We’re constantly expanding our toolset in the security research group. Whether it’s developing applications to track specific trends, analyzing attack data, or experimenting with new attack vectors, we always have to write new code. And solving interesting problems – pattern recognition, analyzing big data sets, self-learning algorithms – requires novel tools.
Recently, we wanted to rewrite and improve our supporting back office system that we use to keep track of different HTTP headers we encounter in our CDN. The app also needs to let multiple users update action items and data, and generate custom content (signatures, regexes, and such) with as little effort as possible.
Our choices were: use an existing tool or build a specific tool for the job. We decided it would be a good time to give AureliaJS a try. The deciding factors were:
- It needs to be a CRUD (create, read, update, delete) application using NodeJS to integrate with other parts of the app.
- Several researchers need to access it from one central location so writing this as an internal web application would be ideal.
- We’d like to keep adding more functionality and “UX shortcuts” to the system, which aren’t always trivial to add in systems such as Splunk.
- And most important, we wanted to give AureliaJS a try ever since we heard about it. We’ve heard it’s “futuristic,” has a compact design, and we feel we can grow our system as the framework grows.
As with other decisions, developing secondary internal applications is a great chance to explore new technologies. We can evaluate the technologies as a team and keep on top of current releases. After experimenting with a new technology, we can either “let it be” for the time being, or start implementing it on a larger scale.
Working with AureliaJS
Aurelia uses extensible HTML, so you can extend HTML controls and add inline binding and dynamically loaded information. If you’re familiar with platforms like Angular and React, you may find Aurelia an interesting technology to check out. Compared to Angular, it gives you more minimalistic code.
All modern web browsers support AureliaJS. It can be used on its own, but for our first project we decided on the default setup of developing with NodeJS and NPM, to make installation and usage as simple as possible.
It requires the following prerequisites:
- NodeJS is not required, but would be really annoying not to use
- Package manager – again, you can do without if you like wasting your time
Providing a tutorial of coding with AureliaJS is beyond the scope of this article, but it’s a very straightforward platform. The tutorial at Aurelia.io gets you up to speed pretty fast, and goes through the routing used in the framework, and how to add modules, views and routes to the web application. You can also build upon the skeleton project available here, which gives you a head start with your app.
Aurelia works with MVVM architecture, which makes it easy to separate UX development and backend development. For every page (or module), we create two files – one for writing the Model (which will contain the “logic” of that page), and one for the ViewModel, which will contain the design in which the content will be displayed (the HTML content). The ViewModel can also have programmatic functionality — for making iterations, Boolean assertions, and more.
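To make the two-files-per-page split concrete, here is a small page from a header-tracking app of the kind described above, written as an added example rather than code from the original post or from the Aurelia project. The JavaScript file holds the logic (Aurelia’s own documentation calls this file the view-model and the HTML file the view); the HTML file binds to its properties and methods with Aurelia’s `value.bind`, `repeat.for` and `click.trigger` syntax. The header list, the page name and the signature format are constructed assumptions for the demo, and the HTML is kept in a string constant so the file runs as one script.

```javascript
// Added example (not the post's own code): one Aurelia page as its two files.
// headers.js holds the page's logic; headers.html holds the markup bound to it.
// In the real app the class is declared `export class HeadersPage`; it is left
// unexported here so the file runs as a plain script.

// ---- headers.js ----
class HeadersPage {
  constructor() {
    // Constructed sample of headers seen by the CDN; each one is an action item.
    this.headers = [
      { name: 'X-Forwarded-For', seen: 1200, reviewed: false },
      { name: 'X-Requested-With', seen: 300, reviewed: true },
      { name: 'X-Custom-Debug', seen: 4, reviewed: false },
    ];
    this.filter = ''; // bound two-way to the filter input in the view
  }

  // Computed list the view iterates over (case-insensitive name filter).
  get visible() {
    const q = this.filter.toLowerCase();
    return this.headers.filter(h => h.name.toLowerCase().includes(q));
  }

  // Called from the view's click.trigger; returns how many items are still open.
  markReviewed(header) {
    header.reviewed = true;
    return this.headers.filter(h => !h.reviewed).length;
  }

  // Generates a signature snippet for a header. The rule syntax is an
  // assumption for this example, not a real product's format.
  signatureFor(header) {
    return `header_name == "${header.name.toLowerCase()}"`;
  }
}

// ---- headers.html ----
// Kept as a string so this file runs; in the app it is a separate .html file.
// `${...}` interpolation renders text (HTML-escaped), which is why it is the
// safe way to show header values; only innerhtml binding would render markup.
const headersView = `
<template>
  <input type="text" value.bind="filter" placeholder="filter by name">
  <table>
    <tr repeat.for="h of visible">
      <td>\${h.name}</td>
      <td>\${h.seen}</td>
      <td><button click.trigger="markReviewed(h)" disabled.bind="h.reviewed">reviewed</button></td>
      <td><code>\${signatureFor(h)}</code></td>
    </tr>
  </table>
</template>`;
```

Aurelia pairs the two files by name, so `headers.js` and `headers.html` become one routable module; everything the view references (`filter`, `visible`, `markReviewed`, `signatureFor`) is a property or method of the class, and nothing in the view touches the DOM directly.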
Future of AureliaJS
We asked Rob Eisenberg, founder of Aurelia, to name the main improvements he thinks Aurelia needs in 2016. According to Eisenberg, Aurelia needs to upgrade its documentation, and its “Getting Started” documentation in particular, to appeal to a wider range of developers. In addition, support in development tools should be improved.
So – what is the team at Durandal occupied with now? Currently they’re working on new tools that will help developers create robust AureliaJS apps more easily. In addition, they’re working on an upcoming Aurelia Interface library.
Eisenberg is happy with the reaction he’s getting from the developers. “We’ve got a great community, lots of real apps in development, and a growing commercial offering,” he says. “Our biggest challenge is in continuing to get the word out about Aurelia so that more developers know that it exists.”
Security Tips for AureliaJS Web Applications
We’d like to share a few guidelines when using AureliaJS to develop web applications. A lot of these practices are true when developing and securing any web application, and please feel free to send in additional tips from your experience in the comments section.
- As with all web applications, we advise that you use HTTPS with up-to-date protocols and ciphers. This encrypts the data transferred between the client and the server (to prevent man-in-the-middle attacks) and lets the client verify that it is connected to a trusted source.
- When you’re making API calls, make sure each call is authenticated and authorized (unless it is an anonymous API call). In other words, for each call you need to verify that the user is an authenticated user in the system and is authorized to perform the action.
- Limit cross-domain requests for your resources by keeping your CORS (cross-origin resource sharing) policy strict, so that pages on other origins cannot read your API’s responses.
- When building forms, such as login forms, use protection against automation-based attacks (for example, rate limiting password checks to counter brute-force attacks).
- Avoid binding values to innerHTML, as this can let attackers perform XSS (cross-site scripting) attacks on your web application.
- Any time you’re dynamically creating and compiling client-side templates based on user input, make sure that the content contains no scripts (which may be used for cross-site scripting attacks) or Aurelia binding tags (which may be used for template injection attacks). The same goes for templates created on the server for later use.
- Before deploying to production, use bundling and obfuscation on the source files. Client-side code is still client-side code (and available to potential attackers), but there’s no point in leaving low-hanging fruit that lets hackers see exactly what goes where and why.
- Avoid publishing the source files of the AureliaJS project. This seems like a basic rule, but in my experience as a hacker, it was surprising to see the number of products that shipped with source code in them that was not needed.
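The following is an added example (not code from the original post) that implements four of the tips above as plain NodeJS functions for the API behind an Aurelia app: an exact-match origin allowlist for CORS, a per-call authentication and authorization check, a fixed-window login attempt counter, and a vetting step for user-supplied text that might end up inside a compiled template. The allowlisted origin, the role names, the attempt limit and the window length are constructed assumptions; the binding-syntax pattern covers Aurelia’s `${...}` interpolation and its `.bind`/`.trigger`/`.delegate`/`.call`/`repeat.for` attribute forms.

```javascript
// Added example: server-side guards for an Aurelia app's NodeJS API.
// All origins, roles, limits and sample inputs below are constructed for the demo.

// 1. Cross-origin requests: only exact, pre-approved origins get CORS headers.
//    No "*" and no reflecting whatever Origin header the request carries.
const ALLOWED_ORIGINS = new Set(['https://headers.internal.example']); // constructed

function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

function corsHeadersFor(origin) {
  if (!isAllowedOrigin(origin)) return {}; // no ACAO header: the browser blocks the read
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin', // caches must not serve one origin's response to another
    'Access-Control-Allow-Credentials': 'true',
  };
}

// 2. Every API call is authenticated and authorized before a handler runs:
//    no session -> 401; a role that cannot perform the action -> 403.
const ROLE_ACTIONS = { // constructed role model
  viewer: new Set(['read']),
  researcher: new Set(['read', 'update']),
  admin: new Set(['read', 'update', 'delete']),
};

function authorize(session, action) {
  if (!session || !session.userId) return { ok: false, status: 401 };
  const allowed = ROLE_ACTIONS[session.role];
  if (!allowed || !allowed.has(action)) return { ok: false, status: 403 };
  return { ok: true, status: 200 };
}

// 3. Login form: fixed-window attempt counter per account to blunt brute force.
const MAX_ATTEMPTS = 5;                 // constructed limit
const WINDOW_MS = 15 * 60 * 1000;       // constructed window: 15 minutes
const attempts = new Map();             // key -> { count, windowStart }

function recordLoginAttempt(key, now = Date.now()) {
  const entry = attempts.get(key);
  if (!entry || now - entry.windowStart > WINDOW_MS) {
    attempts.set(key, { count: 1, windowStart: now }); // start a fresh window
    return { allowed: true, remaining: MAX_ATTEMPTS - 1 };
  }
  entry.count += 1;
  return { allowed: entry.count <= MAX_ATTEMPTS, remaining: Math.max(0, MAX_ATTEMPTS - entry.count) };
}

// 4. Text that will be compiled into a template: HTML-escape it so any markup
//    (including <script>) renders as literal text, and refuse anything that
//    still looks like Aurelia binding syntax, since escaping does not stop
//    `${...}` from being evaluated by the template compiler.
const BINDING_PATTERN = /\$\{|\b\w+\.(bind|one-way|two-way|one-time|trigger|delegate|call|for)\b|<template\b/i;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function vetTemplateInput(text) {
  if (BINDING_PATTERN.test(text)) return { ok: false, reason: 'binding syntax not allowed' };
  return { ok: true, text: escapeHtml(text) };
}
```

The origin check deliberately compares whole strings rather than prefixes or patterns, so `https://headers.internal.example.attacker.test` does not match; `authorize` runs before the handler so the check cannot be forgotten per route; and `vetTemplateInput` rejects rather than tries to repair binding syntax, because a partially stripped `${` is exactly the kind of input that gets reassembled into a template injection.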
Along with developing secure web applications, using a leading web application firewall is a must nowadays. Web attacks keep evolving (our WAF is updated several times each week with new security rules), and so do our defenses.
Have you used AureliaJS or any other new and cool technologies to build apps? Let us know if you’d like to share your story or a tip.