Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Beyond Scanning
Search
Dheeraj Joshi
November 15, 2016
Technology
0
350
Beyond Scanning
Slides from my talk at SeleniumConf UK 2016!
Dheeraj Joshi
November 15, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.3k
Let's talk Security
djadmin
0
7.2k
Other Decks in Technology
See All in Technology
DevOps Topologies 10 years on: what have we learned about silos, collaboration, and flow? - Matthew Skelton, Conflux
matthewskelton
PRO
2
420
SmartHR プロダクトエンジニア求人ガイド 2024上期
smarthr
0
140
AWS IAM の結果整合性を避けるためセッションポリシーを用いてポリシーの動作確認を行う、を解説する
yukihirochiba
0
380
プレイヤーとしてのチームのテスト力UP/Improving team skills for testing
goyoki
2
230
人工衛星管制システムにおけるCICD / CICD in satellite control systems
iselegant
5
900
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
4
34k
SecurityCamp2023基板作るコース講義資料/Security Camp 2023 Lecture Materials
tnishinaga
5
1.3k
君はApplication Composerというサービスを知っているか
tsukuboshi
1
520
GitHub Actions Runner Controller
takesection
0
110
[2024년 3월 세미나] 다른 회사는 퍼널 분석 어떻게 하고 있을까?
datarian
1
1.6k
技育祭2024春 LT Finatextホールディングス
kevinrobot34
1
120
B+木入門:PHPで理解する データベースインデックスの仕組み/b-plus-tree-101
hanhan1978
5
2.8k
Featured
See All Featured
Teambox: Starting and Learning
jrom
126
8.3k
GraphQLとの向き合い方2022年版
quramy
28
12k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
4
1.4k
Designing with Data
zakiwarfel
94
4.8k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.2k
Being A Developer After 40
akosma
56
580k
No one is an island. Learnings from fostering a developers community.
thoeni
14
2k
Faster Mobile Websites
deanohume
296
30k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
The Pragmatic Product Professional
lauravandoore
24
5.7k
KATA
mclloyd
14
11k
Transcript
Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,
etc. What makes me happy?
In this talk... • Why ? • Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo
Why should we Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
None
None
Password Reuse Attacks
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
Inject Malicious content • Exploits can be real bad
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Hunt... • Data <-> Code • Input Validation • Check
HTML Encoding • Sanitizers • Analyze places where DOM elements are created
XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html
• Check for HTTPOnly, Secure flag on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF = ?
Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)
HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff
Defense • Strategy - Integrate into SDLC • Static Code
Analysis • Security Audits • CTFs
Show Time !
Questions ?
Thank you @dheerajhere @djadmin