Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
140

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.7k

Other Decks in Technology

See All in Technology
71c9ebde850996d2533c5df4df2c93c6?s=48 opdavies
0
170
325ce6fcd0a74ff78990b8632817da55?s=48 yukihirochiba
0
2.7k
C0c0e8e4d7f83912cb1b1a0699df82a5?s=48 miyakemito
0
160
E4159c65ac8decc882bfaf10088bd07e?s=48 daikimiura
5
1.7k
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
1
240
6afbe110d33ef7e859fb8649b86bae55?s=48 mashabow
0
120
D8e79ab09f15e69d600c00131bf7d2a9?s=48 yfutamura
0
720
E598c2f9a8e5c94eea0e6505b4233d81?s=48 tomohide_tanaka
1
600
05f8401462c2d4694f006634e970d577?s=48 ttakaguchi
0
110
4649f3418cb4e7b951ca28e65003c7ac?s=48 sumi
1
510
1f7f0085220d6e48e5bdbf9b199b847c?s=48 mmclsntr
0
110
2f73f93f91c4401b0baf12029226a681?s=48 tobachi
0
3.2k

Featured

See All Featured
B47b288784fda77a94aeb234ca743c24?s=48 keavy
108
14k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
12
900
Dad095ea7038f89f760419ce475d5d14?s=48 michaelherold
226
8.7k
78b475797a14c84799063c7cd073962f?s=48 holman
462
280k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
26
3.3k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
109
11k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
116
10k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
495
110k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
118
4.9k
C86443373fbfe92996aa882d0d7a59f8?s=48 imathis
479
150k
11c84dff30266b907714802088852677?s=48 jasonvnalue
82
8.2k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
238
23k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin