JavaScript and the AST

Generators in ECMAScript provide a way to write iterator functions using the yield keyword. This allows for writing functions that can be iterated over manually or used to create infinite streams. Generators also enable asynchronous programming using coroutines instead of callbacks. They allow for cooperative multitasking by starting multiple generator functions as "threads" that yield values in a nondeterministic order. Array comprehensions are also proposed as a shorthand for transforming arrays using generators.

Presentation I gave at a Rust Austin meetup in November 2018 about exploring different approaches for interpreting custom DSLs in Rust with varying speed characteristics and associated safety issues.

This document provides examples and explanations of JavaScript concepts including objects and arrays, functions and contexts, closures, inheritance, namespaces and scope, module patterns, and dispatching. It demonstrates creating and manipulating objects and arrays, defining functions, using closures, implementing inheritance with prototypes and Object.create, creating namespaces, revealing and constructor module patterns, and a publisher/subscriber dispatching example.

The document provides 11 powerful JavaScript tips and best practices for programmers, including using short-circuit evaluation to set default values, immediately invoked function expressions to avoid polluting the global namespace, and splice instead of delete to remove array items without leaving undefined holes.

This document discusses JavaScript unit testing with Jasmine. It provides an overview of Jasmine's syntax including describes, contexts, matches, spies and stubs. It also discusses tools that can be used with Jasmine like jasmine-jquery for DOM testing and jasmine-given for behavior-driven development style tests.

This document discusses using Jasmine to test JavaScript code. It describes Jasmine as a behavior driven development framework for JavaScript testing. It then provides instructions on installing Jasmine, creating spec files to contain test cases, and including source code files. The document uses an example of testing a master-slave checkbox relationship to demonstrate how to set up tests, DOM elements, and code the tests against the actual code implementation.

This talk discusses various issues of low-level PHP performance, such as: When is it more efficient to use arrays or objects? What causes catastrophic garbage collection? Does adding type annotations make PHP faster or slower? I will answer these types of question with a (shallow) dive into PHP internals, touching on various topics like value representation, bytecode optimization and GC.

This document discusses best practices for developing a chess game app called ChessMate. It covers topics like architecture patterns, design principles, testing practices, code quality, and project organization. Examples are provided to illustrate concepts like separation of concerns, dependency injection, protocol-oriented programming and value types vs reference types. The goal is to build a well-designed, extensible and maintainable chess app following industry standards.

Some tidbits about weird behavior and/or performance characteristics in PHP, in particular relating to object properties.

The document summarizes new features coming in PHP 7.4, including typed properties, arrow functions, the nullsafe operator, and array spread syntax. It also discusses future language features like property accessors and generics. Some deprecations are noted, such as changes to ternary operator and concatenation precedence to avoid ambiguity.

PHP 8.0 is expected to be released by the end of the year, so it’s time to take a first look at the next major version of PHP. Attributes, union types, and a just-in-time compiler are likely the flagship features of this release, but there are many more improvements to be excited about. As PHP 8.0 is a major version, this release also includes backwards-incompatible changes, many of which are centered around stricter error handling and more type safety. This talk will discuss new features already implemented in PHP 8, backwards-compatibility breaks to watch out for, as well as some features that are still under discussion.

1. The document discusses strategies for optimizing software costs, including the costs of introduction, change, and ownership over the lifetime of a project. 2. It emphasizes focusing on optimizing for cost of introduction early on, as this cost is relatively easy to optimize and loses relevance over time. However, cost of change increases exponentially and is most important to optimize for longer-term projects. 3. Cost of ownership involves ongoing maintenance and allows balancing the costs of introduction and change by selectively taking ownership of only necessary logic through techniques like testing and refactoring.

Great design patterns are reusable, modular expressions of what’s going on in your code. They allow you to communicate to other developers simply by the way you code, in addition to being easily maintainable themselves. Put simply, patterns are the available tools in the developer’s toolbox. In this presentation, I review a few common patterns, their advantages/disadvantages, and how they can be implemented. The source for this presentation can be found here: https://github.com/derekbrown/designpatterns

Love it or hate it, JavaScript is playing an increasingly important role in the next generation of web and mobile apps. As code continues to move from the server to the client, JavaScript is being used to do more than simple HTML manipulation. Be prepared for this transition and make sure the JavaScript you write is optimized and ready to perform on desktops and devices! In this session, you will learn ten practical tips that you can use today to write faster, more maintainable, memory friendly JavaScript.

The document discusses craftsmanship in software development. It provides examples of Wozniak's meticulous and perfectionist approach to engineering when designing Apple hardware and software. It also discusses different stages of craftsmanship like apprentice, journeyman, and master, and how these relate to becoming better at software development through continually learning, building, and improving skills. The emphasis is on cultivating high standards of quality and care in one's work.

Functional programming, though far from new, has gained much traction recently. Functional programming characteristics have started to appear in the PHP world, too. Microframeworks including Silex and Slim, middleware architectures (Stack) and even standards (PSR-7) rely on concepts such as lambdas, referential transparency and immutability, all of which come from functional programming. I’ll give you a crash course in Erlang, a pragmatic functional language to make you feel familiar with the functional paradigm. By comparing code samples between Erlang and PHP, you’ll find out how and why you should employ functional programming in your PHP applications. You’ll see that functional programming is nothing to be scared of. On the contrary, understanding its concepts broadens your programming horizon and provides you with valuable solutions to your problems.

The document discusses different approaches for handling asynchronous code in JavaScript, including callbacks, promises, and async/await. It provides examples of each approach, such as using callbacks for sequential asynchronous functions, chaining promises together, and using async/await to write asynchronous code that looks synchronous. It also addresses error handling with each approach, noting that while async/await code looks cleaner, error handling can be more complex so different options like try/catch blocks are demonstrated.

Shape Security analyzes 1.5 billion logins per week and protects 350 million user accounts. In 2016 alone, 1.6 billion credentials were leaked and sold or traded by criminals on dark web markets. Shape uses headless browsers like PhantomJS to automatically test leaked credentials on other sites, stopping over $1 billion in fraud losses in 2016. However, captchas intended to prevent automated attacks do not work and ruin the user experience.

Fraud is a key--and evolving--challenge facing security teams today. This presentations highlight tactics organizations can deploy to dramatically reduce incidents of fraud, provides a high-level, technical overview of client-side attacks and demonstrates how man-in-the-browser attacks operate, reveals two techniques that can be used by a Web application to detect infected clients, and discusses practical aspects of implementing these two methods and how to use the output of the detection process in the application.

This document discusses Content Security Policy (CSP), including the different levels of CSP, new directives introduced in each level, browser compatibility, common violations, and best practices for deployment. It provides an overview of CSP, how to implement it, common mistakes, analyzing violation reports, and backward compatibility considerations. Data on CSP policies used on the top 1,000,000 Alexa sites is presented, showing common errors, strictness of policies, and differences between XSS protection levels. Resources for further information and tools are listed.

Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system. In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats.  This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.

This presentation by Sergey Shekyan and Bei Zhang discusses offensive use of headless browsers tools, and how to counteract them in practice.

The document summarizes a seminar presentation on symbol table generation. It defines what a symbol table is, explaining that it collects information about identifiers in a source program like their storage allocation, type, and scope. This information includes the type of arguments for procedures, how arguments are passed, and the return type. A symbol table is necessary because declarations appear once but uses may be in many places, and it is used by compiler phases for type checking, verifying definitions are used correctly, and generating code.

This document summarizes security features in Microsoft Azure to prevent control-flow hijacking and arbitrary code generation. It describes Control Flow Guard, Arbitrary Code Guard, and Code Integrity Guard which enforce control flow integrity, prevent dynamic code generation and modification, and only allow signed code pages. It also discusses some known limitations and bypasses that Microsoft is working to address through additional security features like Control-flow Enforcement Technology (CET).

The document discusses the design of symbol tables used in compilers. It describes symbol tables as data structures that store information about identifiers from the source code, such as their names, attributes, and scopes. The analysis phase of a compiler constructs a symbol table by entering identifiers and attributes. The synthesis phase then uses the symbol table to check semantics and generate code. Symbol tables support nested scopes through a stack structure with a separate table for each scope.

Casting for not so strange Actos - A presentation about the Actors pattern and a look at prototypes in 4 different programming languages - Jruby (Celluloid), Erlang, Elixir and Scala (Akka) - Presented in "Strange Group Berlin" meetup on 12.03.2015 held at 6Wunderkinder

The following illustrates some of the common security challanges Node.js developers are up against. The presentation covers various types of JavaScript-related hacks and NoSQL injection hacking via Express and MongoDB.

The document discusses serializing EMF models with Xtext. It covers: - The new Xtext serializer is better than the old one in terms of errors, performance and deprecation. - Serialization is used for quickfixes, refactoring, persistence, generators and more. It guarantees syntactical correctness and handles comments/whitespace. - The serializer must parse a serialized model back to the original, and serialize modifications with minimal textual diffs. Ambiguities can cause parsing/serialization mismatches. - The architecture uses state machines and observer pattern. Hooks allow customizing cross-references, keywords, values and more during serialization.

JavaScript objects must implement certain standard properties and methods. Objects have a prototype property that is either an object or null, and prototype chains must have finite length. The typeof operator returns a string indicating the type of a variable or value. JavaScript supports basic types like undefined, null, boolean, number, string, and object. Functions are objects that can be called, and have properties like length and arguments. Variables declared with var have function scope, while variables assigned without var have global scope. Arrays, objects, and functions can be declared using various syntaxes. JavaScript uses prototypal inheritance rather than classes.

Represent major data manipulate API in jQuery 1.6; such as .data(), removeData(), index(), globalEval() and so no. Also, HTML5 data-* attributes. I will walk you through with diving into jQuery source code and find out the killing techniques used in jQuery.

Lets look at writing a new Struts 2 application from square one, using the Yahoo User Interface (YUI) Library on the front end, and Struts 2 on the backend. YUI provides the glitz and the glamour, and Struts 2 provides the dreary business logic, input validation, and text formatting.

Ajax is the web's hottest user interface. Struts is Java's most popular web framework. What happens when we put Ajax on Struts? In this session, we look at writing a new Struts 2 application from square one, using the Yahoo User Interface (YUI) Library on the front end, and Struts 2 on the backend. YUI provides the glitz and the glamour, and Struts 2 provides the dreary business logic, input validation, and text formatting. During the session, we will cover * How to integrate an Ajax UI with Struts 2 * Basics of the Yahoo User Interface (YUI) Library * Business services Struts can provide to an Ajax UI Who should attend: Ajax developers who would like to utilize Struts as a back-end, and Struts developers who would like to utilize Ajax as a front-end. To get the most from this session, some familiarity with an Ajax library, like YUI or Dojo, is helpful.

Slides supporting a talk on Swift and functional programming. These are not entirely free-standing, alas. Just come to the next talk! :)

Backbone.js gives structure to web applications by providing models, collections, views and connecting them to APIs. It includes models for representing and handling data, collections for managing multiple models, views for presenting data and handling user interaction, and connects everything to APIs. Using Backbone avoids callback soup and keeps logic separated. Many large sites use Backbone including GitHub, Medium, and Uber.

This document provides an overview of using the Backbone.js framework for client-side MVC applications. It discusses why Backbone is useful for structuring JavaScript applications, its core architecture including models, collections, views and routers. It also provides examples of how to convert jQuery code to use a Backbone-based approach and lists some real-world applications that use Backbone.

This document provides an overview of the Scala programming language, including what it is, its toolchain, basic syntax examples comparing it to Java, built-in support for XML, actors, and advantages and disadvantages. Scala is an object-functional language that runs on the JVM and is intended to be a "better Java". It has features like XML support, an actor model for concurrency, and combines object-oriented and functional programming paradigms, but its ecosystem and compiler can be slow and syntax for some functional features is verbose.

Philip Poots is a Ruby developer who works at Audacio.us. He focuses on structure frameworks, state applications, and speed with JavaScript.

This document contains a summary of jQuery secrets presented by Bastian Feder. It discusses various techniques including saving and removing state from DOM elements using jQuery.data() and jQuery.removeData(), extending jQuery functionality through plugins, and customizing AJAX requests and event handling. The presentation provides code examples for working with jQuery's data storage methods, namespaces, promises/deferreds, global AJAX settings, and extending jQuery.

This document discusses various jQuery secrets including: 1. Utilities for saving and removing state from DOM elements using jQuery.data() and jQuery.removeData(). 2. Hidden events like getData, setData, and changeData that are emitted when data is read, set, or changed on an element. 3. Extending jQuery with custom functions, properties, and AJAX shortcuts. 4. Binding custom events and namespaces, self-defined animation speeds, and extending jQuery plugins.

The document defines a LineChart class that extends the Chart class. The LineChart class constructor calls the parent constructor and draws the chart. The draw method builds a line chart from the series data using an SVG library, appends it to the canvas, and adds statistics for each data point by calling the parent addStats method. The getSerieData static method calculates max and average values for a data series. The class is exported for use in other code.

Sails.js is a realtime MVC framework for Node.js that is inspired by some of the best ideas behind Ruby on Rails and realtime frameworks like Meteor.js. In this presentation I'll overview getting started with Sails.js, its architecture and features, as well as some advice on place to look at when you are getting started. Learn a brand new way to think about web application development with Node.js!

The document describes the Backbone.js framework and how it can be used to build single page applications. It explains the core components of Backbone - Models, Collections, Views and Routers. It provides examples of initializing a Backbone application, defining models and collections, creating views to render data, and setting up routes and navigation. It also covers events, templating, and best practices for structuring Backbone code into separate JavaScript files for models, collections, views etc.

This document discusses best practices for developing Node.js applications. It recommends using frameworks like Express for building web apps, libraries like Async to avoid callback hell, and organizing code into modular sub-applications. It also covers testing, error handling, documentation, and open-sourcing projects. Standards like Felix's Style Guide and domain-driven design principles are advocated. Communication channels like events, HTTP APIs, and WebSockets are examined.

The document discusses code generation and abstract syntax tree (AST) transformations. It provides an overview of Project Lombok, a Java library that generates boilerplate code through annotation processing and AST transformations. It also discusses how to analyze and transform code by visiting and rewriting AST nodes, giving examples of checking for null checks and instanceof expressions.

This document introduces Scala and its key features. Scala is a JVM language that combines object-oriented and functional programming. It allows for concise code through features like type inference, method declaration simplification, and pattern matching. Scala supports both object-oriented concepts like classes and traits as well as functional programming with immutable data structures and higher-order functions. It also builds in support for concurrency through its Actor model. In summary, Scala aims to make code more concise while enabling functional and concurrent programming on the JVM.

This All Things Open 2022 talk shows how to use current-gen WebAssembly to build complex applications out of components.

This talk was given at AppSec California, January 2020. Credential stuffing and other automated attacks are evolving passed every defense thrown in their way. CAPTCHAs don't work, Fingerprints don't work, Magical AI-whatevers don't work. The value is just too great.

Slides for talk given at PasswordsCon Sweden 2019. Credentials Stuffing is an automated attack that exploits users who reuse passwords by taking breached credentials and replaying them across sites.

This document summarizes an analysis of an exploited NPM package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.

Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.

Deepfakes originally started as cheap costing but believable video effects and have expanded into AI-generated content of every format. This session dove into the state of deepfakes and how the technology highlights an exciting but dangerous future.

Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.

Workshop slides originally given at the WOPR Summit in Atlantic City. Use JavaScript parsers and generators like Shift combined with Puppeteer and Chrome to reverse engineer web applications

OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.

QCon SF 2016 security talk about who uses data from massive breaches (like Yahoo, Target), what tools they use, and what damage they inflict.

Talk given at Mozilla's first View Source Conference in Portland, 2015. Details out the parallels between graphics and game developments compared to traditional web development.

This document discusses the dark side of web security, including automated threats from bots and attackers. It notes that traditional security like flossing is difficult to measure effectiveness. It outlines the OWASP top 10 vulnerabilities and automated threats attackers use. While captchas are meant to stop bots, services have made bypassing captchas easier. If a site has value like money, data, or content, there is value in exploiting it. Detection of attacks is difficult as attackers use many proxies and fingerprints to avoid detection. Patching is not enough, and spikes in traffic from many IPs could indicate an attack.

The document discusses achieving maintainability in code through examining code quality with linters, generating visual reports on metrics like complexity and coverage, and automating processes like builds, linting, and testing through tools like Grunt and Gulp. It emphasizes setting limits on metrics like complexity, enforcing code style through automation, and treating documentation as important as code.

1) The document discusses achieving maintainability in code through analysis, automation, and enforcement of standards. 2) It recommends setting up linting, code coverage, and other analysis tools to examine code quality and automatically enforcing code style through build processes. 3) The key is to automate as many processes as possible like testing, linting, and documentation to make the code easy to work with and prevent issues from being introduced.

Slides for the keynote given at QCon Sao Paulo 2014. Talk goes into the problems scaling Riot and how we've tried to solve them as well as what we've learned from the web and what lies in store next.

This document discusses managing complexity in JavaScript projects. It addresses coming to terms with the challenges of dynamic languages being messy, having an immature tooling ecosystem, and rapid evolution. It emphasizes respecting code style conventions, enforcing linting rules, documenting code, and using metrics like cyclomatic complexity to reduce testing difficulty. The overall message is that perseverance is needed to tame JavaScript's complexity through automation, visualization, honesty and acceptance of its challenges and opportunities.

The document discusses web components, which include HTML templates, custom elements, shadow DOM, and HTML imports. Web components allow the creation of reusable custom elements with their own styles and DOM structure. They provide encapsulation and help avoid issues with global namespaces. While browser support is still emerging for some features, polyfills exist and frameworks like Polymer make web components accessible today. Web components represent an important evolution of the web that will improve how code is structured and shared.

These are the slides for the talk "Managing and Visualizing JavaScript Complexity" given at QCon SF 2013 by Jarrod Overson