Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
150

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.8k

Other Decks in Technology

See All in Technology
E53046bb9794560f541fcf2cf0b9d526?s=48 sayokomiura
0
220
A1792748885fe8f2555d9c718ee7ae53?s=48 joytomo
1
130
7e20183342a040a32924a41343603286?s=48 konabuta
1
340
380bcd2ab751f5838abd8219df53e5fe?s=48 tomoki10
5
2.9k
3e8f61263f14a620f21d5f3f89c4b846?s=48 gamella
1
1.1k
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
0
280
C422cc033079e005fd1aa1b845b099da?s=48 meow_noisy
2
400
8d6c54ebb889a5fe3f77b763d563fd9f?s=48 serinuntius
0
310
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
1
110
A07bf430b58349d4c0c88dabcd4c21f3?s=48 iam326
0
210
Ce65a0ab3a68718d409e4007da16e141?s=48 todatomohiro
0
1.3k
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
0
310

Featured

See All Featured
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
14
600
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
239
23k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.6k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
36k
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
149
12k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
203
9.8k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
18
3.3k
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
43
4.8k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
331
36k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
223
15k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
403
20k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
277
17k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin