Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Dheeraj Joshi
November 15, 2016
Technology
0
430

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.4k
Let's talk Security
djadmin
0
7.4k

Other Decks in Technology

See All in Technology
2024AWSで個人的にアツかったアップデート
nagisa53
1
100
KMP with Crashlytics
sansantech
PRO
0
240
Copilotの力を実感! 3ヶ月間の生成AI研修の試行錯誤&成功事例をご紹介。果たして得たものとは・・?
ktc_shiori
0
340
Cloudflareで実現する AIエージェント ワークフロー基盤
kmd09
0
280
商品レコメンドでのexplicit negative feedbackの活用
alpicola
1
340
Oracle Base Database Service:サービス概要のご紹介
oracle4engineer
PRO
1
16k
【NGK2025S】動物園(PINTO_model_zoo)に遊びに行こう
kazuhitotakahashi
0
220
今年一年で頑張ること / What I will do my best this year
pauli
1
220
iPadOS18でフローティングタブバーを解除してみた
sansantech
PRO
1
130
Formal Development of Operating Systems in Rust
riru
1
420
デジタルアイデンティティ技術 認可・ID連携・認証 応用 / 20250114-OIDF-J-EduWG-TechSWG
oidfj
2
630
EMConf JP の楽しみ方 / How to enjoy EMConf JP
pauli
2
150

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.6k
Making the Leap to Tech Lead
cromwellryan
133
9k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Building an army of robots
kneath
302
45k
Being A Developer After 40
akosma
89
590k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Learning to Love Humans: Emotional Interface Design
aarron
274
40k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
860
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Speed Design
sergeychernyshev
25
730

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin