Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Dheeraj Joshi Dheeraj Joshi
November 15, 2016
Technology
500
0

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Avatar for Dheeraj Joshi

Dheeraj Joshi

November 15, 2016

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
Avatar for Dheeraj Joshi djadmin
0
6.7k
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.6k

Other Decks in Technology

See All in Technology
oracle-to-databricks-migration-with-llm-and-dbt
Avatar for case-k-git casek
1
400
Platform Engineering as a Product: Criteria for Improvement and Multi-Tenant Design
Avatar for Kumo Ishikawa kumorn5s
0
460
Generative UI × A2UI で AI エージェントを作った話 AI-DLC も使ってみた!
Avatar for たけのこ kmiya84377
1
310
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.8k
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
Avatar for nrs nrslib
2
690
Unlocking the Apps
Avatar for Tim Perry pimterry
0
160
Cloud Run のアップデート 触ってみる&紹介
Avatar for Gre212 gre212
0
290
電子辞書Brainをネットに繋げてみた(自力編)
Avatar for らすぴー raspython3
0
410
最低限これだけ押さえれ大丈夫_Claude Enterprise/Team企業展開ガバナンス入門
Avatar for t-kikuchi tkikuchi
1
630
OpenID Connectによるサービス間連携
Avatar for Shigeki Shoji takesection
0
150
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
Avatar for syobochim syobochim
7
1k
「コーディング」しない人のための Claude Code 入門 ChatGPT の次の一歩 — 業務に組み込む 育成・共有・自動化
Avatar for ふくだ(fukuda ryu) rfdnxbro
2
1k

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
270
14k
We Analyzed 250 Million AI Search Results: Here's What I Found
Avatar for Josh Blyskal joshbly
1
1.3k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
10k
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
140
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
150k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.7k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
390
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
390
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
28
3.5k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin