Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Beyond Scanning
Search
Dheeraj Joshi
November 15, 2016
Technology
0
360
Beyond Scanning
Slides from my talk at SeleniumConf UK 2016!
Dheeraj Joshi
November 15, 2016
Tweet
Share
More Decks by Dheeraj Joshi
See All by Dheeraj Joshi
Secure your Web Application
djadmin
0
6.3k
Let's talk Security
djadmin
0
7.2k
Other Decks in Technology
See All in Technology
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
920
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
web-application-security
matsuihidetoshi
0
170
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
320
On Your Data を超えていく!
hirotomotaguchi
2
690
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
530
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
データベース02: データベースの概念
trycycle
0
160
Python と Snowflake はズッ友だょ!~ Snowflake の Python 関連機能をふりかえる ~
__allllllllez__
1
120
DMM.com アルファ室採用案内資料
hsugita
1
160
Featured
See All Featured
Statistics for Hackers
jakevdp
789
220k
What's in a price? How to price your products and services
michaelherold
237
11k
Happy Clients
brianwarren
92
6.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
2
1.3k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
How to train your dragon (web standard)
notwaldorf
73
5.2k
How to Ace a Technical Interview
jacobian
272
22k
Become a Pro
speakerdeck
PRO
11
4.5k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
The Mythical Team-Month
searls
216
42k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Transcript
Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere
• Front-End @ • Previously @ • Open Source (medium-cli)
• Ambidextrous TT Player About Me
More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,
etc. What makes me happy?
In this talk... • Why ? • Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo
Why should we Care about Security? Startups & SMEs are
known to cut corners. One of the first things they cut is ‘Security'.
None
None
None
Password Reuse Attacks
HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The
Shutdown
CROSS SITE SCRIPTING - XSS • XSS attack users •
Inject Malicious content • Exploits can be real bad
What is XSS? Typical Reflected XSS
Stored XSS
DOM XSS
Hunt... • Data <-> Code • Input Validation • Check
HTML Encoding • Sanitizers • Analyze places where DOM elements are created
XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html
• Check for HTTPOnly, Secure flag on Session Cookie
CROSS-SITE REQUEST FORGERY (CSRF)
Because the attack is carried out by the victim, CSRF
can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks
• Only accepting POST requests • Referer Protection • Multi-Step
Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work
XSS + CSRF = ?
Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)
HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny
• X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff
Defense • Strategy - Integrate into SDLC • Static Code
Analysis • Security Audits • CTFs
Show Time !
Questions ?
Thank you @dheerajhere @djadmin