Secure Development Trainings

SCJS – DevSec JS Masterclass

Everything you need to create secure JavaScript code. Start now by enrolling in this course!

Online

Trainers

Davide Cioccia

Founder and Principal Security Architect @DCODX

Hi there! I’m Davide Cioccia, founder of DCODX, an ethical hacking and DevSecOps consulting and coaching firm. Besides helping companies implement their Sec in DevOps, I’m also a developer of security tools (check our GitHub), an OWASP Mobile Security Testing Guide contributor and DevSecCon Chapter Lead for the Netherlands. You can find my talks at security conferences like BlackHat, OWASP AppSec, DevSecCon, DevDays Europe and more online, together with some CVEs disclosed to Microsoft and other big vendors. Enjoy my course :)

Course overview

Are you ready to become a guardian of JavaScript fortresses? Delve into the intricate world of JavaScript security with our comprehensive training program, “JSCP – DevSec JavaScript Masterclass.” Designed for developers, security engineers, and professionals seeking to elevate their skills, this course is your pathway to effectively identify and mitigate vulnerabilities in Node.js and ReactJS applications. Our training is meticulously crafted based on industry standards such as the OWASP Top 10 2021 and the OWASP ASVS v4. Drawing on real-world vulnerabilities, bug bounties, and infamous hacks, we provide practical references that bring the concepts to life. You’ll engage in immersive, hands-on labs featuring varying levels of complexity, tailored to cater to individuals at all proficiency levels – from beginners to advanced practitioners. Through this transformative program, you will:
  • Enhance your ability to perform thorough and effective secure code reviews.
  • Strengthen your expertise in conducting security peer reviews for pull requests.
  • Master the art of exploiting vulnerabilities in JavaScript applications.
  • Familiarize yourself with the OWASP standards and industry best practices.
  • Acquire a deep understanding of the OWASP Top 10 2021 and the OWASP ASVS v4.
  • Develop a security-conscious mindset to embed protection into every aspect of your code.

Prerequisites

  • Knowledge of JavaScript or TypeScript for both client-side and server-side programming
  • Familiarity with frontend JS frameworks (ReactJS, Vue.js …)
  • Interest in security

Target audience

  • Security Engineers
  • Security Champions
  • DevOps
  • Developers

Tools used

  • Any IDE
  • Docker (docker-compose)
  • Burp Suite Community edition
  • Semgrep
  • Coffee or Tea ☕️

Syllabus

Secure coding introduction

  • Secure coding principles
  • From SDLC to SSDLC
  • OWASP Top 10 2021 and OWASP ASVS: security requirements
  • CVSS: how to rate vulnerabilities

ReactJS security

  • Security Headers
  • LAB: XSS and dangerous JavaScript React functions
  • LAB: Attacking Local Storage vs Cookies
  • Content-Security-Policy best practices and limits
  • LAB: Client-side open redirect
  • React Security Framework

Authorization and Broken Access Control in NodeJS

  • Attacking JWT (JSON Web Tokens)
  • LAB: JWT None algorithm attacks
  • LAB: Secret bruteforce
  • LAB: Signature validation failures
  • LAB: IDOR (Insecure Direct Object Reference)
  • LAB: Path Traversal
  • LAB: CSRF (Cross-Site Request Forgery)
  • LAB: Prototype pollution attack

Server-Side Injections in NodeJS

  • LAB: SQL injections
  • Bypassing prepared statements in mysqljs
  • LAB: Command injection
  • LAB: Code and Object Injection
  • LAB: Server-Side Request Forgery
  • LAB: NoSQL injections
  • LAB: Local and remote file inclusion
  • LAB: Server-Side Template Injections

Vulnerable and Outdated Dependencies

  • Dependency graphs
  • The importance of SCA (Software Composition Analysis)
  • LAB: Detecting known vulnerabilities using Snyk
  • Integrating SCA in the CI/CD pipeline
  • npm audit and npm update
  • Detecting vulnerabilities in Node and React using SCA

Scanning your code using Semgrep

  • Semgrep basics
  • LAB: Semgrep for NodeJS: how to write rules
  • Semgrep automation in CI/CD