OWASP Top 10 - what the most critical security flaws are, and how each one maps onto an AngularJS client
A1 - Injection (SQL Injection)
- content spoofing
- cross-site scripting (XSS): on the client the "injection" is untrusted data landing in HTML
- ngSanitize - module that provides $sanitize; ng-bind-html runs untrusted HTML through it (allowlist of tags/attributes, everything else is stripped)
- $sce - strict contextual escaping; $sce.trustAsHtml marks a value as safe so it bypasses sanitization entirely, so only call it on markup you control, never on user input
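Added example (this is not AngularJS source, just a model of the contract): a tiny allowlist sanitizer standing in for ngSanitize, and a `trustAsHtml` / `getTrustedHtml` pair showing why wrapping user input in `$sce.trustAsHtml` undoes the protection. All names and the sample comment are this example's own.

```javascript
// Added model of ng-bind-html + ngSanitize + $sce (not AngularJS code).

// Escape for a text/attribute context so the string can never start markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist sanitizer standing in for $sanitize: keeps a few *bare* formatting
// tags and escapes everything else (any tag carrying attributes, any unknown
// tag, all text). The output can therefore only ever contain allowlisted bare
// tags plus escaped text, which is what makes it safe to bind as HTML.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

function sanitizeHtml(html) {
  const src = String(html);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(TAG_RE)) {
    out += escapeHtml(src.slice(last, m.index));
    const [whole, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    if (ALLOWED_TAGS.has(tag) && attrs.trim() === '') {
      out += `<${slash}${tag}>`;   // bare allowlisted tag: keep
    } else {
      out += escapeHtml(whole);     // attributes, scripts, unknown tags: neutralise
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(src.slice(last));
}

// $sce model: a value is rendered raw only if it was wrapped by trustAsHtml.
class TrustedHtml {
  constructor(value) { this.value = String(value); }
}
const sce = {
  trustAsHtml: (v) => new TrustedHtml(v),
  // What ng-bind-html does: trusted wrapper -> raw; plain string -> $sanitize;
  // plain string with no sanitizer loaded -> AngularJS throws ($sce:unsafe).
  getTrustedHtml(v, sanitizer = sanitizeHtml) {
    if (v instanceof TrustedHtml) return v.value;
    if (!sanitizer) throw new Error('[$sce:unsafe] untrusted HTML and no sanitizer loaded');
    return sanitizer(v);
  },
};

// Constructed attacker-controlled comment for the demo.
const USER_COMMENT = '<b onmouseover="steal()">hi</b> <i>there</i><script>alert(1)</script>';

function renderSafely()  { return sce.getTrustedHtml(USER_COMMENT); }
// The footgun: trusting user input passes the payload straight through.
function renderTrusted() { return sce.getTrustedHtml(sce.trustAsHtml(USER_COMMENT)); }

console.log('sanitized:', renderSafely());
console.log('trusted  :', renderTrusted());
```

The sanitizer here is deliberately tiny (no attributes at all survive); a real application should keep using ngSanitize or a maintained sanitizer rather than a regex of its own, since HTML parsing quirks are exactly where hand-rolled sanitizers fail.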
A2 - Broken Auth and Session Mgmt
- $httpProvider.interceptors (the older responseInterceptors API is deprecated) - handle 401/403 responses in one place, e.g. drop the session and redirect to login
A3 - Cross-Site Scripting
- Content Security Policy (http://content-security-policy.com)
- ngCsp (ng-csp attribute on the root element) - tells AngularJS not to use eval/Function or inject inline styles, so the app runs under a CSP without 'unsafe-eval' / 'unsafe-inline'
A4 - Insecure Direct Object References
- $resource makes /things/:id style calls trivial, but the id is user-controlled, so every id must be authorized server-side
- server concern
A5 - Security Misconfiguration
- ex. CORS (an over-permissive Access-Control-Allow-Origin opens the API to other origins)
A6 - Sensitive data exposure
- https
- consider using the Web Cryptography API
- be careful about storing sensitive data in local storage: any script on the origin can read it and it persists across sessions
A7 - Missing function level access control
- server concern
A8 - Cross Site Request Forgery (CSRF, XSRF)
- synchronized token pattern (anti-forgery token)
- see the OWASP CSRF prevention cheat sheet
- $httpProvider.interceptors - a request interceptor can attach the token; AngularJS's $http also does this by default (copies the XSRF-TOKEN cookie into an X-XSRF-TOKEN header, and only on same-origin requests so the token is never leaked to another site)
- Authorization: Bearer <token> can be attached the same way for token-based auth; a token the browser doesn't send automatically isn't subject to CSRF the way a cookie is
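Added example covering both the A2 interceptor note and the A8 token note (not AngularJS's own code): a synchronous stand-in for the `$httpProvider.interceptors` pipeline, with one request interceptor that adds the anti-forgery header from the XSRF-TOKEN cookie, one that adds the bearer token, and a responseError interceptor that handles 401 centrally. The origin, cookie jar, token values and the fake server are all constructed for the demo.

```javascript
// Added model of the $http interceptor pipeline (not AngularJS code).
// Simplification: AngularJS chains interceptors on promises; this version is
// synchronous so the behaviour is easy to trace, but the ordering rules match:
// request interceptors run in registration order, response ones in reverse.

const ORIGIN = 'https://app.example';          // assumed application origin
const VALID_TOKEN = 'eyJ.demo.token';          // constructed bearer token
const cookies = { 'XSRF-TOKEN': 'c0ffee' };    // constructed: cookie set by the server
let accessToken = VALID_TOKEN;
const authEvents = [];                         // records what the 401 handler did

function isSameOrigin(url) {
  return new URL(url, ORIGIN).origin === ORIGIN;
}

// Synchronizer token: XSRF-TOKEN cookie -> X-XSRF-TOKEN header (what $http does
// by default). Never on cross-origin requests, or the token leaks to that site.
const xsrfInterceptor = {
  request(config) {
    if (isSameOrigin(config.url) && cookies['XSRF-TOKEN']) {
      config.headers['X-XSRF-TOKEN'] = cookies['XSRF-TOKEN'];
    }
    return config;
  },
};

// Bearer token for token-based auth (A2), same-origin only for the same reason.
const bearerInterceptor = {
  request(config) {
    if (isSameOrigin(config.url) && accessToken) {
      config.headers['Authorization'] = `Bearer ${accessToken}`;
    }
    return config;
  },
};

// Central 401 handling instead of checking status in every controller.
const authInterceptor = {
  responseError(rejection) {
    if (rejection.status === 401) {
      accessToken = null;                                       // drop the dead session
      authEvents.push(`401 on ${rejection.config.url}: redirect to /login`);
    }
    throw rejection;                                            // keep the failure flowing
  },
};

function http(config, interceptors, transport) {
  config.headers = { ...(config.headers || {}) };
  for (const i of interceptors) if (i.request) config = i.request(config);
  let result, failed;
  try { result = transport(config); failed = false; }
  catch (rejection) { result = rejection; failed = true; }
  for (const i of [...interceptors].reverse()) {
    try {
      if (failed && i.responseError) { result = i.responseError(result); failed = false; }
      else if (!failed && i.response) { result = i.response(result); }
    } catch (rejection) { result = rejection; failed = true; }
  }
  if (failed) throw result;
  return result;
}

// Constructed transport: a fake server that checks the token on state-changing
// requests and the bearer token on everything same-origin.
function fakeServer(config) {
  if (!isSameOrigin(config.url)) return { status: 200, config, headers: config.headers };
  if (config.method !== 'GET' && config.headers['X-XSRF-TOKEN'] !== cookies['XSRF-TOKEN']) {
    throw { status: 403, config, reason: 'missing/invalid XSRF token' };
  }
  if (config.headers['Authorization'] !== `Bearer ${VALID_TOKEN}`) throw { status: 401, config };
  return { status: 200, config, headers: config.headers };
}

const INTERCEPTORS = [xsrfInterceptor, bearerInterceptor, authInterceptor];

function postSameOrigin() {
  accessToken = VALID_TOKEN;
  return http({ method: 'POST', url: '/api/transfer' }, INTERCEPTORS, fakeServer);
}
function getCrossOrigin() {
  accessToken = VALID_TOKEN;
  return http({ method: 'GET', url: 'https://cdn.example/config.json' }, INTERCEPTORS, fakeServer);
}
function postWithExpiredToken() {
  accessToken = 'expired';
  try { http({ method: 'POST', url: '/api/transfer' }, INTERCEPTORS, fakeServer); }
  catch (rej) { return { status: rej.status, loggedOut: accessToken === null, lastEvent: authEvents[authEvents.length - 1] }; }
  return { status: 200 };
}

console.log(postSameOrigin().headers);
console.log(getCrossOrigin().headers);
console.log(postWithExpiredToken());
```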
A9 - Using components with known vulnerabilities
- retire.js - scans the JS libraries a page loads for versions with known vulnerabilities
A10 - Unvalidated Redirects and Forwards
- $compileProvider - URL scheme whitelisting by regex (aHrefSanitizationWhitelist / imgSrcSanitizationWhitelist)
- ng-href - a value whose scheme doesn't match the whitelist is prefixed with "unsafe:" so the browser won't navigate to or execute it (e.g. javascript:)
- linky filter : takes plain text input and turns the URLs in it into html links
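Added example (not AngularJS source) of the idea behind `aHrefSanitizationWhitelist`: normalize the URL first, then test the scheme against AngularJS's default regex, and prefix anything else with `unsafe:`. AngularJS normalizes through the browser's URL parser (an anchor element); here the WHATWG `URL` class plays that role, which is what defeats mixed-case and tab/newline tricks. The base origin and the sample hrefs are constructed.

```javascript
// Added model of ng-href URL scheme whitelisting (not AngularJS code).

const BASE = 'https://app.example/';                        // assumed origin for relative URLs
const A_HREF_WHITELIST = /^\s*(https?|ftp|mailto|tel|file):/; // AngularJS 1.x default

// Return the URL if its scheme is allowed, otherwise "unsafe:" + URL, which the
// browser treats as an unknown scheme and will neither follow nor execute.
function sanitizeUri(uri, whitelist = A_HREF_WHITELIST) {
  let normalized;
  try {
    // Lowercases the scheme and strips leading whitespace and embedded \t \n \r,
    // so the regex sees "javascript:" even when the input tried to hide it.
    normalized = new URL(String(uri), BASE).href;
  } catch (e) {
    return 'unsafe:' + uri;                                  // unparseable: don't guess
  }
  return whitelist.test(normalized) ? normalized : 'unsafe:' + normalized;
}

const SAMPLE_HREFS = [                                       // constructed inputs
  'https://example.com/profile',
  '/account/settings',
  'mailto:help@example.com',
  'javascript:alert(document.cookie)',
  '  JaVaScRiPt:alert(1)',                                   // case + leading spaces
  'java\tscript:alert(1)',                                   // embedded tab
  'data:text/html,<script>alert(1)</script>',
  'vbscript:msgbox(1)',
];

function classify(hrefs = SAMPLE_HREFS) {
  return hrefs.map((h) => {
    const out = sanitizeUri(h);
    return { input: h, output: out, blocked: out.startsWith('unsafe:') };
  });
}

for (const r of classify()) console.log(r.blocked ? 'BLOCKED' : 'ok     ', JSON.stringify(r.input), '->', r.output);
```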
- RabbitMQ...pretty much all it was about.
- Batch Processing
- multiplexed streams
- flow control
- server push
- header compression (HPACK): reduces the general overhead of making http requests
- many requests in flight over one open socket (HTTP/1.1 handles one request at a time per connection, which is why browsers open several connections per host)
- frames : each stream is made up of many frames; the 9-byte frame header carries the length (24 bits), type, flags and the stream identifier (31 bits after one reserved bit)
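Added example (not from the talk): encoding and decoding the HTTP/2 frame header from RFC 7540 section 4.1, then demultiplexing several interleaved streams out of one connection buffer, with the two checks a receiver needs: reject frames over SETTINGS_MAX_FRAME_SIZE and hold back a truncated trailing frame. The connection buffer is constructed; payloads are plain text standing in for real HEADERS/DATA payloads and no HPACK decoding is attempted.

```javascript
// Added HTTP/2 frame header codec and stream demultiplexer (not from the talk).

const FRAME_HEADER_LEN = 9;
const DEFAULT_MAX_FRAME_SIZE = 16384;                      // SETTINGS_MAX_FRAME_SIZE initial value
const FRAME_TYPES = { 0: 'DATA', 1: 'HEADERS', 4: 'SETTINGS', 8: 'WINDOW_UPDATE' };
const FLAG_END_STREAM = 0x1;

// Header layout: Length(24) | Type(8) | Flags(8) | R(1) + Stream Identifier(31)
function encodeFrame(type, flags, streamId, payload) {
  const buf = Buffer.alloc(FRAME_HEADER_LEN + payload.length);
  buf.writeUIntBE(payload.length, 0, 3);
  buf.writeUInt8(type, 3);
  buf.writeUInt8(flags, 4);
  buf.writeUInt32BE(streamId & 0x7fffffff, 5);             // sender keeps the reserved bit 0
  payload.copy(buf, FRAME_HEADER_LEN);
  return buf;
}

function decodeFrameHeader(buf, offset) {
  return {
    length: buf.readUIntBE(offset, 3),
    type: buf.readUInt8(offset + 3),
    flags: buf.readUInt8(offset + 4),
    streamId: buf.readUInt32BE(offset + 5) & 0x7fffffff,   // receiver MUST ignore the R bit
  };
}

// Walk a connection buffer and group payloads by stream. An oversized frame is a
// FRAME_SIZE_ERROR; a truncated trailing frame is left for the next read.
function demux(buf, maxFrameSize = DEFAULT_MAX_FRAME_SIZE) {
  const streams = new Map();
  const frames = [];
  let offset = 0;
  while (buf.length - offset >= FRAME_HEADER_LEN) {
    const h = decodeFrameHeader(buf, offset);
    if (h.length > maxFrameSize) throw new Error(`FRAME_SIZE_ERROR: ${h.length} > ${maxFrameSize}`);
    if (buf.length - offset < FRAME_HEADER_LEN + h.length) break;          // incomplete frame
    const payload = buf.subarray(offset + FRAME_HEADER_LEN, offset + FRAME_HEADER_LEN + h.length);
    frames.push({ ...h, typeName: FRAME_TYPES[h.type] || `0x${h.type.toString(16)}` });
    if (h.streamId !== 0) {                                 // stream 0 is the connection itself
      const s = streams.get(h.streamId) || { chunks: [], ended: false };
      s.chunks.push(payload);
      if (h.flags & FLAG_END_STREAM) s.ended = true;
      streams.set(h.streamId, s);
    }
    offset += FRAME_HEADER_LEN + h.length;
  }
  return { frames, streams, remaining: buf.length - offset };
}

// Constructed connection buffer: a SETTINGS frame on stream 0, two client
// streams (odd ids) interleaved frame by frame, and one half-received frame.
function sampleConnection() {
  return Buffer.concat([
    encodeFrame(4, 0, 0, Buffer.alloc(0)),                         // SETTINGS, empty
    encodeFrame(1, 0, 1, Buffer.from('GET /a ')),                  // stream 1 "headers"
    encodeFrame(1, 0, 3, Buffer.from('GET /b ')),                  // stream 3 interleaved
    encodeFrame(0, FLAG_END_STREAM, 1, Buffer.from('done')),       // stream 1 finishes
    encodeFrame(0, FLAG_END_STREAM, 3, Buffer.from('done')),       // stream 3 finishes
    encodeFrame(0, 0, 5, Buffer.from('partial')).subarray(0, 12),  // header + 3 of 7 payload bytes
  ]);
}

function streamText(result, id) {
  const s = result.streams.get(id);
  return s ? Buffer.concat(s.chunks).toString() : null;
}

const result = demux(sampleConnection());
for (const f of result.frames) console.log(`stream ${f.streamId} ${f.typeName} len=${f.length} flags=${f.flags}`);
console.log('stream 1:', streamText(result, 1), '| stream 3:', streamText(result, 3), '| bytes held back:', result.remaining);
```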
knapsack problem - Indiana Jones & the Temple of Doom (get as much treasure as possible out of the room before the ceiling collapses)
- example showed various items with their respective weights and grabbed the item with the greatest weight
- greedy algorithm - grab the most valuable-looking item at each step; it never revisits a choice, so it can miss the best total
- the main thing is to break the problem up into sub-problems
best path algorithm (example: the Chutes and Ladders game)
- dynamic solution approach
- figures out the distance from the start of the board
- checks
Umm yeah...really basic stuff.