Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Dheeraj Joshi
November 15, 2016
Technology
0
280

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.2k
Let's talk Security
djadmin
0
7k

Other Decks in Technology

See All in Technology
CDK使用歴1年の僕が現場でCDK導入するときに得たTips
miura55
0
280
私と Nature Remo E / Nature Remo E
orgachem
0
200
エンジニアのためのドキュメントライティング / Docs for Developers and Paragraph Writing
nttcom
3
400
数年先の金融DX/AI活用
abenben
1
230
Race Conditions em Microsserviços: Desmistificando um Problema Comum em Arquiteturas Distribuídas
jordihofc
0
220
ワイヤレス電力伝送について
sbtechnight
PRO
0
430
Snyk の紹介 〜セキュリティの Shift Left を目指す〜
toshiaizawa
0
110
スタートアップだからこそ考えるフロントエンドのテスト戦略
yoshinagaiwnl
4
550
Win Testing Trophy Easily / テスティングトロフィーを獲得する / PHPerKaigi 2023
k1low
1
130
AstroNvim を使おう!
ybrliiu
0
120
学びが形になる!〜DeNAで6年間プロダクト開発に携わって学んだこと〜
dena_tech
PRO
0
340
テスト技法を使ったテストケースの表現方法/How to express test cases using test techniques
shimashima35
0
260

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
396
64k
Debugging Ruby Performance
tmm1
67
11k
Building a Scalable Design System with Sketch
lauravandoore
451
31k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Faster Mobile Websites
deanohume
296
29k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
920
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
YesSQL, Process and Tooling at Scale
rocio
159
13k
Happy Clients
brianwarren
90
5.9k
Making Projects Easy
brettharned
102
4.9k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k

Transcript

  1. Let’s talk Security
    Beyond Scanning
    Dheeraj Joshi
    @dheerajhere

    View Slide

  2. ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player
    About Me

    View Slide

  3. More...
    Uber, CKEditor, Dropbox,
    MailChimp, Recruiterbox, InVision,
    DigitalOcean, Intuit, Groupon, etc.
    What makes me happy?

    View Slide

  4. In this talk...
    ● Why ?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● HTTP Security Headers
    ● Best Practices & Demo

    View Slide

  5. Why should we Care
    about Security?
    Startups & SMEs are known to cut
    corners. One of the first things they
    cut is ‘Security'.

    View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. Password Reuse
    Attacks

    View Slide

  10. HACKER PUTS HOSTING SERVICE “CODE
    SPACES” OUT OF BUSINESS
    The Shutdown

    View Slide

  11. CROSS SITE SCRIPTING - XSS
    ● XSS attack users
    ● Inject Malicious content
    ● Exploits can be real
    bad

    View Slide

  12. What is XSS?
    Typical Reflected XSS

    View Slide

  13. Stored XSS

    View Slide

  14. DOM XSS

    View Slide

  15. Hunt...
    ● Data Code
    ● Input Validation
    ● Check HTML Encoding
    ● Sanitizers
    ● Analyze places where DOM
    elements are created

    View Slide

  16. XSS via template injection
    Using Sandbox Bypasses
    http://blog.portswigger.net/2016/04/adapting-angularjs
    -payloads-to-exploit.html

    View Slide

  17. ● Check for HTTPOnly, Secure flag on Session
    Cookie

    View Slide

  18. CROSS-SITE REQUEST
    FORGERY (CSRF)

    View Slide

  19. Because the attack is carried out
    by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls
    CSRF Attacks

    View Slide

  20. ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json
    “CSRF Myths”
    Preventions that Won’t work

    View Slide

  21. XSS + CSRF = ?

    View Slide

  22. Content Security Policy (CSP)
    CSP Evaluator
    (https://csp-evaluator.withgoogle.com)

    View Slide

  23. HTTP Security headers
    ● Strict-Transport-Security:
    max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block
    ● X-Content-Type-Options: nosniff

    View Slide

  24. Defense
    ● Strategy - Integrate into SDLC
    ● Static Code Analysis
    ● Security Audits
    ● CTFs

    View Slide

  25. Show Time !

    View Slide

  26. Questions ?

    View Slide

  27. Thank you
    @dheerajhere
    @djadmin

    View Slide