Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
140

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.7k

Other Decks in Technology

See All in Technology
C825832c4fc71ffdfd44905729281fb0?s=48 puhitaku
3
1.1k
3dfed36dc1543f0007b5fd46fcb41a47?s=48 yunoda
0
110
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
2
410
8b0e9a3684bd29ecece29db2582e38ae?s=48 norioikedo
0
210
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
1
160
E97091ac0d2c69ce9f9e8a8d0a2ea066?s=48 torisoup
11
5.2k
3373c144fef1d3518b9b3f24a6b46ad0?s=48 lmi
2
860
80542834077f51ffe731277513db2c07?s=48 zak3
1
170
569f10721398d92f5033097ac6d9132c?s=48 thockin
3
860
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
3
2.5k
4b2f3a64637b51e81813accbe8a98083?s=48 miura55
0
290
3a95702770e66754d87b824c1400054f?s=48 oliva
7
1k

Featured

See All Featured
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
318
18k
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
188
14k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
501
36k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
332
29k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
295
39k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
205
36k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
61
9.2k
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
7
390
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
168
7.2k
79acae287842acf29084005533a7fb3b?s=48 hursman
107
9.2k
E76911cbe088e5b850d966de3fc7435b?s=48 robhawkes
52
2.8k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin