# JavaScript and Browser Basics

The importance of understanding how web applications work is key to application security and vulnerability assessments. There isn't a book big enough to teach you all the ways in which a modern web application could be compromised. Understanding the basics of how applications work, the tools to assist you, and creative thinking when figuring out how to "break things" are the keys to success.

** Understand the desired behavior and then try to achieve unintended behaviors from there. **

### HTTP Requests
  - Remember that web applications are 99.9% HTTP traffic
  - Remember that HTTP is a stateless protocol
  - Remember that HTTP has 4 main utilities:
      - CRUD/HTTP method mappings
        - Create/POST
        - Read/GET
        - Update/PUT
        - Delete/DELETE
      - Lesser known HTTP methods
        - HEAD
        - CONNECT
        - TRACE
        - OPTIONS
    
### JavaScript
  - What is it?
  - What do we use it for?
  - ALL browser based applications these days are powered by JavaScript and the following technologies
  - Flash, NetBeans, etc... are all dead or dying
  - JavaScript is King
  - What is a SPA(Single Page Application)?
      - What frameworks are being used?
      - What version of framework is being used?
  
### How is JavaScript executed in the browser
  - JavaScript files referenced by the HTML via `<script>` tags are executed as soon as they're downloaded
  - Any embedded JavaScript code within the HTML document with an opening and closing `<script></script>` tag pair is executed as soon as it is encountered in the HTML
  
```javascript
<script src="/js/main.js" type="text/javascript" />
<script src="https://someotherdomain.com/js/somelibrary.js" type="text/javascript" />
```
  
```javascript
<script>
    alert('hello hacker');
</script>
```
  
### Things to know about modern applications
  - AJAX/XHR (Asynchronous JavaScript and XML)
      - Used to make roundtrip calls to servers without page reloads, often undetected
  - Local Storage
      - Used to store information/data that the application needs on the client
  - Cookies/Sessions
      - Used to maintain state in a stateless protocol
      - Can't have users login every time they make a request
  - Query String Parameters
      - A method to pass data back to the server without using a POST request and a `<form>`

### Browser Developer Tools
  - Network tab
    - What resources are being loaded
    - XHR
    - View Request and Response headers and data
  - Sources tab
    - Good for exploring code
    - Obfuscation/De-obsfucation
    - Debugging/Breakpoints
  - Console
    - Execute any JavaScript
    - `console.log` output
    - `window.*` - Show all variables/functions in browser scope
  - HTML inspector/Elements tab
    - Event Listeners
    - Things to look for:
        - Form routes
        - Dynamic content
        - URL paths
        - "break stuff"
  - Application
      - Storage -> Local Storage
          - Stores data with no expiration date, and gets cleared only through JavaScript, or clearing the Browser Cache / Locally Stored Data
      - Storage -> Session Storage
          - Similar to localStorage but expires when the browser closed (not the tab)
      - Storage -> Cookies
  
### Web Application Developer Tools
  - Browser inspector tools
  - Postman
  - cURL
  - Browser Extensions
    - What are browser extensions?
    - What access do they have?
    - Edit This Cookie
    - Wappalyzer
    - FoxyProxy(Google equivalent)
    - Others to note:
      - Ugly Email(not super related but interesting concept to discuss)
      - Privacy Badger
      - AdBlock
  - Proxy Tools
    - BurpSuite
    - OWASP ZAP
    
### Sessions
  - What are sessions?
  - How do sessions work?
  - Remember sessions are ALWAYS stored on the server
  
### Cookies and Local/Session Storage
  - What are cookies?
  - When/how are they sent?
      - Sent by server using the `Set-Cookie` HTTP header
  - Stored on browser/read by server
  - https://curl.haxx.se/docs/httpscripting.html#Cookie_Basics
  - What is Local Storage?
  - What is Session Storage?
  - Cookies are automatically sent back to the server on any request that matches the domain that set them
      - All cookies set for devleague.com with the Set-Cookie HTTP Response header will be sent by the browser to any request to devleague.com

### Postman/cURL
  - Postman
      - http://www.getpostman.com/
  - cURL
      - `apt-get install curl`
      - https://duckduckgo.com/?q=curl+commands&t=canonical&ia=cheatsheet&iax=1
      - Common flags:
          - `-d` Send data
          - `-L` Follow redirects
          - `-b` Send cookie file
          - `-c` Store cookies to file
          - `-H` Send custom headers
          - `-A` Specifies User Agent
      - https://curl.haxx.se/docs/httpscripting.html
  - What is fuzzing?
  
### How hard is it to get application data with JavaScript?

###### Retreive cookies:
```
document.cookie;
```

###### Retrieve cookies(in nice format):
```
document.cookie.split(';').reduce((cookies, cookie) => {
  let [ name, value ] = cookie.split('=').map(c => c.trim());
  cookies[name] = value;
  return cookies;
}, {});
```

###### Enumerate local storage:
```
for (var key in localStorage){
   console.log(key)
}
```

### Securing Cookies
- Cookie Attributes on Server
    - HttpOnly
        - Blocks the browser from being able to read the cookie
    - Secure
        - Only send the cookie over an HTTPS connection
        - Remember that even an image being requested over http will send the cookie, not just the main URL request
        
### Whitelabel Services