AppSec Europe 2018 has ended
Friday, July 6 • 1:30pm - 2:15pm
A Methodology for Assessing JavaScript Software Protections


JavaScript is a highly dynamic language. At runtime, functions and event handlers can be redefined, and new code can be parsed and executed. While these properties offer a lot of flexibility, they are a nightmare when it comes to security. First, they are powerful weapons for an adversary. But they also make building tamper-resistance and obfuscation techniques a lot harder. As a result, determining whether a given protection is strong or weak is a daunting task for an application developer or security practitioner.
In this talk, we explore the peculiarities of protecting JavaScript and how it differs from protecting native code. We then dive into a couple of protected JavaScript examples, demonstrate different attack techniques (e.g. partial evaluation), and investigate their potential for reverse engineering and tampering. We’ll go through different tamper-resistance and obfuscation techniques and test their resilience against modern reverse engineering techniques.
We’ll propose a methodology to help security practitioners evaluate JavaScript code protection. The need to assess software protections has recently been recognized by the OWASP Mobile Security Testing Guide. We provide pointers on what to look for in JavaScript code protection, what real value you can get from it, and when it makes sense to use it and when it doesn’t.
Expect a highly technical talk, with several demos, including live reverse engineering of protected JavaScript. In the end, you will have learned how to assess the value of available JavaScript code protection techniques.

Pedro Fortuna

CTO and Founder, Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company product...

Friday July 6, 2018 1:30pm - 2:15pm BST
St James- 4th Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE