Beyond Scanning

99a1c6a52cc56cc25cde65be5d54081a?s=47 Dheeraj Joshi
November 15, 2016
Technology
0
130

Beyond Scanning

Slides from my talk at SeleniumConf UK 2016!

99a1c6a52cc56cc25cde65be5d54081a?s=128

Dheeraj Joshi

November 15, 2016
Tweet

More Decks by Dheeraj Joshi

See All by Dheeraj Joshi
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
5.9k
99a1c6a52cc56cc25cde65be5d54081a?s=48 djadmin
0
6.7k

Other Decks in Technology

See All in Technology
Cad863e7fd94ece3248e0af21882259c?s=48 kennygt51
0
100
Cbc297b07593321e52c75a9ebcc0f843?s=48 jacopen
5
620
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
2
730
Fb025419ed38f98df595eb2eafc859f4?s=48 ihcomega56
5
2.2k
B29f42636a5f1249b640473d49aa4514?s=48 linedevth
1
180
5bbbb20da49b1f802af50b0f17a4f31f?s=48 miuranobuki
0
940
344128574661d939ea4cfe969823b774?s=48 syamauchi
0
110
34fcd5f1deeb25b1138e9845137feb6e?s=48 kakutani
2
560
Ae4ace6ba2b695fd37e4121faef66b43?s=48 katsushun89
0
110
5de063e47d0da381a3848e761a059a7a?s=48 tjun
5
780
5af8e5bd2f24e4ea0cee732c6cc259b3?s=48 haruharuharuby
0
280
Cc8a208e174943d1da814783841abd50?s=48 shinodogg
0
360

Featured

See All Featured
78b475797a14c84799063c7cd073962f?s=48 holman
287
130k
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
70
7k
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.9k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
498
36k
39488f9d172ab92fd352f2cd7b73258d?s=48 mza
80
3.9k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.7k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1348
190k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
154
11k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
119
15k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
10
1.4k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
326
35k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
105
9.5k

Transcript

  1. Let’s talk Security Beyond Scanning Dheeraj Joshi @dheerajhere

  2. • Front-End @ • Previously @ • Open Source (medium-cli)

    • Ambidextrous TT Player About Me

  3. More... Uber, CKEditor, Dropbox, MailChimp, Recruiterbox, InVision, DigitalOcean, Intuit, Groupon,

    etc. What makes me happy?

  4. In this talk... • Why ? • Cross-site Scripting (XSS)

    • Cross-site Request Forgery (CSRF) • Content Security Policy (CSP) • HTTP Security Headers • Best Practices & Demo

  5. Why should we Care about Security? Startups & SMEs are

    known to cut corners. One of the first things they cut is ‘Security'.
  6. None
  7. None
  8. None

  9. Password Reuse Attacks

  10. HACKER PUTS HOSTING SERVICE “CODE SPACES” OUT OF BUSINESS The

    Shutdown

  11. CROSS SITE SCRIPTING - XSS • XSS attack users •

    Inject Malicious content • Exploits can be real bad

  12. What is XSS? Typical Reflected XSS

  13. Stored XSS

  14. DOM XSS

  15. Hunt... • Data <-> Code • Input Validation • Check

    HTML Encoding • Sanitizers • Analyze places where DOM elements are created

  16. XSS via template injection Using Sandbox Bypasses http://blog.portswigger.net/2016/04/adapting-angularjs -payloads-to-exploit.html

  17. • Check for HTTPOnly, Secure flag on Session Cookie

  18. CROSS-SITE REQUEST FORGERY (CSRF)

  19. Because the attack is carried out by the victim, CSRF

    can bypass: • HTTP Auth • Session-based auth • Firewalls CSRF Attacks

  20. • Only accepting POST requests • Referer Protection • Multi-Step

    Transactions • URL Rewriting • application/json “CSRF Myths” Preventions that Won’t work

  21. XSS + CSRF = ?

  22. Content Security Policy (CSP) CSP Evaluator (https://csp-evaluator.withgoogle.com)

  23. HTTP Security headers • Strict-Transport-Security: max-age=16070400; includeSubDomains • X-Frame-Options: deny

    • X-XSS-Protection: 1; mode=block • X-Content-Type-Options: nosniff

  24. Defense • Strategy - Integrate into SDLC • Static Code

    Analysis • Security Audits • CTFs

  25. Show Time !

  26. Questions ?

  27. Thank you @dheerajhere @djadmin