command. But you can also persist arrays and sub-documents like you are used to do it in MongoDB, CouchDB or PostgreSQL.

There are some cool stuffs from RethinkDB like:

  • GeoSpartial support;
  • API to handle with Strings, Dates, Booleans and Documents;
  • Math API;
  • Map-reduce support;
  • HTTP client to catch some external data;
  • Changefeeds which is a realtime searching;
  • Index support (simple, compound and multi);
  • Native web admin dashboard;

Building the application

What about building something useful using RethinkDB? To explore the realtime searching, let’s build a simple global timeline using the changefeed feature to list all data in the timeline in realtime, by using Node.js, Express, Socket.IO and RethinkDB.

First, you need to install RethinkDB server, before you start writing the codes below, to install this database I recommend you to read and follow the instruction of this link according to your operation system.

After you install it, run this commands below to initiate the project:

mkdir timeline
cd timeline
npm init
npm install --save express rethinkdb

Now let’s work! To simplify things we are going to use ES6 code native from Node v6.x.x version and the backend will be a single file code for study purposes, but if you need to build a complex and well structure backend server using RethinkDB, you can see this project node-api-examples which has a list some API’s examples using some web routers and databases, there are some examples using RethinkDB with Koa, Express and Hapi.js.

Well, let’s write the backend server of our application, you can create the file index.js using the code below:

const http = require('http');
const fs = require('fs');
const express = require('express');
const socketIO = require('');
const r = require('rethinkdb');
const config = require('./config.json');

// Loading Express, HTTP, Socket.IO and RethinkDB
const db = Object.assign(config.rethinkdb, { db: 'timeline' });
const app = express();
const server = http.Server(app);
const io = socketIO(server);

// Connecting to RethinkDB server
  .then(conn => {
    // Index route which renders the index.html
    app.get('/', (req, res) => {
      fs.readFile(`${__dirname}/index.html`, (err, html) => {
        res.end(html || err);

    // The changefeed is provided by change() function
    // which emits broadcast of new messages for all clients
      .then(cursor => {
        cursor.each((err, data) => {
          const message = data.new_val;
          io.sockets.emit('/messages', message);

    // Listing all messages when new user connects into
    io.on('connection', (client) => {
        .then(cursor => {
          cursor.each((err, message) => {
            io.sockets.emit('/messages', message);
      // Listening the event from client and insert new messages
      client.on('/messages', (body) => {
        const { name, message } = body;
        const data = { name, message, date: new Date() };

    server.listen(3000, () => console.log('Timeline Server!'));
  .error(err => {
    console.log('Can\'t connect to RethinkDB');
    throw err;

There are some important details you must know when you work with RethinkDB, first almost all functions from this module works using callbacks or using Promises, if you choose Promises you can write well structure async functions with better error handlers.

The changefeed (via r.table('messages').changes()) feature is database’s subscriber, which is a query observer and returns any modification from a table, the combination with the io.sockets.emit() allows the server send realtime data for the clients.

Now, let’s create a simple migration script to prepare the database before starts the server. This migration is very common in relational databases. Create the database.js file with the script below:

const r = require('rethinkdb');
const config = require('./config.json');
let conn;

  .then(connection => {
    console.log('Connecting RethinkDB...');
    conn = connection;
    return r.dbCreate('timeline').run(conn);
  .then(() => {
    console.log('Database "timeline" created!');
    return r.db('timeline').tableCreate('messages').run(conn);
  .then(() => console.log('Table "messages" created!'))
  .error(err => console.log(err))
  .finally(() => process.exit(0))

And don’t forget to create the config.json which contains data to connect in the RethinkDB server:

  "rethinkdb": {
    "host": "localhost",
    "port": 28015

To finish our application, now we must create the index.html which will be the client-side part for the users send messages in the timeline.

<!DOCTYPE html>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width,initial-scale=1">
  <script src="/"></script>
  <form style="text-align:center;margin:50px 0">
    <label for="name">Name:</label>
    <input type="text" id="name"/>
    <label for="message">Message:</label>
    <input type="text" id="message"/>
    <button type="submit">Send</button>
  <fieldset style="padding: 20px;width:50%;margin:0 auto">
    <legend style="text-align:center">Timeline</legend>
    <p id="messages"></p>
    (function() {
      var socket = io();
      var form = document.querySelector('form');
      form.addEventListener('submit', function(e) {
        var name ='#name');
        var message ='#message');
        var data = {
          name: name.value,
          message: message.value
        socket.emit('/messages', data);;
      socket.on('/messages', function(data) {
        var messages = document.querySelector('#messages');
        var message = '<b>'+ +':</b> '+ data.message +'<br />';
        messages.innerHTML += message;

Now we are ready to start this application! But before start the server you must run in the first time, the database’s migration to create the database and table for this project, so you just need to run this command:

node database.js

If everything goes fine, You can start the server by running:

node index.js

And you can play sending messages in this application accessing the http://localhost:3000 address.


The RethinkDB is awesome NoSQL! This database can provide a fully support for realtime applications just using changefeed +, in this link you can read more about what you can do using changefeeds. Almost all functions can run using Promises which makes you write better code and you can use easily the ES7 async/await feature to simplify the promises functions too.

JS13KGAMES – A JavaScript Coding Competition


JS13K JavaScript HTML5 Competition

Jscrambler will be sponsoring Js13kGames, a JavaScript coding competition for HTML5 Game Developers. The fun part of the compo is the file size limit set to 13 kilobytes. The competition will start at 13:00 CEST, 13th August and will end at 13:00 CEST, 13th September 2016. Theme will be announced on 13th August. Save the date!

The Js13kGames is a competition where developers are limited to a maximum game size of 13 kilobytes, including all assets like images and sounds. The challenge in this competition is to make the coolest game in only 13 kilobytes. You have exactly one month to work on your game, win the cool prizes and the admiration of your peers!

All the source codes have to be hosted open source on GitHub, so other developers can learn from your coding skills. You will have to provide both the compressed and the uncompressed versions of the game source files. External libraries are not allowed which means that your game should be able to run offline without the need of loading any external resources. It should also be kept in mind that only pure JavaScript code can be submitted.

There are 3 different categories and they are desktop, mobile, and server. You can submit your game in any of these categories to be part of the competition.


All the participating HTML5 games will be reviewed by experienced people in the HTML5 game industry and JavaScript development. Among the major renowned personalities are Andrzej Mazur, Christer Kaitila, Jupiter Hadley, Pablo Farías Navarro, Robert Podgórski, Jason Weathersby, Elle Chen and of course our CTO Pedro Fortuna, who has been participating as a judge since last year’s edition.

How can I know if I won?

Judges will review and vote for the games after September 13th and the winners will be announced on September 28th.

How can I join?!

Just click on this link, and follow the details on the Js13kGames website. And please let us know if you are planning to join! We know there are a lot of HTML5 game developers in our community of users, don’t be shy!

15 Most Popular JavaScript Conferences

js_conferencesThere are some great ways for programmers to stay in touch with the latest news about JavaScript and web development community, like reading blogs, websites or even searching for a specific question on forums such as Quora. But, for those who want to really dive into the web development business the best thing to do is to attend JavaScript conferences.

Besides giving a glance of the new products, tools and innovative ideas in firsthand, these kind of event are a really good deal for networking with some of the best professionals and companies in the field and share some experiences.

And there are no excuses for those who don’t want to leave their city, state or country to participate: these events may happen in many parts of the world and on many different dates (there might be one happening close to you right now!).

So, in case you don’t want to miss your spot when they get to your city or country, stay tuned for the most popular JavaScript conferences and events dedicated to web developers around the world:

Read More

An Introduction to Content Security Policy (CSP)

introduction-to-content-security-policyAs a Javascript developer you’re no doubt painfully aware of some of the common vulnerabilities in web applications which are made possible by the language; most notably, XSS (Cross Site Scripting) attacks.

At the root of XSS attacks is a simple premise; the injection of malicious code into your website or web application.

The first line of defence against XSS usually involves sanitizing user input, particularly anything which is later echo’ed back to the page. Content Security Policy is a subtly different approach to defending against similar types of attack. In this article we’ll look at it in more detail.

Note that CSP is not a replacement for input sanitization, which remains as important as ever. Rather, it complements the best practices you’re already (hopefully!) following.

The Basics of CSP

Essentially CSP allows you to be explicit about what resources should be trusted. Resources means scripts — which is what we’re going to focus on in particular in this article — but also things like:

  • stylesheets
  • media (for example audio and video)
  • fonts
  • form actions
  • frame sources
  • types of objects and plugins

In essence, what CSP provides is a means to “whitelist” the source of these resources. So we could say, for example, that we wish to allow third-party scripts from our analytics provider, from certain CDNs or social networks — but, make clear that anything else is not to be trusted. Let’s look at how to actually implement CSP in the next section.

Implementing CSP

There are two ways to implement CSP:

  1. Via HTTP headers
  2. Via meta tags in your HTML

Although they’re slightly more complex to set up than meta tags, HTTP headers are the preferred approach. There are numerous ways to accomplish this; for example setting them on your web server, by using middleware, or by setting them programmatically as required, for example on a per-route basis.

The CSP Headers and Simple CSP packages are just two JS-orientated packages which may help you to implement CSP. There are plenty more for your server-side language of choice, so it’s worth doing some research before you start implementing it yourself.

Here’s an example of setting up CSP headers in an Express.js application, using the Simple CSP package:

var express = require( 'express' );
var app = express();
var csp = require( "simple-csp" );

var csp_headers = {
"default-src": ["'self'", ""],
"connect-src": ["'self'", ""],
"img-src": ["'self'", "data:", ""]

app.use( "/", function ( req, res, done ) {
csp.header( csp_headers, res );
} );

// Static files from ./public
app.use( "/", express.static( "./public" ) );

app.listen( 8888 );

Right now you might be wondering what those headers mean; let’s take a look in more detail.

Whitelisting Sources with CSP

You can specify what’s trusted in a number of ways.

For example, you might want to say:

  • Trust only scripts from the same source via HTTPS, as well as from
  • Disallow all inline scripts
  • Only allow images from a particular CDN
  • Disallow frames
  • Only allow fonts from Google Fonts

Let’s look at how to define the source of a resource. Consider the following:

This will allow resources from using any scheme (e.g. http, https, data), on any port.

You can explicitly define the scheme, for example:

You can also explicitly define a subdomain:

If you want to be slightly more flexible about protocols you can do this:


Wildcards can also be used for the leftmost portion of the domain; for example a subdomain:


Note that this will not match

You can also explicitly specify the port:

There are also four important constants you can use.

'self' is probably the most common. It basically means that resources from the current host are to be trusted, which is usually going to be the case.
'none' is just as it implies; trust nothing. It can be used for a “safety-first” rule-set, or be applied to certain resource types; for example you could use it to disallow all frame sources.
'unsafe-inline' allows potentially unsafe inline JavaScript. As the name implies, this requires caution – we’ll look at inline JavaScript shortly.
'unsafe-eval' permits potentially unsafe eval‘ed code. Use with even more caution!

For all of these constants, it’s important that you wrap them in single quotations, as listed.

Once you have your sources defined, you simply append them to a keyword representing the resource type. For scripts, that means using the script-src keyword.

Separate sources with a space, for example:

Content-Security-Policy: script-src 'self'

Other resources can be specified using keywords such as connect-src for XHR or web socket connections, style-src, font-src, img-src for styles, fonts and images respectively, child-src for workers and embedded frame contents, and more.

You can specify a default source for all resources using default-src, for example:

default-src 'self'

What about Inline JavaScript?

That’s all very well, you might be thinking, but aren’t inline scripts what we should really be worrying about when trying to combat XSS?

The short answer is that by CSP takes the view that all inline scripts are potentially harmful, thus encouraging you to move inline JS code to a separate file. You can tell CSP to ignore this restriction using unsafe-inline, but there are better ways.

If you do still want to execute inline code, CSP still provides two mechanisms for telling the browser what inline code is legitimate.

The first is to use a nonce; that is, a random unguessable string which is used to identify trusted inline code. It should be random, unguessable and ideally re-generated on each page load.

The first step to using the nonce approach is to attach it to your <script type="text/javascript">// <![CDATA[ tags using the nonce attribute, for example:

Then, the same value should be inserted into your CSP header or meta tag, for example:

Content-Security-Policy: script-src 'nonce-d9j8g9irjgirjheg9i'

The second approach is to generate a hash of the inline code, using an encryption mechanism such as SHA.

For example:

<script type="text/javascript">// <![CDATA[
alert('Hello, world.');
// ]]></script>

Take the hash of the contents of the <script type="text/javascript">// <![CDATA[ tag, and refer to it in your headers:

Content-Security-Policy: script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG-HiZ1guq6ZZDob_Tng='

Note that the first part of the hash identifies the mechanism used to encode it; in this case, SHA256


Another key feature of the CSP specification is reporting. Indeed, it's relatively common just to use this feature; that is, as a tool to monitor potential vulnerabilities rather than as a preventative measure, although you can of course use both.

What the reporting element does is monitor for violations of the policy, and POSTs a report to the endpoint you specify via the report-uri keyword. Here's an example:

Content-Security-Policy: ...; report-uri /csp-report-endpoint;

When a violation occurs, your endpoint will be "pinged" with an HTTP POST request with a JSON-formatted body. Here's an example of what such a report might look like:

  "csp-report": {
    "document-uri": "",
    "referrer": "",
    "blocked-uri": "",
    "violated-directive": "style-src",
    "original-policy": "default-src 'none'; style-src; report-uri /_/csp-reports"

How you interpret or respond to these reports is up to you; there are third-party parsers and endpoint implementations available for various server-side languages — CSP Endpoint is just one example, for Node.js.

Browser Support

As always, it's important to be aware of browser support - you can find more details on

The Future of CSP

CSP as a standard is constantly evolving. Level two support is fairly common, (see for full details), whereas Level Three is a work-in-progress. It might be worth keeping an eye on the public-webappsec mailing list archives archives to keep up-to-date with developments, as well as referring to the draft Level Three standard.

Flaws and Limitations of CSP

CSP isn't perfect, and it's easy to mis-use. We'll cover CSP's limitations in a future post, but for now you may find the notes from this presentation useful reading.

Links and Further Reading

There's a lot more to CSP than we've been able to cover in this short introduction, but if you're interested in finding out more then here are some useful links and resources:

  • [The Level Two Candidate Recommendation}( is essential reading.
  • The Level Three Editor's Draft is worth keeping an eye on.
  • HTML5Rocks has a comprehensive tutorial on CSP.
  • If you have Chrome 52+, you might like to try out these experiments.
  • Chrome users might find the CSP Tester extension useful for testing your CSP rules.
  • There's a great presentation, Making CSP Great Again which looks at some of the common pitfalls of CSP, as well as a look to the future.
    // ]]>

The Case for Multiple Layers of JavaScript Application Security

app_secJavaScript is here to stay. First shipped in September 1995, over the last two decades has become the most popular programming language on earth. As of today, in 2016, over 88% of all websites use JavaScript and they do not show signs of stopping. You will find it also on mobile sites, games and web applications.

Read More

Developing An Isomorphic GraphQL App With React

isomorphic_app_reactSingle page applications or SPAs are in trend. SPAs put emphasis on a thick JavaScript client with a thin back end. Node.js takes this further with JavaScript on the client and on the server. Given the popularity of JavaScript, polyglot programming got put aside. What if I told you that the same code that runs on the server, also runs on the client? Yes, welcome to isomorphic programming in JavaScript. In this take Iʼll introduce a bar tab app using isomorphic principles. This idea takes “code reuse” to new heights. Read More

Getting Started With Relay

relay_imageWe know what you are thinking, what the heck is Relay and why do I care? Arenʼt there enough frameworks already? Relay is a framework meant to complement both GraphQL and React. If you think about it, a lot of developer productivity goes towards fetching data. React is a nice way to think about the UI as separate components. Each component has clean cut separation of concerns. The problem at hand is how do you feed it data? One can dream up any push and pull solution to do this. This may involve Ajax slapped with a framework or two. Or, you could bridge client side components with Relay. If you are already knee deep in React and GraphQL, Relay will offer a nice way to bridge the two. Read More

How to Build a To-Do App in Vue.js – Part 2

vuejs_2This is the second part of a two part series on building a Vue.js Todo Application. In the first part, we touched on how to supply data to templates from a component class, loop over data in the templates and more. In this second part, we will see how to handle events coming in from the template which will allow us to create more Todos, edit them and eventually delete them. Read More

How to Build a To-Do App in Vue.js – Part 1


With web applications becoming more sophisticated, the popularity of JavaScript frameworks has been on the rise. With this increased fame, there are several capable frameworks out there to choose from. Some of the most popular choices are AngularJS, Ember.js and Vue.js. All these frameworks are capable of building large and modern web applications. Read More