
Beyond Scanning

Dheeraj Joshi
November 15, 2016


Slides from my talk at SeleniumConf UK 2016!



Transcript

  1. In this talk...
     • Why?
     • Cross-site Scripting (XSS)
     • Cross-site Request Forgery (CSRF)
     • Content Security Policy (CSP)
     • HTTP Security Headers
     • Best Practices & Demo
  2. Why should we care about Security?
     Startups & SMEs are known to cut corners. One of the first things they cut is 'Security'.
  3. Cross-Site Scripting (XSS)
     • XSS attacks users
     • Injects malicious content
     • Exploits can be really bad
  4. Hunt...
     • Data <-> Code
     • Input validation
     • Check HTML encoding
     • Sanitizers
     • Analyze places where DOM elements are created
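The "Hunt" checklist above in working code, as an added example that is not part of the deck: an HTML encoder that keeps user data as data (the Data <-> Code point) beside the vulnerable concatenation it replaces, and a small scanner that lists the lines of a JavaScript source where a string is turned into DOM or executable code, which is where the slide says to look. The sample source and the XSS payload are constructed for the demo; the sink list is a starting point, not an exhaustive one.

```javascript
// Added example, not from the deck: two checks from the "Hunt" slide in code.
// (1) escapeHtml keeps user data as data so it never becomes markup (Data <-> Code).
// (2) findDomSinks lists lines in a JS source where a string becomes DOM or code,
//     i.e. the places where DOM elements are created that the slide says to analyze.
// Every input below is constructed for the demo.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode a value for an HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted data concatenated straight into markup.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Fixed pattern: every untrusted value is encoded for the context it lands in.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Sinks that parse a string as HTML or JavaScript. A hit is a place to review by
// hand, not automatically a bug: the question is whether untrusted data reaches it.
const DOM_SINKS = [
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /document\.write(ln)?\s*\(/,
  /\.insertAdjacentHTML\s*\(/,
  /\beval\s*\(/,
  /new\s+Function\s*\(/,
  /\$\([^)]*\)\.html\s*\(/,
];

// Return [{ line, code }] for every source line that contains a sink.
function findDomSinks(source) {
  const hits = [];
  source.split('\n').forEach((text, index) => {
    if (DOM_SINKS.some((sink) => sink.test(text))) {
      hits.push({ line: index + 1, code: text.trim() });
    }
  });
  return hits;
}

// Constructed front-end snippet to scan: an unsafe greeting, a safe one, and document.write.
const SAMPLE_SOURCE = [
  "const name = new URLSearchParams(location.search).get('name');",
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",
  "document.getElementById('greet2').textContent = 'Hi ' + name;",
  "document.write('<p>' + name + '</p>');",
].join('\n');

function demo() {
  const payload = '<img src=x onerror="alert(1)">';
  console.log(renderCommentUnsafe('mallory', payload)); // markup survives: XSS
  console.log(renderCommentSafe('mallory', payload));   // rendered as literal text
  console.log(findDomSinks(SAMPLE_SOURCE));             // lines 2 and 4 are sinks
}

demo();
```

The scanner flags line 2 (innerHTML) and line 4 (document.write) but not line 3, because textContent creates a text node and cannot introduce elements; that distinction is the "Data <-> Code" line of the slide. Encoding is context-specific: escapeHtml is correct for text and quoted attributes, not for data landing inside a script block, a URL or a CSS value.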
  5. CSRF Attacks
     Because the attack is carried out by the victim, CSRF can bypass:
     • HTTP Auth
     • Session-based auth
     • Firewalls
  6. "CSRF Myths": preventions that won't work
     • Only accepting POST requests
     • Referer protection
     • Multi-step transactions
     • URL rewriting
     • application/json
  7. Defense
     • Strategy: integrate security into the SDLC
     • Static code analysis
     • Security audits
     • CTFs