Beyond Scanning
Slides from my talk at SeleniumConf UK 2016!
Dheeraj Joshi
November 15, 2016
Transcript
Let's talk Security: Beyond Scanning (Dheeraj Joshi, @dheerajhere)
About Me
• Front-End @ (logo) • Previously @ (logo) • Open Source (medium-cli) • Ambidextrous TT Player
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon, etc.
What makes me happy?
In this talk...
• Why?
• Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• Content Security Policy (CSP)
• HTTP Security Headers
• Best Practices & Demo
Why should we care about Security?
Startups & SMEs are known to cut corners. One of the first things they cut is 'Security'.
Password Reuse Attacks
Headline: HACKER PUTS HOSTING SERVICE "CODE SPACES" OUT OF BUSINESS
The Shutdown
Cross-Site Scripting (XSS)
• XSS attacks users
• Injects malicious content
• Exploits can be really bad
What is XSS?
• Typical Reflected XSS
• Stored XSS
• DOM XSS
Hunt...
• Data <-> Code
• Input Validation
• Check HTML Encoding
• Sanitizers
• Analyze places where DOM elements are created
XSS via template injection, using sandbox bypasses: http://blog.portswigger.net/2016/04/adapting-angularjs-payloads-to-exploit.html
• Check for the HttpOnly and Secure flags on the session cookie
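The "Data <-> Code" boundary from the hunting checklist above, as an added example that is not part of the deck: a tiny server-side renderer for a search page, first echoing the query straight into markup (the typical reflected or stored XSS), then with context-aware output encoding. The templates, encoders and payloads are this example's own constructions, not code from the talk.

```javascript
// Added example, not from the deck: the "Data <-> Code" boundary from the
// slides shown as a tiny server-side renderer for a search page. renderUnsafe()
// concatenates the query straight into markup (the typical reflected/stored
// XSS); renderSafe() encodes each interpolation for the context it lands in.
// Query strings and payloads below are constructed sample input.

// HTML text context: neutralise the characters that can open a tag, close
// an attribute or start an entity.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Quoted attribute context: same entity set; the template must quote the
// attribute, or a bare space would still let input add new attributes.
function encodeAttr(s) {
  return encodeHtml(s);
}

// JavaScript string-literal context: \u-escape everything outside
// [A-Za-z0-9] so input can close neither the string nor the <script> element.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Vulnerable: "You searched for: <q>" with the query echoed into three
// different contexts without any encoding.
function renderUnsafe(q) {
  return `<p>You searched for: ${q}</p>\n` +
         `<input name="q" value="${q}">\n` +
         `<script>var lastQuery = "${q}";</script>`;
}

// Hardened: identical template, one encoder per context.
function renderSafe(q) {
  return `<p>You searched for: ${encodeHtml(q)}</p>\n` +
         `<input name="q" value="${encodeAttr(q)}">\n` +
         `<script>var lastQuery = "${encodeJsString(q)}";</script>`;
}

// One payload per context. Each depends on a character (<, ", ;) that the
// matching encoder rewrites, so "appears verbatim in the output" is a fair
// test of whether data crossed over into code.
const PAYLOADS = [
  '<img src=x onerror=alert(1)>',   // HTML text context
  '" autofocus onfocus="alert(1)',   // attribute context
  '";alert(1);//',                   // JS string context
];

// Returns the payloads that survive unencoded in the rendered page.
function survivingPayloads(render) {
  return PAYLOADS.filter((p) => render(p).includes(p));
}

function compare() {
  return {
    unsafe: survivingPayloads(renderUnsafe).length, // 3: every payload lands as code
    safe: survivingPayloads(renderSafe).length,     // 0: all three are encoded as data
  };
}

// DOM XSS is the same bug on the client: element.innerHTML = location.hash
// crosses the boundary; element.textContent = location.hash does not.
```

Which encoder applies is decided by where the interpolation sits in the template, not by what the input looks like; that is why a single "sanitize everything" function at the input layer tends to miss the attribute and JavaScript-string cases.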
Cross-Site Request Forgery (CSRF)
CSRF Attacks
Because the attack is carried out by the victim, CSRF can bypass:
• HTTP Auth
• Session-based auth
• Firewalls
"CSRF Myths": preventions that won't work
• Only accepting POST requests
• Referer Protection
• Multi-Step Transactions
• URL Rewriting
• application/json
XSS + CSRF = ?
Content Security Policy (CSP)
CSP Evaluator (https://csp-evaluator.withgoogle.com)
HTTP Security Headers
• Strict-Transport-Security: max-age=16070400; includeSubDomains
• X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block
• X-Content-Type-Options: nosniff
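The header set from the slide together with a CSP audit in the spirit of the CSP Evaluator linked above, as an added example that is not from the deck: a small policy parser and checks for the weaknesses that tool is known for flagging (unsafe-inline and unsafe-eval in script-src, scheme-wide or wildcard script sources, object-src not locked down, missing base-uri). The two sample policies, the nonce value and the finding texts are this example's own constructions, not CSP Evaluator's output.

```javascript
// Added example, not from the deck: the response headers the slide lists,
// plus a small CSP parser and audit that flags the weaknesses the CSP
// Evaluator linked above looks for. The two policies and the nonce value are
// constructed samples; the finding texts are this example's own wording.

// Response headers from the slide, with a CSP added for the example.
function securityHeaders(csp) {
  return {
    'Strict-Transport-Security': 'max-age=16070400; includeSubDomains',
    'X-Frame-Options': 'deny',
    'X-XSS-Protection': '1; mode=block',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': csp,
  };
}

// Directives are ';'-separated, values whitespace-separated; per the spec a
// repeated directive keeps its first occurrence and the rest are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Sources that let any host on a scheme (or any host at all) serve scripts.
const SCHEME_WIDE = new Set(['*', 'http:', 'https:', 'data:']);

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // script-src falls back to default-src when absent.
  const script = d.get('script-src') || d.get('default-src');
  if (!script) {
    findings.push('no script-src or default-src: scripts load from anywhere');
  } else {
    const nonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
    if (script.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("script-src allows 'unsafe-inline': injected inline scripts run");
    }
    if (script.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval': string-to-code sinks stay open");
    }
    for (const src of script) {
      if (SCHEME_WIDE.has(src)) {
        findings.push(`script-src allows ${src}: any host on that scheme can serve scripts`);
      }
    }
  }
  // object-src also falls back to default-src; anything but 'none' lets
  // plugin content be injected.
  const object = d.get('object-src') || d.get('default-src');
  if (!object || !object.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content can be injected");
  }
  if (!d.has('base-uri')) {
    findings.push('base-uri missing: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Constructed samples: a permissive policy and a nonce-based strict one.
const WEAK_POLICY =
  "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const STRICT_POLICY =
  "default-src 'self'; script-src 'nonce-d2Fsa2Vy' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
```

Running auditCsp over WEAK_POLICY yields five findings and over STRICT_POLICY none; the nonce in the strict policy has to be generated fresh per response, which is the part a static audit cannot check.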
Defense
• Strategy - Integrate into SDLC
• Static Code Analysis
• Security Audits
• CTFs
Show Time !
Questions ?
Thank you @dheerajhere @djadmin