$30 off During Our Annual Pro Sale. View Details »

Beyond Scanning

Dheeraj Joshi
November 15, 2016
Technology
0
330

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.3k
Let's talk Security
djadmin
0
7.2k

Other Decks in Technology

See All in Technology
re:Invent2023で登場した運用開発用の可視化ツールたちを実際に見てみよう
yoshimi0227
0
350
TextField 表示スタイル変更の 有効活用例 5 選
akkie76
0
150
GoのProtocプラグインを活用した効率的な負荷試験戦略 / Efficient Load Testing Strategies Utilizing the Go Protoc Plugin
biwashi
0
120
本当にわかりやすいAI入門
segavvy
17
4.5k
dbt Coreとdbt-athenaによるAWS上のdbt環境構築ナレッジ
nayuts
0
290
LINE WORKS 最新メジャーアップデート(v3.8)勉強会
lwug
0
160
AWS re:Invent 2023 わざわざ現地まで行く意味あるの?→ありました
minorun365
PRO
5
1k
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.2k
CSSパフォーマンスに関する計測結果
poteboy
3
1.4k
開発組織の体制づくり、いつやるか問題
akiroom
0
2k
SRE推進における失敗と成功 〜く"し"け"な"い"〜 - NIFTY Tech Day 2023
niftycorp
0
120
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
1
1.3k

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
90
12k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
4k
For a Future-Friendly Web
brad_frost
168
8.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.5k
Code Reviewing Like a Champion
maltzj
511
38k
Typedesign – Prime Four
hannesfritz
35
1.8k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
219
21k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
52
19k
Design by the Numbers
sachag
272
18k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k

Transcript

  1. Let’s talk Security
    Beyond Scanning
    Dheeraj Joshi
    @dheerajhere

    View Slide

  2. ● Front-End @
    ● Previously @
    ● Open Source (medium-cli)
    ● Ambidextrous TT Player
    About Me

    View Slide

  3. More...
    Uber, CKEditor, Dropbox,
    MailChimp, Recruiterbox, InVision,
    DigitalOcean, Intuit, Groupon, etc.
    What makes me happy?

    View Slide

  4. In this talk...
    ● Why ?
    ● Cross-site Scripting (XSS)
    ● Cross-site Request Forgery (CSRF)
    ● Content Security Policy (CSP)
    ● HTTP Security Headers
    ● Best Practices & Demo

    View Slide

  5. Why should we Care
    about Security?
    Startups & SMEs are known to cut
    corners. One of the first things they
    cut is ‘Security'.

    View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. Password Reuse
    Attacks

    View Slide

  10. HACKER PUTS HOSTING SERVICE “CODE
    SPACES” OUT OF BUSINESS
    The Shutdown

    View Slide

  11. CROSS SITE SCRIPTING - XSS
    ● XSS attack users
    ● Inject Malicious content
    ● Exploits can be real
    bad

    View Slide

  12. What is XSS?
    Typical Reflected XSS

    View Slide

  13. Stored XSS

    View Slide

  14. DOM XSS

    View Slide

  15. Hunt...
    ● Data <-> Code
    ● Input Validation
    ● Check HTML Encoding
    ● Sanitizers
    ● Analyze places where DOM
    elements are created

    View Slide

  16. XSS via template injection
    Using Sandbox Bypasses
    http://blog.portswigger.net/2016/04/adapting-angularjs
    -payloads-to-exploit.html

    View Slide

  17. ● Check for HTTPOnly, Secure flag on Session
    Cookie

    View Slide

  18. CROSS-SITE REQUEST
    FORGERY (CSRF)

    View Slide

  19. Because the attack is carried out
    by the victim, CSRF can bypass:
    ● HTTP Auth
    ● Session-based auth
    ● Firewalls
    CSRF Attacks

    View Slide

  20. ● Only accepting POST requests
    ● Referer Protection
    ● Multi-Step Transactions
    ● URL Rewriting
    ● application/json
    “CSRF Myths”
    Preventions that Won’t work

    View Slide

  21. XSS + CSRF = ?

    View Slide

  22. Content Security Policy (CSP)
    CSP Evaluator
    (https://csp-evaluator.withgoogle.com)

    View Slide

  23. HTTP Security headers
    ● Strict-Transport-Security:
    max-age=16070400; includeSubDomains
    ● X-Frame-Options: deny
    ● X-XSS-Protection: 1; mode=block
    ● X-Content-Type-Options: nosniff

    View Slide

  24. Defense
    ● Strategy - Integrate into SDLC
    ● Static Code Analysis
    ● Security Audits
    ● CTFs

    View Slide

  25. Show Time !

    View Slide

  26. Questions ?

    View Slide

  27. Thank you
    @dheerajhere
    @djadmin

    View Slide