null Bachaav | Client-Side JavaScript Security | 21st December 2013

Client-Side JavaScript Security

Bachaav sessions are free to attend but only with prior invitation. Participants will be selected based on how they fill the registration form. All applications are evaluated by the Bachaav Champion to select those who the Champion thinks will get the most from the session. Only selected applicants will be emailed further details. Even though we would like to get everyone to attend, sometimes the topic at hand requires extensive knowledge of the subject and this means that the Champion may not feel confident to have an applicant in the session.


Session Introduction

This session will cover a small part of JavaScript security, which is of prime importance nowadays. Today, JavaScript is the only language which runs on every machine by default, owing to the fact that it is the scripting language of the browsers. Due to the not so awesome nature of earlier ECMAScript versions and a very quirky implementation of the Document Object Model (DOM) in the browser, dealing with JavaScript code can become very tricky at times.

If you have ever wondered about the security implications that lie beneath these quirky behaviors, this session is totally for you. Talking about client-side browser security for a whole day would be cool, but how about we make it more relevant to our day-to-day web applications?

The session would concentrate on:

  • Fixing browser based injection attacks like DOM XSS
  • Sandboxing the DOM properties
  • Implications of polluting the global namespace
  • Thought process of bypassing XSS filters and then fixing them

Since defending requires a very good understanding of what the attack surface is like, we make sure that the attacking part is completely covered as a primer before defending anything. You don’t need to be a Mutation XSS expert to attend this. As long as you know what JavaScript is and have written basic web applications, you will find this useful and interesting.


Prerequisites

  • Basic knowledge of JavaScript
  • Have written a few basic web applications

Bachaav Champion | @skeptic_fx

Nafeez Ahamed works as a security engineer solving exciting and new problems in the security space. His areas of expertise include client-side security and network security. Most of his time is spent trying to find new ways to defend things in the browser. He feels that defending anything is much harder than attacking, especially if you know what the sophisticated attackers are up to.
