Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Dheeraj Joshi Dheeraj Joshi
November 15, 2016
Technology
0
480

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Avatar for Dheeraj Joshi

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
Avatar for Dheeraj Joshi djadmin
0
6.7k
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.6k

Other Decks in Technology

See All in Technology
開発チームとQAエンジニアの新しい協業モデル -年末調整開発チームで実践する【QAリード施策】-
Avatar for kaomi kaomi_wombat
0
200
CyberAgentの生成AI戦略 〜変わるものと変わらないもの〜
Avatar for katayan katayan
0
280
バクラク最古参プロダクトで重ねた技術投資を振り返る
Avatar for ypresto ypresto
0
200
Zero Data Loss Autonomous Recovery Service サービス概要
Avatar for oracle4engineer oracle4engineer
PRO
2
13k
テストプロセスにおけるAI活用 :人間とAIの共存
Avatar for hacomono Inc. hacomono
PRO
0
130
20年以上続く PHP 大規模プロダクトを Kubernetes へ ── クラウド基盤刷新プロジェクトの4年間
Avatar for Yuichi Sugiyama oogfranz
PRO
0
150
「コントロールの三分法」で考える「コト」への向き合い方 / phperkaigi2026
Avatar for blue_goheimochi blue_goheimochi
0
120
俺の/私の最強アーキテクチャ決定戦開催 ― チームで新しいアーキテクチャに適合していくために / 20260322 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
380
20260321_エンベディングってなに?RAGってなに?エンベディングの説明とGemini Embedding 2 の紹介
Avatar for tsho tsho
0
140
visionOS 開発向けの MCP / Skills をつくり続けることで XR の探究と学習を最大化
Avatar for kazuhiro hara karad
1
1.2k
OpenClaw を Amazon Lightsail で動かす理由
Avatar for Uechi Shingo uechishingo
0
250
Agent Skill 是什麼?對軟體產業帶來的變化
Avatar for Bo-Yi Wu appleboy
0
180

Featured

See All Featured
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
860
Visual Storytelling: How to be a Superhuman Communicator
Avatar for David Neal reverentgeek
2
480
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon Słowik szymonslowik
1
980
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.7k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.6k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
378
71k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
200
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
275
41k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
AI: The stuff that nobody shows you
Avatar for John Nunemaker jnunemaker
PRO
3
460
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
340
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
75
11k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin