Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Beyond Scanning
Search
Dheeraj Joshi
November 15, 2016
Technology
0
470
Beyond Scanning
Slides from my talk at SeleniumConf UK 2016!
Dheeraj Joshi
November 15, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.6k
Let's talk Security
djadmin
0
7.5k
Other Decks in Technology
See All in Technology
モバイルゲーム開発におけるエージェント技術活用への試行錯誤 ~開発効率化へのアプローチの紹介と未来に向けた展望~
qualiarts
0
420
21st ACRi Webinar - Univ of Tokyo Presentation Slide (Ayumi Ohno)
nao_sumikawa
0
110
Claude Code Getting Started Guide(en)
oikon48
0
160
Bill One 開発エンジニア 紹介資料
sansan33
PRO
4
16k
タグ付きユニオン型を便利に使うテクニックとその注意点
uhyo
2
710
Multimodal AI Driving Solutions to Societal Challenges
keio_smilab
PRO
1
120
Modern Data Stack大好きマンが語るSnowflakeの魅力
sagara
0
290
その設計、 本当に価値を生んでますか?
shimomura
3
200
pmconf2025 - データを活用し「価値」へ繋げる
glorypulse
0
560
私のRails開発環境
yahonda
0
190
Agents IA : la nouvelle frontière des LLMs (Tech.Rocks Summit 2025)
glaforge
0
430
プロダクトマネジメントの分業が生む「デリバリーの渋滞」を解消するTPMの越境
recruitengineers
PRO
3
540
Featured
See All Featured
Designing for humans not robots
tammielis
254
26k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
359
30k
BBQ
matthewcrist
89
9.9k
Reflections from 52 weeks, 52 projects
jeffersonlam
355
21k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
10
700
Docker and Python
trallard
46
3.7k
Building Adaptive Systems
keathley
44
2.9k
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
380
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.5k
The Power of CSS Pseudo Elements
geoffreycrofte
80
6.1k
Unsuck your backbone
ammeep
671
58k
Thoughts on Productivity
jonyablonski
73
5k
Transcript
Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,
etc. What makes me happy?
In this talk... • Why ? • Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo
Why should we Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
None
None
Password Reuse Attacks
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
Inject Malicious content • Exploits can be real bad
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Hunt... • Data <-> Code • Input Validation • Check
HTML Encoding • Sanitizers • Analyze places where DOM elements are created
XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html
• Check for HTTPOnly, Secure flag on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF = ?
Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)
HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff
Defense • Strategy - Integrate into SDLC • Static Code
Analysis • Security Audits • CTFs
Show Time !
Questions ?
Thank you @dheerajhere @djadmin
djadmin
qualiarts
nao_sumikawa
oikon48
sansan33
uhyo
keio_smilab
sagara
shimomura
glorypulse
yahonda
glaforge
recruitengineers
tammielis
bermonpainter
matthewcrist
jeffersonlam
tammyeverts
trallard
keathley
thoeni
geoffreycrofte
ammeep
jonyablonski
