Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
170

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.8k

Other Decks in Technology

See All in Technology
49f49940f0831a426745c028684bcdad?s=48 hatena
0
3.1k
4f43f9f4dc4cc2897841877e8f7b032f?s=48 cielan
1
290
9df0566fad9c9ca3bf669917848878fe?s=48 i35_267
1
140
2c0947c6a28e7f771ebd9859ecf54e5c?s=48 shinyorke
3
1.6k
648cff4d467bb490796a225da8f33797?s=48 onysuke
1
170
351ad6de24f57760f9275bc0ad06e564?s=48 quiver
0
140
413a764e6df9d7f2adbddb0b278ebb7e?s=48 sosai
0
160
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
180
49f49940f0831a426745c028684bcdad?s=48 hatena
0
2.8k
A19876f5694283f26a061746ba82c3b0?s=48 germsvel
1
120
97d180294474e9df01503148f3b11f39?s=48 lambda
0
2.9k
325ce6fcd0a74ff78990b8632817da55?s=48 yukihirochiba
0
1.3k

Featured

See All Featured
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
240k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
56
2.1k
1f74b13f1e5c6c69cb5d7fbaabb1e2cb?s=48 sferik
612
56k
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
298
39k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
364
63k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
111
15k
78b475797a14c84799063c7cd073962f?s=48 holman
464
280k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
249
21k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
314
18k
11c84dff30266b907714802088852677?s=48 jasonvnalue
87
8.4k
Eb8975af8e49e19e3dd6b6b84a542e26?s=48 qrush
288
19k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
43
2k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin