Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

Avatar for Dheeraj Joshi Dheeraj Joshi
November 15, 2016
Technology
0
460

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

Avatar for Dheeraj Joshi

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
Avatar for Dheeraj Joshi djadmin
0
6.6k
Let's talk Security
Avatar for Dheeraj Joshi djadmin
0
7.5k

Other Decks in Technology

See All in Technology
Introdução a Service Mesh usando o Istio
Avatar for Aecio Pires aeciopires
1
280
それでも私が品質保証プロセスを作り続ける理由 #テストラジオ / Why I still continue to create QA process
Avatar for ぱいん pineapplecandy
0
150
Implementing and Evaluating a High-Level Language with WasmGC and the Wasm Component Model: Scala’s Case
Avatar for Rikito Taniguchi tanishiking
0
170
AI AgentをLangflowでサクッと作って、1日働かせてみた!
Avatar for Yano-13 yano13
1
120
私のMCPの使い方
Avatar for Yuta Matsumura tsubakimoto_s
0
120
「REALITY」3Dアバターシステムの7年分の拡張の歴史について
Avatar for gree_tech gree_tech
PRO
0
120
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
300
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
2.8k
Biz職でもDifyでできる! 「触らないAIワークフロー」を実現する方法
Avatar for kanacan igarashikana
3
1.3k
SCONE - 動画配信の帯域を最適化する新プロトコル
Avatar for kazuho kazuho
1
310
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
5.6k
Oracle Base Database Service 技術詳細
Avatar for oracle4engineer oracle4engineer
PRO
12
81k

Featured

See All Featured
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
7
280
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
10
880
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
7
570
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
185
22k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
75
5.1k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin