Figure 1.0 Languages ranked by programming jobs (Bouwkamp, 2016)
- Data-Driven Documents (D3.js)
- Angular JS
- Ember JS
React allows one to express how an application should look at any given point in time, and it automatically manages user interface updates as the underlying data changes. The library uses what is known as a virtual DOM: when the data changes, the virtual DOM is diffed and only the affected parts of the real DOM are re-rendered.
This library is currently being used by organizations such as Netflix, Bleacher Report, SeatGeek, and HelloSign.
“One of React’s features is that it handles XSS escapes by default.” (Lolware, 2015). What this means is that developers using ReactJS have to place their faith in the library’s escaping rather than writing their own.
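To make concrete what “escapes by default” means, here is an added example (not React’s own code): a minimal renderer in the style of a virtual-DOM library that escapes text children and attribute values before they reach the page, beside the naive template concatenation that produces reflected XSS. The tree shape (`{ tag, attrs, children }`), the tag and attribute allow-lists and the sample input are constructed for illustration.

```javascript
// Added example, not from the page or from React itself.
// Text and attribute values are HTML-escaped, so user input lands as data, not markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allow-lists (our own assumption): a malicious tree cannot smuggle in a
// <script> element or an on* event-handler attribute.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'a', 'ul', 'li', 'b']);
const ALLOWED_ATTRS = new Set(['id', 'class', 'href', 'title']);

// Escaping alone does not make URL attributes safe; restrict href to http(s).
function attrAllowed(name, val) {
  if (!ALLOWED_ATTRS.has(name)) return false;
  return name !== 'href' || /^https?:\/\//i.test(String(val));
}

function renderToString(node) {
  if (typeof node === 'string' || typeof node === 'number') {
    return escapeHtml(node); // text child: always escaped
  }
  if (!ALLOWED_TAGS.has(node.tag)) {
    throw new Error(`tag not allowed: ${node.tag}`);
  }
  const attrs = Object.entries(node.attrs || {})
    .filter(([name, val]) => attrAllowed(name, val))
    .map(([name, val]) => ` ${name}="${escapeHtml(val)}"`)
    .join('');
  const children = (node.children || []).map(renderToString).join('');
  return `<${node.tag}${attrs}>${children}</${node.tag}>`;
}

// Contrast: naive string templating, the pattern behind reflected XSS.
function renderUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Constructed sample input: a value a user might type into a search box.
const userInput = '<img src=x onerror="alert(1)">';
const safeHtml = renderToString({ tag: 'p', children: ['Hello, ', userInput] });
const unsafeHtml = renderUnsafe(userInput);
```

Rendering `userInput` through `renderToString` yields inert text, while `renderUnsafe` emits a live `<img>` element with an event handler.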
AngularJS is a structural framework for dynamic web applications. Unlike React.js, Angular operates entirely within the browser, which makes it an ideal partner for most, if not all, server technologies. AngularJS “attempts to minimize the impedance mismatch between document centric HTML and what an application needs by creating new HTML constructs. Angular teaches the browser new syntax through a construct we call directives.” (AngularJS, n.d.).
AngularJS extends HTML with new attributes and is ideal for Single Page Applications (SPAs). In a post, Lau (2013) declared that “Angular is the only framework that doesn’t make MVC seem like putting lipstick on a pig.”
Donovan (2015) lists the following vulnerabilities affecting AngularJS applications:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
Concepts of Cross-Site Scripting
- XSS is a web-based attack performed on vulnerable web applications.
- In XSS attacks, the victim is the user and not the application.
Figure 1.1 Reflective XSS
Figure 1.2 Reflective XSS
The second vulnerability is Cross-Site Request Forgery (CSRF). It occurs when a malicious website sends a request to a web application in which the user is already authenticated, thus allowing the attacker to use the web app’s functionality as if they were the intended user. These attacks mostly target web apps such as social media sites, in-browser email clients, online banking, and web interfaces for network devices.
Concepts of CSRF
- Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against.
- The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.
- The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF (Veracode, n.d.).
Bouwkamp, K. (2016) The 9 Most In-Demand Programming Languages of 2016, Available at: http://www.codingdojo.com/blog/9-most-in-demand-programming-languages-of-2016/ (Accessed: June 13, 2016).
Donovan, G. (2015) Top 10 Security Risks for AngularJS Applications – Kevin Hakanson, Available at: http://techjaw.com/2015/03/05/top-10-security-risks-for-angularjs-applications-kevin-hakanson/ (Accessed: June 13, 2016).
Github (n.d.) Why React?, Available at: https://facebook.github.io/react/docs/why-react.html (Accessed: June 13, 2016).
Lau, D. (2013) 10 Reasons Why You Should Use AngularJS, Available at: https://www.sitepoint.com/10-reasons-use-angularjs/ (Accessed: June 13, 2016).
Lolware (2015) Testing ReactJS for XSS vulnerabilities, Available at: https://lolware.net/2015/08/19/reactjs-xss-testing.html (Accessed: June 13, 2016).
Veracode (n.d.) Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection, Available at: http://www.veracode.com/security/csrf (Accessed: June 13, 2016).
Veracode (n.d.) Cross-Site Scripting (XSS) Tutorial: Learn About XSS Vulnerabilities, Injections and How to Prevent Attacks, Available at: http://www.veracode.com/security/xss (Accessed: June 13, 2016).