Beyond Scanning
Dheeraj Joshi
November 15, 2016
Technology
Slides from my talk at SeleniumConf UK 2016!
Transcript
Let's talk Security: Beyond Scanning
Dheeraj Joshi, @dheerajhere

About Me
• Front-End @
• Previously @
• Open Source (medium-cli)
• Ambidextrous TT Player
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.
What makes me happy?

In this talk...
• Why?
• Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• Content Security Policy (CSP)
• HTTP Security Headers
• Best Practices & Demo

Why should we care about Security?
Startups & SMEs are known to cut corners. One of the first things they cut is 'Security'.
Password Reuse Attacks
HACKER PUTS HOSTING SERVICE "CODE SPACES" OUT OF BUSINESS
The Shutdown
CROSS-SITE SCRIPTING (XSS)
• XSS attacks users
• Injects malicious content
• Exploits can be really bad

What is XSS?
Typical Reflected XSS
Stored XSS
DOM XSS
Hunt...
• Data <-> Code
• Input Validation
• Check HTML Encoding
• Sanitizers
• Analyze places where DOM elements are created

XSS via template injection: Using Sandbox Bypasses
http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html

• Check for HTTPOnly, Secure flag on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
CSRF Attacks
Because the attack is carried out by the victim, CSRF can bypass:
• HTTP Auth
• Session-based auth
• Firewalls

"CSRF Myths": Preventions that won't work
• Only accepting POST requests
• Referer Protection
• Multi-Step Transactions
• URL Rewriting
• application/json
XSS + CSRF = ?
Content Security Policy (CSP)
CSP Evaluator (https://csp-evaluator.withgoogle.com)

HTTP Security headers
• Strict-Transport-Security: max-age=16070400; includeSubDomains
• X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block
• X-Content-Type-Options: nosniff
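The cookie-flag check from the earlier slide and the four headers on this slide can be verified automatically once a test harness has collected a response's headers. The audit below is an added example, not code from the talk; it assumes headers arrive as a plain object keyed by lowercase name (Node's http.IncomingMessage#headers shape) and that the session cookie is named sessionid, and the sample responses are constructed.

```javascript
// Added example (not from the talk): audit a response's security headers and
// session-cookie flags against the settings the slides list. Input is a plain
// object of lowercase header names -> string (or array for set-cookie), the
// shape Node's http.IncomingMessage#headers uses; samples below are constructed.
const EXPECTED = {
  'x-frame-options': /^(deny|sameorigin)$/i,
  'x-content-type-options': /^nosniff$/i,
  'x-xss-protection': /^1;\s*mode=block$/i,
};
const SESSION_COOKIE = 'sessionid'; // assumed session cookie name for this example
function auditSecurityHeaders(headers) {
  const findings = [];
  const get = (name) => headers[name.toLowerCase()];
  for (const [name, pattern] of Object.entries(EXPECTED)) {
    const value = get(name);
    if (value === undefined) findings.push(`missing ${name}`);
    else if (!pattern.test(String(value).trim())) findings.push(`weak ${name}: ${value}`);
  }
  // HSTS: max-age at least the 16070400 s (~6 months) on the slide, plus includeSubDomains.
  const hsts = get('strict-transport-security');
  if (hsts === undefined) {
    findings.push('missing strict-transport-security');
  } else {
    const maxAge = Number((/max-age=(\d+)/i.exec(hsts) || [])[1]);
    if (!(maxAge >= 16070400)) findings.push(`hsts max-age too low: ${hsts}`);
    if (!/includesubdomains/i.test(hsts)) findings.push('hsts lacks includeSubDomains');
  }
  // Session cookie must carry both the HttpOnly and Secure attributes.
  const cookies = [].concat(get('set-cookie') || []);
  const session = cookies.find((c) => c.trim().toLowerCase().startsWith(SESSION_COOKIE + '='));
  if (!session) {
    findings.push('no session cookie set');
  } else {
    const attrs = session.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('httponly')) findings.push('session cookie lacks HttpOnly');
    if (!attrs.includes('secure')) findings.push('session cookie lacks Secure');
  }
  return findings;
}
// Constructed sample responses: one hardened as the slide recommends, one with gaps.
const HARDENED = {
  'strict-transport-security': 'max-age=16070400; includeSubDomains',
  'x-frame-options': 'deny', 'x-xss-protection': '1; mode=block',
  'x-content-type-options': 'nosniff',
  'set-cookie': ['sessionid=abc123; Path=/; HttpOnly; Secure'],
};
const WEAK = { 'strict-transport-security': 'max-age=300', 'x-frame-options': 'allowall',
  'set-cookie': ['sessionid=abc123; Path=/'] };
console.log(auditSecurityHeaders(WEAK)); // lists 7 gaps; auditSecurityHeaders(HARDENED) yields []
```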
Defense
• Strategy - Integrate into SDLC
• Static Code Analysis
• Security Audits
• CTFs
Show Time!
Questions?
Thank you @dheerajhere @djadmin