Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
220

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
Secure your Web Application
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.1k
Let's talk Security
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.9k

Other Decks in Technology

See All in Technology
Dagu | オンプレ向けワークフローエンジン(WebUI 同梱)
2a80a0a6f834a75cc418ef59175ecbb0?s=48 yohamta
0
210
Data Warehouse or Data Lake, which one do I choose?
00101a1274d1f92977f4e442ef73be86?s=48 ahana
0
150
LINE WORKS API 2.0について
1f7f0085220d6e48e5bdbf9b199b847c?s=48 mmclsntr
0
140
toilを解消した話
632368cb0b90fa711cec36a082a7e24e?s=48 asumaywy
0
220
家の明るさ制御 / Brightness Control in My House
2174bd20a68bf55c494a424ad3790f4a?s=48 1024jp
0
140
ニフティでSRE推進活動を始めて取り組んできたこと
374e82d9428869942bed1de094a7ca95?s=48 niftycorp
2
710
CTOのためのQAのつくりかた #scrumniigata / SigSQA How to create QA for CTOs and VPoEs
63d1e567c2c7b1dbf340f7bea9a92876?s=48 caori_t
0
340
キャッチアップ Android 13 / Catch up Android 13
D2bcabeeb1ddff142fb8988b412cb4d3?s=48 yanzm
2
1.2k
⚡Lightdashを試してみた
2c6a9bc003b77685330cc9359b6fbbc4?s=48 k_data_analyst
0
220
KubeCon Recap -Platform migration at Scale-
Ad22fcf5773b906c08330f4d57242212?s=48 inductor
0
110
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
0
180
スクラムマスターの「観察」スキルを掘り下げる / Scrum Fest Niigata 2022
Da40bdb49bfb7a3fc9426dacac78a99c?s=48 ama_ch
0
830

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
0438ae60cde4c7add6f9da48f28c15cc?s=48 chrisshort
14
35k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
Rebuilding a faster, lazier Slack
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
62
7.2k
We Have a Design System, Now What?
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
35
2.9k
4 Signs Your Business is Dying
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
169
20k
StorybookのUI Testing Handbookを読んだ
50fc0fdc2327ecbe7350645812de52e3?s=48 zakiyama
4
2k
Facilitating Awesome Meetings
245cee81a9c424266e5e401d844ea881?s=48 lara
29
3.9k
10 Git Anti Patterns You Should be Aware of
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
638
52k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
12
900
Web development in the modern age
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
197
9.3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
103
16k
The Web Native Designer (August 2011)
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.9k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin