Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
130

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

Want more?

99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
5.9k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.7k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
10
560
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
2
280
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
190
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
360
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
7
230
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
310
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
580
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
170
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
250
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
61
250k

Transcript

  1. 1.

    Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. 2.

    • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me
  3. 3.

    More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?
  4. 4.

    In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo
  5. 5.

    Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. 6.
    None
  7. 7.
    None
  8. 8.
    None
  9. 9.

    Password Reuse Attacks

  10. 10.

    HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown
  11. 11.

    CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad
  12. 12.

    What is XSS? Typical Reflected XSS

  13. 13.

    Stored XSS

  14. 14.

    DOM XSS

  15. 15.

    Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created
  16. 16.

    XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. 17.

    • Check for HTTPOnly, Secure flag on Session Cookie

  18. 18.

    CROSS-SITE REQUEST FORGERY (CSRF)

  19. 19.

    Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
  20. 20.

    • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
  21. 21.

    XSS + CSRF = ?

  22. 22.

    Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. 23.

    HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff
  24. 24.

    Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs
  25. 25.

    Show Time !

  26. 26.

    Questions ?

  27. 27.

    Thank you @dheerajhere @djadmin